Supposing there is private/secret data on a machine (i.e. an x86 arch), the most reasonable thing to me would be to encrypt this data, so as to protect it.
I understand that the purpose of secured, safe, untampered & secret data is only served when the key/passphrase is kept safe. Also I know that, as there is software necessary for the de-/encryption, I have to some degree trust this software (i.e. I need to trust the Linux kernel, GNU software, the LUKS framework for Linux-based disk encryption, etc.). Being mostly open source, an audit of the software mentioned above might seem at least possible.
Still, what about the PC BIOS software? The most common thing is that it is a proprietary (closed source) piece of code. Theoretically, and I think practically, there is a good chance that some malware in the PC BIOS is setting up a keylogger --> passphrase is captured --> data safety is nil. (Right?)
Also I have just started hearing (with some shock) about the x86 feature of the Secured Management Mode (SMM), which it seems can be exploited to work in a bluepill fashion with some rootkit. Again, this could do arbitrary mischief and of course seems to break my encryption purpose by logging the keys.
Even worse, I wonder about the option ROM thing in the BIOS. To my understanding the PC BIOS would load code from a device (like a network card chip) and execute(!!!) it. So at worst a Chinese/American/German (name any other untrusted country/organisation of your choice) manufacturer could build devices that act as some kind of computer virus (using this option ROM feature).
With all that, I really wonder about the value of disk encryption if there is so much unknown and danger before the (maybe trusted - because open source) Linux kernel runs.
Honestly, if I were to create a rootkit I would also seek to put (or anchor) it somewhere in the TPM, PC BIOS, option ROMs, kernel etc. Only for the kernel is there some trust.
I would be very happy to hear your thoughts.
Good questions like:
- How to check the integrity of my BIOS? or
- Tamper-proof BIOS password & settings storage with Trusted Platform Module?
give insight mostly about how to keep the PC BIOS free/safe from malware etc., but my paranoia is also about not knowing what the BIOS does (closed source) in the first place.
Update
About the threat from changing/tampering the BIOS code, I wonder if the LinuxBIOS or coreboot (www.coreboot.org) projects do not show both the possibility of modifying the BIOS with one's own (also malware's) code and the option to do this on purpose for security reasons. After all, a self-written or, at second best, open source BIOS seems doable, as the things a BIOS does are not "the world" (just some initialization work). So I still fear that - given the hardware documentation or reverse engineering - it is doable to create a malware BIOS and deploy it (see the flashrom.org tool).
Update: Another source showing the problem of proprietary firmware/hardware is http://arstechnica.com/security/2015/02/how-omnipotent-hackers-tied-to-the-nsa-hid-for-14-years-and-were-found-at-last/
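Added example, not part of the question above and not code from any project it names: the option ROM mechanism the question worries about is a documented legacy PCI expansion ROM format, and a short parser shows what the BIOS actually checks before executing such a ROM (the 0x55AA signature, the size field, the "PCIR" data structure, and a byte checksum over the image) and why that check is not tamper evidence. The ROM image below is constructed in-script; the vendor/device IDs and the offsets chosen for the PCIR structure and the init code are this example's own assumptions, not values from any real device. The tampering step patches the code bytes and re-balances the checksum, which is exactly what a hostile manufacturer or a flash rewrite would do, so the only thing that still detects it is a hash compared against a known-good dump.

```python
import hashlib
import struct

ROM_SIGNATURE = b"\x55\xAA"   # legacy expansion ROM header magic the BIOS scans for
PCIR_OFFSET = 0x20            # assumption for this example: where we place the PCI Data Structure
CODE_OFFSET = 0x40            # assumption for this example: where we place the ROM's init code


def fix_checksum(image: bytearray) -> bytearray:
    """Set the last byte so that all bytes of the image sum to 0 mod 256 (the check a BIOS performs)."""
    image[-1] = 0
    image[-1] = (-sum(image)) & 0xFF
    return image


def build_option_rom(code: bytes, vendor_id: int, device_id: int, size_units: int = 1) -> bytes:
    """Construct a minimal legacy x86 PCI option ROM image (constructed sample data, not a real ROM)."""
    image = bytearray(size_units * 512)
    image[0:2] = ROM_SIGNATURE
    image[2] = size_units                            # image size in 512-byte units
    # offset 3: entry point the BIOS far-calls after POST; here a short jmp to CODE_OFFSET
    # (rel8 = 0x40 - 5, i.e. relative to the byte after the 2-byte jmp), padded with a nop
    image[3:6] = b"\xEB\x3B\x90"
    struct.pack_into("<H", image, 0x18, PCIR_OFFSET)  # pointer to the PCI Data Structure
    pcir = bytearray(0x18)
    pcir[0:4] = b"PCIR"
    struct.pack_into("<HH", pcir, 4, vendor_id, device_id)
    struct.pack_into("<H", pcir, 0x0A, 0x18)          # length of the PCIR structure
    struct.pack_into("<H", pcir, 0x10, size_units)    # image length in 512-byte units
    pcir[0x14] = 0x00                                 # code type 0 = x86 legacy (3 would be UEFI)
    pcir[0x15] = 0x80                                 # indicator bit 7: last image in this ROM
    image[PCIR_OFFSET:PCIR_OFFSET + 0x18] = pcir
    image[CODE_OFFSET:CODE_OFFSET + len(code)] = code
    return bytes(fix_checksum(image))


def parse_option_rom(image: bytes) -> dict:
    """Walk the header the way a BIOS does before deciding whether to execute the ROM."""
    if image[:2] != ROM_SIGNATURE:
        raise ValueError("no 55AA signature")
    size = image[2] * 512
    if size == 0 or size > len(image):
        raise ValueError("size field out of range")
    pcir_off = struct.unpack_from("<H", image, 0x18)[0]
    if image[pcir_off:pcir_off + 4] != b"PCIR":
        raise ValueError("PCI data structure missing")
    vendor_id, device_id = struct.unpack_from("<HH", image, pcir_off + 4)
    return {
        "size": size,
        "entry": bytes(image[3:6]),
        "vendor_id": vendor_id,
        "device_id": device_id,
        "code_type": image[pcir_off + 0x14],
        "last_image": bool(image[pcir_off + 0x15] & 0x80),
        # the checksum only guards against corruption; anyone who can write the ROM can fix it up
        "checksum_ok": (sum(image[:size]) & 0xFF) == 0,
    }


def tamper(image: bytes, offset: int, payload: bytes) -> bytes:
    """What a hostile manufacturer or a flash rewrite does: patch the code, re-balance the checksum."""
    patched = bytearray(image)
    patched[offset:offset + len(payload)] = payload
    return bytes(fix_checksum(patched))


def fingerprint(image: bytes) -> str:
    """The check that still works: compare a dump against a hash taken from a known-good image."""
    return hashlib.sha256(image).hexdigest()


if __name__ == "__main__":
    # constructed IDs, not a real vendor/device; init code is just HLT instructions
    good = build_option_rom(b"\xF4" * 8, vendor_id=0xABCD, device_id=0x0001)
    baseline = fingerprint(good)
    print("good ROM:", parse_option_rom(good))
    # replace the init code with an infinite loop (jmp $) and re-balance the checksum
    evil = tamper(good, CODE_OFFSET, b"\xEB\xFE")
    print("tampered ROM:", parse_option_rom(evil))        # checksum_ok is still True
    print("hash matches baseline:", fingerprint(evil) == baseline)  # False: only the hash catches it
```

Run it as is; the tampered image parses as a perfectly valid ROM with a passing checksum, and only the SHA-256 comparison against the baseline dump differs. That is the practical answer to "how do I check the integrity of my BIOS/option ROM": a dump (e.g. with flashrom) compared against a trusted reference hash, not any self-check the image carries.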