Why no firmware blob audits?


Recently, Kaspersky has had some trust issues with their OS-present binaries. Now they’re opening up their sources to 3rd party auditors. When I hear this, I wonder why we IT industry doesn’t have something like this in place for ALL criticial closed-source binaries, OS-present as well as firmware binaries. Most firmware binaries by vendors are closed-source, not bothering to audit the firmware yet being concerned about some OS-present software seems like wasted effort. I’d love to see an international group of security researchers, from commercial, academic, and government sectors, who have regular/ongoing audits of the closed-source firmware of Intel/ARM/AMD/etc. as well as all OEMs/ODMs/IHVs. Multiple overlapping audits, with some mechanism — like a WoT — to get aggregated results of each of these audits. All SMM code, any IPMI, Redfish, iLo, etc code, all AMT firmware, the ME sources (the Minix team should be one of the ME source reviewers), Intel FSP, AMD AGESA should be high on the list of audited code. If I have to trust the international vendor supply chain for hardware, I’d like to have some method to better trust the blobs on my system. If there is no open source firmware solution, where I can re-build my blobs from sources that I can audit, then I’d like some third parties to help add trust to the current closed-source blob situation. It is not just free-as-in-Freedom people that care about blobs anymore, it is a base security concern. Given how the military of some countries already ban hardware from other countries, you’d think these governments would have required some firmware auditing procedure like this already. Today, you don’t even get hashes of the blobs from the vendors. No third party audits. Code signing, and trusting a CA is best you can hope for, if at all. The recent downstream issues of Infineon’s TPM firmware, the password issues with Intel AMT, do you think a third party security audit could have helped with those issues?


Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s