Linked by Thom Holwerda on Sun 29th Oct 2017 17:44 UTC
Google

Two weeks ago, security researchers managed to disable the Intel Management Engine, and last week, Google held a talk at the Open Source Summit (née LinuxCon) in which they unveiled their plans to completely (well, almost completely) replace every bit of code between the operating system you know about (Windows, Linux, BSD, whatever) and the bare metal x86 processor (Intel-only, for now).

With the WikiLeaks release of the vault7 material, the security of the UEFI (Unified Extensible Firmware Interface) firmware used in most PCs and laptops is once again a concern. UEFI is a proprietary and closed-source operating system, with a codebase almost as large as the Linux kernel, that runs when the system is powered on and continues to run after it boots the OS (hence its designation as a "Ring -2 hypervisor"). It is a great place to hide exploits since it never stops running, and these exploits are undetectable by kernels and programs.

Our answer to this is NERF (Non-Extensible Reduced Firmware), an open source software system developed at Google to replace almost all of UEFI firmware with a tiny Linux kernel and initramfs. The initramfs file system contains an init and command line utilities from the u-root project (http://u-root.tk/), which are written in the Go language.

Both the slides from the talk and the video are available.

Permalink for comment 650421
To read all comments associated with this story, please click here.
Brendan
Member since:
2005-11-16

Hi,

I think the larger problem is, how do you verify that the firmware code is actually compiled from that particular source? If you cannot load your own firmware (I know, a pipe dream) how is this different than the current situation? Not just that, if a vulnerability in the current code is found, can you actually update it yourself?


The other problem is that if you want to do something else (e.g. boot Haiku from USB, boot MS-DOS from CD-ROM, boot FreeBSD from hard drive, etc) you're screwed because they stripped out all of the "non essential" functionality, and if you want to change your hardware (e.g. upgrade the video card) you're also screwed because that'd require a little extensibility.

Mostly it sounds like they're using "open source" as yet another form of vendor lock-in; to make sure the computer will only ever be able to run one specific OS and nothing else (e.g. maybe a special Linux distro created by Google, for Google's benefit and not yours).

- Brendan

Reply Parent Score: 3