[Cryptography] practical verifiable systems -- forensic and otherwise, cheap and otherwise

Wed Mar 4 05:44:48 EST 2015

On Mon, Mar 2, 2015 at 8:09 PM, John Denker <jsd at av8n.com> wrote:

> ...
> IMHO the next step is securing the BIOS.  Again
> the logic is simple:  If you can't trust the BIOS,
> you can't trust anything else.  Conversely, a
> trusted BIOS can vet the other components.  For
> starters, it can demand a valid cryptologic signature
> for BIOS updates.  Similarly it can demand a valid
> crypto sig on the software it reads from disk at
> boot time.  These things can be signed multiple
> times, once by each of the interested parties.
> This would make life noticeably more difficult for
> anybody who wants to bugger the firmware in your
> disk drives.
>
> Open-source auditable BIOS implementations exist.
>   http://www.openfirmware.info/Welcome_to_OpenBIOS
>   http://www.coreboot.org/

The process you are describing sounds like Secure Boot / Verified Boot /
Boot Guard.

When it comes to measured boots with Trusted Execution (TXT), the lack of
visibility into the BIOS is a big gap because of SMM. You can detect when
the BIOS has changed, but don't know that the SMM loaded by BIOS is
actually good.

I've talked to some platform vendors about this issue. Nobody has been able
to provide:
- A list of known BIOS measurements. A couple vendors mentioned NIST
800-155, but hadn't done anything.
- BIOS source access. One vendor said that the only people they provided
BIOS source access to were the US DoD and that was after a very long
negotiation. This is probably a non-starter.
- A SMM Transfer Montior implementation. Only one person I've spoken with
knew of an actual STM implementation, which was only for client systems
used by, again, the US DoD.

Some of the challenges I've run into:
- Platform vendors don't write their own BIOSes. They may get binary blobs
from one or more outside vendors. No single vendor seems to know what is
going on.
- SMM in server systems may actually provide complex functionality (e.g.
power management, memory hot swapping, etc). Implementing a meaningful STM
may not be possible without crippling that functionality. That's why the
only working STM is for more simple client systems which don't do much in
SMM.
- One platform vendor's BIOS measurement is different on each individual
machine. This is bizarre, makes the measurement worthless, and acts
effectively as a unique machine identifier. The good news is they are
fixing the issue.

I like Coreboot but support is still pretty limited.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20150304/05e1b1f9/attachment.html>