no, it's possible to overwrite the BIOS chip without an external programmer on some devices
Comrade, it has not been possible to overwrite a bios chip without an external programmer since like 2006. When you update your BIOS's firmware, the existing BIOS verifies the new BIOS file using a PGP signature to check if the file has been approved by the manufacturer. This is in some ways a good thing because otherwise getting a computer virus would brick your PC by hijacking your BIOS.
2006 was a date from my own personal experience. However, here is a document from the National Institute of Standards and Technology (NIST) US government agency. The document is called 800-147 Bios Protection Guidelines, published in April 2011. I am not positive that every manufacturer follows these guidelines but I did see that Dell and ASUS say on their website that all products comply with this document. It is at the very least an industry standard.
If you go to page 6 of the document, it says "Unauthorized modification of BIOS firmware by malicious software constitutes a significant threat because of the BIOS’s unique and privileged position within the PC architecture. A malicious BIOS modification could be part of a sophisticated, targeted attack on an organization—either a permanent denial of service (if the BIOS is corrupted) or a persistent malware presence (if the BIOS is implanted with malware)."
The document then recommends the following guidelines for computer manufacturers to secure the BIOS, which as I mentioned in my previous post, prevents the installation of bios files which do not match the manufacturer's digital signature.
Security guidelines are specified for four system BIOS features:
• The authenticated BIOS update mechanism, where digital signatures prevent the installation of BIOS update images that are not authentic.
• An optional secure local update mechanism, where physical presence authorizes installation of BIOS update images.
• Integrity protection features, to prevent unintended or malicious modification of the BIOS outside the authenticated BIOS update process.
• Non-bypassability features, to ensure that there are no mechanisms that allow the system processor or any other system component to bypass the authenticated update mechanism.
So yes, I am claiming that is impossible to flash a third-party BIOS without an external programmer on most computers. Considering this was the industry standard in 2011, many computers had this protection before 2011, and even more protections have been added since then.
your argument wasn't that it was impossible on most computers (I've already agreed that it's only possible on certain devices released after the point where BIOS flashing protection became widespread), it was that
it has not been possible to overwrite a bios chip without an external programmer since like 2006
and even if you update that to 2011, it's entirely possible to do on certain systems manufactured after that date using exploits
your argument wasn't that it was impossible on most computers
No. This is not at all what I have been speaking about. In my original post I said that most computers have hardware backdoors and that IME is one example. You said that IME can be neutered. I have been describing to you why that is impractical. I also said that we don't know if the ME neuter is even safe. I have been speaking in terms of practicality. My post from the very start describes how difficult it is to use me_cleaner. I mentioned that it was something that I have actually done myself using an external flasher. I spoke from my own personal experience to say how impractical it would be to expect any other person to use me_cleaner. It is extremely difficult to use me_cleaner by an external flasher. It is extremely difficulty or impossible in most circumstances to use me_cleaner by internal flasher. I would be surprised if there was 1 other person on hexbear who has actually used me_cleaner. I hope you try it.
No. This is not at all what I have been speaking about.
I quoted you directly claiming that it was impossible; I'm not sure how else to interpret "it has not been possible to overwrite a bios chip without an external programmer since like 2006"
we don’t know if the ME neuter is even safe
no, but it's certainly worth noting that various US three-letter agencies seem to think so, considering they told Intel to include a hidden kill switch
I hope you try it
I have, without using an external programmer, on a computer released after 2011
Comrade, it has not been possible to overwrite a bios chip without an external programmer since like 2006. When you update your BIOS's firmware, the existing BIOS verifies the new BIOS file using a PGP signature to check if the file has been approved by the manufacturer. This is in some ways a good thing because otherwise getting a computer virus would brick your PC by hijacking your BIOS.
are you claiming that it's impossible to flash a third-party BIOS on post-2006 systems without an external programmer?
2006 was a date from my own personal experience. However, here is a document from the National Institute of Standards and Technology (NIST) US government agency. The document is called 800-147 Bios Protection Guidelines, published in April 2011. I am not positive that every manufacturer follows these guidelines but I did see that Dell and ASUS say on their website that all products comply with this document. It is at the very least an industry standard.
https://www.nist.gov/publications/bios-protection-guidelines
If you go to page 6 of the document, it says "Unauthorized modification of BIOS firmware by malicious software constitutes a significant threat because of the BIOS’s unique and privileged position within the PC architecture. A malicious BIOS modification could be part of a sophisticated, targeted attack on an organization—either a permanent denial of service (if the BIOS is corrupted) or a persistent malware presence (if the BIOS is implanted with malware)."
The document then recommends the following guidelines for computer manufacturers to secure the BIOS, which as I mentioned in my previous post, prevents the installation of bios files which do not match the manufacturer's digital signature.
So yes, I am claiming that is impossible to flash a third-party BIOS without an external programmer on most computers. Considering this was the industry standard in 2011, many computers had this protection before 2011, and even more protections have been added since then.
your argument wasn't that it was impossible on most computers (I've already agreed that it's only possible on certain devices released after the point where BIOS flashing protection became widespread), it was that
and even if you update that to 2011, it's entirely possible to do on certain systems manufactured after that date using exploits
No. This is not at all what I have been speaking about. In my original post I said that most computers have hardware backdoors and that IME is one example. You said that IME can be neutered. I have been describing to you why that is impractical. I also said that we don't know if the ME neuter is even safe. I have been speaking in terms of practicality. My post from the very start describes how difficult it is to use me_cleaner. I mentioned that it was something that I have actually done myself using an external flasher. I spoke from my own personal experience to say how impractical it would be to expect any other person to use me_cleaner. It is extremely difficult to use me_cleaner by an external flasher. It is extremely difficulty or impossible in most circumstances to use me_cleaner by internal flasher. I would be surprised if there was 1 other person on hexbear who has actually used me_cleaner. I hope you try it.
I quoted you directly claiming that it was impossible; I'm not sure how else to interpret "it has not been possible to overwrite a bios chip without an external programmer since like 2006"
no, but it's certainly worth noting that various US three-letter agencies seem to think so, considering they told Intel to include a hidden kill switch
I have, without using an external programmer, on a computer released after 2011