How safe is custom BIOS?

[yha]

Hello,

I have seen practically zero complaints about custom BIOS images like Middleton's and TTav134's. And as much as I appreciate the great work these guys have done, how do I know their firmware doesn't do "evil stuff"? How do these mods work? Do they disassemble the original BIOS, modify, and rebuild? Or do they just look for clues in the images (like whitelisting tables for example, and then inject extra entries and whatnot)? If it's the former, can I get the source and try to build myself? I know I might sound paranoid, but how do I know there are no backdoors or such? (and yes, I know these exact questions apply to vendor images as well like Lenovo's BIOS images or Intel's ME, but at least these are the original manufacturers of the hardware, not some random guy on the internet). BY SAYING "SOME RANDOM GUY", I DO NOT MEAN ANY DISRESPECT TO THESE GUYS OR THE GREAT MODS THEY'VE CREATED. I just want to know if there is a way to verify that these mods are "clean".

Thanks.

[MikalE]

Risk management.

Do the benefits outweigh the possible risks?

If you are really paranoid flash Libreboot to a T500 and use Tor browser.

[dr_st]

Most of these custom BIOSes have been around for almost a decade, or even longer; if there have been no reports of dangers so far, it's likely they are safe and sound.

A lot of times you can do a byte-by-byte comparison with the original BIOS and see the differences. If you know how to decipher this, you can see exactly what what was changed. If not, you can consult someone who does.

If you don't trust closed source in principle, then MikalE's suggestion to use a completely open-source firmware is a good idea.

[atagunov]

I just want to know if there is a way to verify that these mods are "clean"

No. However in my view Intel Management Engine is a bigger risk.
Custom BIOS may have a backdoor. Intel ME does have it.

I'm running stock BIOS mainly because I'm lazy
I'm planning to use custom BIOS-es when there is a reason to (X220 kbd on X230, 4-core CPU on T61, etc)

On the subject of open source BIOS-es.. Libreboot is the more religiously strong version of Coreboot. Coreboot build process I think is:
- you extract stock closed source BIOS using a hardware programmer
- extract some closed source blobs from it like VGA driver
- build Coreboot for your laptop including those blobs
- flash it with a hardware programmer
You can choose to disable Intel ME in the process too. Libreboot is Coreboot without such closed source blobs. So Libreboot supports a very small set of machines. Those where BIOS has been completely reverse-engineered. Coreboot supports a larger set of machines - but still not to all of them.

I'd say that if
- Libreboot does not support your hardware
- you trust your stock BIOS
- Coreboot supports your hardware
then Coreboot may be a good option for you - it will be a combination of open source software with publicly visible source code on github and your stock closed source BIOS - which you already trust.

[cadillacmike68]

I never had any problem with Middleton's BIOS on a T61. I'm going to try the TTav134 BIOSs on a T43 and a T42/41 when the systems arrive and I can get a good battery for them. I don't think there is any backdoor in either of these BIOSs. We would have heard about it by now.

The only disaster I ever had on a BIOS flash was using a factory Lenovo BIOS on a T500, which I Still haven't fixed yet.