[HN Gopher] What can we learn from leaked Insyde's BIOS for Intel Alder Lake
Author : hardenedvault
Score : 139 points
Date : 2022-10-08 15:00 UTC (8 hours ago)
Link : hardenedvault.net

| userbinator wrote:
| I wonder why it seems to be mostly the new stuff that's getting leaked, and not the old out-of-support platforms that are long out of production, since the latter would be of value to BIOS-modders trying to add features and the like.
|
| I agree with the other comment here that this stuff should've been open-source in the first place, but more than that, I wish Intel would just release all the detailed documentation on their products. They used to be far better about that --- I believe you can still find reference schematics and such for Pentium II/III-era chipsets on their site, or in the Internet Archive thereof.
|
| The latter part of the article is more "open source bad" fearmongering, sadly common these days in that part of the software industry.
| [deleted]
| mgaunard wrote:
| I mostly learned that people make such intrusive ads nowadays that I won't be reading this article.
| 2Gkashmiri wrote:
| matheusmoreira wrote:
| Could be using a mobile browser. Chrome's Google account integration makes it really annoying to switch.
| 2Gkashmiri wrote:
| use firefox focus for casual link opening, firefox mobile+ublock for the rest.
| azinman2 wrote:
| Not always feasible, but pi hole makes all devices and software magically ad blocking. Just works!
| 2Gkashmiri wrote:
| why? what website works on chrome and fails on both firefox focus and firefox mobile + ublock origin? i have been using this setup since focus was introduced and it has worked 100% for me. there are bugs but what software doesn't, so can you give me some concrete examples when this wouldn't?
| azinman2 wrote:
| I'm just providing an alternative. Not everyone wants to use Firefox, and many apps use built-in browsers for links, like Reddit and TikTok.
| 1123581321 wrote:
| This page looks clean with Wipr on iOS. No empty ad cells or anything.
| gtirloni wrote:
| Wrong thread maybe? I'm on mobile and didn't see a single ad.
| changler wrote:
| Original thread announcing the leak: https://boards.4channel.org/g/thread/89060767
|
| Internet Archive link to .zip file snapshot of files from GitHub (but no git commit history): https://web.archive.org/web/20221007235925if_/https://codelo...
|
| Also mirrored here: https://git.tcp.direct/TheParmak/ICE_TEA_BIOS
|
| The git bundle for that mirror is also on the Internet Archive: https://web.archive.org/web/20221008155117if_/https://git.tc... (which can be restored via the instructions at https://git-scm.com/book/en/v2/Git-Tools-Bundling)
|
| Note that downloading the git bundle (from the link on git.tcp.direct or its mirror on Internet Archive) is the most space-efficient download, as there are many large identical files in the repo that git deduplicates but the zip file format does not.
| matheusmoreira wrote:
| Thanks. Funny how stuff like this always gets leaked on chans.
| throwaway12245 wrote:
| Their lollygagging on "moderation" is a feature.
| cowtools wrote:
| well, each thread basically has a time limit before it gets archived and removed, so the users know to keep making threads if they want to keep their topic alive.
|
| So if someone comes and makes a DMCA claim on a thread, the moderators can just ignore it and wait for the thread to time out, or they delete it and the users just make another thread.
|
| As long as the moderators wait a couple hours or so to respond to legal threats, and maintain a semblance of "low moderation", they pretty much have plausible deniability to void copyright. It's sort of genius.
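changler's point above, that the git bundle is a smaller download than the zip because git stores identical files once, comes down to content addressing: git names each file's content by the SHA-1 of `blob <size>\0<content>`, so the same bytes under many paths map to one object. The following is an added example written for this page, not code from the thread or from any repository linked in it. It computes git's blob ids for a constructed sample tree (the file names and contents are made up, chosen to look like a firmware tree with the same binary checked in under several board directories) and compares the bytes a per-entry archive such as zip carries with what git's object store would hold.

```python
import hashlib
from collections import defaultdict


def git_blob_oid(data: bytes) -> str:
    """Return the object id git assigns to a file's content.

    git hashes the header "blob <size>\\0" followed by the raw bytes, so two
    files with identical content get the same id regardless of path or name.
    """
    header = b"blob %d\0" % len(data)
    return hashlib.sha1(header + data).hexdigest()


def dedup_stats(files: dict) -> dict:
    """Compare a per-entry archive with git's content-addressed object store.

    `files` maps a path to its content. A zip archive carries every entry,
    duplicates included; git keeps one blob per distinct content, so the
    bundle only has to ship each distinct blob once.
    """
    by_oid = defaultdict(list)
    for path, data in files.items():
        by_oid[git_blob_oid(data)].append(path)
    archive_bytes = sum(len(d) for d in files.values())
    object_store_bytes = sum(len(files[paths[0]]) for paths in by_oid.values())
    duplicate_groups = {oid: paths for oid, paths in by_oid.items() if len(paths) > 1}
    return {
        "entries": len(files),
        "unique_blobs": len(by_oid),
        "archive_bytes": archive_bytes,
        "object_store_bytes": object_store_bytes,
        "duplicate_groups": duplicate_groups,
    }


# Constructed sample tree (hypothetical paths and contents): one 1 KiB binary
# checked in under three board directories, two small per-board config files
# that differ by one word, and an empty README.
SAMPLE_FILES = {
    "BoardA/Fv/blob.bin": b"\x4d\x5a" + b"\x00" * 1022,
    "BoardB/Fv/blob.bin": b"\x4d\x5a" + b"\x00" * 1022,
    "BoardC/Fv/blob.bin": b"\x4d\x5a" + b"\x00" * 1022,
    "BoardA/Dsc/board.dsc": b"[Defines]\nPLATFORM_NAME = BoardA\n",
    "BoardB/Dsc/board.dsc": b"[Defines]\nPLATFORM_NAME = BoardB\n",
    "README.md": b"",
}

if __name__ == "__main__":
    stats = dedup_stats(SAMPLE_FILES)
    print(f"{stats['entries']} entries, {stats['unique_blobs']} distinct blobs")
    print(f"archive stores {stats['archive_bytes']} bytes, "
          f"git object store holds {stats['object_store_bytes']} bytes")
    for oid, paths in stats["duplicate_groups"].items():
        print(f"blob {oid[:12]} shared by {len(paths)} paths: {', '.join(paths)}")
```

On the sample tree the six entries collapse to four blobs, and the three copies of the binary are the only duplicate group. The same idea is why `git bundle verify <file>` is worth running on a downloaded bundle before restoring it: it checks that the bundle is complete and lists the refs it carries, after which `git clone <file>` (the step in the linked git-scm chapter) rebuilds the working tree from the deduplicated objects.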
| mardifoufs wrote:
| That security pledge from the insyde CTO is just the cherry on top of this. Especially since it was published back in February
| boreboot wrote:
| > Individuals or organizations that are not eligible to sign CNDA with Intel, such as open source firmware maintainers.
|
| Many of them do actually have CNDAs signed with Intel, at least those employed to work on commercial products based on Intel's chips. You'll see tons of references to NDA-only datasheets in coreboot's commit history.
| userbinator wrote:
| _You'll see tons of references to NDA-only datasheets in coreboot's commit history._
|
| Isn't that really against the principles of open-source (and possibly the NDA itself)? It's a strange situation and why I'd rather manufacturers release datasheets instead of contributing to OSS. The source is technically "open" in the latter case, but in practice it's not much more informative than what you'd get if you just decompiled the binary.
| csdvrx wrote:
| It's a slightly biased analysis:
|
| > _Can open source firmware projects benefit from leaked content?_
|
| > _Unfortunately, no or rarely._
|
| > _Individuals or organizations that are not eligible to sign CNDA with Intel, such as open source firmware maintainers. Please note that open source firmware projects cannot directly benefit/reuse from leaked content due to legal risks_
|
| A direct reuse of everything is unlikely, but access to the material might lead to many interesting tools.
|
| Simple example: undervolting (to save battery and reduce heat) was taken away by intel because plundervolt allowed attacks against the SGX enclave.
|
| SGX has now been abandoned by Intel, but undervolting remains impossible.
|
| If I ever get an Alder Lake, would I look for a way to enable that on my laptop? Yes!
|
| Do I fear legal risks of altering the functionality of the hardware I purchased? No, thanks to the consequences of the first sale doctrine.
|
| > _Binary blobs: It's worth noting that in addition to the binary blobs required by various devices (Bluetooth BLE, WiFi, Ethernet, etc.), there are three different ACMs for security features: BiosGuard, BootGuard, and TXT_
|
| > _In addition, one thing should be noted that the key pairs required by BootGuard during provisioning stage is also included in the leaked content_
|
| So there's everything I would need to understand, patch then flash my own alterations? Great! I'm even more interested now!!
|
| > _the data center should prepare_
|
| > _Short-term plan:_
|
| > _Security team and patch management team should work together to ensure critical devices are upgraded to the latest version_
|
| And IMHO the individual interested in future attempts to reclaim full ownership of their hardware should prepare in a very different way, by:
|
| - downloading a copy of the current BIOS binary update (and the last few versions, just to be on the safe side)
|
| - blocking BIOS updates ("capsules" etc) in the BIOS
|
| - in the OS, uninstalling the tools that allow such updates (ex: Lenovo Vantage)
|
| - ideally, even switching to Linux, as Microsoft can package driver updates with the BIOS, and if it's that big one of these drivers may include code from Intel using unusual ways to forcefully apply upgrades, that would bypass the methods you can control if the binary is delivered and run on your hardware (ex: Intel ME)
|
| I really like Windows, and "security" in general, but I like the idea of having features like Undervolt even more!
| amluto wrote:
| > SGX has now been abandoned by Intel, but undervolting remains impossible.
|
| SGX only really appears to be abandoned on client chips. SGX is a critical part of TDX, which is brand new.
| j-bos wrote:
| For someone with a passing curiosity, but limited time and skill atm: where would we download the source code and previous updates?
| matheusmoreira wrote:
| It's insulting enough that Intel can "take away" features... And we can't even replace their code with our own.
| userbinator wrote:
| You mean security, not "security". The former is securing your own hardware against others, the latter is others securing the hardware against you. Unfortunately the corporates are more interested in promoting the latter than the former.
| djhope99 wrote:
| I don't know who leaked it but I'd say it was an Insyde job. ;)
| pferdone wrote:
| > I don't know who leaked it but I'd say it was an Insyde job. ;)
|
| This is something I expect on reddit. A supposedly funny comment with no real value at the top...
|
| edit: quoted the original comment
| marginalia_nu wrote:
| Something something insensitive clod.
| DominoTree wrote:
| I'd suggest considering how much value the comment you just posted adds
| pferdone wrote:
| I couldn't hide my dislike for it and commented. Maybe it was unnecessary to draw comparisons to reddit and it'd be better to just state HN rules. I will try to consider this next time. Thank you.
| _zoltan_ wrote:
| You could have of course chosen not to comment.
| jpgvm wrote:
| If a chuckle isn't of value I don't know what is.
| pferdone wrote:
| You are right, it isn't of any value to me on HN. Additional information on the topic or a discussion with arguments is. Now you know what is.
| mynameisvlad wrote:
| This is such a self-centered view. In reality, nobody really cares what is of value _to you_ on HN, and your values are certainly not indicative of every other person on this site, either.
|
| Speaking of HN rules, though, you may want to read up on them in the future:
|
| > Please don't post comments saying that HN is turning into Reddit. It's a semi-noob illusion, as old as the hills.
| stirfish wrote:
| I'd argue that threads like this are why interesting leaks show up on 4chan first and not hacker news.
| bheadmaster wrote:
| _You goofy reddit kids, get off my lawHN!_
| belter wrote:
| It's allowed on weekends...casual HN day...
| gtirloni wrote:
| Thanks for adding value to this discussion. /s
| [deleted]
| somat wrote:
| It is unfortunate that this stuff is not open source in the first place.
|
| the pcengines apu2 is currently my preferred small system. one of the things I really like about it is that the firmware is open source. I will probably never need to build my own firmware, but I like knowing that I could.
|
| https://pcengines.github.io/
|
| Having said that, I think there is still a big ol black box of AMD secret sauce in there, sigh, so close yet still so far. why so secretive? what are you trying to hide?
| smoldesu wrote:
| It might not even be legal to ship motherboards with fully open-source firmware, especially if it has WiFi/Bluetooth baked in. Once you add anything related to networking in your stack, the chance of running FOSS firmware goes out the window. It's all very lock-and-key stuff, according to... _<squints at piece of paper>_ ...the United States Government.
| paulryanrogers wrote:
| Why? Because of FCC requirements around radio emissions?
| runnerup wrote:
| Yeah the firmware can control the gain/broadcast power and exceed FCC limits. It can be open source still, but modifying it and running the modified version would invalidate the FCC certification, and running non-certified transmitters is generally frowned upon, often illegal, depending on precise circumstances.
| AngryData wrote:
| And yet I can buy a Mikrotik router that just has dropdown boxes for selecting options that would get the FCC to bust down my door. I think it is far more likely that they just don't want to expose what would then be obvious security vulnerabilities and/or built-in backdoors.
| MrDOS wrote:
| Doesn't Mikrotik have US-specific part numbers that have hardware locks around particular RF features?
| RF_Savage wrote:
| Not even the running, but sale of. If it's too easy to modify then FCC will make its sale illegal.
|
| Nobody wants that risk for their product.
| somat wrote:
| And yet I can buy an sdr 400mhz-6ghz no problem?
|
| sigh, whatever, things are never fair.
|
| I will say the thing that pisses me off about thinkpads is their use of a whitelist to limit radios. their justification for this was the same. "it's certified as a radio antenna pair, the fcc will not let us let you install whatever radio you want" which is bullshit.
| wildzzz wrote:
| The price of an SDR is usually much more than a basic WiFi card so that's kind of the justification for why an SDR doesn't require an FCC license, since it's for experimental purposes and you probably have a good reason to be using one. If you use one outside what you are licensed to do, then expect the FCC to come down on you. The FCC license for consumer goods is a way for a manufacturer to say that the product conforms to the applicable rules so that the FCC doesn't have to worry about every end-user fucking around with the spectrum.
| mmis1000 wrote:
| Actually linux distro package repos have the list and the way to compile and load it into the system, for obvious reasons. (Otherwise how do they compile the wifi drivers for themselves?)
|
| But no one is even going to say how to actually do it publicly because it is illegal to do (and probably also unsafe to do).
| dylan604 wrote:
| Would there be any traction with a mobo that did not have any of that stuff built-in? There's a lot of advantages to no longer needing expansion cards for networking, so I seriously doubt anyone wants to go back to that. A laptop with a bunch of USB dongles connected to a hub could be a doable solve to keep that gear off the mobo.
| p1necone wrote:
| Could you leave an empty socket for a wifi controller chip but still build in the antennas? Although that would likely lock you into whatever chip had the right pin out, which seems a bit pointless.
| dylan604 wrote:
| Seems like this kind of radio chip would be standard pin out in 2022. Could you not just put one of those chips like Broadcom makes that has all the radio formats on it? Even sell it as a "kit" so that it comes with it but you have to install it yourself to meet "regulations" or licensing terms. The first gen of Thunderbolt add-on came as PCIe due to some sort of licensing issue instead of on the mobo directly
| yakak wrote:
| Tivoization features have to prevent you from running other code. Anyone relying on preventing the reading of source to avoid modifications is living on the knife's edge with regulators.
| russdill wrote:
| Apu2 is starting to get rather long in the tooth. Hope there is a refresh soon because it's a great little piece of hardware
| [deleted]

(page generated 2022-10-08 23:00 UTC)