Re: DIY support

Date: 2016-09-22 03:31 am (UTC)
From: (Anonymous)
> Cryptographically signed firmwares are an Intel requirement and have been since Sandy/Ivy Bridge. Go look at Dell or HP and you'll find the exact same requirements for UEFI updates.

I wasn't faulting (or singling out) Lenovo for using a cryptographically-signed firmware at all, nor am I suggesting they break this mold as a potential resolution (and believe it or not, I'm well aware that this practice of crypto-signing firmware is pretty ubiquitous, regardless of how "required" or not it actually is).

However, I am faulting Lenovo for locking us out of AHCI mode in their BIOS.

I'm also using the cryptography as strong evidence that users cannot be reasonably expected to "support themselves" in this scenario -- them large semiprimes man, you guys should just factor them yourselves!

> Flashing a modified firmware via SPI is the only known method for newer Intel platforms due to the signature checks performed during a normal firmware update.

So you somehow think it's perfectly reasonable to expect users that want to set their RAID controllers to AHCI mode in order to install the operating system of their choice on the hardware that they paid for to have to flash a modified firmware via SPI?!

Some of the most highly skilled software engineers that I know don't even know how to solder...

You also mentioned that "flashing a modified firmware via SPI is the only known method for newer Intel platforms due to the signature checks performed during a normal firmware update." That may be true, but it's not true for the affected Lenovo consumer ultrabooks in question -- Lenovo has already released BIOS updates that can be flashed by end users completely in software.

> Sometimes vendors are careless/lazy and people find other ways to flash modified firmwares.

So now it comes down to the "hail mary" of hoping there is some security hole or backdoor instead and that somebody puts in the time and effort to find it, so that we don't have to resort to chip programming? Ridiculous.

> "Go read about this yourself (free eBook on Intel platform security): www.apress.com/9781430265719"

I appreciate the reference, but it seems a little unrelated to the argument at hand, no? Just curious, did you read all 272 pages yourself?
Profile

Matthew Garrett

About Matthew

Power management, mobile and firmware developer on Linux. Security developer at Aurora. Ex-biologist. [personal profile] mjg59 on Twitter. Content here should not be interpreted as the opinion of my employer. Also on Mastodon.
