[coreboot] [Resend] Tapping into the core (33C3)

Shawn citypw at gmail.com
Thu Jan 19 05:10:07 CET 2017


Adding notes: If ioperm/iopl are necessary to enable DCI on GNU/Linux,
two tiny features from PaX/Grsecurity can mitigate such attack:
CONFIG_GRKERNSEC_KMEM, CONFIG_GRKERNSEC_IO

On Wed, Jan 18, 2017 at 9:08 PM, Denis 'GNUtoo' Carikli
<GNUtoo at no-log.org> wrote:
> On Tue, 17 Jan 2017 11:11:38 +0000
> Maxim Goryachy <mgoryachy at ptsecurity.com> wrote:
>
> [...]
>> If I understand correctly, when DCI is disabled in the flash
>> descriptor, such attacks are not possible and the computer is safe.
>>
>> Unfortunately no, DCI can be activated through P2SB device at any
>> time.  We checked it on Skylake and Kabylake.
> As I understand from the datasheet screenshot on the slides, the P2SB
> device is a PCIe device, and to enable DCI you have to:
> - Write to the DCI IO port. Under GNU/Linux you typically need to be
>   root to write to IO ports (man 2 iopl).
> - Write to to the P2SB SBREG BAR. Under GNU/Linux probably needs
>   root too.
>
>   I don't know well enough the datasheet of x86 chipsets to be able
>   to tell if there are more ways to restrict that access than using the
>   CPU's privileges rings. If there are such ways, it might be possible
>   to make use of them with Coreboot.
>
> Since I didn't understand what "PCH sideband interface" is, so I cannot
> tell if the ways mentioned above (IO port and BAR) would be accessible
> form other devices than the CPU, if it does, to have a secure laptop you
> would need:
> - Not to have the PCIe bus exposed on any external connector (no
>   thunderbolt).
> - Not to have any malicious PCIe device, or PCIe device that can be
>   abused to write to the register of the P2SB device by either
>   malicious hardware or non-privileged code. I wonder if protecting
>   against such attacks is even possible if we use modern GPUs.
>
> So to summarize:
> ---------------
> If DCI is disabled on the flash descriptor:
> - On skylake hardware, if you have root, you can, with a simple USB3
>   cable you can:
>   - (1) Execute code in kernel mode.
>   - (2) Execute code in hypervisor mode.
>   - (3) Execute code in SMM.
> - An attacker that is sitting in front of your laptop[1][2] can't
>   magically take control of your computer by plugging an USB device in
>   it. The attacker first needs to enable DCI, and that requires root
>   privileges under GNU/Linux (for access to the IO space or to the
>   PCI BARs address space).
>
> So if an attacker need both root and physical access to be able to do
> some privilege escalation, it shouldn't be a big issue.
>
> An attacker then might try to do remote privilege escalation, for
> instance by:
> - Programming that USB device with kernel privileges to send DCI
>   commands.
> - Programming any USB device on the same bus to send DCI commands
> - Programming any nearby devices to do spoofing and send DCI commands.
>
> However, as far as I understand:
> - There are other ways than SMM to protect the boot flash and prevent
>   the OS from reflashing it. I'd guess that if the boot firmware is
>   written correctly, and that there are no huge hardware flaws, such
>   ways are reliable, but I don't know everything.
>   One way would be, to ask the flash chip to do it, that is to prevent
>   writing until the next reboot.
>   There are patches for flashrom to support such features.
>   It is also possible to add support for theses in Coreboot.
> - Practical virtual machine escape is not possible that way either,
>   because you need either access to the PCIe bus or the P2SB PCIe
>   device, and users, distribution maintainers and virtual machine
>   providers typically won't export the P2SB PCIe device in a virtual
>   machine, right?
>
>> Some questions:
>> - Can the debug port be used as an usb device controller?
>>
>> Sorry? I don't understand the question.
> "USB devices controller" are called by many different names, so it
> doesn't help clarity, so I'll rephrase.
> Can the USB debug port be used as an USB OTG port, like on
> Android smartphones, where you can make the smartphone appear as a mass
> storage device, serial port, Ethernet card and so on.
>
> References:
> -----------
> [1] Here I assume that the attacker has no way to disassemble the
>     laptop without being noticed.
> [2] The laptop could be on, off, or in suspend-to-ram.
>     If the laptop is on or suspended, the attacker might have better
>     chances trying to bypass the screensaver for instance.
>
> Denis.
>
> --
> coreboot mailing list: coreboot at coreboot.org
> https://www.coreboot.org/mailman/listinfo/coreboot



-- 
GNU powered it...
GPL protect it...
God blessing it...

regards
Shawn



More information about the coreboot mailing list