Details of BIOS security, Re: Intel to include DRM in new Pentium 4 series processors

Matthew Astley lists-ukcrypto at fruitcake.demon.co.uk
Mon, 16 Sep 2002 11:40:26 +0100 

I think at least three of us are happy to take a discussion of secure
boot elsewhere if the group is growing weary.

IMHO the issue of whether TCPA is actually necessary for security,
rather than just being sufficient, is close enough to Topic to
continue chasing.


On Mon, Sep 16, 2002 at 02:03:37PM +0800, Brian Gladman wrote:
> From: "Peter Gutmann" <pgut001@cs.auckland.ac.nz>

> > A lot of MBs don't have [switch to disable BIOS upgrade] any more
> > (I had to specifically look for one which does).

I always imagined this was so they could sell new mobos to those who
caught the Chernobyl or CIH (?) virus.

I would imagine cutting a track could protect the flash, if it were
accessible, but that's a bit hairy for most!

> And if you are worried about low level attacks and think thats good enough,
> think again.

(Brian posted details on the "Fixing BIOS/bootloader security -->
subsidising DRM" subthread)

Thank you for that detail.

While it appears reasonable to claim that TCPA is sufficient for boot
security, it isn't obvious that it's actually necessary. The other
stuff which comes with TCPA appears to be worth avoiding,

> > Yup. Anyone who cares about secure boot can get a MB with a
> > write-disable jumper [...] This [doesn't] gives you all the
> > benefits of TCPA at no cost, and without having DRM stealthed on
> > top of it.

As for the DRM, I think "railroaded" is more appropriate that
"stealthed". 8-/

> Sadly it does not, although it might be nice if we had a solution
> that did.
> 
> But it seems that this won't be on offer.

Doug (different list (-8 ) pointed out the LinuxBIOS project,
  http://slashdot.org/articles/00/06/14/2110209.shtml [2 years old]
  http://www.acl.lanl.gov/linuxbios
  http://www.linuxbios.org [redirects to www.acl.lanl.gov]

The .gov site gives an "unknown host" DNS error, but it is still in
Google's cache. The cached download page says it has moved to
  http://sourceforge.net/projects/freebios/

The /. discussion also mentions Tiarra,
  http://sourceforge.net/projects/utcboot/

and Google found me
  http://www.freiburg.linux.de/OpenBIOS/


I believe this will fix the warm boot problem, because an open BIOS of
whatever flavour can avoid treating the warm boot as something
special.

Whether it fixes the problems with reflashable peripherals diddling
with the PCI bus and setting back doors is another thing. Presumably
if DMA is disabled 8-/ this problem also goes away?


Matthew  #8-)