https://puri.sm/coreboot/ says “The script uses only files available from public Purism repositories, and performs numerous checks to ensure the integrity of the downloaded/compiled firmware update all the way through the flashing process.” but I’m not sure what this means.
I saw this question about having a firmware write protect switch, but it doesn’t seem to answer the question, and in that case couldn’t malicious software just wait until you flipped the switch?
Perhaps I’m oversimplifying this, but I would think a checksum should be enough. Update coreboot then compare the actual hash sum with the expected one, no? Though I suppose that would assume one isn’t dual booting.
That’s my deduction. Please inform me if I’m wrong.
Since coreboot_util has the target hashes, and Matt Devillier signs the coreboot_util commits, it looks like I just need a way to verify Matt Devillier’s signature. Unfortunately I’m not sure how to do that.
Also it would be better to have a signature downstream of something more official.
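The two checks the poster is reaching for, a pinned-fingerprint check on the signature of the coreboot_util commit that carries the target hashes, and a SHA-256 comparison of the flashed/downloaded image against one of those hashes, as an added shell example. This is not coreboot_util's or Purism's code; the fingerprint placeholder, the commit name and the fact that you pass the expected hash in by hand are assumptions, and `git verify-commit` only succeeds once the signer's public key has been imported into your gpg keyring (for example with `gpg --recv-keys <fingerprint>`, after comparing that fingerprint against copies published on other sites, as the Qubes approach below suggests).

```shell
#!/bin/sh
# Added example, not coreboot_util or Purism code.
# TRUSTED_FPR is a placeholder (assumption): replace it with the 40-hex-digit
# fingerprint of the key you have independently confirmed belongs to the signer.
TRUSTED_FPR="${TRUSTED_FPR:-0000000000000000000000000000000000000000}"

# check_validsig STATUS_TEXT FPR
# STATUS_TEXT is gpg --status-fd output, which is what `git verify-commit --raw`
# emits. Succeed only if a VALIDSIG line names exactly the pinned fingerprint;
# a GOODSIG from some other key, or a signature by an unknown key, fails.
check_validsig() {
    status_text="$1"
    fpr="$2"
    printf '%s\n' "$status_text" | grep -q "^\[GNUPG:\] VALIDSIG $fpr "
}

# verify_commit_signer COMMIT FPR
# Run inside the coreboot_util checkout. --raw routes gpg's status lines to
# stderr, so capture both streams and parse them with check_validsig.
verify_commit_signer() {
    commit="$1"
    fpr="$2"
    raw=$(git verify-commit --raw "$commit" 2>&1) || return 1
    check_validsig "$raw" "$fpr"
}

# check_firmware_hash FILE EXPECTED_SHA256
# Compare the image's SHA-256 with the value taken from the verified commit.
# The string compare is what matters: a hash you copied from an unverified
# web page proves nothing, since the same attacker could rewrite both.
check_firmware_hash() {
    file="$1"
    expected="$2"
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# Example usage (both arguments are assumptions; run from the coreboot_util tree):
#   verify_commit_signer HEAD "$TRUSTED_FPR" && \
#   check_firmware_hash coreboot-librem13v2.rom "<sha256 from the verified commit>"
```

The order matters: verify the commit signature first, then read the expected hash out of that verified tree, then compare. Checking only the hash, as the earlier post suggests, leaves open the case where the hash list itself was tampered with, and pinning the fingerprint rather than accepting any "good" signature is what ties the result to the person you actually checked.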
But how could you trust that your method of verifying his signatures is legitimate?
Eventually you’re going to have to make an assumption that everything is ok, up to and including that you’re not currently the victim of a MITM attack. I think if you’re so concerned then you’d be better off building your own ISO, perhaps of another Linux distro.
I’m experimentally trying to figure out best practices in a new space and I may as well see what the best I can do is. It’s a learning process.
The set of all CAs is much larger than the NSA & co. and includes various non-US governments.
Compromising a web server or dev laptop is way easier than compromising an air-gapped dedicated signing computer whose fingerprint I can check on other websites.
Qubes suggests you check their signature and fingerprint on multiple other websites and has a philosophy of not trusting the infrastructure, telling people not to trust the contents of their website, and in the spirit of using Qubes I also try their philosophy unless I find it impractical.