[coreboot] [Resend] Tapping into the core (33C3)

Trammell Hudson hudson at trmm.net
Mon Jan 16 16:54:39 CET 2017


On Mon, Jan 16, 2017 at 04:40:33PM +0100, Denis 'GNUtoo' Carikli wrote:
> [...]
> As I understand from the slides DCI can be activated through:
> - The flash descriptor
> - UEFI
> - The P2SB register

Aren't there two different things being discussed here?
There is DCI, which requires BIOS or firmware support, and
SVT, which works even if DCI is disabled and the system
is powered down.  According to Intel's site:

https://designintools.intel.com/product_p/itpxdpsvt.htm

> > The [SVT] tool enables closed-chassis use-cases where
> > USB3-hosted DCI is limited, intermittent, or unavailable
> > and includes initial cold boot, suspend-state operation
> > and survival, Reset-flows, and USB3 or IOSF path
> > failures. 

During the 33c3 talk, the presenters mentioned that SVT
provides its own power to the chipset and the protocol is
undocumented (but perhaps could be reverse engineered).

> [...] It might also be possible to run coreboot on laptops
> with bootguard: Some programmable[1] USB3 device controllers
> exist, if a tiny enough USB key can be made, it might be
> possible to bypass bootguard this way.  Users doing that
> would then be able to use coreboot on more recent
> computers.

This is an interesting idea.  If you can enable debugging
during the BIOS or Startup ACM execution, an external device
should be able to change the code execution path.  I'm doubtful
DCI will make it possible, however, since it seems that
enabling DCI is something the firmware sets up after the ACM
has run. SVT on the other hand...

-- 
Trammell


