[personal profile] mjg59
According to the update here, the signing keys are supposed to be replaced by the hardware vendor. If vendors do that, this ends up being uninteresting from a security perspective - you could generate a signed image, but nothing would trust it. It should be easy enough to verify, though. Just download a firmware image from someone using AMI firmware, pull apart the capsule file, decompress everything and check whether the leaked public key is present in the binaries.

The real risk here is that even if most vendors have replaced that key, some may not have done. There's certainly an argument that shipping test keys at all increases the probability that a vendor will accidentally end up using those rather than generating their own, and it's difficult to rule out the possibility that that's happened.

Serial numbers

Date: 2013-04-06 06:43 am (UTC)
From: [identity profile] https://www.google.com/accounts/o8/id?id=AItOawlLs9iS_3tD66RyXW7fqCuH718SofieGu8
A good heuristic is to check the serial number of your BIOS and any other hardware IDs you can find. Is it something random-looking, something serial-number-ish like 1000056420, or an obviously-fake entry like 1000000001 or 123456789?

If it looks random, search the web: if Google finds one of "your" UUIDs, it's hardly unique and the vendor is a lazy bastard who should know better.

Re: Serial numbers

Date: 2013-04-06 06:45 am (UTC)
From: (Anonymous)
Apparently, logging in with OpenID is not exactly well-supported here …

Date: 2013-04-11 01:27 am (UTC)
From: (Anonymous)
The PK cert that comes with the Z77 I have is issued by "DO NO TRUST - AMI Test PK"


Matthew Garrett

About Matthew

Power management, mobile and firmware developer on Linux. Security developer at CoreOS. Member of the Linux Foundation Technical Advisory Board and the Free Software Foundation board of directors. Ex-biologist. @mjg59 on Twitter. Content here should not be interpreted as the opinion of my employer.

Expand Cut Tags

No cut tags