I'm very curious about this too. I'm going to build my own workstation computer, or perhaps buy one from a boutique computer manufacturer, but I'd very much like BootGuard to raise the bar so total system compromise is not as simple as buying an SPI flasher. I wish I knew how to even tell if it is enabled.
If I cannot do this, I've got two questions which I hope someone can answer:
1) Is buying an SPI reader and verifying the BIOS manually enough, or is there extra firmware which BootGuard verifies that an SPI reader would miss?
2) Is there any risk at all of a Linux system being compromised if the BIOS is modified at runtime? In other words, does Linux execute AML, or read anything from the actual BIOS flash chip while it is running?
Power management, mobile and firmware developer on Linux. Security developer at Aurora. Ex-biologist. mjg59 on Twitter. Content here should not be interpreted as the opinion of my employer. Also on Mastodon.
Re: DOS?
Date: 2016-02-29 11:26 pm (UTC)