Linked by Thom Holwerda on Sun 29th Oct 2017 17:44 UTC
Google

Two weeks ago, security researchers managed to disable the Intel Management Engine, and last week, Google held a talk at the Open Source Summit (née LinuxCon) in which they unveiled their plans to completely (well, almost completely) replace every bit of code between the operating system you know about (Windows, Linux, BSD, whatever) and the bare metal x86 processor (Intel-only, for now).

With the WikiLeaks release of the vault7 material, the security of the UEFI (Unified Extensible Firmware Interface) firmware used in most PCs and laptops is once again a concern. UEFI is a proprietary and closed-source operating system, with a codebase almost as large as the Linux kernel, that runs when the system is powered on and continues to run after it boots the OS (hence its designation as a "Ring -2 hypervisor"). It is a great place to hide exploits since it never stops running, and these exploits are undetectable by kernels and programs.

Our answer to this is NERF (Non-Extensible Reduced Firmware), an open source software system developed at Google to replace almost all of UEFI firmware with a tiny Linux kernel and initramfs. The initramfs file system contains an init and command line utilities from the u-root project (http://u-root.tk/), which are written in the Go language.

Both the slides from the talk and the video are available.

Thread beginning with comment 650419
To read all comments associated with this story, please click here.
am i missing something
by codifies on Sun 29th Oct 2017 21:42 UTC
codifies
Member since:
2014-02-14

coreboot, libreboot, openbios...

there are alternatives already... auditable alternatives....

Reply Score: 3

RE: am i missing something
by The1stImmortal on Sun 29th Oct 2017 22:01 in reply to "am i missing something"
The1stImmortal Member since:
2005-10-20

coreboot, libreboot, openbios...

there are alternatives already... auditable alternatives....

And none of those seem to address the Intel IME/AMD PSP security coprocessor issue. This one at least plans to, though how successful it can be I don't know.

Edited 2017-10-29 22:01 UTC

Reply Parent Score: 4

RE[2]: am i missing something
by FlyingJester on Mon 30th Oct 2017 20:34 in reply to "RE: am i missing something"
FlyingJester Member since:
2016-05-11

Why wouldn't you just put that into one of the existing (shipping) solutions, like Coreboot?

Reply Parent Score: 3

RE: am i missing something
by zima on Tue 31st Oct 2017 23:58 in reply to "am i missing something"
zima Member since:
2005-07-06

I'm partial to the Open Firmware (of which openbios, which you mention, seems to be an implementation) - used in many ~alternative systems (like Pegasos for MorphOS) or in the One Laptop Per Child XO-1 ...not chosen over UEFI seemingly because it just wasn't done by Intel.

And written in Forth... (one day I'll learn it, I promise ;) )

Edited 2017-11-01 00:06 UTC

Reply Parent Score: 3