[coreboot] [Resend] Tapping into the core (33C3)

Denis 'GNUtoo' Carikli GNUtoo at no-log.org
Mon Jan 16 16:40:33 CET 2017


Hi,

I saw your presentation "Tapping into the core"[1] that you gave at the
last CCC.

As I understand from the slides, DCI can be activated through:
- The flash descriptor
- UEFI
- The P2SB register

Are Skylake platforms safe if:
- DCI is disabled in the flash descriptor.
- DCI is not activated by the boot firmware (UEFI or coreboot).
- DCI is not activated through the P2SB register.

All the above require either code execution on the machine or to open
the machine with a screwdriver and reprogram the flash with an external
flash programmer.

If DCI is enabled in the flash descriptor, then the following attacks
can benefit from an enabled-by-default DCI:
- Malicious USB devices trying to take over the computer.
- Evil maid attacks when trying to bypass the TPM. This might or might
  not work depending on how the TPM application inside the Management
  engine works.

If I understand correctly, when DCI is disabled in the flash
descriptor, such attacks are not possible and the computer is safe.

Since Skylake computers can be secured, the feature would become an
enormous advantage: Coreboot developers might be able to use that
feature to make debugging and replacing Intel blobs faster and easier.
Having more information on the protocol or free software and open
source tools would help. This might also be useful for debugging the
Linux kernel or other hardware related projects.

It might also be possible to run coreboot on laptops with bootguard:
Some programmable[1] USB3 device controllers exist; if a tiny enough USB
key can be made, it might be possible to bypass bootguard this way.
Users doing that would then be able to use coreboot on more recent
computers.

Some questions:
- Can the debug port be used as a USB device controller?
- What is the relationship between DCI and the Management Engine?
  Can the Management Engine be controlled through DCI?
- Do you have more documentation on the protocol? Is it possible to
  have the slides?

By the way, coreboot and libreboot have several utilities related to
the flash descriptor:
- ifdtool[3]
- ich9gen[4]

PS: Sorry for the inconvenience, due to bad exim configuration which
will hopefully be fixed now, I've to resend the mail.

References:
-----------
[1] https://media.ccc.de/v/33c3-8069-tapping_into_the_core
[2] http://www.cypress.com/products/ez-usb-fx3-superspeed-usb-30-peripheral-controller
[3] utils/ifdtool in coreboot sources.
[4] resources/utilities/ich9deblob in libreboot sources.

Denis.


