BIOS updates in qubes


Buck Smith

Jun 2, 2016, 7:54:28 PM
to qubes-users
With a Dell laptop running qubes, presumably no BIOS updates happen, right? One could still get attacked via BIOS if someone had physical access to machine to swap out a part. But not over internet. Agree? Disagree?

Chris Laprise

Jun 2, 2016, 8:30:35 PM
to Buck Smith, qubes-users

That is one of Qubes' reasons for existence and why it uses Xen: To
prevent remote attacks against the most trusted parts of the system,
like BIOS.

Also, Qubes anti-evil maid package can detect BIOS tampering at boot
time, which helps against both remote and physical attacks against your
firmware.

Chris

Andrew David Wong

Jun 3, 2016, 5:33:38 PM
to Buck Smith, qubes-users

On 2016-06-02 16:54, Buck Smith wrote:
> With a Dell laptop running qubes, presumably no BIOS updates
> happen, right?

Do you mean automatically? If so, correct. (But I think that's true of
most OSes.)

> One could still get attacked via BIOS if someone had physical access
> to machine to swap out a part.

Correct. (Swapping out a part is one way, but there are potentially
"easier" ways too.)

> But not over internet. Agree? Disagree?

Depends on what you mean by "over internet." I've noticed that UEFI on
recent motherboards typically has the ability to update itself over
the internet from within the UEFI itself. Qubes can't prevent that,
because Qubes isn't even running at that point (though AEM should
detect such changes after the fact.)

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
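
Boot-time tamper detection of the kind mentioned above rests on TPM measured boot: each boot component is hashed into a register (PCR) with an extend operation, and a secret sealed to the expected PCR value is released only when the boot measured to that value. The following is an added example, not part of the original post and not AEM's code; it simulates the idea in Python, with SHA-256 standing in for the TPM's hash and all component blobs and the secret being constructed sample data.

```python
import hashlib
import hmac
from typing import List, Optional

def extend(pcr: bytes, blob: bytes) -> bytes:
    """TPM-style extend: new PCR = H(old PCR || H(blob)). There is no 'set' operation."""
    return hashlib.sha256(pcr + hashlib.sha256(blob).digest()).digest()

def measure(chain: List[bytes]) -> bytes:
    """Replay an ordered boot chain into one PCR that starts at all zeros."""
    pcr = bytes(32)
    for blob in chain:
        pcr = extend(pcr, blob)
    return pcr

def seal(secret: str, chain: List[bytes]) -> dict:
    """Bind a secret to the PCR value this chain produces.
    (Simulation only: a real TPM keeps the binding inside the chip.)"""
    return {"secret": secret, "pcr": measure(chain)}

def unseal(sealed: dict, booted_chain: List[bytes]) -> Optional[str]:
    """Release the secret only if this boot measured to the sealed PCR value."""
    if hmac.compare_digest(sealed["pcr"], measure(booted_chain)):
        return sealed["secret"]
    return None

# Constructed sample data, not real firmware images.
FIRMWARE_OLD = b"vendor firmware build A (constructed)"
FIRMWARE_NEW = b"vendor firmware build B (constructed)"
LOADER = b"bootloader (constructed)"
HYPERVISOR = b"hypervisor + dom0 kernel (constructed)"

TRUSTED_CHAIN = [FIRMWARE_OLD, LOADER, HYPERVISOR]
CHANGED_CHAIN = [FIRMWARE_NEW, LOADER, HYPERVISOR]  # firmware changed outside the OS

if __name__ == "__main__":
    sealed = seal("my boot-time secret phrase", TRUSTED_CHAIN)
    print("normal boot     :", unseal(sealed, TRUSTED_CHAIN))
    # The changed firmware measures differently, so the user is shown no secret.
    print("after fw change :", unseal(sealed, CHANGED_CHAIN))
    # A change the owner made on purpose requires re-sealing from the new state.
    sealed = seal("my boot-time secret phrase", CHANGED_CHAIN)
    print("after re-sealing:", unseal(sealed, CHANGED_CHAIN))
```

The check happens on the next boot, so a firmware change is noticed after it has occurred and is not blocked.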

Zrubi

Jun 6, 2016, 9:46:38 AM
to Buck Smith, qubes-users
Modern BIOS/EFI systems may have a remote management interface. (Dell
and Lenovo business models surely have.) This feature is nice to have in
a corporate environment, where your machine is managed by your company.

If it is not disabled and/or not protected then your BIOS may be
reached from the internet (but at least from your LAN). In that case, no
matter what OS you are running, the "boss" is the one who is controlling
your BIOS.

I'm one who does not even believe that a disabled feature in BIOS is
even real ;) So you can never know until you prove it. The same
applies to ~all the Intel v-pro features.


A standard manual BIOS update really depends on you. Some are
following the "do not repair it if it's not broken" process. Some will
update immediately after release.

You must trust the provider of your BIOS fully. Lenovo is at least
providing hashes for their firmware. Others may not even care about
such things...



--
Zrubi

Achim Patzner

Jun 9, 2016, 5:13:13 PM
to qubes...@googlegroups.com
On 06.06.2016 at 15:46, Zrubi wrote:
> Modern BIOS/EFI systems may have a remote management interface. (Dell
> and Lenovo business models surely have.)

At least in the case of Lenovo that is not necessarily true. Even the P
series can be ordered in non-vPro configuration. And even if you did you
will find FRU numbers for replacement parts that are lacking vPro
capabilities. You can reduce the attack surface by actually configuring
that stuff (thus generating keys of appropriate sizes) instead of having
to trust the firmware to correctly disable it.

> The same applies to ~all the Intel v-pro features.

The vPro features need support from peripherals. If you don't use an
Intel NIC it won't work.


Achim

FRU... I really like that mainframe tech-speak -- Field Replaceable Unit,
something that was probably invented when the Druids built Woodhenge and
had to bring in new stones.