Author Topic: Tutorial: Howto install opensource bios on a cheap and fast laptop  (Read 2820 times)

0 Members and 1 Guest are viewing this topic.

Offline yorijori

  • Newbie
  • *
  • Posts: 11
    • View Profile
hey, can you please check the link? cannot open it, thanks

Offline CastAway33

  • Newbie
  • *
  • Posts: 16
    • View Profile

Offline JoeyD

I put some links at the start of the tutorial. Also check out the libreboot website for more info on the subject. Also you could just do an online search with some keywords like "bios" and "exploit" and you run into things like this. I don't believe that other manufacturers are not doing similar shady stuff.

Intel-me is part of a remote management system that all Intel systems have since 2006. It is like a little second computer living hidden inside your pc, that has free access to (among other things) everything that goes through your system RAM and your network. It's just like a little gremlin, nothing to fear as long as you don't feed it after midnight. AMD has a similar system in place, with as far as I know no way to clean or isolate, so that won't help you either.

Another problem is with bios being a blackbox with who-knows what kind of hidden features and relies security through obscurity. The latter has proven to be unreliable time and again. So while I don't dare to say that opensource bios is not exploitable, there at least things are out in the open and I can download a fix as soon as it is available, instead of being at the mercy of the manufacturers. Btw besides bios there are many more ways a manufacturer could build in exploits, but open-hardware is just not getting the same traction as opensource software is.

Usb is another completely open avenue. Usb-sticks also are like little programmable computers and can be used to do all kinds of nasty stuff. With tools for it available online. The usb thing is especially nasty because there is no way to protect yourself from it through software. Well maybe the Qubes-OS-way could work kinda, as they isolate all usb-hardware in it's own virtual machine box, where you have to manually direct all the devices. But again, who checks if the firmware on their usbsticks has been compromised? Still there is no point in isolating it, if you are just going to pass it through anyway. At least qubes-os offers you some ways to deal with the problem, as long as you adapt your behavior and are aware of the risks.

As an example of having to adapt your behavior in qubes-os: Instead of passing through usb-devices, you should open the untrusted usb-stick in an untrusted or temporary qube(as they seem to like to call it), and only copy the files from the stick to another qube. E-mails or files from an untrusted source could be handled similarly. Only open and edit them in a temporary or untrusted qube and once done, destroy the untrusted qube (that's done automatically for the temporary ones) and there is less change of opening or running a malicious program affecting your trusted qubes.

EDIT
Exploit of Intel-AMT confirmed.
« Last Edit: June 13, 2017, 09:43:37 am by JoeyD »

Offline EH1985

  • Newbie
  • *
  • Posts: 1
    • View Profile
    • www.whai.ie
Hey,

Never heard about "insecure BIOS" issues before, is that a real concern? I mean I'm not doing anything illegal on my computer, but still, privacy is privacy... Should have gotten a PC with an AMD processor, heard these are a bit less powerful, but at least spy-free.

Offline JoeyD

Hello guys,

Recently I was asked to make some laptops more secure by installing coreboot on them and removing most of Intel-ME crap. It took me a while to figure out and cost me a whole lot more than the 30 to 60 minutes I had planned, but to prevent you from running into the same issues I've published a tutorial about it  steemit: https://steemit.com/tutorial/@JoeyD/run-don-t-walk-from-the-blob

Once I finally figured out the missing bits,  it was just a matter of following the steps as I've written down in that tutorial. The things that take the most time during the whole process are installing the software and the compile phase of the coreboot toolchain. But having a little more peace of mind is worth it in my opinion.
« Last Edit: June 11, 2017, 11:13:34 pm by JoeyD »