by cassidyjames 3124 days ago
System76 employee here. I suppose the "automatic" could be re-worded; the data is automatically pushed to the machine but then the user always opts into the actual install.

But on the other hand, System76 customers are trusting that System76 hasn't been hacked or coerced to ship malicious firmware from the factory in the first place. These updates are signed and verified with industry best practices.

jackpot51 (the System76 engineer currently working on this) could probably detail it better than I can, though.


This sounds pretty good. But just to finish exploring this:

> But on the other hand, System76 customers are trusting that System76 hasn't been hacked or coerced to ship malicious firmware from the factory in the first place

I think it's reasonable to feel differently about those two risks.

Most notably, you only get one chance to load malware at the factory, whereas you have an infinite number of chances to push malware as a software update after that. It's harder for you to avoid being compromised forever than to avoid it at one specific moment. One person on your team could probably get malware signed and distributed as a targeted update without anyone else knowing, whereas doing it in the factory might take more coordination.

It's also tidier from an attacker's perspective to deliver malware just-in-time to a specific user, rather than to everyone, or to a machine that you hope will end up in the hands of the target weeks/months later. It's less detectable.

If you have a way to avoid being able to infer (e.g. by their IP address, correlated with other records) which human is asking for a firmware update file (or any update file) at the time it's downloaded, I recommend taking steps to deny yourself that knowledge.

Is the user intervention required to install the firmware or do you still have the capability to install it without asking? Just because you ask for permission now does not mean that you have to.

Why push the firmware before asking?

I asked David Jordan, the engineer working on the firmware updater.

>Not only aren't updates initiated without permission, I wrote the code to make that literally impossible without changes to the installed python code.

The code is available at https://github.com/pop-os/system76-driver and https://github.com/system76/firmware-update

Thanks for the reply! So you can push an update to the python code that allows you to push an update to the firmware without prompting? Sounds like we still rely on the security of your systems to prevent malicious firmware from being pushed.
Well... yeah? They're the OS vendor; there is literally no way for them to do their job without having the ability to update the system.
Yes they have to be able to update the system but in this case they are also able to update the firmware without asking which means anyone who can impersonate or coerce them can also update the firmware.
If you control the OS, you also control the firmware (if you want a way to install new firmware from the OS). No way around.
Since the firmware updater is a Python program, you can audit the source code by looking at the relevant directory in site-packages before you accept. If you're really paranoid you can set up a periodic script that sends you an email if the contents of that directory change.
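The periodic "tell me if that directory changed" script suggested above, worked through as an added example. This is not code from the system76-driver or firmware-update projects: it hashes every file under a directory (say, the updater's package directory in site-packages), stores a baseline manifest, and on later runs reports what was added, removed, or changed. The directory layout, file names, and manifest location used in the demo are constructed for illustration.

```python
"""Baseline-and-diff integrity check for an installed Python package directory.

Added example, not code from system76-driver or firmware-update: it records a
SHA-256 manifest of every file under a directory (for instance the updater's
site-packages directory) and reports files added, removed, or changed since
the manifest was written. Paths and the manifest file name are assumptions.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path

# Directories the interpreter regenerates on its own and that would only add
# noise. Dropping them means a planted .pyc would not be seen; keep
# __pycache__ in the walk if that matters in your threat model.
SKIP_DIRS = {"__pycache__"}


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files are not loaded whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each regular file (relative POSIX path) under root to its SHA-256."""
    manifest: dict[str, str] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune skipped dirs in place so os.walk does not descend into them.
        dirnames[:] = sorted(d for d in dirnames if d not in SKIP_DIRS)
        for name in sorted(filenames):
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue  # symlinks are not hashed; they could point anywhere
            manifest[p.relative_to(root).as_posix()] = hash_file(p)
    return manifest


def diff_manifests(old: dict[str, str], new: dict[str, str]) -> dict[str, list[str]]:
    """Return sorted lists of added, removed and changed paths."""
    old_keys, new_keys = set(old), set(new)
    return {
        "added": sorted(new_keys - old_keys),
        "removed": sorted(old_keys - new_keys),
        "changed": sorted(k for k in old_keys & new_keys if old[k] != new[k]),
    }


def save_manifest(manifest: dict[str, str], path: Path) -> None:
    path.write_text(json.dumps(manifest, indent=1, sort_keys=True))


def load_manifest(path: Path) -> dict[str, str]:
    return json.loads(path.read_text())


def check(root: Path, manifest_path: Path) -> dict[str, list[str]]:
    """Compare the tree under root against a stored manifest.

    On the first run (no manifest yet) the current state becomes the baseline.
    The manifest must live outside root, ideally off-host or on read-only
    media: anyone able to rewrite site-packages can rewrite a co-located file.
    """
    current = build_manifest(root)
    if not manifest_path.exists():
        save_manifest(current, manifest_path)
        return {"added": sorted(current), "removed": [], "changed": []}
    return diff_manifests(load_manifest(manifest_path), current)


def demo() -> dict[str, list[str]]:
    """Constructed sample tree: take a baseline, tamper with it, report the delta."""
    root = Path(tempfile.mkdtemp(prefix="pkg-"))
    (root / "updater.py").write_text("def run():\n    return 'prompt user'\n")
    (root / "lib").mkdir()
    (root / "lib" / "verify.py").write_text("def verify(sig):\n    return True\n")
    (root / "__pycache__").mkdir()
    (root / "__pycache__" / "updater.pyc").write_bytes(b"\x00")  # ignored via SKIP_DIRS

    manifest_path = Path(tempfile.mkdtemp(prefix="baseline-")) / "manifest.json"
    check(root, manifest_path)  # first run: writes the baseline

    # Simulated tampering: prompt removed, verify module deleted, new file dropped in.
    (root / "updater.py").write_text("def run():\n    return 'install silently'\n")
    (root / "lib" / "verify.py").unlink()
    (root / "hook.py").write_text("# dropped in later\n")
    return check(root, manifest_path)


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind}: {p}")
```

Run `check()` from a cron job or systemd timer and mail any non-empty result. Two caveats apply to the approach, not just this script: it detects a change after the fact rather than preventing it, and a root-level update that replaces the package can also replace the manifest, so the baseline needs to sit somewhere the updater cannot reach. On Debian-derived systems, `dpkg -V` compares installed package files against the checksums recorded at install time and covers the same ground for packaged code, with the same limit that the checksum database lives on the box.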
How does this work anyway? Just a thing in the pre-installed OS that won't be there if a new OS is installed?
How deep does the rabbit hole of trust go...
All the way to the mask set.