Searching_ _ _
March 17th, 2009, 03:41 PM
-{ Quote: "Intel EFI is just a DRM BIOS.
Newer BIOSes have unlimited control of your memory and I/O cycles.
The chips in all of your machines nowadays, the BIOS can set a bit, set an address range, and any I/O within a certain address range will get trapped to a system memory management handler.
At that point the BIOS can decide to veto your I/O.
They also implement a full network stack.
It is in the realm of possibility that a BIOS can look at the kinds of things you're writing to disk from the OS using the IDE I/O ports. The BIOS might get upset about the kind of data you're writing to disk and send network packets somewhere. It's all possible.
How do you know what it is doing?
You don't and you can't by design.
According to Intel the cool aspects of EFI:
Things could get intercepted and EFI could take action for us. In fact, EFI could go out, find a server, download a new version of EFI, burn it to flash, all without us knowing or intervening.
The BIOS is able to go off and do things without us knowing." }- http://www.youtube.com/watch?v=QsW88Efgmlk&feature=channel_page
-{ Quote: "What a lot of people don't know is that a lot of the BIOS is operational and can run once you've booted your OS. That should scare people who really care about security. There is a binary thing in there. You don't know where it came from, who wrote it or what it does and it is running while you're running. And that binary thing is happily able to read any piece of memory, any block on disk and do anything it wants with the network." }- http://www.youtube.com/watch?v=X72LgcMpM9k&feature=related
-{ Quote: "In other words, under EFI, there is no guarantee that the OS owns the platform.
Accesses to IDE I/O addresses, or certain memory addresses, can be trapped to EFI code and potentially examined and modified or aborted. Many see this as an effort to build a "DRM BIOS".
I am not sure what the real intent of this design is, but it is a real concern in secure environments (such as those found in governments, banks, and large search engine companies). A number of vendors and users have told me that they are not sure they can ship an EFI system they are willing to trust in a secure environment." }- http://archive.fosdem.org/2007/interview/ronald+g+minnich
Those interested in a fix for this situation should look into Coreboot.
It is currently limited in its support for mainboards, currently 200.
http://www.coreboot.org/Welcome_to_coreboot
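
The quotes above describe firmware code that keeps running after the OS has booted, entered through traps to a system management handler. The following is an added example, not part of the original post: on Linux, a defender can at least count how often that happens by sampling the Intel SMI counter. It assumes an Intel CPU that implements MSR_SMI_COUNT (0x34), the `msr` kernel module loaded, and root; the function names and the fake-device helper are hypothetical.

```python
import os
import struct
import tempfile
import time

MSR_SMI_COUNT = 0x34  # Intel MSR: SMIs serviced since reset (low 32 bits)


def read_smi_count(cpu=0, path=None):
    """Read the SMI counter for one CPU through the Linux msr driver."""
    path = path or f"/dev/cpu/{cpu}/msr"
    fd = os.open(path, os.O_RDONLY)
    try:
        # The msr device uses the file offset as the MSR number.
        raw = os.pread(fd, 8, MSR_SMI_COUNT)
    finally:
        os.close(fd)
    if len(raw) != 8:
        raise OSError("short read from MSR device")
    return struct.unpack("<Q", raw)[0] & 0xFFFFFFFF


def smi_delta(before, after):
    """SMIs taken between two samples, tolerating 32-bit wraparound."""
    return (after - before) & 0xFFFFFFFF


def make_fake_msr(value):
    """Constructed input: a regular file laid out like the msr device."""
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(b"\0" * MSR_SMI_COUNT + struct.pack("<Q", value))
        return f.name


if __name__ == "__main__":
    first = read_smi_count()
    time.sleep(10)  # sampling window; run the workload of interest here
    second = read_smi_count()
    print(f"SMIs in window: {smi_delta(first, second)}")
```

A non-zero delta shows that system management code ran during the window; it does not show what the handler did.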