Re: What do Meltdown and Spectre mean for libreboot x200 user?

[Leah Rowe <info@gluglug.org.uk>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hi Andy,

On 15/01/18 13:25, Andy Wingo wrote:
> Greets,
> 
> On Mon 15 Jan 2018 12:32, Leah Rowe <info@gluglug.org.uk> writes:
> 
>> The implications [of Meltdown/Spectre] at firmware level are 
>> non-existent (for instance, these attacks can't, to my knowledge,
>> be used to actually run/modify malicious code, just read memory,
>> so it's not as if some evil site could install malicious boot
>> firmware in your system).
> 
> I agree that it's unlikely that a site could install boot firmware,
> but AFAIU it's not out of the realm of possibility.  The vector I
> see would be using Meltdown/Spectre to read
> authentication/capability tokens which could be used to gain
> access, either via some other RCE vuln or possibly via remote
> access.  Maybe evil code could find an SSH private key in a mapped
> page, for example, which the evil server could use to SSH directly
> to your machine.  But I admit that it's a bit farfetched :)

If the attack is used in order to gain access to GPG keys, it could be
used to impersonate you. If it is used in order to read private SSH
keys, then it could be used to log onto your servers for instance, and
install malicious firmware.

Of course, this can be mitigated by write-protecting. Libreboot
systems support this, for the most part, though write protection of
boot flash is not enabled by default, for ease-of-use reasons.

It is not far fetched at all. I highly recommend that you take care as
to what code runs on your system, especially with things like web
browsers. If you give someone SSH into a system (e.g. shared server)
but they don't need code execution (e.g. the SSH daemon is there for
them to have SCP access), make sure noexec is set on their directory's
mountpoint. Things like that.

Also make sure that your distro supports reproducible builds, and make
sure that your package manager is configured to retrieve packages
through the Tor network.

The attack can be performed from user space, so make sure that you
have nothing in userspace that could possibly pull off the attack.

- -- 
Leah Rowe

Libreboot developer and project founder.

Use free software. Free as in freedom.
https://www.gnu.org/philosophy/free-sw.html

Use a free BIOS - https://libreboot.org/
Use a free operating system, GNU+Linux.

Support computer user freedom
https://fsf.org/ - https://gnu.org/

Minifree Ltd, trading as Ministry of Freedom | Registered in England,
No. 9361826 | VAT No. GB202190462
Registered Office: 19 Hilton Road, Canvey Island, Essex SS8 9QA, UK |
Web: https://minifree.org/

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEE+JRrnG26iGmvPhSA/0W3TPnRz5QFAlpiACYACgkQ/0W3TPnR
z5RJegf/cyj9BMUixI1OW1iR7UrRjcAyIQoG5dzQ/FvG79w63/PYU+E1OtVa3k3C
c7Wzqn2NSBJKCZOM6JtgMM5J0E7vXCAtUn8r3i+LzjKrKuQUb77GiST5clmELVj1
OzW4ELR9xoSvU8b7RGxwG2TuJ2qoUfZcKQr2b03E9zsn2D8mdYRiWjbsmLh7SfA8
5qq8Ti1eFJnaLq+r4UbvkUfB2FS6U5q5MAq+8yDhOIoLpHFwso/GVMrpujzGmn7F
30pO5xbw99aIgNMMZuGRwuQ8ZsshbUwzJ4WSsgEoZ1+PZrvKRsJgUsAeNPRIdTKO
LJfi9IbmgvipISOoBpj1bIPlt1DOvA==
=bBs6
-----END PGP SIGNATURE-----