Security of firmware update process

Is the firmware update process pwnable by any certificate authority that ships with the laptop?

The firmware update utility is downloaded via wget over https: https://source.puri.sm/coreboot/utility#usage

https://puri.sm/coreboot/ says “The script uses only files available from public Purism repositories, and performs numerous checks to ensure the integrity of the downloaded/compiled firmware update all the way through the flashing process.” but I’m not sure what this means.

I saw this question about having a firmware write protect switch, but it doesn’t seem to answer the question, and in that case couldn’t malicious software just wait until you flipped the switch?

Perhaps I’m oversimplifying this, but I would think a checksum should be enough. Update coreboot then compare the actual hash sum with the expected one, no? Though I suppose that would assume one isn’t dual booting.

That’s my deduction. Please inform me if I’m wrong.

How do you get the checksum of PureBoot firmware without asking PureBoot itself?

I meant the computer could do that check itself when it updates. If you’re wanting to check it yourself then I suppose you’d have to ask purism

Since coreboot_util has the target hashes, and Matt Devillier signs the coreboot_util commits, it looks like I just need a way to verify Matt Devillier’s signature. Unfortunately I’m not sure how to do that.

Also it would be better to have a signature downstream of something more official.

But how could you trust that your method of verifying his signatures is legitimate?

Eventually you’re going to have to make an assumption that everything is ok, up to and including that you’re not currently the victim of a MITM attack. I think if you’re so concerned then you’d be better off building your own ISO, perhaps of another Linux distro.

well Snowden released the documents about NSA’s TURMOIL and TURBINE … a much faster and elegant solution than what you are worried about …

  1. I’m experimentally trying to figure out best practices in a new space and I may as well see what the best I can do is. It’s a learning process.
  2. The set of all CAs is much larger than NSA&co and includes various non-US governments.
  3. Compromising a web server or dev laptop is way easier than compromising an airgapped dedicated signing computer whose fingerprint I can check on other websites.
  4. Qubes suggests you check their signature and fingerprint on multiple other websites and have a philosophy of not trusting the infrastructure, telling people not to trust the contents of their website, and in the spirit of using Qubes I also try their philosophy unless I find it impractical.

okay … now it’s clear why you asked … you can obtain the source code for the firmware, can you not? you can also re-flash yourself your own after you verified, no?

I misunderstood, git’s “signed off by” does not mean an actual cryptographic signature AFAICT.
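Pulling together the checks this thread argues about (a signing-key fingerprint pinned out of band, a detached signature over the image, the published hash, and a read-back of the flash after writing), as an added example that is not Purism’s coreboot_util script; the URLs, file names, hash and fingerprint are placeholders to be replaced with values verified independently.

```shell
#!/bin/sh
# Added example: verify a firmware image before and after flashing.
# Assumed placeholders: the URLs, file names, hash and fingerprint below are
# not Purism's; substitute values you have verified out of band.
set -u

FIRMWARE_URL="https://example.invalid/coreboot.rom"        # placeholder
SIGNATURE_URL="https://example.invalid/coreboot.rom.asc"   # placeholder
EXPECTED_SHA256="REPLACE_WITH_PUBLISHED_SHA256"            # placeholder
PINNED_FPR="REPLACE_WITH_PINNED_40_HEX_FINGERPRINT"        # placeholder

# Return 0 when the file's SHA-256 equals the expected hex digest.
verify_sha256() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# Return 0 only when gpg reports a VALIDSIG made by the pinned fingerprint;
# a valid signature from any other key in the keyring is still rejected.
verify_detached_sig() {
    gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null \
        | grep -q "^\[GNUPG:\] VALIDSIG $3 "
}

# Read the chip back and confirm it holds exactly the image that was written.
verify_readback() {
    flashrom -p internal -r readback.rom >/dev/null 2>&1 || return 1
    verify_sha256 readback.rom "$(sha256sum "$1" | cut -d' ' -f1)"
}

update_firmware() {
    wget -q -O coreboot.rom "$FIRMWARE_URL" || return 1
    wget -q -O coreboot.rom.asc "$SIGNATURE_URL" || return 1
    verify_sha256 coreboot.rom "$EXPECTED_SHA256" || { echo "hash mismatch"; return 1; }
    verify_detached_sig coreboot.rom coreboot.rom.asc "$PINNED_FPR" \
        || { echo "signature not from pinned key"; return 1; }
    flashrom -p internal -w coreboot.rom || return 1
    verify_readback coreboot.rom || { echo "flash read-back differs"; return 1; }
    echo "firmware verified and flashed"
}

# Only perform the update when explicitly asked, so the functions can be
# sourced or tested without touching the network or the flash chip.
if [ "${1:-}" = "update" ]; then
    update_firmware
fi
```

Run it as `sh update.sh update`; the hash check alone does not establish who produced the image, which is why the pinned-fingerprint signature check sits before the write.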