Is it worth figuring out how to externally re-flash grey market "Intel" NICs - or is the onboard NVM flash unable to do anything too terrible? In the newer (the 3 digit i/x series like i350, x540 etc.) NICs Intel has added a "security" flash write protect feature, so I imagine their flash stuff isn't as potentially innocent as in the older chips. If so, does anyone know how to do this?
How is this dealt with from a coreboot onboard NIC perspective?
Obvious stuff applies, such as a general NIC exploit leading to a WAN>LAN pivot bypassing IOMMU if both WAN and LAN are processed on the same chip, but that isn't what I am referring to.
You may find this interesting: https://www.servethehome.com/investigating-fake-intel-i350-network-adapters/
When this news first came out there was a conspiracy theory started on the pfSense forums and a lot of smart people bought into the idea that they were some kind of foreign intelligence agency scheme to spy on American companies (I myself know a few important corps that use DIY routers, so it could be true).
Hi Taiidan!
> Is it worth figuring out how to externally re-flash grey market "Intel" NICs - or is the onboard NVM flash unable to do anything too terrible? In the newer (the 3 digit i/x series like i350, x540 etc.) NICs Intel has added a "security" flash write protect feature, so I imagine their flash stuff isn't as potentially innocent as in the older chips. If so, does anyone know how to do this?
I only had a look at the i210 NIC and it can have settings like the MAC address, an x86 option ROM for network boot, a firmware area (IIRC that was ARCompact code) and a segment for some sort of provisioning data in the external flash chip: https://www.intel.com/content/dam/www/public/us/en/documents/datasheets/i210... (section 3.3)
To get code execution on the host, the option ROM would be the easiest option.
The network card will probably still work if only the section containing the configuration and MAC address is there; it would be interesting if you tried that and reported back the result. It would also be interesting if you can prevent writes to the then unused parts of the flash so that the now missing sections can't be added without an external programmer (IIRC you need to desolder the flash chip in order to read/write it with an external programmer).
Regards Felix
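
Following up on the option ROM point in the reply above, an added example (not part of the thread and not code from any poster): a Python check that scans a flash dump read with an external programmer for PCI expansion ROM images, validating the 0x55AA header and the "PCIR" data structure it points to. The function names and the sample dump are constructed for illustration; the offsets follow the standard PCI expansion ROM layout, and the scan makes no assumption about where in the flash the ROM sits.

```python
import struct

CODE_TYPES = {0x00: "x86 BIOS", 0x01: "Open Firmware", 0x03: "UEFI"}

def parse_rom_header(image: bytes, off: int):
    """Validate a candidate expansion ROM header at `off`; return a dict or None."""
    if off + 0x1A > len(image):
        return None
    (pcir_ptr,) = struct.unpack_from("<H", image, off + 0x18)  # pointer to PCI data structure
    pcir = off + pcir_ptr
    if pcir_ptr == 0 or pcir + 0x16 > len(image) or image[pcir:pcir + 4] != b"PCIR":
        return None  # 0x55AA seen by chance, not a real ROM header
    vendor, device = struct.unpack_from("<HH", image, pcir + 0x04)
    (units,) = struct.unpack_from("<H", image, pcir + 0x10)  # image length in 512-byte units
    code_type, indicator = image[pcir + 0x14], image[pcir + 0x15]
    return {
        "offset": off,
        "vendor": vendor,
        "device": device,
        "size": units * 512,
        "code_type": CODE_TYPES.get(code_type, f"unknown (0x{code_type:02x})"),
        "last_image": bool(indicator & 0x80),
    }

def find_option_roms(image: bytes):
    """Scan the whole dump for 0x55AA and keep only hits with a valid PCIR structure."""
    found = []
    pos = image.find(b"\x55\xaa")
    while pos != -1:
        rom = parse_rom_header(image, pos)
        if rom:
            found.append(rom)
        pos = image.find(b"\x55\xaa", pos + 1)
    return found

def sample_dump() -> bytes:
    """Constructed test image: erased flash (0xFF) with one 512-byte x86 ROM at 0x2000."""
    rom = bytearray(512)
    rom[0:2] = b"\x55\xaa"
    struct.pack_into("<H", rom, 0x18, 0x40)
    rom[0x40:0x44] = b"PCIR"
    struct.pack_into("<HH", rom, 0x44, 0x8086, 0x1533)  # constructed vendor/device IDs
    struct.pack_into("<H", rom, 0x50, 1)                # one 512-byte unit
    rom[0x54], rom[0x55] = 0x00, 0x80                   # x86 code type, last image
    return b"\xff" * 0x2000 + bytes(rom) + b"\xff" * 0x1000

if __name__ == "__main__":
    for rom in find_option_roms(sample_dump()):
        print(f"option ROM at 0x{rom['offset']:x}: {rom}")
```

An empty result on a real dump means no expansion ROM header was found; it says nothing about the firmware area or other flash sections mentioned above.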