Yes, Raphaël, that is an issue. After all, if you have one of those new fancy laptops (that doesn't have a libre BIOS) to run a non-Windows kernel, the tool you get to use (that you can find packaged into the Ubuntu boot discs) is actually a self-signed hack by Microsoft (MS) to allow you to boot ANY system, and the system "validates" itself. So, yeah, the commercial systems aren't worth much, but at least they allow you to undo the security, by pressing the hollywood button (TM).
:)
Russell
On 23/08/2016, Raphaël Mélotte raphael.melotte@gmail.com wrote:
2016-08-23 19:50 GMT+02:00 Henrik Nordström henrik@henriknordstrom.net:
That's why I'm asking if it would be possible to read the microcodes present on the chip, and check them against the online source codes (kind of a checksum ?).
no idea.
There is no microcode or closed firmware running on the A20.
There is a bootrom embedded in the CPU that allows the CPU to load the bootloader from flash or usb recovery but once the bootloader takes control the bootrom ceases to execute entirely.
The bootrom is easily extracted from both Linux and the USB recovery boot protocol if you want to analyze it further. But it is an embedded ROM memory in the CPU silicon that can not be modified short of Allwinner making another CPU silicon production mask and produces new CPUs.
What the A20 is missing from a security perspective is secure boot procedure. There is some primitive support but not really functioning. Some of you may think I am crazy speaking about secure boot, but properly used it is a very strong tool for ensuring that the installed software is not tampered with by untrusted parties. But this requires that you are in control of the security keys and not some untrusted proprietary vendor.
Regards Henrik
Thank you for detailing that :-) It's true that a secure booting mechanism would be a great addition to security. Nevertheless if I have to choose I prefer no secure boot than secure boot the way it has been implemented in almost all modern laptops, where almost only proprietary OSes are allowed to boot and everything is obfuscated since it's proprietary (that sort of secure boot in my opinion, doesn't add any security and only brings hassle). And the EOMA68 being libre, maybe people will be interested in developing a libre secure boot :-)