BIOS - firmware update protection

One threat that I haven’t seen addressed too often is the firmware update process. What steps have been taken to protect this? Remember the old days when you had to physically move a jumper to flash your BIOS? The jumpers were replaced by the manufacturer’s “convenience” of being able to flash your BIOS, often from the desktop - and very few people even raised an eyebrow when it happened. I would much prefer a dip switch or jumper that has to be placed to enable a BIOS update - and not a software-read dip switch either - I’m talking about interrupting power to a write line or forcing you to attach a cable to a connector on the motherboard. And don’t forget the other devices with firmware - video cards, hard drive controllers, etc. Anyhow, firmware updates are a great current topic for consideration.

In the Librem 15 rev2 we added a BIOS write protect switch, as you mentioned. But it was a first-version for us to test the integrity of. Ron Minnich @ Coreboot recommended this, and we are continuing to research the best path. We have also thought about taking this to the next level of having two drives, the OS and user data, where the OS has a write-protect switch to avoid software updates, and the user-data is rw, which may work, but it is all in its infancy right now.

So what I can tell you is we are evaluating the best way to include a write-protect physical switch, but have not implemented it in all our products yet. The issue as a policy is that we want it, so it comes down to cost and negotiation of the fabrication, which means it might make it into the next batch, but if not, it will in future batches.

Thanks for writing! While we have not locked out video cards or drives, that same ‘single switch’ could be a read-write for them all. Do you have wiring knowledge to help us determine the pin-outs needed to disable writing of firmware for each of these areas you’re concerned about?

Todd.