NSA Starts Contributing Low-Level Code to UEFI BIOS Alternative
The NSA has started assigning developers to the Coreboot project, which is an open source alternative to Windows BIOS/UEFI firmware. The NSA's Eugene Myers has begun contributing SMI Transfer Monitor (STM) implementation code for the x86 processor. Myers works for NSA’s Trusted Systems Research Group, which according to the agency’s website, is meant to “conduct and sponsor research in the technologies and techniques which will secure America's information systems of tomorrow.”
Myers published a paper about STM last year on how NSA’s STM implementation could work. All Coreboot code, including all the STM contributions from the NSA, are open source, so anyone could verify that there is no backdoor in there -- in theory.
In practice, the NSA could have also written the code in a less-than-secure way with vulnerabilities that are hard to detect without more experienced security researchers. Alternatively, the NSA could also update this implementation years later, when there are less eyes on the STM implementation and the update would no longer make headlines.
Better to avoid coreboot and feel secure that the hardware could never subvert my expectations of security and privacy. /s
(Score: 3, Interesting) by Anonymous Coward on Tuesday June 25 2019, @03:21AM
So, do not use a free and open firmware, and instead use a closed firmware from random vendor that is near guaranteed to include exploitable bugs, if not intentional back-doors (even if innocent, like some debugging back-door left in the production builds)?
Yes, NSA touching the code leaves a taint, but free and open code still beats proprietary for being trustworthy.
Maybe NSA taking interest in core boot will lead to more systems where you can flash core boot and get rid of the proprietary firmware. A deal with the devil-- but, at least, we might get something good out of it.