No.

Can you please explain in more detail why not?
How can SATA firmware on HostB (in a disk controller or disk) influence HostA if I have a chain like this:
HostA ZFS over local LUKS (cryptsetup) -> iSCSI over Ethernet -> HostB -> SATA -> Disk
What bad can HostB do to HostA's RAM? Does it have any access to HostA's RAM?
The only bad thing seems to be damaging data on the disk by the disk itself? But that will be instantly indicated by ZFS on HostA.
If iSCSI is not secure enough, we still have many other network block and file protocols, even SSHFS,
and still no?

ToxicExMachina wrote:
If you want an affordable computer with blobless firmware, go buy a Thinkpad T60 and flash libreboot.
The hard drive controller in that machine contains embedded firmware which is powerful enough to pwn the device.

Would iSCSI or NFS help if using such a chain of connection to disks:
T60 -> iSCSI (IP over Ethernet) -> OrangePI -> SATA
?

If you want an affordable computer with blobless firmware, go buy a Thinkpad T60 and flash libreboot.
The hard drive controller in that machine contains embedded firmware which is powerful enough to pwn the device.
Coreboot doesn't mention this on their site, strangely. Neither does Raptor. But then I suppose they have businesses to run...

2. Older ARM versions - older than modern ARM.

Please recommend an example of such an ARM board.

alupoj wrote:
ToxicExMachina wrote:
BIOS is open source: https://www.seabios.org/
UEFI is also open source: https://www.tianocore.org/

SeaBIOS originally looks like a BIOS for virtual machine guests.
Can SeaBIOS be used directly on any physical motherboard without the Coreboot hack which I already mentioned?
Is SeaBIOS not just one of many other possible payloads like GRUB or KEXEC, etc. for Coreboot/Libreboot?
Where would SeaBIOS be without the Coreboot/Libreboot projects, which are actually the opposite of what was intended for the "openness" (actually lack of openness) of the X86 boot loader?

It doesn't matter. Every vendor had its own BIOS implementation because it totally depends on the hardware by design. BIOS is a part of MS-DOS designed to provide an abstraction layer for compatibility purposes. SeaBIOS is another implementation. In this case Coreboot+SeaBIOS == BIOS.

The problem with the X86 BIOS, as already mentioned earlier, is that the whole X86 initialization process is proprietary, unlike ARM, where the initialization of several popular development single-board computers (not all boards of course, especially not proprietary mobile ARMs) is documented and even has an official open source U-Boot.

alupoj wrote:
While the Raptor motherboard is probably free of proprietary blobs, the POWER9 CPU most likely is not?
And all of them are not affordable for me.

If you want an affordable computer with blobless firmware, go buy a Thinkpad T60 and flash libreboot.

I have it, but the CPU itself does not seem to be trustworthy.
IMHO Pentium 1 + OpenBSD looks more interesting even without Libreboot. I have a couple of them too, and just wonder how to combine all these things together to produce a more secure working place.
Anyway, all DMA expansion boards shall be moved to another host and connected via IP to avoid DMA attacks from the firmware of attached devices like SATA storage, USB dongles, PCI expansion cards, etc.

While the Raptor motherboard is probably free of proprietary blobs, the POWER9 CPU most likely is not?
And all of them are not affordable for me.

If you want an affordable computer with blobless firmware, go buy a Thinkpad T60 and flash libreboot.

I agree with you that the X86 standard is versatile and open for vendors to produce X86 hardware, but it is the most unfriendly for people who would like to write their own open source boot loader, which is what I primarily meant by open source.

One word: coreboot

ToxicExMachina wrote:
BIOS is open source: https://www.seabios.org/
UEFI is also open source: https://www.tianocore.org/

SeaBIOS originally looks like a BIOS for virtual machine guests.
Can SeaBIOS be used directly on any physical motherboard without the Coreboot hack which I already mentioned?
Is SeaBIOS not just one of many other possible payloads like GRUB or KEXEC, etc. for Coreboot/Libreboot?
Where would SeaBIOS be without the Coreboot/Libreboot projects, which are actually the opposite of what was intended for the "openness" (actually lack of openness) of the X86 boot loader?

It doesn't matter. Every vendor had its own BIOS implementation because it totally depends on the hardware by design. BIOS is a part of MS-DOS designed to provide an abstraction layer for compatibility purposes. SeaBIOS is another implementation. In this case Coreboot+SeaBIOS == BIOS.

ToxicExMachina wrote:
different MIPS cores

Can routers running LibreCMC be treated as more secure in terms of my control over their boot loader?

The bootloader is not the thing you should worry about right now.

ToxicExMachina wrote:
OpenRISC, RISC-V, old ARM versions implementation, different MIPS cores, etc. You can check some of them at opencores.org
RISC-V is a promising project because large organizations decided to support it.

I would be glad to try RISC-V, but where to get an affordable board?
What do you mean by old ARM version? Is Cortex A7 old enough to be secure enough?
I was looking for a board with an open source boot loader where it would be difficult to inject an invisible and undetectable virtualization trojan at the factory or by third-party blobbed software which could reflash firmware silently.

1. The most affordable RISC-V board is any cheap devkit with an FPGA and I/O ports. You can flash a RISC-V based SoC.
2. Older ARM versions - older than modern ARM.
3. Buy a board or laptop compatible with upstream coreboot.

the POWER9 CPU is most likely not?

IBM's servers run proprietary firmware for the CPU but Raptor uses open source versions:
https://wiki.raptorcs.com/wiki/OpenPOWER_Firmware

And all of them are not affordable for me.

+1

The POWER9 microarchitecture is open source and Raptor's offerings are blob-free, but it's aimed at high-TDP servers rather than low-power hacker boards.

While the Raptor motherboard is probably free of proprietary blobs, the POWER9 CPU most likely is not?
And all of them are not affordable for me.