You're being paranoid as hell. Here's a nice, secure solution: PUT A BLOODY JUMPER ON THE MOTHERBOARD! OR HOLD A PIN HIGH FOR X PERIOD OF TIME OR SOMETHING. Modern processor sockets have a metric ton of pins, some of which are just there to be pretty. Surely Intel could have left a pin in there to do this.
I understand you're being really really REALLY anal about security, but think of how ridiculous it sounds for someone to open up your laptop, solder a jumper on the board, close it without damage (modern shitty laptop designs with clips make it impossible) and then somehow make a patch for the BIOS.
Not to bloody mention there's really no standard way of flashing BIOSes nowadays. Not even standard tools are guaranteed to do it and chances are they won't. It's far more common to have to do some soldering to even get Coreboot on.
How about the other way around? Have a special, security hardened laptop for a bit more money which is unflashable. There. All's fine with the world.
There's a ton of options and yet you display a bit of sympathy for the vendor/Intel. Also Secure Boot has yet to be used as it was intended to be used as a security feature. Right now it's just an annoyance.
Power management, mobile and firmware developer on Linux. Security developer at Aurora. Ex-biologist. mjg59 on Twitter. Content here should not be interpreted as the opinion of my employer. Also on Mastodon.
no subject
Date: 2015-02-16 11:45 pm (UTC)