Let’s Talk about Firmware/BIOS Security

Hey there fellers,

I will take my time to rant even though this might sound childish. I am not here to debate; instead, I'm here to get practical information. Before I go into the practical part, I will write why I'm doing this.

Let me start off by saying that, as a person who knew nothing about firmware security, I learned a lot about it after I had dealt with it. Most people won't even notice there's malware in their firmware, and I would even say most wouldn't care to do something about it unless it interferes with their games and overblown overclock values.

I am utterly dismayed by the lack of interest in firmware security all over the internet. Simple-mindedness and instant gratification is haunting our species like a plague.

Back in the day, when we needed more efficient machines, I could understand people focusing on performance, but now it's just silly when I see hundreds of people talking about overclocking a motherboard while there's no word about the security of it. I want to quote one of my favourite Bible verses here:
"Turning away of the simple will slay them and the complacency of fools will destroy them."

Enough rant because I know the lips of wisdom are closed except to the ears of understanding.

My understanding of security in simple terms:

1- It's not about updating your BIOS or drivers; it has nothing to do with putting trust in a third party.
2- It's about actively tweaking things, disabling unnecessary features you don't need. (Primarily Intel AMT, preventing the BIOS from updating itself etc., but I go even as far as disabling possibly trivial things like PAVP, simply because it's some kind of stupid 'digital rights management' thing that 99% of people never need.)
3- It's about activating security features (Secure Boot, BIOS Guard, BIOS Lock etc.)
4- It's about taking precautions against the manufacturers themselves, simply because it's best to put minimal trust in them. (Disabling ME, disabling the ASUS online firmware update feature.)
5- Minimizing interaction between BIOS and OS (I don't have too many ideas, but disabling SGX, which is useless, disabling VT-d, which is vulnerable... Maybe even tweaking ACPI in a way.)

These are only the things that come to my mind atm. I am by no means an expert, so I will listen to what people have to say.

- How would you secure the firmware by using settings in AMIBCP?

- How would you secure it by other means?
(Perhaps removing unnecessary OROMs and drivers? Making BIOS Lock/BIOS Guard visible in BIOS settings to easily turn them on/off? Taking away the firmware's ability to connect to the internet if possible?)

The BIOS file I will personally work on can be downloaded here:
www. asus. com/motherboards-components/motherboards/tuf-gaming/tuf-h310m-plus-gaming-r2-0/HelpDesk_BIOS/
Oldest one (Ver: 0603 Dated 2019)

I would appreciate it if I am given specific recommendations regarding my mobo, but more general answers are more than welcome!

Edit by Fernando: Thread title customized (to open this discussion for everyone)
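A practical follow-up to point 3 of the list above (enabling Secure Boot and friends): the menu saying "Enabled" is not the same as the platform enforcing it. On a UEFI system the firmware exposes two read-only variables, SecureBoot and SetupMode, and signature checking is only in effect when SecureBoot is 1 and SetupMode is 0 (a board with no enrolled Platform Key sits in Setup Mode and verifies nothing). The following Python script is an added example, not code from this thread or from any poster; it assumes a Linux host with efivarfs mounted at the standard /sys/firmware/efi/efivars path, uses the real EFI global variable GUID, and ships constructed sample byte images so the parsing can be exercised offline.

```python
"""Verify UEFI Secure Boot state from Linux via efivarfs (added example)."""
import os
import struct
from typing import Optional

# Real values: the EFI global variable GUID and the usual efivarfs mount point
EFI_GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS_DIR = "/sys/firmware/efi/efivars"

# Variable attribute bits as defined in the UEFI specification
EFI_VARIABLE_NON_VOLATILE = 0x1
EFI_VARIABLE_BOOTSERVICE_ACCESS = 0x2
EFI_VARIABLE_RUNTIME_ACCESS = 0x4


def parse_efivar(raw: bytes):
    """Split an efivarfs file image into (attributes, payload).

    efivarfs prepends a 32-bit little-endian attribute word to the
    variable's data, so the payload starts at offset 4.
    """
    if len(raw) < 4:
        raise ValueError("efivar image too short to hold the attribute word")
    (attrs,) = struct.unpack("<I", raw[:4])
    return attrs, raw[4:]


def secure_boot_state(secureboot_raw: bytes, setupmode_raw: bytes) -> dict:
    """Interpret SecureBoot and SetupMode variable images.

    'enforcing' is True only when SecureBoot == 1 and SetupMode == 0;
    any other combination means images are not being verified at boot.
    """
    sb_attrs, sb_data = parse_efivar(secureboot_raw)
    _sm_attrs, sm_data = parse_efivar(setupmode_raw)
    secure_boot = bool(sb_data) and sb_data[0] == 1
    setup_mode = bool(sm_data) and sm_data[0] == 1
    return {
        "secure_boot": secure_boot,
        "setup_mode": setup_mode,
        "enforcing": secure_boot and not setup_mode,
        # SecureBoot is normally volatile with BS|RT access; a non-volatile
        # copy would be unusual and worth a second look.
        "secureboot_is_volatile": not (sb_attrs & EFI_VARIABLE_NON_VOLATILE),
    }


def read_efivar(name: str, guid: str = EFI_GLOBAL_GUID) -> Optional[bytes]:
    """Read one variable image from efivarfs; None if absent or unreadable."""
    path = os.path.join(EFIVARS_DIR, f"{name}-{guid}")
    try:
        with open(path, "rb") as f:
            return f.read()
    except OSError:
        return None


def check_live_system() -> Optional[dict]:
    """Evaluate the running machine; None on legacy boot or missing efivarfs."""
    sb = read_efivar("SecureBoot")
    sm = read_efivar("SetupMode")
    if sb is None or sm is None:
        return None
    return secure_boot_state(sb, sm)


# Constructed sample images: attribute word BS|RT (0x6), then one data byte
SAMPLE_SB_ON = bytes([0x06, 0x00, 0x00, 0x00, 0x01])
SAMPLE_SB_OFF = bytes([0x06, 0x00, 0x00, 0x00, 0x00])
SAMPLE_USER_MODE = bytes([0x06, 0x00, 0x00, 0x00, 0x00])   # SetupMode = 0
SAMPLE_SETUP_MODE = bytes([0x06, 0x00, 0x00, 0x00, 0x01])  # SetupMode = 1

if __name__ == "__main__":
    live = check_live_system()
    if live is None:
        print("No UEFI variables found (legacy BIOS boot or efivarfs not mounted)")
    else:
        print(live)
```

Run it as root (or any user with read access to efivarfs) after flipping settings in the BIOS menu; if "enforcing" comes back False while the menu says Secure Boot is on, the usual cause is a missing Platform Key, i.e. the board is still in Setup Mode.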

@Salta.K : Welcome to the Win-RAID Forum!
Since your thoughts and questions are not related to a specific mainboard manufacturer and model, I have customized the thread title.
If you should not be satisfied with the new title, you can (re-)change it at any time by editing the start post.
Good luck!
Dieter (alias Fernando)

SGX is useless? Haven't seen SGX turned on by default on any PC btw.

I usually see it as 'software controlled', and yes, it has no use 99.99% of the time, so I'd rather have it not listen to what's happening inside the OS.

I think if it has no memory assigned it does almost or completely nothing.

Unless someone finds a way to make it do something. That’s why I disable or even better remove things when possible.

Off topic suggestion to readers: If you want to remove what bothers you from Windows images you should get NTLite.

With this, could I add functions not found in the IFR file in the BIOS, such as disabling or decreasing the VRAM of the iGPU?

If not found, then they do not exist in the code.

EDIT: Praying has nothing to do with what to "expect" from it; not my kind of path for the "unknown". Leave faith/religion out of this.

The only way is to put in the BIOS of another computer and pray that it works?

We need to work on creating custom firmware, maybe EDK2 based? We have the skill set amongst us, I'm sure of it. Can we do it?