
658 points transpute | 1 comments
transpute No.35845073
There is a better solution already designed into Intel Boot Guard, which avoids the problems of OEM "secrets" and allows an owner-defined firmware root of trust. As described in a 2017 MIT paper from Victor Costan, Ilia Lebedev and Srinivas Devadas, "Secure Processors Part I: Background, Taxonomy for Secure Enclaves and Intel SGX Architecture", https://www.nowpublishers.com/article/Details/EDA-051

> The TPM's measurement can be subverted by an attacker who can re-flash the computer's firmware .. the attack .. can be defeated by having the initialization microcode hash the computer's firmware (specifically, the PEI code in UEFI) and communicate the hash to the TPM module. This is marketed as the Measured Boot feature of Intel's Boot Guard.

> Sadly, most computer manufacturers use Verified Boot (also known as "secure boot") instead of Measured Boot (also known as "trusted boot"). Verified Boot means that the processor's microcode only boots into PEI firmware that contains a signature produced by a key burned into the processor's e-fuses. Verified Boot does not impact the measurements stored on the TPM, so it does not improve the security.

On a related note, some HP devices have a dedicated security co-processor (SureStart) to verify and/or fix system firmware, instead of relying on a CPU vendor root-of-trust like Intel BootGuard. Since HP's proprietary security co-processor can be disabled by a device owner, those HP devices may be amenable to OSS firmware like coreboot.

2017 HP Labs research paper, https://ronny.chevalier.io/files/coprocessor-based-behavior-...

> We apply this approach to detect attacks targeting the System Management Mode (SMM), a highly privileged x86 execution mode executing firmware code at runtime .. We instrument two open-source firmware implementations: EDKII and coreboot. We evaluate the ability of our approach to detect state-of-the-art attacks and its runtime execution overhead by simulating an x86 system coupled with an ARM Cortex A5 co-processor.

2021 HP marketing whitepaper, https://www8.hp.com/h20195/v2/GetPDF.aspx/4AA7-6645ENW.pdf

> Every time the PC powers on, HP Sure Start automatically validates the integrity of the firmware to help ensure that the PC is safeguarded from malicious attacks. Once the PC is operational, runtime intrusion detection constantly monitors memory. In the case of an attack, the PC can self-heal using an isolated “golden copy” of the firmware in minutes.

fatfingerd No.35845389
Measured boot is great in theory... But it is only really practical to determine that your BIOS hasn't changed at all. If you are going to trust updates you are ultimately going to have to make the same mistake as verified boot, just manually.
transpute No.35845438
The Measured Boot mode of Intel Boot Guard is about removing the need for an Intel/OEM private key and e-fuse to verify the initial code.

For OS-specific measured boot of coreboot open-source firmware with a reproducible build, there would be a 1:1 mapping between the measured firmware hash and the coreboot source code revision used to generate the firmware.

Separately, the issue of firmware blobs (Intel FSP, AMD AGESA) would remain, although AMD OpenSIL is promising to reduce those binary blobs by 2026.
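As an added illustration (not code from the thread, the MIT paper, or coreboot) of the Measured Boot quote above and of the 1:1 mapping between a measured firmware hash and a reproducible-build source revision: the PCR extend model, the firmware image, the revision id and the manifest below are all constructed for the example.

```python
import hashlib

# Constructed stand-in for the PEI region of a firmware image; not real coreboot/Intel data.
GOLDEN_PEI = b"coreboot PEI stage, reproducible build rev abc123 (constructed)"
# Same image with a small modification, modelling a re-flashed firmware.
TAMPERED_PEI = GOLDEN_PEI.replace(b"rev abc123", b"rev abc123 modified")

# Constructed manifest: maps a source revision to the SHA-256 of the firmware a
# reproducible build of that revision yields. Assumption: the build pipeline publishes
# such a manifest; the value here is computed from the constructed image above.
REPRO_MANIFEST = {"abc123": hashlib.sha256(GOLDEN_PEI).hexdigest()}

PCR_SIZE = 32  # SHA-256 PCR bank; PCRs start at all-zero bytes after reset
INITIAL_PCR = bytes(PCR_SIZE)


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM PCR extend: new = H(old || measurement). One-way and order-dependent,
    so a later stage cannot rewrite what an earlier stage recorded."""
    return hashlib.sha256(pcr + measurement).digest()


def measured_boot(pei_image: bytes) -> tuple[bytes, str]:
    """Model of the initialization microcode hashing the PEI code and extending PCR0.
    Returns (PCR0 value, hex digest of the PEI image)."""
    digest = hashlib.sha256(pei_image).digest()
    return pcr_extend(INITIAL_PCR, digest), digest.hex()


def expected_pcr0_for_revision(rev: str) -> bytes:
    """Replay the same extend sequence from the manifest entry for `rev`, giving the
    PCR0 an untampered boot of that revision must report."""
    return pcr_extend(INITIAL_PCR, bytes.fromhex(REPRO_MANIFEST[rev]))


def attest(pei_image: bytes, rev: str) -> bool:
    """Owner-side check: does the measured PCR0 match the value derived from source
    revision `rev`? No OEM or CPU-vendor key is involved, only the published hash."""
    pcr0, _ = measured_boot(pei_image)
    return pcr0 == expected_pcr0_for_revision(rev)


if __name__ == "__main__":
    print("golden image attests:", attest(GOLDEN_PEI, "abc123"))      # True
    print("tampered image attests:", attest(TAMPERED_PEI, "abc123"))  # False
```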