coreboot

Currently I’m looking for a topic to write a thesis about. One of the topics that came to my mind was coreboot. It happend some weeks ago during the presentation from Trammell Hudson about ‘Bootstraping a slightly more secure laptop’.

Knowing that coreboot is running very well on a Lenovo x230 devices and in general on x220/x210/x200 devices I was wondering if there might be any support for my x240? I went to the project page, there have a neat device list. However my x240 wasn’t listed. Why?

A search later I found some critical information. One post on phoronix. Next one on the blog of mjg.

Very simple: Intel added Hardware-based boot integrity protection. This ensure that only the manufacturer of the device can write new firmware to it. Intel Boot Guard (short: BG) is an extended security feature to ensure that security is working well with UEFI. It also prevent anyone to write custom firmware to it. coerboot is such custom firmware. So no coreboot on my x240….

Another idea was to look into the security bubble of the net to find some more information about BG. There is a quite interesting detail about BG. While Intel provides this function, it is not mandatory for a manufacture to enable it. However Lenovo seems to keep it quite tight. Almost, because they missed to enable BG on some of they devices correctly. An attack could add it’s own key to the hardware and create a persistent backdoor that wouldn’t allow any changes. Simple because Lenovo forgot to enable the hardware switch of BG. This switch fuses a key into the hardware. Something that can be done only once. In this presentation you can find some more details.

Unfortunately the x240 wasn’t on the list. So I might need to switch to another devices to do some work with coreboot.

best regards Akendo