Coreboot future security

As I understand Coreboot is a security feature for the Librem laptops. I noticed that the NSA got involved in the Coreboot project.

Or am I mixing up something? It would make me suspicious, probably trying to include and hide a back door?

It is very well possible that they have a need for that for their own (internal) purposes, just like they had Intel implement a kill-bit for the ME, because they also want to trust their own computers :wink:

It’s also likely that the new module that they are implementing will not be included in updates of Purism, as there is no need to have it.

hahaha I hope so, for both of Your statements :slight_smile:

Thanks for the Article.
Your comments made me laugh, because there is someone now officially from NSA working on this when in fact they could be inserting it under false names a long time ago without you and me knowing. My point is: If the NSA have malicious intentions for Coreboot, they will have done so by now under a pseudonym and not by using an employee’s real name.

3 Likes

Not necessarily, it could be good code w/ bad defaults (per dual ECC).

While there is potentially a few useful things a consumer could do with SMITM this doesn’t actually bode well.

SMITM will allow the ME (co-processor code) so selectively hide SMM (ring -2) calls from the OS. And there is no way for OS or application code to tell that SMM code is running without advance timing analysis. And with TXT enabled, you wont be able to tell what it’s doing, even if you dump the RAM.

If you have enough money and influence, you’ll be able to get an ME image that gives real security even to SMM calls from less trusted code, the rest of us will have to deal with a real possibility there’s a backdoor there and SMM can be called w/a network packet through the ME.