ELI5 BIOS write protection

I’ve read the article on this feature, but I did not understand how it works.
Could someone explain what this is and how it works in an easy way?
Thanks

The idea of Purism’s BIOS write protection is that changing the BIOS (so the computer’s startup code) can only be done after flipping a physical switch that is inside the laptop.

Protecting the BIOS is important because backdoors in the BIOS code work no matter how secure your operating system is, and stick around when you completely reinstall it.

Because physical access is needed to do this, this means that malware and remote exploits cannot infect your BIOS. Additionally, it makes it harder for someone who has temporary access to your laptop to change the BIOS, as it takes extra time to open the device and close it again.

It does make legit BIOS upgrades (for bugfixes) more work, but that’s a trade-off. As I understand it, it’s an optional feature, in that you can leave the switch in the on position.

I hope that’s clear enough; if not, just ask.

5 Likes

Very clear, thank you

1 Like

More exactly - the switch is located DIRECTLY on the laptop motherboard INSIDE the chassis, so it is a separate thingy from the hardware killswitches that can be accessed from the OUTSIDE …
Why was this not included on the Librem-Mini?

Yes, exactly, if it was on the side of the laptop it would offer less protection in the case of physical tampering. And I guess there’s an upper limit on the number of kill switches that can be usefully fit on the side of a laptop :smile:

No idea! They introduced the concept for the first time for the most recent product. Hopefully in the next generation.

+1 for a double BIOS switch as well. In case the first one gets corrupted or something, you can easily flip to the second as a back-up and/or restore the first to a known working state. Even better if they are isolated from each other in case of some security/privacy vulnerability discovered in the current active one …

1 Like

Yes, that would be useful. There’s not really a good way to recover from a failed coreboot flash right now, for example.