Presented by:

Paul English is CEO of PreOS Security Inc, and has been working in firmware security for a few years. Paul has Bachelors in Computer Science from Worcester Polytechnic Institute, and Paul has been a UNIX & Linux system administrator and wearer of many other IT hats since 1996. From 2014-2017, Paul was a Board member for the League of Professional Systems Administrators (https://lopsa.org), a non-profit professional association for the advancement of the practice of system administration.

LinkedIn: https://www.linkedin.com/in/englishpaul/

Twitter: https://twitter.com/penglish_PreOS

Modern computer systems are comprised of many many microcontrollers, and any peripheral device typically also has at least one. This is often true even of devices designed for extremely low power operation such as IoT.

For all the same reasons you value open source software in your operating system and applications, you should also want open source for your platform firmware.

But even if you're content to run closed-source OS and applications, there is one compelling reason to insist on open source at the hardware level - security. By choosing to trust Microsoft, Apple or Google for software you are making a conscious choice of who to trust. By choosing a given computer, you're ALSO choosing to trust many, if not hundreds of additional parties!

This talk will cover:

  • A few minute recap of why open source matters
  • A longer explanation of the importance for open source in the security domain
  • Examples of platform firmware security and insecurity
  • A note on BSD vs GPL licensing in this domain: Intel ME
  • A discussion of the market dynamics
    • (extremely low) cost of microcontrollers and often the devices they compose
    • Perceived "proprietary value" and licensing issues - the "army of lawyers" problem eg: Intel & AMD microcode
    • Perceived security-through-obscurity
    • Perceived "high" cost of open source participation, and some examples of cheap/low end products not playing by the (GPL) rules
  • A review of some current efforts by large (Intel) and small (Purism) players
  • A discussion of firmware-adjacent software (eg: update mechanisms, certificate management (eg: SecureBoot), etc)

Date:
Duration:
45 min
Room:
Conference:
LinuxFest Northwest 2019
Language:
Track:
Open Source Firmware
Difficulty:
Medium