2023-10-11 –, Main Track
This talk is going to tell the tale of a critical security vulnerability that was found a year after launch on the RK3288 ("veyron") family of Chromebooks and allowed bypassing the entire secure boot stack. It will explain the technical details of this vulnerability, why it was overlooked in the first place, the tricky process to mitigate it, and finally give a real answer to this guy's stack overflow question: https://superuser.com/questions/1399681/what-is-the-gpt-header-signature-for
This talk is going to tell the tale of a critical security vulnerability that was found a year after launch on the RK3288 ("veyron") family of Chromebooks and allowed bypassing the entire secure boot stack. It will explain the technical details of this vulnerability, why it was overlooked in the first place, the tricky process to mitigate it, and finally give a real answer to this guy's stack overflow question: https://superuser.com/questions/1399681/what-is-the-gpt-header-signature-for
This is not really supposed to be an educational talk that teaches new concepts or presents new work. It's more of a "story time" talk that provides a cautionary tale about how even the slightest misunderstandings about hardware behavior and insufficient testing for new changes late in the product development cycle can have catastrophic effects on security guarantees. I hope attendees just might find it interesting to hear examples of how even at companies like Google we can make really bad mistakes from time to time and then have to scramble to deal with them with millions of users on the line.
I am a tech lead for Arm firmware and firmware security in Google's ChromeOS team and have been working on Chromebook firmware for over 10 years. I am also an active maintainer in the coreboot and Trusted Firmware projects.