Conversation

Notices

1. Embed this notice
   Leah Rowe is not a Rowebot (libreleah@mas.to)'s status on Saturday, 30-Nov-2024 11:36:25 JST Leah Rowe is not a Rowebot

   @encore Well, the people who use Libreboot tend to be more saavy to these things, and these attacks rely on being able to write to the flash in any way.

   By default, Linux kernels these days typically protect /dev/mem by default (prevents flash writes).

   Libreboot does not enable things like SMMSTORE; anything you flash then hardcodes the machine configuration until re-flash.

   Libreboot also uses coreboot and doesn't use edk2 so, smaller attack surface. Also see:

   https://libreboot.org/docs/linux/grub_hardening.html

   • Embed this notice
     Leah Rowe is not a Rowebot (libreleah@mas.to)'s status on Saturday, 30-Nov-2024 11:38:26 JST Leah Rowe is not a Rowebot

     in reply to

     @encore Remember these words:

     Code equals bugs therefore fewer lines of code will lead to fewer bugs.

     Coreboot uses a more minimalist design philosophy (for example it doesn't overly rely on SMM and other nasty things). A lot of these firmware-based attacks target edk2 which is the reference UEFI implementation from Intel.

     Libreboot actually does provide UEFI now, but implemented by U-Boot instead of edk2. U-Boot has much higher code quality and (IMO) better auditing than anything edk2-based.

   • Embed this notice
     Leah Rowe is not a Rowebot (libreleah@mas.to)'s status on Saturday, 30-Nov-2024 11:51:16 JST Leah Rowe is not a Rowebot

     in reply to

     @encore Also, it isn't a UEFI attack. Or rather, isn't a rootkit. Look what @marcan wrote:

     https://social.treehouse.systems/@marcan/113561803290693406

     https://social.treehouse.systems/@marcan/113560945800582652

     Just some dumb EFI application that you can easily remove.

     NOTE: Libreboot doesn't implement SecureBoot. It has a *much* better security model:

     https://libreboot.org/docs/linux/grub_hardening.html

     ^ GRUB in flash so you harden the flash, and GPG-check the Linux kernel at boot, and lock the flash.

     Libreboot has UEFI support for the memes(and BSD). I recommend GRUB if booting Linux.

   • Embed this notice
     Leah Rowe is not a Rowebot (libreleah@mas.to)'s status on Saturday, 30-Nov-2024 11:58:20 JST Leah Rowe is not a Rowebot

     in reply to

     @encore @marcan If using the GRUB payload in Libreboot, note that it isn't UEFI or BIOS GRUB. It's actually running on bare metal, and has to implement its own drivers.

     You add a GPG pubkey to flash, and sign every file inside the flash, including grub.cfg. Signature for Linux too. GRUB can also have a password protect, and boot Linux from LUKS2 partitions.

     Linux on bare metal. No UEFI/BIOS services. Just coreboot initialisation. It still has a few things like minimal SMM implementation, ACPI.