FlashKeeper: where SpiSpy meets Stateless Laptop jaded dreams: A retrofit plan first
09-20, 15:10–15:40 (Europe/Berlin), Social Hub Main Room

Flashkeeper: a device that can be permanently installed on common SOIC-8/WSON flash chips.

It attaches to the chip either by being soldered or with a peel-and-stick layer and spring-loaded contacts/low-profile solder-down flex cable (solderless), interfacing with the SPI flash pins for easy PCH<->SPI introspection, write protection, and external reprogramming (unbricking).

For users concerned with physical attacks on their systems, for whom easy access to SPI flash pins may be seen as a risk, a variant including a microcontroller (MCU/FPGA) will also be developed, allowing authenticated external reprogramming and Write Protection (WP) control; independently verifying the SPI flash image/bootstream against a user-controlled detached signature of it at each boot, prior of the platform owner typing any requested secret leading to booting the Operating System (OS): trusting the state of the bootchain.

An Nlnet funded project.


Direct presentation link


References:

See also: Slides (LibreOffice Presenter ODP) (1.3 MB)

Heads maintainer, Accessible Security evangelist, full time Open Source Firmware, linux plumber by need.

This speaker also appears in: