On Thu, May 11, 2017 at 9:56 AM, Trammell Hudson hudson@trmm.net wrote:
On Thu, May 11, 2017 at 07:01:47AM -0500, Allen Krell wrote:
One thing I am still confused about is the relationship between Intel
Boot
Guard and the regions of flash. My understanding is that Boot Guard only applies to the legacy BIOS region of flash, not the ME/AMT region.
It seems to be even more restricted than that -- the "hardware" part of Bootguard only applies to the startup ACM region in the FIT table of the BIOS region of the flash. That ACM is what is responsible for implementing whatever policy for the rest of the flash.
[...] So, if that is true, then is it possible to flash the ME/AMT region of flash with any ME code module that has been signed with the
Intel
signature?
I think so, although I haven't looked at enough to determine if the different chipsets or CPU models are signed with different keys.
Unlike the few startup ACM images that I've looked at have the same public key for their signature, despite being on very different CPU models and from different IBV.
-- Trammell
You are confirming how I "think" it works based off various lists and documents I have found.
There are multiple keys BIOS_ACM - public/private key pair - Fused in by Intel and checked by Intel silicon. May be common across all models. ME - public/private key pair - Fused in by Intel and checked by Intel silicon - Probably different across models Boot Guard public/private key pair - Fused by OEM (e.g., Dell, HP, Lenovo), checked by BIOS_ACM. Only checks Initial Boot Block (IBB) of legacy BIOS region of flash. IBB is responsible for extending policy from there.
So, back to AMT bug. I believe Boot Guard (by itself) doesn't help. An exploiter "may" be able to reflash only the ME region and enable AMT even if the OEM has disabled AMT and implemented Boot Guard. Not confirmed, just a educated hunch.
Allen
-
Allen Krell