Hello Enrico,
Thursday, November 30, 2017, 6:54:50 PM, you wrote:
EWmIc> Can we completely replace UEFI w/o any signatures?
Yes, unless your PC uses Boot Guard (so far it's been only enabled in a small percentage of enterprise laptops because it ties together CPU and PCH - you can't replace one without having to replace the other). Without Boot Guard active, the CPU will execute whatever you place in the flash, and it's up to you whether to implement signing checks or not.
EWmIc> And what about ME? I've read that the CPU itself verifies the
EWmIc> signature of ME firmware, so we can't completely replace it.
EWmIc> If it were possible to read out the privkey or burn in another
EWmIc> one, that blockade would fall.
The private key does not exist anywhere in the firmware or in the chip, only somewhere in Intel's HSM (I assume).
The firmware's manifest is signed with the private key at Intel[1], and the *public key* is placed next to the manifest. Only the public key is necessary for verifying the signature, and you can't patch the public key with your own because its hash is checked against a short list of accepted hashes in ME's boot ROM. So the only ways to make ME accept custom firmware would be:
1) factor the public key (RSA-1024)
2) find a pair of keys where the pubkey hash matches one of those accepted by the ME (the hash is SHA-512 in the latest versions, was SHA-1 before).
[1] http://info.meshcentral.com/downloads/ActivePlatformManagementDemystified/AP...
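The two-step check described in the reply (hash of the embedded public key pinned in ROM, then the manifest signature verified under that key), as an added example that is not part of the original thread or of Intel's code. It assumes textbook RSA with no padding over a SHA-512 digest, a boot ROM that pins the SHA-512 of a fixed-width serialization of the vendor public key, and a constructed manifest string; a real ME manifest has a structured layout and padded signatures that this model omits.

```python
"""Model of the ME boot-ROM manifest check: pinned pubkey hash, then RSA check.

Added example, not Intel's code. Textbook RSA (no padding) over SHA-512 is
enough to show why swapping the embedded public key fails, nothing more.
"""
import hashlib
import secrets

# Small odd primes, used only to cheaply reject most composite candidates.
SMALL_PRIMES = [p for p in range(3, 2000, 2)
                if all(p % q for q in range(3, int(p ** 0.5) + 1, 2))]


def is_probable_prime(n, rounds=32):
    """Miller-Rabin probable-prime test."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    """Random prime with exactly `bits` bits."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def generate_keypair(modulus_bits=1024, e=65537):
    """Return ((e, n), (d, n)); 1024 bits matches the RSA-1024 in the thread."""
    while True:
        p = random_prime(modulus_bits // 2)
        q = random_prime(modulus_bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            break
    return (e, p * q), (pow(e, -1, phi), p * q)


def encode_pubkey(pub):
    """Fixed-width serialization of (e, n): this is what the ROM hashes (assumed)."""
    e, n = pub
    return e.to_bytes(4, "big") + n.to_bytes((n.bit_length() + 7) // 8, "big")


def manifest_digest(manifest):
    return int.from_bytes(hashlib.sha512(manifest).digest(), "big")


def sign_manifest(manifest, priv):
    d, n = priv
    return pow(manifest_digest(manifest), d, n)


class BootRom:
    """Immutable ROM: stores only hashes of acceptable public keys, not the keys."""

    def __init__(self, pinned_pubkey_hashes):
        self.pinned = set(pinned_pubkey_hashes)

    def check_manifest(self, manifest, pubkey, signature):
        # Step 1: the key shipped next to the manifest must hash to a pinned
        # value, so patching in your own public key is caught here.
        if hashlib.sha512(encode_pubkey(pubkey)).digest() not in self.pinned:
            return False, "unpinned key"
        # Step 2: the manifest must verify under that (now trusted) key.
        e, n = pubkey
        if pow(signature, e, n) != manifest_digest(manifest):
            return False, "bad signature"
        return True, "accepted"


def demo():
    """Run the genuine, tampered and key-swap cases; return the ROM verdicts."""
    vendor_pub, vendor_priv = generate_keypair()
    rom = BootRom([hashlib.sha512(encode_pubkey(vendor_pub)).digest()])
    manifest = b"ME firmware manifest v1 (constructed sample)"   # constructed input
    sig = sign_manifest(manifest, vendor_priv)
    # Attacker re-signs a patched manifest with their own key and swaps
    # in their public key: the signature is valid but step 1 rejects it.
    att_pub, att_priv = generate_keypair()
    evil = b"ME firmware manifest v1 (patched by attacker)"
    return {
        "genuine": rom.check_manifest(manifest, vendor_pub, sig),
        "tampered_manifest": rom.check_manifest(evil, vendor_pub, sig),
        "swapped_key": rom.check_manifest(evil, att_pub, sign_manifest(evil, att_priv)),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:18s} -> {verdict}")
```

Only the two avenues listed in the reply get past this model: recovering the private exponent for the pinned modulus (avenue 1), or producing a key whose serialized form hashes to a pinned value (avenue 2, a second preimage on the ROM's hash).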