OEMs: publish your platform firmware hashes [using codehash.db]

Reminder to OEMs: publish the hashes of your platform firmware. Hopefully using codehash.db.

In below twitter thread, Joanna asked Dell support for hashes for their firmware. Eventually, Rick Martinez of Dell got involved, so this is a good example of a conversation on this topic by two who understand the issues.


It looks like Dell needs to use HTTPS:


Joanna announces codehash.db, a software/firmware code hash database

Joanna Rutkowska of Invisible Things Lab posted a message to the Secure Desktops list, announcing a new public hash database for software and firmware! lightly-edited announcement below, see the list archive for full announcement:

Introducing a public db for software and firmware hashes:
I’ve recently created this simple repo which is an attempt to somehow addresses a problem of software and firmware “verifiability” (the word is somehow loaded, hence in quotation marks).  I imagine that once more and more vendors, such as e.g. Tails or Subgraph, or secure messenger app devs, or various firmware projects (coreboot, Trezor, OpenWRT, etc) agreed to stick to this format, we could expect each of them to submit hashes + signatures with each new release of their software.  These hashes would then be subsequently verified and submitted by other witnesses.  Each person or organization will be free to host a repo similar to the one above, only with the “proofs” from the select witness they consider somehow trusted or meaningful.


(Now if OEMs and IBVs would only publish their golden image hashes, including after each update….)