Comment by workrockin
7 years ago
First of all love it that someone is thinking about bootloaders. Thank you and I hope you're successful in this project.
I think that the article though is only targeted towards desktop PC/laptop/servers and mobile phones. Also not sure whether the it is talking about first level bootloader vulnerabilities or of second level bootloader vulnerabilities.
In the embedded world there often is no second stage loading, there are simply bootloaders. There are many, many bootloaders and opensource is the most popular option here, both first and second level.
Here's a table of hardware filtered by the booloaders used
https://openwrt.org/toh/views/toh_admin_bootloader
- around 800 device types use uboot
- around 200 use cfe
Both of them are opensource.
I think we can use the research done opensource router os like openwrt[1] to design a BIOS that works across all devices. One interesting point to note here is that in many routers entire bootloader can be replaced easily using network booting. It takes seconds to flash the ROM (network booting is in-secure in theory but secure in practical since you need physical connectivity to book via a network).
While many modern machines support network booting,replacing the first level bootloader (BIOS) is (impossibly) hard.
Distributions of linux use GRUB which is nice and also opensource. But again its a second stage bootloader that comes into play after BIOS (first stage bootloader) has been executed.
I'd love to see more development in u-boot as they have already done the hard work of supporting multiple devices [2] and amazingly they also support direct booting from an SD card (not an sd card adapter via a usb stick).
Here is the list of architectures supported
/arc
/arm
/m68k
/microblaze
/mips
/nds32
/nios2
/openrisc
/powerpc
/riscv
/sandbox
/sh
/x86
Another key point to note is as a user there is very little control that I have on my bootloader (first level). Since it is loaded from a ROM which I can't replace/rewrite even if opensource firmware exists I can't use it. While I can install a new operating system I have not found any easy way to switch firmwares. Unless a project like linux foundation takes it up and brings together the stake holders to use an opensource firmware I think it will be really difficult to get adoption.
On the other hand bootloader is probably the only piece of software left that gives device manufactures some kind of control over their hardware. What's in it for them to use a free opensource technology?
No comments yet
Contribute on Hacker News ↗