Published on Tux Machines (http://www.tuxmachines.org)

Security: Patches, BIOS and EC Write Protection, Reproducible Builds (DiffoScope) and Coreboot

By Roy Schestowitz
Created 25/07/2020 - 1:48am
Submitted by Roy Schestowitz on Saturday 25th of July 2020 01:48:23 AM
Filed under Security [1]

Security updates for Friday [2]

Security updates have been issued by (qemu), Fedora (java-11-openjdk, mod_authnz_pam, podofo, and python27), openSUSE (cni-plugins, tomcat, and xmlgraphics-batik), Oracle (dbus and thunderbird), SUSE (freerdp, kernel, libraw, perl-YAML-LibYAML, and samba), and (libvncserver and openjdk-lts).

Librem 14 Features BIOS and EC Write Protection [3]

We have been focused on BIOS security at Purism since the beginning, starting with our initiative to replace the proprietary BIOS on our first generation laptops with the open source coreboot project. This was a great first step as it not only meant customers could avoid proprietary code in line with Purism's social purpose, it also meant the BIOS on Purism laptops could be audited for security bugs and possible backdoors to help avoid problems like the privilege escalation bug in Lenovo's AMI firmware.

Our next goal in BIOS security was to eliminate, replace or otherwise bypass the proprietary Intel Management Engine (ME) in our firmware. We have made massive progress on this front and our Librem laptops, Librem Mini, and Librem Server all ship with an ME that's been disabled and neutralized.

After that we shifted focus to protecting the BIOS against tampering. We started by adding TPM chips to our laptops and began work on integrating the Heads tamper-evident firmware project into our overall boot security package we call PureBoot. Now customers can choose between our default coreboot BIOS or our "PureBoot Bundle" when they place an order. The PureBoot Bundle also enabled us to enhance our anti-interdiction services and change it from a secret menu option to a drop-down choice both for customers facing stronger threats and those who just want more peace of mind.

Reproducible Builds (diffoscope): diffoscope 153 released [4]

The diffoscope maintainers are pleased to announce the release of diffoscope version 153. This version includes the following changes:

[ Chris Lamb ]
* Drop some legacy argument styles; --exclude-directory-metadata and
  --no-exclude-directory-metadata have been replaced with
  --exclude-directory-metadata={yes,no}.
* Code improvements:
  - Make it easier to navigate the main.py entry point.
  - Use a relative import for get_temporary_directory in diffoscope.diff.
  - Rename bail_if_non_existing to exit_if_paths_do_not_exist.
  - Rewrite exit_if_paths_do_not_exist to not check files multiple times.
* Documentation improvements:
  - CONTRIBUTING.md:
    - Add a quick note about adding/suggesting new options.
    - Update and expand the release process documentation.
    - Add a reminder to regenerate debian/tests/control.
  - README.rst:
    - Correct URL to build job on Jenkins.
    - Clarify and correct contributing info to point to salsa.debian.org.

There's An Effort By A System76 Engineer To Bring Coreboot To Newer AMD Platforms [5]

With System76 working towards offering more AMD laptop options as well as continuing to expand their line-up of AMD desktop offerings, it appears their next hurdle is on bringing Coreboot to these current-generation AMD platforms.

System76 principal engineer Jeremy Soller who is also known for his work on the Rust-written Redox OS has initiated the effort on porting Coreboot to AMD Matisse and Renoir platforms.

[...]

In any case, we are eager to see Coreboot support eventually come to these modern AMD platforms so stay tuned to Phoronix for reports on the progress.

Source URL: http://www.tuxmachines.org/node/140260

Links:
[1] http://www.tuxmachines.org/taxonomy/term/59
[2] https://lwn.net/Articles/826965/rss
[3] https://puri.sm/posts/librem-14-features-bios-and-ec-write-protection/
[4] https://diffoscope.org/news/diffoscope-153-released/
[5] https://www.phoronix.com/scan.php?page=news_item&px=System76-New-Coreboot-AMD