AMD SecureBoot on Deciso devices

[TommyTran732]

Hi,

I am looking to buy some Deciso appliances (mostly like the DEC695). I wonder if AMD SecureBoot is enabled on these devices? (Just to be clear, I am referring to the AMD Secure Boot that verifies the UEFI firmware, not UEFI Secure Boot).

I saw devices from other brands allowing users to just flash arbitrary boot firmware onto the devices and am not too happy about it, so I am hoping that Deciso devices will be different.

Thanks,
Tommy

[AdSchellevis]

Hi Tommy,

Our [2]600 series appliances use coreboot, the faster devices use an EFI payload (from insyde). I don't think you can actually fully guard the efi firmware without secure boot for the operating system to be honest.
Since FreeBSD/OPNsense secure boot is limited we're not offering/supporting it on our devices.

Best regards,

Ad

[TommyTran732]

Hi Schellevis,

Could you elaborate a bit more on this? What's stopping the EFI firmware from being verified regardless of the Secure Boot state of the operating system?

Thanks,
Tommy

[AdSchellevis]

Hi Tommy,

By my knowledge in (almost?) all systems the flash rom is connected to an spi controller which you can access from the operating system as well. Unless these addresses are protected, you can upload new firmware into the chip. When secure boot is properly configured, it should be able to prevent that, but in most systems I know of you can only load device drivers and low level code (which might break the chain of trust) from trusted (signed) sources.

If you are able to reach low level interfaces (on any platform), it's almost impossible to fully protect it further. Realistically on your firewall you do not want to offer shell access to anyone (but admins) to prevent bad things from happening.

I'm not sure what you mean by "...the EFI firmware from being verified..", the payload in the flash chip is more or less the only thing being executed during boot (which is in writable storage). For the [2]600 series coreboot is used, which is a regular bios type as I mentioned earlier.

Best regards,

Ad

[TommyTran732]

Hi Schellevis,

I meant that I want the boot to be rejected in case an attacker has somehow loaded firmware which does not match Deciso's signature into the flash chip (be it a through physical attack or some sort of exploit).

I am pretty sure that this can be set up by the OEM regardless of the UEFI Secure Boot state. Take a modern laptop for example - I don't think that anyone can just flash random boot firmware without bricking the device because of Intel Bootguard / AMD Platform Secure Boot. One can disable UEFI Secure Boot and use FreeBSD and their firmware will still be protected. It would really be nice if the Deciso devices have these.

Also, I am a bit confused by the notation "[2]600 series". Do you mean the DEC675 and DEC695? In any case, I ended up ordering a DEC750 so it should have UEFI, right?

[AdSchellevis]

DEC675, DEC695 and the rack model DEC2685 use coreboot as mentioned.

I'm not really into debate, but I'm quite sure if you can flash the chip, it's impossible to protect against that. Quite some laptops require the os to use secure boot by default to safeguard the (complete) process.  If you disable secure boot and boot into the os with the proper tools you are usually able to flash the chip in my experience.

Br,

Ad

[TommyTran732]

Hi,

Okay, I won't debate. I am just leaving some links here in case you guys revisit this in the future:

https://www.amd.com/system/files/documents/amd-security-white-paper.pdf
https://www.amd.com/en/technologies/pro-security
https://www.servethehome.com/amd-psb-vendor-locks-epyc-cpus-for-enhanced-security-at-a-cost/

Regards,
Tommy