Firmware privacy

Has there been any discussion about privacy of firmware? E.g: Intel Management Engine, AMD Secure Technology, and Libreboot?


This can also include Apple Secure Boot which make sure that the lowest levels of software aren’t tampered.
The process include Boot ROM

The very first code executed by a device’s processor when it first boots. As an integral part of the processor, it can’t be altered by either Apple or an attacker.

and iBoot

The stage 2 boot loader for all Apple devices. Code that loads XNU, as part of the secure boot chain. Depending on the system on chip (SoC) generation, iBoot may be loaded by the Low Level Bootloader or directly by the Boot ROM.


1 Like

There generally isn’t anything to worry about here. This mostly stems from the “if its not open source must be spyware” crowd. While it would nice if the platform was completely open source that isn’t the case presently, and there isn’t much you can do about it. Some laptops support Coreboot which is about the best you can do.

Intel ME does have a lot issues and quite covered by media. For AMD, the processor uses Arm trust zone technology, security wise idk but network attacks are not possible due to the lack of network access from the secure processor. Intel ME does have access to the network.

Only if the machine has Intel Active Management Technology, and it’s only present on machines that have vPro support. Regardless there has never been any evidence it has been used for anything harmful or damaging to a user’s privacy. Generally in business environment out of band management is in it’s own VLAN. What is conspiracy bullshit is that it is “a backdoor”.

1 Like

This is a question I had, specifically in relation to Wi-Fi firmware. Of course, it’s not true that if software/firmware is open source, it is private. But, if software/firmware is proprietary, it makes it harder to tell if it’s private.

Since all or almost all Wi-Fi card firmware is proprietary, and therefore hard to audit, is it possible that manufacturers could spy on you through this firmware, in the hopes no one would notice? Is this more likely to be an issue with smaller companies, that have been less vetted, or with companies from countries with mass surveillance laws?

It is possible but imagine the firestorm of hatred for your motherboard firmware if caught. Gigabyte certainly knows this now with their recent firmware issue. You can be sure the infosec people are looking at this closely.

Ironically, a certain degree of capitalist monetary greed prevents this from happening. Not intentionally, of course. If the APTs put it inside there, it is another matter altogether.

In addition to what @dngray said, IIRC you also need an Intel LAN for this to complete the 3 requirements for these. System76 sells laptop with coreboot.

Does anybody know of a consumer latest gen motherboard that has also coreboot?

They are and that’s how things like this are discovered:

1 Like