Hacker News

You could have a physical switch on the device that lets it accept firmware, full stop. How often does a drive's firmware get updated during its lifetime? Very slightly more than zero times on average, I would imagine.


I can assure you it would be an operational nightmare for many medium to large companies to have technicians open up computers to flip a switch on the hundreds or thousands of hard drives whenever they need a firmware upgrade (and it's more common than you think).

See https://laur.ie/blog/2015/06/ssds-a-gift-and-a-curse/ for an example of the pain of being unable to flash yourself: "An awesome contractor for Samsung agreed that if we drove over batches of drives (luckily, they are incredibly close to our datacenter) they would flash them and return them the next day."

What happens when companies get sick of having to flip the switch? They would leave it in the insecure position all the time.


> What happens when companies get sick of having to flip the switch? They would leave it in the insecure position all the time.

Okay, but how is that worse than now?

That situation sounds strictly better: things like user workstations, which tend to be the entry points to the corporate network for malware, stay in a higher security mode and have their HDD firmware updated less often; things like servers in racks are in the same situation, and ops continues on just like they have been.


Yes it would be better than now. But the OP was suggesting signed firmware + no switch, which would be an even better solution.


Only if the idea of locked hardware you can't control doesn't bother you. I'd rather use open hardware and rely on a simple physical interlock for security. Different customers have different needs, so it would be appropriate that different products might have different security features.


What I suggested isn't locked since there is a manual override. The button is meant to allow unsigned patches, while signed patches are accepted by default. Give it three states if you want: deny all, signed only, accept all. Ship it set on "signed only" which is the default 99% of buyers want.
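As an added illustration of the three-position switch proposed in this comment (example code, not anything from the thread or from any drive vendor): a Go decision function for the controller that fails closed on an unknown pin reading, with Ed25519 standing in for whatever signature scheme a vendor would use. The vendor public key and the way the switch position is read are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// UpdatePolicy is the switch position read from a hardware pin (assumed).
type UpdatePolicy int

const (
	DenyAll    UpdatePolicy = iota // never accept new firmware
	SignedOnly                     // shipping default: vendor-signed images only
	AcceptAll                      // manual override: any image accepted
)

var ErrRejected = errors.New("firmware image rejected")

// AcceptFirmware decides whether the controller may flash image. vendorKey is
// the public key burned into the controller at manufacture (hypothetical).
func AcceptFirmware(policy UpdatePolicy, vendorKey ed25519.PublicKey, image, sig []byte) error {
	switch policy {
	case DenyAll:
		return ErrRejected
	case AcceptAll:
		return nil
	case SignedOnly:
		// Length check first so a malformed sig never reaches Verify.
		if len(sig) != ed25519.SignatureSize || !ed25519.Verify(vendorKey, image, sig) {
			return ErrRejected
		}
		return nil
	default:
		// Unknown or glitched pin reading: fail closed.
		return ErrRejected
	}
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // stands in for the vendor key pair
	image := []byte("constructed firmware image v1.1")
	sig := ed25519.Sign(priv, image)
	for _, p := range []UpdatePolicy{DenyAll, SignedOnly, AcceptAll} {
		fmt.Println(p, "signed:", AcceptFirmware(p, pub, image, sig),
			"unsigned:", AcceptFirmware(p, pub, image, nil))
	}
}
```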


Nice. I like it.


The switch would need to be connected directly to the hardware that allows writing. Unfortunately I think disk drives keep their firmware on the media itself, so any attack that allows you to write on the hidden area of the disk will be bypassing the switch automatically.


That would surprise me. I have no experience with storage devices, but I used to write firmware for other embedded devices, and in my experience firmware was always stored on the NAND flash integrated into the microcontroller. Most microcontrollers either can't run code from external storage, or can't do so with any efficiency, and most microcontrollers don't have anything like enough RAM to store the whole program text.

It wouldn't surprise me to see a mechanism allowing a drive controller to reflash itself from its own storage media, but I would expect the actual stored code to live in the controller chip. Even if the storage device is an SSD, the NAND-flash chips used for storage won't be visible in the controller's address space the same way its own flash is.


Read the slides. There is a "service area" on the drive that contains additional firmware modules loaded and executed by the microcontroller: http://malwaretech.net/MTSBK.pdf


The manufacturer may need to push updates to consumers who aren't comfortable opening their computer. The set of people who want to install alternate firmware is however included in the set of people willing to physically open a computer.


The switch could be extended to the outside of the box - shock/horror.

How hard is a single pin/paper-clip button that protects all critical files unless it's depressed, and when it's depressed lets you install new firmware, OS and whatever else?


It would make me feel a lot better to know that there was no mechanism by which the manufacturer (or some entity which has hacked or coerced the manufacturer) could conceivably push updates to my computer without my knowledge and consent. Write-protecting the drive controller with a physical switch would be very reassuring.



