Re: [Libreboot] Password protected Grub entries

[The Gluglug]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



On 20/05/15 12:16, The Gluglug wrote:
> 
> 
> On 20/05/15 11:30, Beni wrote:
>> To replace a hard drive in a laptop you need to open up at least 
>> one screw. If you don't seal your screws and let people open up 
>> your laptop, you've got a problem anyway. Everyone can read your 
>> libreboot rom and reflash another rom, e.g. one that logs your 
>> passphrase somewhere. So that's dangerous anyway.
> 
> You can write-protect the flash chip, in a way that then requires 
> external flashing (SPI programmer needed, in other words). This
> also isn't perfect because the attacker can probably use a SPI
> flasher, but with a randomized seal as you have pointed out, you
> can detect if this has occurred.
> 

It's also possible for you to read the flash chip contents, and verify
the SHA512 hash.

However, distros don't really have reproducible builds yet, and
neither does libreboot.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBAgAGBQJVXG2EAAoJEP9Ft0z50c+U30wH/18lqC3kx1xSSN4aQBs+Xs3N
9ikLaEOZ3gihWB0FbQ+xjdpe9NWyyFfT0R+XFy7+UCbVyNOQ1pvdIf98ICnzyE3b
HeObc0BOBB8LJKez7bMuCyIdU8dcmXKYAjC2k38JMBZ6SQStza7oyVkR/sIr/otL
U56EBz51ln3Mm9gFjfJL3LWjyUmZo7+GYB+ZL9lFNUa4TRrk1b1glPG6ALHX7lF8
DC2riYhfDAYpJGtr+psOeG34xnm3PgiTy8Ir7O3BOm9ViExmIoK6ycOMJMpmdO+1
VlhCvvko5XOjcsJOu8fKMZjbO8sU/Sq9HQ8tYi5r57ei+c0MyGLUj6FPb85GlKM=
=xGKA
-----END PGP SIGNATURE-----