Re: What do Meltdown and Spectre mean for libreboot x200 user?

[Leah Rowe <info@gluglug.org.uk>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256



On 19/01/18 14:26, Leah Rowe wrote:
> Hi Andy,
> 
> On 15/01/18 13:25, Andy Wingo wrote:
>> Greets,
> 
>> On Mon 15 Jan 2018 12:32, Leah Rowe <info@gluglug.org.uk>
>> writes:
> 
>>> The implications [of Meltdown/Spectre] at firmware level are 
>>> non-existent (for instance, these attacks can't, to my
>>> knowledge, be used to actually run/modify malicious code, just
>>> read memory, so it's not as if some evil site could install
>>> malicious boot firmware in your system).
> 
>> I agree that it's unlikely that a site could install boot
>> firmware, but AFAIU it's not out of the realm of possibility.
>> The vector I see would be using Meltdown/Spectre to read 
>> authentication/capability tokens which could be used to gain 
>> access, either via some other RCE vuln or possibly via remote 
>> access.  Maybe evil code could find an SSH private key in a
>> mapped page, for example, which the evil server could use to SSH
>> directly to your machine.  But I admit that it's a bit farfetched
>> :)
> 
> If the attack is used in order to gain access to GPG keys, it could
> be used to impersonate you. If it is used in order to read private
> SSH keys, then it could be used to log onto your servers for
> instance, and install malicious firmware.
> 
> Of course, this can be mitigated by write-protecting. Libreboot 
> systems support this, for the most part, though write protection
> of boot flash is not enabled by default, for ease-of-use reasons.
> 
> It is not far fetched at all. I highly recommend that you take care
> as to what code runs on your system, especially with things like
> web browsers. If you give someone SSH into a system (e.g. shared
> server) but they don't need code execution (e.g. the SSH daemon is
> there for them to have SCP access), make sure noexec is set on
> their directory's mountpoint. Things like that.

Do you use Google?
Do you use Twitter?
What about your bank?
Government website?

anything that serves you javascript is a potential threat. Even if an
organisation is benevolent, who is to say that they don't get
compromised at one point and start being used as a vessel for attack
at some point.

- -- 
Leah Rowe

Libreboot developer and project founder.

Use free software. Free as in freedom.
https://www.gnu.org/philosophy/free-sw.html

Use a free BIOS - https://libreboot.org/
Use a free operating system, GNU+Linux.

Support computer user freedom
https://fsf.org/ - https://gnu.org/

Minifree Ltd, trading as Ministry of Freedom | Registered in England,
No. 9361826 | VAT No. GB202190462
Registered Office: 19 Hilton Road, Canvey Island, Essex SS8 9QA, UK |
Web: https://minifree.org/

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEE+JRrnG26iGmvPhSA/0W3TPnRz5QFAlpiANAACgkQ/0W3TPnR
z5TI4gf/bpwmVhu+xCqp+y9+YEm9WVj8b8vGNIwE140uQMIbXY5Ck1lWiBwePJCb
HOa3Mi3zk+wd+JCiuilgmqz8wFyuOBMt+GeJ/w6Gh7WYTMxtHeYOTegMfpEclTLw
8w23UUG+j2zAoUMYoQSZJ7IG163wlSHrKSLMtdHEnktFGhX5qlYJVYeQfr3k2kc3
j/mJuvOEIjLZLPSJxiQvQAKBsdYPw1UFjrcsEcwe6AuPAXnHnmPuft7D1gc47F8g
STy+shxlvkggJAQY6/rdMMRPflC4c2/JU7NtsdexgRICHBs8Akj4h/gN763fsTR5
HSsNRusXUSkLrMYolY6hv9JbnEGBPA==
=PQ/l
-----END PGP SIGNATURE-----