On Sat, 2011-08-27 at 11:18 -0700, Li, David wrote:
We can't prevent others from tempering the firmware. That's
a
requirement.
I'm not sure what that means. Do you mean that you aren't allowed to
employ physical anti-tamper mechanisms at all?
What if the firmware update (e.g. BIOS or UEFI) has to be
cryptographically verified? For example the new firmware has to be
hashed and signed by the authorized vendor. The existing firmware has
the capability to verify the hash and signature during the upgrade.
Is this strong enough to prevent firmware tempering?
That only helps with firmware update via software mechanism, not via
direct re-flashing or replacement of the BIOS flash chip. And it only
helps if that software update mechanism is itself trustworthy and
unbypassable.
--
Stephen Smalley
National Security Agency