Seeking Clarification About Netgate SG-1100 Firmware Protection, and ARM Processor from hacking and any back doors
-
Hello fellow pfSense enthusiasts,
I hope you're all doing well. I have been thoroughly impressed by the capabilities of the Netgate SG-1100 router appliance. Today, I'm reaching out to our knowledgeable community to gain a better understanding of a few aspects related to the SG-1100's hardware and firmware.
1 Hardware Architecture and Firmware:
I've always been intrigued by the hardware that drives pfsense networking solutions. Specifically, I'm curious about the Netgate SG-1100's hardware architecture. Could anyone shed light on the specific components that facilitate the boot-up process and provide low-level control over the hardware? Is there a similarity to the BIOS in traditional PCs, or does the SG-1100 utilize alternative components for managing firmware functions?2 Firmware Protection and Microchip
CryptoAuthentication:
I've read about the Microchip CryptoAuthentication feature in the Netgate SG-1100, which enhances software verification and security. It's a great addition to ensure the validity of software. However, my inquiry pertains to the protection of the unaltered firmware itself. While CryptoAuthentication offers robust software validation, I'm interested in learning more about the mechanisms that safeguard the integrity and authenticity of the unaltered firmware before software validation. Are there specific measures in place to prevent unauthorized modification or tampering of the original firmware?3 ARM Processor and Remote Management:
Given that the Netgate SG-1100 is built around an ARM processor, I'm curious to know whether this processor architecture allows for remote management capabilities. Many processors, such as Intel and AMD comes with remote management features that might interact with the hardware firmware, potentially creating a backdoor unknown to the pfSense software. Can anyone shed light on whether the ARM processor in the SG-1100 poses any similar concerns for remote management?Thank you all for your time and expertise. Your insights would greatly contribute to enhancing our understanding of this remarkable piece of hardware.
Best regards,
-
Why did you take a SG-1100 as an example ?
Why not any ARM based device ? so take your phone.
And why ARM ? "Intel/AMD" : same story.
BIOS, or more general, firmware, can often (not always) be updated.Even today's processors can update their internal opcode-decode (== firmware) memory, so instruction set can get extended ? modified ?
How is this protected ?
You won't find that info here on this forum. You need an ARM or Intel hardware forum.
Btw : Am I the only one asking Ben Eater to do a video about a home build "Xeon" system (instead of a 6502) ?@JustCuriose said in Seeking Clarification About Netgate SG-1100 Firmware Protection, and ARM Processor from hacking and any back doors:
the Netgate SG-1100 is built ARM processor, I'm curious to know whether this processor architecture allows for remote management capabilities
"Remote management" has nothing to do with the processor choice.
I can remote manage my coffee machine also, don't know what processor it has.@JustCuriose said in Seeking Clarification About Netgate SG-1100 Firmware Protection, and ARM Processor from hacking and any back doors:
potentially creating a backdoor unknown
I've just enlarged you picture a "little bit", as nearly every device today (PC's, phones, cars, everything) has the possibility to upgrade it's firmware. "Because we love progress".
( and if this not possible, some nut will change the ROM chips over night, leaving you with the same issue )Back to "potential backdoor" issues : I advice you to check under what conditions firmware upgrading is possible, how it is done.
-
The 1100 is almost the same as the Espressobin which is well documented:
https://espressobin.net/tech-spec/Steve
-
Hello @Gertjan
You've brought up some excellent points and questions regarding firmware, processors, and remote management capabilities. Let's address them one by one:Choice of SG-1100 as an Example:
You asked why the Netgate SG-1100 was chosen as an example, and why ARM processors specifically. This choice was likely made because the SG-1100 is a well-known hardware appliance that runs pfSense. It serves as a practical example for discussing firmware and hardware-related topics. ARM processors are also widely used in embedded systems, making them relevant to this discussion.Firmware Updates: SAFE BOOT
You mentioned that even modern processors can update their internal opcode-decode memory (firmware) to extend or modify their instruction sets. This is indeed true. Firmware updates are common for both processors and other hardware components. However, the specifics of how firmware updates are protected and executed can vary between devices and manufacturers. In some PC their is something called as safeboot, Pfsense has a chip to protect the pfsense unalterably software but does it has a mechanism similar to safe boot ?Protection of Firmware Updates:
You rightly pointed out that discussing the detailed mechanisms for protecting firmware updates is beyond the scope of this forum. For in-depth information, it's often best to consult hardware-specific forums or the manufacturer's documentation. They can provide insights into the security measures in place to prevent unauthorized firmware modifications and potential backdoors.Remote Management and Processor Choice:
You clarified that remote management capabilities are not inherently tied to the choice of processor architecture. Indeed, remote management can be implemented on a wide range of devices, regardless of the processor used. It's more about the features and capabilities integrated into the device rather than the processor itself.Concerns About Backdoors:
Your point about the potential for backdoors due to firmware upgrades is valid. Firmware upgrades can introduce vulnerabilities if not handled properly. It's important for users to understand under what conditions firmware upgrades are possible and how they are carried out to mitigate potential security risks. -
Something popped up into my mind when I saw your post :
You didn't mention the 3 letter word that Microsoft now wants to be present : TPM. A physical chip on the motherboard.
Without it, there is no direct access to Windows 11.
Its all (among others) about protecting safe booting - and protecting the boot process.Checkout Youtube and look for Lojax. I didn't found any in-depth articles (videos) but it's pretty nasty.
On the other hand : if a boot virus is present on your system, some one had to have access to your system, with root rights, and install it. IMHO, the moment they login, the system is already considered 'dead'
