[coreboot] : AMT bug

Allen Krell allen.krell at gmail.com
Thu May 11 17:30:48 CEST 2017

On Thu, May 11, 2017 at 9:56 AM, Trammell Hudson <hudson at trmm.net> wrote:

> On Thu, May 11, 2017 at 07:01:47AM -0500, Allen Krell wrote:
> > One thing I am still confused about is the relationship between Intel
> Boot
> > Guard and the regions of flash.  My understanding is that Boot Guard only
> > applies to the legacy BIOS region of flash, not the ME/AMT region.
> It seems to be even more restricted than that -- the "hardware" part of
> Bootguard only applies to the startup ACM region in the FIT table
> of the BIOS region of the flash.  That ACM is what is responsible for
> implementing whatever policy for the rest of the flash.
> > [...]  So, if that is true, then is it possible to flash the ME/AMT
> > region of flash with any ME code module that has been signed with the
> Intel
> > signature?
> I think so, although I haven't looked at enough to determine if
> the different chipsets or CPU models are signed with different keys.
> Unlike the few startup ACM images that I've looked at have the same
> public key for their signature, despite being on very different
> CPU models and from different IBV.
> --
> Trammell
You are confirming how I "think" it works based off various lists and
documents I have found.

There are multiple keys
BIOS_ACM - public/private key pair - Fused in by Intel and checked by Intel
silicon.  May be common across all models.
ME -  public/private key pair - Fused in by Intel and checked by Intel
silicon - Probably different across models
Boot Guard public/private key pair - Fused by OEM (e.g., Dell, HP, Lenovo),
checked by BIOS_ACM.  Only checks Initial Boot Block (IBB) of legacy BIOS
region of flash.  IBB is responsible for extending policy from there.

So, back to AMT bug.   I believe Boot Guard (by itself) doesn't help.  An
exploiter "may" be able to reflash only the ME region and enable AMT even
if the OEM has disabled AMT and implemented Boot Guard.   Not confirmed,
just a educated hunch.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.coreboot.org/pipermail/coreboot/attachments/20170511/0353efe6/attachment.html>

More information about the coreboot mailing list