Qubes AEM: write protecting BIOS is not possible


tetra...@danwin1210.me

Mar 9, 2021, 3:34:01 AM
to qubes...@googlegroups.com
The [Qubes AEM docs](https://github.com/QubesOS/qubes-antievilmaid)
recommend:

> Some hints: connect the write protect pin on BIOS flash chip to ground
> (prevents attacker from booting their own software which would bypass
> BIOS protections and overwrite it) and make sure physically accessing
> the chip will be tamper-evident by eg. covering the screws holding
> laptop body together in glitter and taking high-res photos, then
> examining before each use.

However, the given suggestion will do nothing on most laptops, providing
a false sense of security.

The reason is that many/most BIOS flash chips require the SRWD and block
protect bits to be set **in software** before the **hardware** write
protect pins will do anything.

Unfortunately, Flashrom does not currently support setting these bits,
though there is an open proposal to add support:
https://github.com/flashrom/flashrom/issues/142
https://github.com/flashrom/flashrom/issues/185
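To make the point about SRWD and the block-protect bits concrete, here is an added Python example (not part of the original post, and not flashrom code) that decodes a JEDEC-style SPI NOR status register and decides whether a grounded WP# pin actually locks anything. The bit layout (SRWD in bit 7, TB in bit 5, BP2..BP0 in bits 4..2) and the block-protect size encoding are assumptions modelled on common Winbond/Macronix-style parts; the real chip's datasheet is authoritative, and the sample register values are constructed.

```python
"""Decode a JEDEC-style SPI NOR status register (SR1) and decide whether a
grounded WP# pin protects anything.

Assumed SR1 layout (vendor layouts vary; check the datasheet):
  bit 7     SRWD/SRP0  status-register write disable: only when this bit
                       is set AND WP# is low is SR1 itself locked
  bit 5     TB         protect from the bottom (1) instead of the top (0)
  bits 4..2 BP2..BP0   block-protect level
The block-protect size encoding in protected_range() is likewise an
assumption for illustration.
"""

SRWD_BIT = 1 << 7
TB_BIT = 1 << 5
BP_SHIFT = 2
BP_MASK = 0b111


def bp_level(sr: int) -> int:
    """Extract the 3-bit block-protect level from SR1."""
    return (sr >> BP_SHIFT) & BP_MASK


def protected_range(sr: int, chip_size: int, block: int = 64 * 1024):
    """Return (start, end) of the region the BP bits protect, or None.

    Assumed encoding: BP=0 protects nothing, BP=7 protects the whole chip,
    otherwise block << (BP-1) bytes at the top (TB=0) or bottom (TB=1).
    """
    bp = bp_level(sr)
    if bp == 0:
        return None
    if bp == BP_MASK:
        return (0, chip_size)
    size = min(chip_size, block << (bp - 1))
    if sr & TB_BIT:
        return (0, size)
    return (chip_size - size, chip_size)


def assess(sr: int, wp_pin_low: bool, chip_size: int) -> dict:
    """Combine the software-set bits with the hardware WP# pin state.

    The pin only matters once SRWD is set: with SRWD clear, any host software
    can rewrite SR1, clear the BP bits and then flash the chip regardless of
    where the pin is tied.
    """
    sr_locked = bool(sr & SRWD_BIT) and wp_pin_low
    rng = protected_range(sr, chip_size)
    if not sr_locked:
        verdict = ("status register writable: software can clear BP, so "
                   "grounding WP# alone protects nothing")
    elif rng is None:
        verdict = ("status register locked, but BP=0 so no region is "
                   "protected: flash remains fully writable")
    else:
        verdict = "region 0x%06x-0x%06x write-protected; confirm it covers the boot block" % (
            rng[0], rng[1] - 1)
    return {"sr_locked": sr_locked, "protected": rng, "verdict": verdict}


if __name__ == "__main__":
    chip = 8 << 20  # constructed: an 8 MiB part
    # Constructed SR1 values: pin grounded per the AEM hint, but bits differ.
    for label, sr in [("factory default, BP=0, SRWD=0", 0x00),
                      ("SRWD=1, BP=0", 0x80),
                      ("SRWD=1, BP=1 (top 64 KiB)", 0x80 | (1 << BP_SHIFT)),
                      ("SRWD=1, BP=7 (whole chip)", 0x80 | (7 << BP_SHIFT))]:
        print("%-34s -> %s" % (label, assess(sr, True, chip)["verdict"]))
```

Read the SR1 value from your own programmer or flash tool, then feed it to assess() with the actual WP# wiring; a result of sr_locked False with the pin grounded is exactly the false sense of security the post describes.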