Re: [Libreboot] Password protected Grub entries

[Beni]

> 
> On 20/05/15 11:30, Beni wrote:
>> To replace a hard drive in a laptop you need to open up at least
>> one screw. If you don't seal your screws and let people open up
>> your laptop, you've got a problem anyway. Everyone can read your
>> libreboot rom and reflash another rom, e.g. one that logs your
>> passphrase somewhere. So that's dangerous anyway.
> 
> You can write-protect the flash chip, in a way that then requires
> external flashing (SPI programmer needed, in other words). This also
> isn't perfect because the attacker can probably use a SPI flasher, but
> with a randomized seal as you have pointed out, you can detect if this
> has occurred.
> 

I still don't get why a seal prevents someone from flashing the chip but
not from replacing the hard drive. You could also check your hard drive
ID to make sure it has not been replaced.

In my opinion the danger of hard drive replacement is the same as
re-flashing the rom.