Security: Patches, BIOS and EC Write Protection, Reproducible Builds (DiffoScope) and Coreboot
-
Security updates for Friday
Security updates have been issued by Debian (qemu), Fedora (java-11-openjdk, mod_authnz_pam, podofo, and python27), openSUSE (cni-plugins, tomcat, and xmlgraphics-batik), Oracle (dbus and thunderbird), SUSE (freerdp, kernel, libraw, perl-YAML-LibYAML, and samba), and Ubuntu (libvncserver and openjdk-lts).
-
Librem 14 Features BIOS and EC Write Protection
We have been focused on BIOS security at Purism since the beginning, starting with our initiative to replace the proprietary BIOS on our first generation laptops with the open source coreboot project. This was a great first step as it not only meant customers could avoid proprietary code in line with Purism’s social purpose, it also meant the BIOS on Purism laptops could be audited for security bugs and possible backdoors to help avoid problems like the privilege escalation bug in Lenovo’s AMI firmware.
Our next goal in BIOS security was to eliminate, replace or otherwise bypass the proprietary Intel Management Engine (ME) in our firmware. We have made massive progress on this front and our Librem laptops, Librem Mini, and Librem Server all ship with an ME that’s been disabled and neutralized.
After that we shifted focus to protecting the BIOS against tampering. We started by adding TPM chips to our laptops and began work on integrating the Heads tamper-evident firmware project into our overall boot security package we call PureBoot. Now customers can choose between our default coreboot BIOS or our “PureBoot Bundle” when they place an order. The PureBoot Bundle also enabled us to enhance our anti-interdiction services and change it from a secret menu option to a drop-down choice both for customers facing stronger threats and those who just want more peace of mind.
-
Reproducible Builds (diffoscope): diffoscope 153 released
The diffoscope maintainers are pleased to announce the release of diffoscope version 153. This version includes the following changes:
[ Chris Lamb ] * Drop some legacy argument styles; --exclude-directory-metadata and --no-exclude-directory-metadata have been replaced with --exclude-directory-metadata={yes,no}. * Code improvements: - Make it easier to navigate the main.py entry point. - Use a relative import for get_temporary_directory in diffoscope.diff. - Rename bail_if_non_existing to exit_if_paths_do_not_exist. - Rewrite exit_if_paths_do_not_exist to not check files multiple times. * Documentation improvements: - CONTRIBUTING.md: - Add a quick note about adding/suggesting new options. - Update and expand the release process documentation. - Add a reminder to regenerate debian/tests/control. - README.rst: - Correct URL to build job on Jenkins. - Clarify and correct contributing info to point to salsa.debian.org.
-
There's An Effort By A System76 Engineer To Bring Coreboot To Newer AMD Platforms
With System76 working towards offering more AMD Linux laptop options as well as continuing to expand their line-up of AMD desktop offerings, it appears their next hurdle is on bringing Coreboot to these current-generation AMD platforms.
System76 principal engineer Jeremy Soller who is also known for his work on the Rust-written Redox OS has initiated the effort on porting Coreboot to AMD Matisse and Renoir platforms.
[...]
In any case, we are eager to see Coreboot support eventually come to these modern AMD platforms so stay tuned to Phoronix for reports on the progress.
-
- Login or register to post comments
- Printer-friendly version
- 497 reads
- PDF version
More in Tux Machines
- Highlights
- Front Page
- Latest Headlines
- Archive
- Recent comments
- All-Time Popular Stories
- Hot Topics
- New Members
Craig Small: 25 Years of Free Software
So you have written something you think others might like, what software license will you use to distribute it? In 1995 it wasn’t that clear. This was the era of strange boutique licenses including ones where it was ok to run the program as a hamradio operator but not a CB radio operator (or at least they tried to work it that way). A friend of mine and the author of the Linux HAM HOWTO amongst other documents, Terry Dawson, suggested I use GPL or another Free Software license. He explained what this Free Software thing was and said that if you want your program to be the most useful then something like GPL will do it. So I released axdigi under the GPL license and most of my programs since then have used the same license. Something like MIT or BSD licenses would have been fine too, I was just not going to use something closed or hand-crafted. That was a while ago, I’ve written or maintained many programs since then. I also became a Debian maintainer (23 years so far) and adopted both procps and psmisc which I still maintain as both the Debian developer and upstream to this day.
Devices: Raspberry Pi and Beyond
Security: Patches, BIOS and EC Write Protection, Reproducible Builds (DiffoScope) and Coreboot
today's howtos
Recent comments
1 hour 54 min ago
2 hours 7 min ago
2 hours 10 min ago
2 hours 19 min ago
2 hours 26 min ago
6 hours 54 min ago
7 hours 10 min ago
8 hours 59 min ago
9 hours 1 min ago
9 hours 6 min ago