Anyway to verify Bios


#1

I recently ordered a librem 15. Is there anyway to check the integrity of the firmware that runs the the Bios to verify the integrity of the code.


#2

I have mailed a developer about the same question but unluckily he never answered.
I like the product idea and it’s philosophy behind; but seems that they don’t understand that it is a product that will be used mainly by people interested in security.
not because is complex to use but because normal people have no idea that it exists.
i’d like that they publish more info about the specifications, how to verify the bios where is the chip and so on…

meanwhile i have done it myself on other computer (and also added phisical switch for mic+webcam). i don’t have purism yet and will not buy until new real HARDWARE security features are added (anyone is able to install softwer like tor, httpseverywhere and so on, what we can’t do and purism can is hardware security! pls anyone!?!?)

HOW TO VERIFY BIOS:
first of all is not a very simple thing.
you will need a hardware SPI flash programmer.
to connect it you can use a soic test clip (photo here)
https://duckduckgo.com/?q=soic+test+clip&kl=it-it&iax=1&ia=images
since i don’t want to waste much money for it i have built it myself using Arduino UNO (about 20€).
i desoldered the chip and placed in a breadboard
here some details about how to do it
https://www.flashrom.org/Serprog/Arduino_flasher
i have not used their program, i have coded it myself but it should work.

here is an example of reflashing (in circuit serial programming, so no desoldering needed)


#3

if you think that you will try and need more detailed info let me know.

ps i forgot to add one important thing:
suppose you have dumped the full bios what then?
-you hope that it is not bad / compromised, compute a sha256 over it and check for bios integrity sometimes using he programmer?
-you reverse it all to check what does it do?

probably the first.
not the best but thats a good start


#4

At the moment, the best way is probably* to:

If anyone else knows a better way, please post it. Thanks.

* I haven’t yet confirmed this.