I think I've seen this before in an HPC context. But they've built a firmware distribution called Heads. It boots using coreboot then fires up a Linux kernel from flash.
The kernel is then used as a second stage bootloader. It takes about 2 seconds to get Linux booted from flash.
They can then boot the system OS, optionally using kexec to smoothly transition to the system kernel.
Very neat! Along the way they've also done other important work, like put together a minimal firmware for the Management Engine (a second CPU in Intel systems with its own OS, and many many issues).
The biggest problem here is the same issue that coreboot has. Coreboot support is really limited. I think it only supports Lenovo X220s, but last time I looked, not much modern hardware.
> put together a minimal firmware for the Management engine
I thought that management engine CPU was still a black box, and the best anyone has done is neuter the firmware running there by judiciously zeroing bits out.
What would be really interesting is to use this with a UAF/U2F. The TPM produces a value, and this value could be used the same way the domain name gets used in 'normal' UAF/U2F (as the AppID). The UAF/U2F authenticator would only sign the challenge if the TPM is correct, saving you from the Evil Maid attack. This is the same mechanism that protects from phishing on the web.
Then you can validate the signed token, and if everything is correct you can use the TPM value to decrypt the hard disk.
Right now I am using my remembered password plus static password mode of my Yubikey to have a fake 2FA decryption requirement on boot but UAF/U2F would be way cooler.
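The flow sketched in the comment above (TPM measurement as the U2F AppID, authenticator signs a challenge, boot stage validates the signature, then derives the disk key from the TPM value), as an added example that is not part of the original thread and not Heads' own code. Everything here is constructed: the firmware images are sample byte strings, a SHA-256 over the image stands in for a TPM PCR value, and the authenticator derives per-AppID keys with HMAC, so HMAC-SHA256 stands in for the ECDSA signature a real U2F token would produce. Because the stand-in is symmetric, the stored verification key would have to be kept secret; a real token's verification key is public, which is the property that makes the design workable.

```python
import hashlib
import hmac
import secrets

# Constructed sample firmware images (not real Heads/coreboot builds).
GOOD_FIRMWARE = b"heads-coreboot-image-v1 (constructed sample)"
TAMPERED_FIRMWARE = b"heads-coreboot-image-v1 + evil-maid patch (constructed sample)"


def tpm_measure(firmware: bytes) -> bytes:
    """Stand-in for a TPM PCR value: a hash over the measured firmware image.

    A modified boot firmware therefore produces a different value, and it is
    this value that the comment proposes to use as the U2F AppID.
    """
    return hashlib.sha256(b"PCR0|" + firmware).digest()


class ToyAuthenticator:
    """Toy UAF/U2F-style authenticator (assumption: HMAC replaces ECDSA).

    Like a real token it never reveals its device secret and only produces a
    signature under the AppID it is handed at authentication time.
    """

    def __init__(self) -> None:
        self._device_secret = secrets.token_bytes(32)

    def _app_key(self, app_id: bytes, key_handle: bytes) -> bytes:
        # Per-registration key bound to (AppID, key handle); real tokens derive
        # an ECDSA key pair the same way from a device secret.
        return hmac.new(self._device_secret, app_id + key_handle, hashlib.sha256).digest()

    def register(self, app_id: bytes):
        key_handle = secrets.token_bytes(16)
        # Real U2F returns a public key; the toy returns the derived MAC key,
        # which the boot stage keeps as its verification key.
        return key_handle, self._app_key(app_id, key_handle)

    def authenticate(self, app_id: bytes, key_handle: bytes, challenge: bytes) -> bytes:
        # The signed message covers the AppID, so a signature made under a
        # different TPM value cannot be replayed against the genuine one.
        return hmac.new(self._app_key(app_id, key_handle), app_id + challenge, hashlib.sha256).digest()


def derive_disk_key(tpm_value: bytes) -> bytes:
    """The comment's last step: the TPM value itself feeds the disk key."""
    return hashlib.sha256(b"disk-key|" + tpm_value).digest()


def provision(auth: ToyAuthenticator, firmware: bytes):
    """Enrol the token against the known-good firmware measurement.

    Returns the record the boot stage stores, plus the disk key it protects.
    """
    app_id = tpm_measure(firmware)
    key_handle, verify_key = auth.register(app_id)
    record = {"key_handle": key_handle, "verify_key": verify_key}
    return record, derive_disk_key(app_id)


def attempt_unlock(auth: ToyAuthenticator, record: dict, firmware: bytes):
    """Boot-time check: returns the disk key on success, None on refusal."""
    app_id = tpm_measure(firmware)           # current measurement becomes the AppID
    challenge = secrets.token_bytes(32)      # fresh challenge, so nothing replays
    signature = auth.authenticate(app_id, record["key_handle"], challenge)
    expected = hmac.new(record["verify_key"], app_id + challenge, hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        return None                          # wrong firmware or wrong token: refuse
    return derive_disk_key(app_id)


if __name__ == "__main__":
    token = ToyAuthenticator()
    stored, disk_key = provision(token, GOOD_FIRMWARE)
    print("genuine firmware unlocks:", attempt_unlock(token, stored, GOOD_FIRMWARE) == disk_key)
    print("tampered firmware unlocks:", attempt_unlock(token, stored, TAMPERED_FIRMWARE) is not None)
    print("other token unlocks:", attempt_unlock(ToyAuthenticator(), stored, GOOD_FIRMWARE) is not None)
```

The two refusal cases are the point: a tampered firmware changes the measurement, so the token signs under a different AppID and the boot stage's verification fails; a different token fails because it never registered under that AppID at all. In both cases the disk key is never derived.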
An unrelated but interesting point he noted was that Apple are one of the only vendors that provide long term firmware updates (he mentioned 8 years). It's a shame nobody else really does this.
Does that even work? Have they got some code on the back end that alerts as soon as an admin name is mentioned? Or do you just assume they read everything? (Do they!?)
Please don't post on HN to ask or tell us something (e.g. to ask us
questions about Y Combinator, or to ask or complain about moderation).
If you want to say something to us, please send it to hn@ycombinator.com.
But the title of the talk is actually "Bootstraping [sic] a slightly more secure laptop." Look at the first slide.