Mele20 Premium join:2001-06-05 Hilo, HI kudos:4 | reply to StuartMW
Re: AMIBIOS Source Code and AMI's UEFI Signing Key Leaked
I doubt many have floppy drives anymore....even USB external ones.
Dell has a BIOS update for this computer and it says:
"Dell recommends applying this update during your next scheduled update cycle. The update contains feature enhancements or changes that will help keep your system software current and compatible with other system modules (firmware, BIOS, drivers and software).
Fixes & Enhancements Update Dell diagnostic tool."
Then Dell goes on to give instructions on flashing through Windows (although at the top of the page Dell talks about using the internal floppy drive...geez...Dell hasn't sold computers with a floppy drive in about 6 years).
I think I will pass. Diagnostics is online now so I am not sure why I would need to update the BIOS for the online tool to work.
Dell doesn't explain that one should have a UPS if attempting BIOS update.
-- When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson |
|
StuartMW Who Is John Galt? Premium join:2000-08-06 Galt's Gulch kudos:2 Reviews:
·CenturyLink
| reply to TheMG
said by TheMG: There's a very simple solution to prevent BIOS from being maliciously modified/replaced: a BIOS write-protect jumper on the motherboard.
That worked back in the days when flash memory chips had a physical pin that supplied power for programming/erase/writing operations. The jumper/switch isolated the power so flash updating was impossible.
Flash chips nowadays do not require this separate pin for power which is why you no longer see the jumpers/switches. Instead the chips have an internal charge-pump (which is enabled by software) to allow writing. -- Don't feed trolls--it only makes them grow! |
|
StuartMW Who Is John Galt? Premium join:2000-08-06 Galt's Gulch kudos:2 Reviews:
·CenturyLink
| reply to OZO
said by OZO: Or a BIOS option (preventing from overwriting the BIOS), that can't be changed from OS...
That wouldn't be possible.
BIOS update software operates by directly accessing the flash memory which the BIOS firmware resides in. On all the PCs I've ever flashed the updater I used was an MS-DOS (boot from floppy etc) program even when a Windows version was available.
Many flash chips have a key or series of keys that must be written in order for flash writes to work. The purpose of that is to reduce the risk of "run away" code from accidentally writing to flash. It is not a security feature as such.
BTW this is not theoretical. I've written code, that is software, to do all this for a variety of flash devices.
PS: Flash memories (chips) usually have a mechanism for software to identify them (manufacturer, device etc) so the appropriate programming/writing algorithm can be determined. That's why there are "generic" BIOS updaters. -- Don't feed trolls--it only makes them grow! |
|
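Added example (not part of the thread and not any poster's code): a small C model of a flash chip's command decoder, illustrating the point in the post above that the "key" writes stop stray writes but are a fixed sequence any software with bus access can issue, and that the same mechanism lets software read the chip's identity. The key addresses and command bytes follow the common JEDEC-style convention and are an assumption here; the IDs, memory size and helper names are constructed.

```c
#include <stdint.h>
#include <string.h>
/* Constructed model of a NOR flash command decoder (no real hardware access).
   Key addresses/bytes follow the common JEDEC-style convention (assumption). */
enum { READ, UNLOCK1, UNLOCK2, PROGRAM, AUTOSELECT };
enum { MFR_ID = 0xC0, DEV_ID = 0xDE };          /* constructed sample IDs */
struct flash { uint8_t mem[0x10000]; int state; };
void flash_init(struct flash *f) {
    memset(f->mem, 0xFF, sizeof f->mem); f->state = READ;  /* erased = 0xFF */
}

/* One bus write cycle as seen by the chip. */
void flash_write(struct flash *f, uint16_t addr, uint8_t data) {
    switch (f->state) {
    case READ:      /* a write that is not the first key byte is ignored */
        f->state = (addr == 0x5555 && data == 0xAA) ? UNLOCK1 : READ; break;
    case UNLOCK1:
        f->state = (addr == 0x2AAA && data == 0x55) ? UNLOCK2 : READ; break;
    case UNLOCK2:
        if (addr == 0x5555 && data == 0xA0)      f->state = PROGRAM;
        else if (addr == 0x5555 && data == 0x90) f->state = AUTOSELECT;
        else                                     f->state = READ;
        break;
    case PROGRAM:   /* programming can only clear bits, never set them */
        f->mem[addr] &= data; f->state = READ; break;
    case AUTOSELECT: /* 0xF0 resets the chip back to normal array reads */
        if (data == 0xF0) f->state = READ; break;
    }
}
uint8_t flash_read(const struct flash *f, uint16_t addr) {
    if (f->state == AUTOSELECT) return (addr & 1) ? DEV_ID : MFR_ID;
    return f->mem[addr];
}
static void unlock(struct flash *f, uint8_t cmd) {  /* key writes + command */
    flash_write(f, 0x5555, 0xAA); flash_write(f, 0x2AAA, 0x55);
    flash_write(f, 0x5555, cmd);
}

/* Try to store 0x42 at 0x1234, with or without the key writes; return readback. */
uint8_t write_attempt(int with_key) {
    static struct flash f; flash_init(&f);
    if (with_key) unlock(&f, 0xA0);
    flash_write(&f, 0x1234, 0x42);
    return flash_read(&f, 0x1234);
}
/* Ask the modelled chip who it is: (manufacturer << 8) | device. */
uint16_t identify(void) {
    static struct flash f; flash_init(&f); unlock(&f, 0x90);
    return (uint16_t)((flash_read(&f, 0) << 8) | flash_read(&f, 1));
}
int main(void) { return !(write_attempt(0) == 0xFF && write_attempt(1) == 0x42 && identify() == 0xC0DE); }
```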
 Reviews:
·WestNet Broadband
| reply to OZO Avoiding 3rd party Windows utilities to do the job altogether would be a start. A command in an O/S environment is not helping anyone other than possibly a few support headaches for the manufacturers to quickly remedy, if you call it a remedy.
This topic possibly would not have needed duplicating from the hardware forums to here, as there would not have been the concern that it brings to the table due to the O/S environment being allowed to play with such a critical item and hence malware/exploit makers having an extra foot in the door.
I also understand that on reboot the possibility is still there, which isn't in the O/S environment and I don't have answers; but for such a critical item to be allowed though.....I'd hate to see secure-boot affect a bios update, now that would be a manufacturer's nightmare. -- The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke
|
|
OZO Premium join:2003-01-17 kudos:2 | reply to dib22
Or a BIOS option (preventing from overwriting the BIOS), that can't be changed from OS... -- Keep it simple, it'll become complex by itself... |
|
dib22 join:2002-01-27 Kansas City, MO kudos:2 | reply to TheMG
said by TheMG: There's a very simple solution to prevent BIOS from being maliciously modified/replaced: a BIOS write-protect jumper on the motherboard.
Go for a switch instead of a jumper |
|
 Reviews:
·WestNet Broadband
| reply to TheMG
I've wondered on that one for some time now. I can't for the life of me see why that isn't implemented. Bios updates are considered a risk themselves, power failure being one.
A general user with no experience should flash bios, so a simple jumper would certainly seem a basic enough requirement that would not deter those that do play and hack with their own systems. -- The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke
|
|
TheMG Premium join:2007-09-04 Canada kudos:1 | reply to norwegian
There's a very simple solution to prevent BIOS from being maliciously modified/replaced: a BIOS write-protect jumper on the motherboard.
Unfortunately, that would just be too inconvenient and cumbersome for the end user trying to apply a BIOS update, so we can't have that. As a result, most motherboards lack such functionality.
Dump security out the window for the sake of convenience. |
|
dave Premium,MVM join:2000-05-04 not in ohio kudos:7 | reply to kickass69
said by kickass69: Goes to show old school BIOS is still the better way to go.
As in "it doesn't have any protection so voiding the protection doesn't change anything"?
But you seem to be perpetuating a false dichotomy, in that the choice is not between "the old BIOS" and "UEFI with Secure Boot". There's "UEFI without Secure Boot", which has been showing up on motherboards for a few years now, without any fuss. |
|
 | reply to norwegian Goes to show old school BIOS is still the better way to go. |
|
 Reviews:
·WestNet Broadband
| I just read about this Here »AMIBIOS Source Code and AMI's UEFI Signing Key Leaked in the hardware forum. Thanks go to Octavean for posting it.
»www.techpowerup.com/182484/AMIBI···ked.html
An FTP server in Taiwan that could be publicly accessed, leaked the source code of AMI Aptio UEFI BIOS, including AMI's unique UEFI signing test key.
Among the leaked bits of software include the source code of AMI BIOS, Aptio, and AMI's UEFI test signing key, which is used by all its clients to sign their BIOS updates. Official AMI comment can be found here
•Recent disclosures via the personal blog site of an industry blogger and researcher detailed the discovery of a leaky FTP server from an unnamed Taiwan-based vendor containing AMI UEFI BIOS source code and suspected security key data among various internal data
•AMI would like to clarify that this leak is not the fault of AMI and is not a result of a security lapse on AMI's behalf
•In response, AMI states that this is not a general security threat which could create a nearly undetectable, permanent hole in a system's security if the manner in which production-level BIOS is signed and created uses a production key.
All of the boot protection measures of the new Windows 8 secure boot become null and void, I would think, with something like this if the bios could be flashed without too much user intervention; however, I would imagine there would have to be some defined prompts for users if their system bios was requested to be updated with tools like Win Flash as part of the exploit kit. -- The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke
|
|