[coreboot] : AMT bug

Igor Skochinsky skochinsky at mail.ru
Thu May 11 22:08:12 CEST 2017


Hello Trammell,

Thursday, May 11, 2017, 5:42:38 PM, you wrote:

TH> On Thu, May 11, 2017 at 10:30:48AM -0500, Allen Krell wrote:
>> [...] There are multiple keys
>>
>> ME -  public/private key pair - Fused in by Intel and checked by Intel
>> silicon - Probably different across models

It's a little simpler than that: the ME ROM has a hardcoded list of
pubkey hashes and accepts ME manifests signed by any of them. I think
(but haven't checked) that the keys change with each major ME version.


TH> If an attacker can sign an ME binary, they can provide invalid fuses to
TH> the CPU microcode so that it won't check the ACM key (or provide their
TH> own bootguard key so that the TPM locality will be set for the IBB
TH> measurement).

I don't think this is possible. The OEM keys (or rather, their hashes)
are set in the data area of ME and are copied to the PCH/MCH fuses on
first boot. These fuses are one-time programmable so can't be
overwritten (supposedly) even if you manage to get ME code exec.

TH> If the attacker can sign the ACM, they can ignore the bootguard key on
TH> the IBB and provide invalid measurements to the CRTM.
TH> And if they can sign an IBB they can implement their own policy (but
TH> not avoid TPM measurement of the IBB by the ACM).

This sounds correct (I did not look into BootGuard in much
detail).

>> So, back to AMT bug.   I believe Boot Guard (by itself) doesn't help.  An
>> exploiter "may" be able to reflash only the ME region and enable AMT even
>> if the OEM has disabled AMT and implemented Boot Guard.   Not confirmed,
>> just an educated hunch.

TH> That might be possible, although ideally the startup ACM or IBB can
TH> ensure that the ME region is included in its measurements and this would
TH> cause key unsealing or remote attestation to fail.  That's one of
TH> the reasons that I recommend changing the flash descriptor to allow
TH> the host CPU to read the ME region.

In fact I think this is exactly the reason why flashing cleaned ME
fails on BootGuard-protected systems - they check ME's hash (which ME provides
in the PCI register space) and fail when it changes. Though that makes
me wonder how they handle ME firmware updates...



-- 
WBR,
 Igor                            mailto:skochinsky at mail.ru
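The point Trammell makes above (that including the ME region in the startup measurements makes a silently reflashed ME region show up as a key-unsealing or attestation failure) is easy to see in a small simulation. The following is an added example written for this page, not code from the thread, coreboot or any Intel tool: it models a TPM-style PCR extend chain, a toy seal/unseal bound to the final PCR value (an HMAC construction, not real TPM sealing), and constructed stand-in flash regions; the region names, `measure_boot`, `seal`, `unseal` and `me_swap_detected` are all hypothetical.

```python
import hashlib
import hmac

# Constructed stand-in flash regions (not real firmware images).
FLASH_V1 = {
    "descriptor": b"FD:constructed flash descriptor",
    "me":         b"ME:constructed ME region, AMT disabled",
    "bios":       b"BIOS:constructed BIOS region",
}


def pcr_extend(pcr: bytes, event: bytes) -> bytes:
    """TPM-style extend: PCR' = SHA-256(PCR || SHA-256(event))."""
    return hashlib.sha256(pcr + hashlib.sha256(event).digest()).digest()


def measure_boot(flash: dict, include_me: bool) -> bytes:
    """Simulate the startup ACM/IBB extending each region it covers into one PCR.

    When include_me is False the ME region is left out of the chain, which is
    the situation the thread worries about: the PCR value is independent of it.
    """
    pcr = b"\x00" * 32
    order = ["descriptor", "bios"] + (["me"] if include_me else [])
    for name in order:
        pcr = pcr_extend(pcr, flash[name])
    return pcr


def _policy_key(pcr: bytes) -> bytes:
    # Toy policy: the sealing key is derived from the expected PCR value.
    return hashlib.sha256(b"seal-policy:" + pcr).digest()


def seal(secret: bytes, pcr: bytes) -> dict:
    """Bind a secret (<= 32 bytes) to a PCR value. Toy construction, not TPM2_Create."""
    assert len(secret) <= 32
    key = _policy_key(pcr)
    pad = hashlib.sha256(b"pad:" + key).digest()
    blob = bytes(a ^ b for a, b in zip(secret, pad))
    return {"blob": blob, "tag": hmac.new(key, blob, "sha256").digest()}


def unseal(sealed: dict, pcr: bytes):
    """Return the secret if the current PCR matches the sealing policy, else None."""
    key = _policy_key(pcr)
    if not hmac.compare_digest(hmac.new(key, sealed["blob"], "sha256").digest(), sealed["tag"]):
        return None
    pad = hashlib.sha256(b"pad:" + key).digest()
    return bytes(a ^ b for a, b in zip(sealed["blob"], pad))


def me_swap_detected(include_me: bool) -> bool:
    """Seal against a clean boot, swap only the ME region, and report whether unsealing fails."""
    secret = b"disk-encryption-key-constructed!"  # constructed 32-byte sample secret
    sealed = seal(secret, measure_boot(FLASH_V1, include_me))

    # Only the ME region changes; descriptor and BIOS are byte-identical.
    swapped = dict(FLASH_V1, me=b"ME:constructed ME region, AMT re-enabled")
    return unseal(sealed, measure_boot(swapped, include_me)) is None


if __name__ == "__main__":
    print("ME in measurements   -> swap detected:", me_swap_detected(True))
    print("ME not in measurements -> swap detected:", me_swap_detected(False))
```

With the ME region in the chain the PCR value changes and the toy unseal refuses; without it the same swapped flash unseals cleanly, which is why a firmware policy that never reads the ME region cannot notice it was reflashed. It also illustrates Igor's closing question: any legitimate ME firmware update changes the same measurement, so a deployment that seals to it needs a re-seal step as part of the update.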



