Re: [Libreboot] Libreboot Digest, Vol 23, Issue 23


From: Eduardo Dominguez
Subject: Re: [Libreboot] Libreboot Digest, Vol 23, Issue 23
Date: Mon, 22 Aug 2016 12:06:03 -0400

I have a t500. I'm willing to test.

On Aug 22, 2016 12:00 PM, <address@hidden> wrote:

> Send Libreboot mailing list submissions to
>         address@hidden
>
> To subscribe or unsubscribe via the World Wide Web, visit
>         https://lists.gnu.org/mailman/listinfo/libreboot
> or, via email, send a message with subject or body 'help' to
>         address@hidden
>
> You can reach the person managing the list at
>         address@hidden
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Libreboot digest..."
>
>
> Today's Topics:
>
>    1. Re: Git clone authentication (koanhead)
>    2. tester needed for t400 (Arthur Heymans)
>    3. Re: Git clone authentication (Duncan Guthrie)
>    4. Re: GNU Libreboot, version 20160818 released (Robert Alessi)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Sun, 21 Aug 2016 16:53:04 -0700
> From: koanhead <address@hidden>
> To: address@hidden
> Subject: Re: [Libreboot] Git clone authentication
> Message-ID: <address@hidden>
> Content-Type: text/plain; charset=utf-8
>
> On 08/20/2016 02:11 AM, Leah Rowe wrote:
> > Hi,
> >
> > Op 20/08/16 om 01:41 schreef koanhead:
> ...
> >
> >> Other than that, if you clone the repository in a manner vulnerable
> >> to MITM, you should still be able to verify its checksum against
> >> the one that's published. As far as I can tell from perusing
> >> http://git.savannah.gnu.org/cgit/libreboot.git/, there's no global
> >> sum published for the whole tree. This might not matter, since
> >> after all we're using git, which uses hashes to identify the
> >> objects it tracks. The cgit link above shows some of these hashes.
> >> I'm not sure just now how exactly to convince git to emit enough of
> >> the correct information that you can compare the results with those
> >> shown on the savannah site, so I'm going to send this off as-is and
> >> look into it; if I figure it out I'll post in reply to this.
> >> Hopefully someone else out there already knows how to do this
> >> thing?
> >
> >
> > sha1 was broken afaik, I don't remember the link but I was reading
> > about it. Whether it's practical in practice to mitm accesses to the
> > git repository I don't know.
>
> As to whether that's practical, I don't know either, but Leah is
> definitely right about sha1 having been 'broken' in the sense that it's
> possible to generate sha1 hash collisions in somewhat reasonable time.
>
> According to
> https://en.wikipedia.org/wiki/SHA-1#Cryptanalysis_and_validation it was
> do-able but very expensive in 2005; I expect it's a lot cheaper now.
>
> I had thought that it might be practical to verify the path from the
> root of the git tree to the HEAD of whichever branch you're pulling by
> validating each hash in order; but that's only a linear increase in
> complexity (unless you have lots of branches having lots of branches) so
> it doesn't seem like it would be worthwhile to try. If anyone still
> wants to try it they can grep the list of commits from `git log`.
>
> Fortunately it doesn't matter, because https!
>
>
>
>
>
> ------------------------------
>
> Message: 2
> Date: Mon, 22 Aug 2016 02:04:06 +0200
> From: Arthur Heymans <address@hidden>
> To: libreboot <address@hidden>
> Subject: [Libreboot] tester needed for t400
> Message-ID: <address@hidden>
> Content-Type: text/plain; charset="us-ascii"
>
> Hi
>
> Currently libreboot reverses a patch in coreboot that is supposed to
> handle lenovo systems with 2 gpus attached. This revert had to be done
> because this hybrid lenovo gpu driver does not work on t400 and results
> in the display not working in either grub or linux.
>
> A proper fix is needed and I think I know how but I don't have a t400
> to test. So it would be nice if someone could test a rom for me on his/her
> t400 with dual graphics to confirm it's working.
> link to rom:
> https://home.aheymans.xyz/shared/coreboot_t400.rom
>
> How to test:
> 1) flash that rom
> 2) boot into GNU/linux
> 3) report if you have working display in GNU/linux
>
> notes:
> - it's possible this patch does not work and then you won't have
> a working display in linux so be prepared to either work blindly or use
> ssh to reflash a working rom
> - it's unknown if you will have working grub on high res screens
>
> Technical details: the hybrid driver uses wrong gpio (gpio52 instead of
> gpio22) on t400 to connect gpus to the display.
>
> PATCH:
> -------------- next part --------------
> A non-text attachment was scrubbed...
> Name: diff
> Type: application/octet-stream
> Size: 354 bytes
> Desc: not available
> URL: <http://lists.gnu.org/archive/html/libreboot/attachments/
> 20160822/644d538e/attachment.obj>
> -------------- next part --------------
>
>
>
> --
> Arthur Heymans
>
> ------------------------------
>
> Message: 3
> Date: Mon, 22 Aug 2016 01:15:56 +0100
> From: Duncan Guthrie <address@hidden>
> To: address@hidden
> Subject: Re: [Libreboot] Git clone authentication
> Message-ID: <address@hidden>
> Content-Type: text/plain; charset=UTF-8
>
> I did some more investigation into these issues.
>
> More worrying is the build process of crossgcc. It downloads source
> tarballs for its dependencies over regular http, and doesn't even verify
> the checksums, let alone cryptographic signatures. I asked about this on
> #coreboot IRC, and luckily, there is a patch on Coreboot's code review
> website, and this will probably end up being put in upstream:
> http://review.coreboot.org/#/c/15170/. This is, of course, incredibly bad
> form, but it is good that Coreboot developers are willing to fix the
> problem.
>
> With the cached packages being included in Libreboot source distribution,
> can someone confirm to me whether these had signatures verified, or at
> least checksums (manually, I presume)? Because otherwise, if some malicious
> group wanted to target a whole group of users (read: juicy targets) with an
> interest in preservation of privacy, one could target the Libreboot project
> developers. I doubt it would be especially difficult. I really hope you
> verified them...
>
> Either way, fixing the build process, obviously starting with applying the
> patch to Coreboot is absolutely essential. I can't really believe nobody
> here ever inquired into security of the buildgcc script.
>
> Thanks for all your responses,
> D.
>
> On 22 August 2016 00:53:04 BST, koanhead <address@hidden> wrote:
> >On 08/20/2016 02:11 AM, Leah Rowe wrote:
> >> Hi,
> >>
> >> Op 20/08/16 om 01:41 schreef koanhead:
> >...
> >>
> >>> Other than that, if you clone the repository in a manner vulnerable
> >>> to MITM, you should still be able to verify its checksum against
> >>> the one that's published. As far as I can tell from perusing
> >>> http://git.savannah.gnu.org/cgit/libreboot.git/, there's no global
> >>> sum published for the whole tree. This might not matter, since
> >>> after all we're using git, which uses hashes to identify the
> >>> objects it tracks. The cgit link above shows some of these hashes.
> >>> I'm not sure just now how exactly to convince git to emit enough of
> >>> the correct information that you can compare the results with those
> >>> shown on the savannah site, so I'm going to send this off as-is and
> >>> look into it; if I figure it out I'll post in reply to this.
> >>> Hopefully someone else out there already knows how to do this
> >>> thing?
> >>
> >>
> >> sha1 was broken afaik, I don't remember the link but I was reading
> >> about it. Whether it's practical in practice to mitm accesses to the
> >> git repository I don't know.
> >
> >As to whether that's practical, I don't know either, but Leah is
> >definitely right about sha1 having been 'broken' in the sense that it's
> >possible to generate sha1 hash collisions in somewhat reasonable time.
> >
> >According to
> >https://en.wikipedia.org/wiki/SHA-1#Cryptanalysis_and_validation it was
> >do-able but very expensive in 2005; I expect it's a lot cheaper now.
> >
> >I had thought that it might be practical to verify the path from the
> >root of the git tree to the HEAD of whichever branch you're pulling by
> >validating each hash in order; but that's only a linear increase in
> >complexity (unless you have lots of branches having lots of branches) so
> >it doesn't seem like it would be worthwhile to try. If anyone still
> >wants to try it they can grep the list of commits from `git log`.
> >
> >Fortunately it doesn't matter, because https!
>
>
> ------------------------------
>
> Message: 4
> Date: Mon, 22 Aug 2016 12:49:29 +0200
> From: Robert Alessi <address@hidden>
> To: Leah Rowe <address@hidden>
> Cc: address@hidden
> Subject: Re: [Libreboot] GNU Libreboot, version 20160818 released
> Message-ID: <address@hidden>
> Content-Type: text/plain; charset="us-ascii"
>
> Good point.  This way everyone may use it.
>
> On Sat, Aug 20, 2016 at 10:08:54AM +0100, The Gluglug wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > On the other hand, a statically compiled 32-bit binary should also
> > work on 64-bit distros, so I could do that.
> >
>
> ------------------------------
>
> Subject: Digest Footer
>
> _______________________________________________
> Libreboot mailing list
> address@hidden
> https://lists.gnu.org/mailman/listinfo/libreboot
>
>
> ------------------------------
>
> End of Libreboot Digest, Vol 23, Issue 23
> *****************************************
>
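
The gap raised in Message 3 of the quoted digest (dependency tarballs fetched over plain http with no checksum check) is closed by comparing each download against a digest pinned alongside the build script, and failing closed when a file has no pinned entry. The sketch below is an added example, not code from this thread, from buildgcc or from the coreboot patch under review. The names `sha256_of`, `verify_pinned` and `demo`, the manifest layout and the sample file names are assumptions made for illustration, and the sample archive is constructed.

```shell
#!/bin/sh
# Added example: check a fetched tarball against a pinned SHA-256 before use.
# Manifest layout (an assumption of this example): "<sha256-hex>  <filename>"
# per line, the same layout sha256sum prints. File names must not contain spaces.

# Print the SHA-256 of a file as lowercase hex.
sha256_of() {
    sha256sum "$1" | awk '{print $1}'
}

# verify_pinned FILE MANIFEST
# Returns 0 only if FILE's basename is listed in MANIFEST and the digest matches.
# Returns 1 on mismatch, 2 if the file has no pinned entry (fail closed).
verify_pinned() {
    file=$1 manifest=$2
    name=$(basename "$file")
    want=$(awk -v n="$name" '$2 == n {print $1; exit}' "$manifest")
    [ -n "$want" ] || return 2
    got=$(sha256_of "$file") || return 1
    [ "$got" = "$want" ]
}

# Constructed demo: a stand-in "tarball", its pinned manifest, a copy altered
# after pinning, and a file that was never pinned. No network access is needed.
demo() {
    dir=$(mktemp -d) || return 1
    printf 'constructed sample archive\n' > "$dir/sample-1.0.tar"
    (cd "$dir" && sha256sum sample-1.0.tar > pinned.sha256)

    r1=0; verify_pinned "$dir/sample-1.0.tar" "$dir/pinned.sha256" || r1=$?

    # Simulate bytes changed in transit by an on-path attacker.
    printf 'bytes altered in transit\n' >> "$dir/sample-1.0.tar"
    r2=0; verify_pinned "$dir/sample-1.0.tar" "$dir/pinned.sha256" || r2=$?

    # A download the manifest does not know about must be rejected too.
    : > "$dir/unlisted.tar"
    r3=0; verify_pinned "$dir/unlisted.tar" "$dir/pinned.sha256" || r3=$?

    rm -rf "$dir"
    echo "intact=$r1 tampered=$r2 unlisted=$r3"
}

demo
```

The check is only as trustworthy as the manifest: it has to arrive with the build script through a channel that is itself verified (a signed release or an authenticated clone), because a digest fetched over the same http connection as the tarball can be replaced together with it.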

