OEMs still not shipping golden image hashes

OEMs: you need to ship hashes of your golden firmware images. Read NIST SP 800-147 (BIOS Protection Guidelines) and SP 800-193 (Platform Firmware Resiliency Guidelines). You should be OpenPGP-signing them, as well.
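What "ship hashes of your golden images" looks like in practice, as an added example (not code from this post or from any OEM): a small Python script that produces a SHA256SUMS-style manifest for a release directory, parses such a manifest, and verifies a downloaded file against it, treating both a digest mismatch and a file the manifest never listed as failures. The image bytes and file names are constructed for the example; the choice of SHA-256 and of the `sha256sum -c` manifest format are assumptions. The manifest is the artifact the OEM would then OpenPGP-sign (for instance with `gpg --detach-sign --armor SHA256SUMS`) and the user would check with `gpg --verify SHA256SUMS.asc SHA256SUMS` before trusting any of the hashes; that signing step is not performed here.

```python
import hashlib
import os
import tempfile

# Constructed sample "golden images". In a real release these would be the
# OEM's BIOS image and flashing tool; these bytes are made up for the example.
SAMPLE_IMAGES = {
    "bios-1.23.bin": b"\xff" * 64 + b"example firmware payload v1.23" + b"\x00" * 32,
    "flashtool.exe": b"MZexample flashing tool bytes",
}


def sha256_file(path, chunk_size=1 << 16):
    """Stream a file through SHA-256 so a large firmware image need not fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(directory, filenames):
    """Produce a SHA256SUMS-style manifest in the format `sha256sum -c` reads.

    The '*' before the name marks binary mode, which is what you want for
    firmware. This is the file the OEM publishes next to the images and signs.
    """
    lines = []
    for name in sorted(filenames):
        digest = sha256_file(os.path.join(directory, name))
        lines.append(f"{digest} *{name}")
    return "\n".join(lines) + "\n"


def parse_manifest(text):
    """Parse manifest lines into {filename: hex digest}; reject malformed lines."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)  # "<hex>  <name>" or "<hex> *<name>"
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"malformed manifest line {lineno}: {raw!r}")
        digest, name = parts
        try:
            int(digest, 16)
        except ValueError:
            raise ValueError(f"non-hex digest on line {lineno}") from None
        if name.startswith("*"):
            name = name[1:]
        entries[name] = digest.lower()
    return entries


def verify_download(directory, filename, manifest_text):
    """Return (ok, reason). A file absent from the manifest is a failure,
    not a pass: something the OEM never listed cannot be called verified."""
    expected = parse_manifest(manifest_text).get(filename)
    if expected is None:
        return False, "not listed in manifest"
    actual = sha256_file(os.path.join(directory, filename))
    if actual != expected:
        return False, f"hash mismatch: expected {expected}, got {actual}"
    return True, "ok"


def demo():
    """Write the sample images, build the manifest, then run three checks:
    a clean download, one with a single flipped byte (what a compromised
    mirror or an on-path attacker on plain HTTP could do), and an unlisted file."""
    with tempfile.TemporaryDirectory() as d:
        for name, data in SAMPLE_IMAGES.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        manifest = write_manifest(d, SAMPLE_IMAGES)
        clean = verify_download(d, "bios-1.23.bin", manifest)
        # Flip one bit at offset 70, inside the constructed payload region.
        with open(os.path.join(d, "bios-1.23.bin"), "r+b") as f:
            f.seek(70)
            original = f.read(1)
            f.seek(70)
            f.write(bytes([original[0] ^ 0x01]))
        tampered = verify_download(d, "bios-1.23.bin", manifest)
        # An empty manifest: the file exists on the mirror but was never published.
        unlisted = verify_download(d, "flashtool.exe", "")
        return {"clean": clean, "tampered": tampered, "unlisted": unlisted}


if __name__ == "__main__":
    for case, (ok, reason) in demo().items():
        print(f"{case:9s} {'PASS' if ok else 'FAIL'}: {reason}")
```

Note that the hash on its own only proves the file matches what the manifest says; if the manifest travels over the same plain-HTTP channel as the image, an attacker who can alter one can alter both, which is why the manifest also needs an OpenPGP signature from a key the user obtained out of band.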

I want to update the BIOS on my <OEM> motherboard as this hopefully solves a problem. However, the archive containing the BIOS update and flashing tool can only be downloaded over http and there is no way to verify its integrity as neither signed nor unsigned checksums are available. I'm extremely uncomfortable with just installing the update without being able to verify its integrity, as I would forever think about whether the BIOS has been modified in case the download server has been compromised or by a MITM attack while I'm downloading. What can I do?
