[coreboot] Is Goryachy's JTAG hack a chance for free firmware ?

Igor Skochinsky skochinsky at mail.ru
Thu Nov 30 20:51:20 CET 2017

Hello Enrico,

Thursday, November 30, 2017, 6:54:50 PM, you wrote:

EWmIc> Can we completely replace UEFI w/o any signatures ?

Yes, unless your PC uses Boot Guard (so far it's been only enabled in
a small percentage of enterprise laptops because it ties together CPU and PCH -
you can't replace one without having to replace the other). Without
Boot Guard active, the CPU will execute whatever you place in the flash, and it's
up to you whether to implement signing checks or not.

EWmIc> And what about ME ? I've read that the cpu itself verifies the
EWmIc> signature of ME firmware, so we can't completely replace it.
EWmIc> If it would be possible to read out the privkey or burn in another
EWmIc> one, that blockade would fall.

The private key does not exist anywhere in the firmware or in the chip, only somewhere
in Intel's HSM (I assume).

The firmware's manifest is signed with the private key at Intel[1], and
the *public key* is placed next to the manifest. Only the public key is
necessary for verifying the signature, and you can't patch the public key
with your own because its hash is checked against a short list of
accepted hashes in ME's boot ROM. So the only ways to make ME accept
custom firmware would be:

 1) factor the public key (RSA-1024)
 2) find a pair of keys where the pubkey hash matches one of those
 accepted by the ME (the hash is SHA-512 in the latest versions, was
 SHA-1 before).

[1] http://info.meshcentral.com/downloads/ActivePlatformManagementDemystified/APMD-Chapter14.pdf

 Igor                            mailto:roxfan at skynet.be
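The check chain Igor describes (manifest signed by the vendor's private key, public key shipped next to the manifest, public-key hash pinned in the boot ROM) is easy to model, and a model makes clear why neither patching the manifest nor swapping in your own public key gets past the ROM. The following is an added example written for this page, not code from the post, from coreboot, or from Intel's ME implementation: it uses a toy textbook RSA (no padding, keys generated from a fixed seed) and a constructed manifest, and the class and function names are assumptions for the illustration. It generalizes the two rejection cases to a small harness that reports which check fired.

```python
"""Toy model of a pinned-public-key firmware manifest check (constructed example).

Models three parties: a vendor key (stands in for the HSM-held private key),
a manifest signed with it, and a BootRom that only trusts public keys whose
SHA-512 hash is on its built-in list.  Textbook RSA without padding is used
so the example runs on the Python standard library alone; a real verifier
adds signature padding and a full manifest parser.
"""
import hashlib
import random

# Odd primes below 2000 for cheap trial division before Miller-Rabin.
_SMALL_PRIMES = [p for p in range(3, 2000, 2)
                 if all(p % q for q in range(3, int(p ** 0.5) + 1, 2))]


def _is_probable_prime(n, rng, rounds=20):
    """Miller-Rabin primality test with trial division as a fast filter."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    for p in _SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits, rng):
    """Random prime with the top bit set, so the modulus has the expected size."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand, rng):
            return cand


def generate_keypair(bits=1024, seed=0):
    """Deterministic toy RSA key: returns ((n, e), d). Seeded for reproducibility."""
    rng = random.Random(seed)
    e = 65537
    while True:
        p = _random_prime(bits // 2, rng)
        q = _random_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    return (p * q, e), pow(e, -1, phi)


def _manifest_digest(manifest):
    # SHA-512 digest as an integer; it is 512 bits, so it is below a 1024-bit n.
    return int.from_bytes(hashlib.sha512(manifest).digest(), "big")


def sign_manifest(manifest, priv_d, pub):
    """Vendor side: s = H(manifest)^d mod n (no padding in this toy)."""
    n, _ = pub
    return pow(_manifest_digest(manifest), priv_d, n)


def verify_manifest(manifest, signature, pub):
    """Verifier side: s^e mod n must equal H(manifest)."""
    n, e = pub
    return pow(signature, e, n) == _manifest_digest(manifest)


def pubkey_hash(pub):
    """The value a boot ROM would pin: SHA-512 over the encoded (n, e)."""
    n, e = pub
    return hashlib.sha512(n.to_bytes(128, "big") + e.to_bytes(4, "big")).digest()


class BootRom:
    """Immutable ROM logic: key pinning first, then signature verification."""

    def __init__(self, accepted_hashes):
        self.accepted = set(accepted_hashes)

    def check(self, manifest, pub, signature):
        if pubkey_hash(pub) not in self.accepted:
            return "rejected: public key hash not in ROM list"
        if not verify_manifest(manifest, signature, pub):
            return "rejected: manifest signature invalid"
        return "accepted"


def demo():
    """Runs the genuine case and the two modification cases; returns the outcomes."""
    vendor_pub, vendor_d = generate_keypair(seed=1)      # stands in for the HSM key
    rom = BootRom([pubkey_hash(vendor_pub)])
    manifest = b"constructed manifest: module list, module hashes, version 11.0"
    sig = sign_manifest(manifest, vendor_d, vendor_pub)
    modified = manifest + b" (modified)"
    results = {"genuine": rom.check(manifest, vendor_pub, sig)}
    # Case 1: change the manifest but keep the vendor key and its signature.
    results["patched_manifest"] = rom.check(modified, vendor_pub, sig)
    # Case 2: re-sign with a different key and place that public key next to it.
    other_pub, other_d = generate_keypair(seed=2)
    results["swapped_pubkey"] = rom.check(modified, other_pub,
                                          sign_manifest(modified, other_d, other_pub))
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The ordering in `BootRom.check` is the point: the pinned hash is consulted before any signature math, so a replaced public key is rejected regardless of whether the signature next to it is valid. Only a key whose hash is already on the list (or a factored one) would reach the second check, which is exactly the pair of options listed in the reply above.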
