31
Hardware and Performance / Re: AMD SecureBoot on Deciso devices
« on: July 17, 2023, 09:00:10 am »
Hi Tommy,
By my knowledge in (almost?) all systems the flash rom is connected to an spi controller which you can access from the operating system as well. Unless these addresses are protected, you can upload new firmware into the chip. When secure boot is properly configured, it should be able to prevent that, but in most systems I know of you can only load device drivers and low level code (which might break the chain of trust) from trusted (signed) sources.
If you are able to reach low level interfaces (on any platform), it's almost impossible to fully protect it further. Realistically on your firewall you do not want to offer shell access to anyone (but admins) to prevent bad things from happening.
I'm not sure what you mean by "...the EFI firmware from being verified..", the payload in the flash chip is more or less the only thing being executed during boot (which is in writable storage). For the [2]600 series coreboot is used, which is a regular bios type as I mentioned earlier.
Best regards,
Ad
By my knowledge in (almost?) all systems the flash rom is connected to an spi controller which you can access from the operating system as well. Unless these addresses are protected, you can upload new firmware into the chip. When secure boot is properly configured, it should be able to prevent that, but in most systems I know of you can only load device drivers and low level code (which might break the chain of trust) from trusted (signed) sources.
If you are able to reach low level interfaces (on any platform), it's almost impossible to fully protect it further. Realistically on your firewall you do not want to offer shell access to anyone (but admins) to prevent bad things from happening.
I'm not sure what you mean by "...the EFI firmware from being verified..", the payload in the flash chip is more or less the only thing being executed during boot (which is in writable storage). For the [2]600 series coreboot is used, which is a regular bios type as I mentioned earlier.
Best regards,
Ad