On 30.11.2017 07:40, Zoran Stojsavljevic wrote:
You can fully use UEFI BIOS without any signatures. With so-called slim TXE engine.
Can we completely replace UEFI w/o any signatures ?
And what about ME ? I've read that the CPU itself verifies the signature of ME firmware, so we can't completely replace it. If it would be possible to read out the privkey or burn in another one, that blockade would fall.
--mtx
Hello Enrico,
Thursday, November 30, 2017, 6:54:50 PM, you wrote:
EWmIc> Can we completely replace UEFI w/o any signatures ?
Yes, unless your PC uses Boot Guard (so far it's been only enabled in a small percentage of enterprise laptops because it ties together CPU and PCH - you can't replace one without having to replace the other). Without Boot Guard active, the CPU will execute whatever you place in the flash, and it's up to you whether to implement signing checks or not.
EWmIc> And what about ME ? I've read that the cpu itself verifies the
EWmIc> signature of ME firmware, so we cant completely replace it.
EWmIc> If it would be possible to read out the privkey or burn in another
EWmIc> one, that blockade would be fallen.
The private key does not exist anywhere in the firmware or in the chip, only somewhere in Intel's HSM (I assume).
The firmware's manifest is signed with the private key at Intel[1], and the *public key* is placed next to the manifest. Only the public key is necessary for verifying the signature, and you can't patch the public key with your own because its hash is checked against a short list of accepted hashes in ME's boot ROM. So the only ways to make ME accept custom firmware would be:
1) factor the public key (RSA-1024)
2) find a pair of keys where the pubkey hash matches one of those accepted by the ME (the hash is SHA512 in the latest versions, was SHA-1 before).
[1] http://info.meshcentral.com/downloads/ActivePlatformManagementDemystified/AP...
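A toy model of the verification chain Igor describes, added here as an illustration and not code from the thread or from Intel: the manifest is signed, the public key travels next to it, and the boot ROM pins the SHA-512 of that key before it even looks at the signature. Textbook RSA with constructed small primes stands in for the real RSA-1024 key; the allow-list, manifest bytes and key serialization are all assumptions of this example.

```python
import hashlib

# Constructed toy RSA parameters (NOT real ME keys; real ones are RSA-1024).
VENDOR_P, VENDOR_Q, E = 1000003, 1000033, 65537   # assumed vendor key
CUSTOM_P, CUSTOM_Q = 1000037, 1000039             # assumed attacker-generated key


def make_key(p, q, e=E):
    """Return (n, e, d) for a toy RSA key; d is the modular inverse of e mod phi."""
    n, phi = p * q, (p - 1) * (q - 1)
    return n, e, pow(e, -1, phi)


def pubkey_bytes(n, e):
    # Assumed serialization of the public key placed next to the manifest.
    return n.to_bytes(8, "big") + e.to_bytes(8, "big")


def manifest_digest(body, n):
    # SHA-512 of the manifest body, reduced mod n so textbook RSA can sign it.
    return int.from_bytes(hashlib.sha512(body).digest(), "big") % n


def sign(body, n, d):
    return pow(manifest_digest(body, n), d, n)


def verify(body, signature, n, e):
    return pow(signature, e, n) == manifest_digest(body, n)


# Stand-in for the short list of accepted public-key hashes in the ME boot ROM.
VENDOR_N, VENDOR_E, VENDOR_D = make_key(VENDOR_P, VENDOR_Q)
ROM_PUBKEY_HASHES = {hashlib.sha512(pubkey_bytes(VENDOR_N, VENDOR_E)).digest()}


def rom_accepts(body, pub_n, pub_e, signature):
    """Model the boot-ROM decision: pin the key hash first, then check the signature."""
    if hashlib.sha512(pubkey_bytes(pub_n, pub_e)).digest() not in ROM_PUBKEY_HASHES:
        return False, "public key hash not in boot ROM allow-list"
    if not verify(body, signature, pub_n, pub_e):
        return False, "manifest signature invalid"
    return True, "accepted"


def demo():
    body = b"constructed ME manifest v1"          # constructed sample manifest
    vendor_sig = sign(body, VENDOR_N, VENDOR_D)
    genuine = rom_accepts(body, VENDOR_N, VENDOR_E, vendor_sig)
    tampered = rom_accepts(body + b"!", VENDOR_N, VENDOR_E, vendor_sig)
    # Custom key: the signature is valid under it, but the ROM never gets that far.
    c_n, c_e, c_d = make_key(CUSTOM_P, CUSTOM_Q)
    custom_sig = sign(body, c_n, c_d)
    custom = rom_accepts(body, c_n, c_e, custom_sig)
    return genuine, tampered, custom, verify(body, custom_sig, c_n, c_e)
```

The last return value shows why swapping in your own key does not help: the signature checks out under that key, yet the ROM rejects the image on the key hash alone.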
On 30.11.2017 20:51, Igor Skochinsky wrote:
The private key does not exist anywhere in the firmware or in the chip, only somewhere in Intel's HSM (I assume).
hmm, could there be a JTAG access path to it ?
- factor the public key (RSA-1024)
- find a pair of keys where the pubkey hash matches one of those
accepted by the ME (the hash is SHA512 in the latest versions, was SHA-1 before).
maybe we should ask our friends @google, whether they could spend enough computing power to crack it ;-)
--mtx
Enrico,

Do you know what an HSM is and how public-key cryptography works? Sorry for the sarcasm, but I can assure you that no-one without VERY HIGH security clearances from Intel would ever approach at less than 1 yard from an Intel HSM containing ME signing keys. So for the JTAG access.....

Regards,
Florentin
----- Original Message -----
From: Enrico Weigelt, metux IT consult info@metux.net
To: Igor Skochinsky skochinsky@mail.ru
Cc: coreboot coreboot@coreboot.org, Zoran Stojsavljevic zoran.stojsavljevic@gmail.com
Sent: Thu, 30 Nov 2017 23:38:45 +0100 (CET)
Subject: Re: [coreboot] Is Goryachy's JTAG hack a chance for free firmware ?
Can we completely replace UEFI w/o any signatures ?
You addressed the right crowd. Coreboot.
And what about ME ? I've read that the cpu itself verifies the signature of ME firmware, so we cant completely replace it.
As I said/wrote, previously. And Igor confirms my thoughts:
IgorS>> Yes, unless your PC uses Boot Guard (so far it's been only enabled in
IgorS>> a small percentage of enterprise laptops because it ties together CPU and PCH -
IgorS>> you can't replace one without having to replace the other). Without
IgorS>> Boot Guard active, the CPU will execute whatever you place in the flash, and it's
IgorS>> up to you whether to implement signing checks or not.
Thank you, Igor, for chiming in/participating! :-)
Zoran _______