[Arm-netbook] Verifying firmware

Raphaël Mélotte raphael.melotte at gmail.com
Sun Aug 21 21:19:31 BST 2016


Hello,

First of all I have been following the crowdfunding and mailing list since
the first of august (I have been using another email adress) and I have to
say I really like every aspect of this project and I highly respect and
admire the ideology that goes with the project.


I haven't been able to pledge until now but I will make sure to do so as
soon as I can and before the crowdfunding ends. I really want to test what
an EOMA68 laptop would look and behave like, and I want to replace my  tiny
Raspberry pi server with another EOMA68 (I will also be willing to buy more
powerful computer cards if they ever get created).

Since the EOMA68 is entirely free, I was thinking that *theoretically* it
should be possible to read and verify every firmware, and/or binaries
present to run the chip (I don't really know how to call it so I will call
it "microcode"). More and more people are worried about the microcodes that
are run on our hardware and being able to verify what is actually running
on our machine (when it boots for example) would be comforting. It seems to
me that it's the first time the source code for every microcode in a
computer will be available, since some projects tried to do so in the past,
but never achieved to run 100% without proprietary code (purism, novena,
...).

>From a security point of view, open source code is the best option since it
allows to check if the code being run isn't malware. However, if I don't
verify the code present on my machine, how will I know it is the same code
as the source that was analyzed and that it is not malicious code ? That's
why I'm asking if it would be possible to read the microcodes present on
the chip, and check them against the online source codes (kind of a
checksum ?). That way we would be able to know if the code had been
tampered with, be it during shipping, after being infected by a malware
that was somehow able to change the boot code or some firmware, an evil
maid attack, etc.

Just to be clear I'm not being paranoid to the point where I would suspect
some bad guys inserting malware in my machine during shipping (I guess the
country I live in is "libre" enough to not do that, but that's surely not
the case for everyone everywhere in the world), and I will probably not try
to verify every firmware on the chip, but since this is one of the first
truly free system I was asking myself if it would be possible. Also maybe
being able to do so easily would attract more people who are deeply focused
on security and privacy and would be beneficial to the project.

I also understand that as of today, checking every code on a system is more
an utopia then a doable thing (you'd also have to check firmware from your
keyboard, mouse, webcam, USB flash drive, and pretty much everything you
connect to the main board) and may be pointless, but I'm also confident
that in the future (maybe distant, maybe not) we will have to be able to do
so if we want to keep our digital life private, as everything we do is more
and more linked to the digital world, and malware techniques are becoming
more and more creative (see for example BadUSB).

I'm not a computer scientist and although I do my best to learn how
software works, I don't understand everything about hardware and I may be
missing some important point that makes my idea impossible to realize.
That's why I'm asking it here since you know far more about it then me.

Also please forgive my written expression: I'm doing my best to express my
ideas clearly, but English isn't my native language and I sometimes don't
know how to express myself to be best understood.

Anyway, I sincerely hope this project becomes a great success, and that you
will be able to make it grow even more.


Kind regards,

Raphaël Mélotte
A Bioengineering student interested in computers
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.phcomp.co.uk/pipermail/arm-netbook/attachments/20160821/0dc9d18a/attachment.html>


More information about the arm-netbook mailing list