OEMs: publish your platform firmware hashes [using codehash.db]

Dear @Dell, how can I verify authenticity & integrity of the BIOS updates for your XPS laptops you publish on your website?

Please note that publishing hashes on your http-only website is _not_ a solution! For more info, pls see: https://t.co/ZVkI3jTH0Q

Thanks!

— Joanna Rutkowska (@rootkovska) November 24, 2017

I have specifically asked about authenticity & integrity, not about trustworthiness/harmfulness. Please re-read my original tweet and the linked article. Thank you. https://t.co/Rq8pDi9Dph

— Joanna Rutkowska (@rootkovska) November 24, 2017

Always willing to have the conversation about how our BIOS updates are authenticated and verified. I even wrote a wp on the subject: https://t.co/iNjIZufby5 #iwork4dell

— Rick Martinez (@rickmartinez06) November 24, 2017

As a user what I would do today is pull .cab here: ftp://ftp.dell.com/catalog/DellSDPCatalogPC.cab (I know, ftp!), verify the cert/signature of the .cab, and verify the hashes for your XPS in the catalog .xml. Not ideal but I promise this is on our radar to improve! #iwork4dell pic.twitter.com/tEYJq3t724

— Rick Martinez (@rickmartinez06) November 24, 2017

Great… But is so sad, that almost all your efforts are in vain. Because there is no https on Dell download website, and any hash or signature is worthless on a plain channel pic.twitter.com/8yWfHttgs5

— Kevin Moraga (@kmoragas) November 24, 2017

Some high-level info about Dell BIOS updates in the paper (2013) linked below. Smbdy can please start gathering all the BIOS updates hashes and publish (e.g. as proposed here: https://t.co/kyyoypGjVo)? Thanks. https://t.co/kodHMaKeVe

— Joanna Rutkowska (@rootkovska) November 25, 2017