[Arm-netbook] Verifying firmware
Russell Hyer
russell.hyer at gmail.com
Tue Aug 23 23:30:28 BST 2016
Yes, Raphaël, that is an issue. After all, if you have one of those
new fancy laptops (that doesn't have a libre BIOS) to run a
non-Windows kernel, the tool you get to use (that you can find
packaged into the Ubuntu boot discs) is actually a self-signed hack by
Microsoft (MS) to allow you to boot ANY system, and the system
"validates" itself. So, yeah, the commercial systems aren't worth
much, but at least they allow you to undo the security, by pressing
the hollywood button (TM).
:)
Russell
On 23/08/2016, Raphaël Mélotte <raphael.melotte at gmail.com> wrote:
> 2016-08-23 19:50 GMT+02:00 Henrik Nordström <henrik at henriknordstrom.net>:
>
>>
>> > > That's
>> > > why I'm asking if it would be possible to read the microcodes
>> > > present on the
>> > > chip, and check them against the online source codes (kind of a
>> > > checksum ?).
>> >
>> > no idea.
>>
>> There is no microcode or closed firmware running on the A20.
>>
>> There is a bootrom embedded in the CPU that allows the CPU to load the
>> bootloader from flash or usb recovery but once the bootloader takes
>> control the bootrom ceases to execute entirely.
>>
>> The bootrom is easily extracted from both Linux and the USB recovery
>> boot protocol if you want to analyze it further. But it is an embedded
>> ROM memory in the CPU silicon that can not be modified short of
>> Allwinner making another CPU silicon production mask and produces new
>> CPUs.
>>
>> What the A20 is missing from a security perspective is secure boot
>> procedure. There is some primitive support but not really functioning.
>> Some of you may think I am crazy speaking about secure boot, but
>> properly used it is a very strong tool for ensuring that the installed
>> software is not tampered with by untrusted parties. But this requires
>> that you are in control of the security keys and not some untrusted
>> proprietary vendor.
>>
>>
>> Regards
>> Henrik
>>
>
>
>
> Thank you for detailing that :-)
> It's true that a secure booting mechanism would be a great addition to
> security.
> Nevertheless if I have to choose I prefer no secure boot than secure boot
> the way it has been implemented in almost all modern laptops, where almost
> only proprietary OSes are allowed to boot and everything is obfuscated
> since it's proprietary (that sort of secure boot in my opinion, doesn't add
> any security and only brings hassle).
> And the EOMA68 being libre, maybe people will be interested in developing a
> libre secure boot :-)
>
More information about the arm-netbook
mailing list