16 gennaio 2017 necstlab me
play

16 Gennaio 2017 NECSTLab Me Federico Izzo - PowerPoint PPT Presentation

Dec 13, 2022 •488 likes •1.24k views

16 Gennaio 2017 NECSTLab Me Federico Izzo federico.izzo42@gmail.com github.com/Nimayer A thanks to Nicola Corna Who introduced me to coreboot and did the great part of the work on Intel ME nicola@corna.info github.com/corna Index What is

  1. 16 Gennaio 2017 NECSTLab

  2. Me Federico Izzo federico.izzo42@gmail.com github.com/Nimayer

  3. A thanks to Nicola Corna Who introduced me to coreboot and did the great part of the work on Intel ME nicola@corna.info github.com/corna

  4. Index What is coreboot? How do I install it? Intel ME

  5. What is coreboot? coreboot is a project meant to replace the proprietary �rmware (BIOS or UEFI) present in most computers We could say that coreboot is an open source BIOS

  6. However coreboot is not a proper BIOS A BIOS �rmware: performs hardware initialization provides runtime calls for the OS coreboot does just the hardware initialization Modern Windows versions and Linux don't use BIOS calls anymore You can still run DOS using SeaBIOS on coreboot

  7. Benefits FOSS software Safer Hackable BIOS backdoor free Very fast! (0.5/1 s from o� to Linux kernel boot) Written almost completely in 32-bit C language Unlike commercial BIOSes that are written in 16-bit assembler Follows the rule " initialize the hardware, then get out of the way "

  8. Downsides Few hardware supported Complex compilation Hard to install New CPU generations make development and installation harder Intel Boot Guard

  9. How does it work? coreboot code is split in four main stages: Bootblock Romstage Ramstage Payload

  10. Bootblock In this stage coreboot: Reads CMOS con�guration Decides in which mode to start ( Normal or Fallback )

  11. Romstage This is the most critical stage, here coreboot initializes RAM memory and Intel ME. Initializes debugging peripherals Initializes the chipset Con�gures the memory Allocates the shared memory Intel ME requires

  12. Ramstage During this stage coreboot initializes the remaining peripherals and then jumps into the payload. After this stage coreboot has done its work and won't execute any code until suspension or shutdown .

  13. Payloads Now that the hardware is initialized we can let another software continue the boot process. The most interesting payloads are: SeaBIOS Tianocore (UEFI) GRUB Linux

  14. Payloads There are also secondary payloads that can be booted: nvramcui: con�guration utility coreinfo: information dump Memtest86+: memory test Tint: tetris GRUB invaders: you get the idea

  15. SeaBIOS

  16. SeaBIOS A complete x86 BIOS implementation. coreboot + SeaBIOS provides you a complete BIOS system , good starting point for a coreboot setup.

  17. Tianocore

  18. Tianocore Tianocore is Intel's UEFI reference implementation , released under open source licenses. Duet is part of Tianocore, it should give you UEFI support on coreboot if you are able to make it work, I failed. Tianocore can also include SeaBIOS as CSM, to get an UEFI + BIOS system.

  19. GRUB

  20. GRUB You already know GRUB. Probably you don't know that GRUB can be run directly from coreboot, without a BIOS. This is due to the fact that Linux does not use BIOS legacy calls.

  21. GRUB It has some advantages with respect to SeaBIOS: Faster Has less code Built-in crypto Can unlock LUKS volumes Can verify kernel/initramfs signatures

  22. Linux

  23. Linux coreboot can boot directly a Linux Kernel from the onboard ROM. Has some drawbacks: you need to �ash again the ROM each time you want to update the kernel or even change the cmdline. It gives you even more flexibility than GRUB, For example look at the HEADS bootloader which uses tpm for �rmware and �lesystem measurement .

  24. nvramcui An utility to change CMOS con�guration.

  25. coreinfo An utility to view system info.

  26. Memtest86+ A tool to check the RAM health.

  27. TinT (Tint is not Tetris) TETRIS!!!

  28. GRUB invaders Space invaders!!!

  29. coreboot: how do I install it?

  30. The installation is divided into four steps: Prepare the building environment Dump your original BIOS Compile coreboot Flash the coreboot image

  31. The building environment here you can �nd the o�cial guide, that follows a questionable order. What you have to do is: Clone the coreboot repository $ git clone --recursive http://review.coreboot.org/p/coreboot $ cd coreboot Compile the cross-compiler , coreboot runs in 32bit mode make crossgcc-i386 CPUS=4 Con�gure coreboot make menuconfig

  32. Try it with QEMU! It is possible to try coreboot+payload on QEMU before messing with the hardware Do make menuconfig to con�gure coreboot check that the Mainboard menu looks like this: vendor: Emulation model: QEMU x86 q35/ich9 Leave the menucon�g and do make -jN to compile The coreboot.rom �le inside the build subfolder is your image You can run QEMU using qemu-system-x86_64 -M q35 -bios build/coreboot .rom

  33. To build an image for your laptop you will need a dump of the �ash content, to extract: Intel Flash Descriptor Intel ME Firmware Gigabit Ethernet Firmware Intel GPU VBIOS (optional)

  34. What there is inside an Intel PC flash: The Intel ME region is accessible only by ME itself , also, the BIOS region can be write-protected . However it is possible to read or write the entire �ash by connecting an external programmer to the �ash chip.

  35. Dumping the hard way The �ash chip uses the SPI protocol, So we can read its content using the SPI interface of a Raspberry Pi or a similar board with 3.3V GPIO

  36. Find the flash SOIC-8 SOIC-16 DIP-8 PLCC-32

  37. Clips! You can �nd the �ash chip pinout inside its datasheet You can use these to connect the chip SOIC-8 testclip SMD clips I found the SMD clips more reliable

  38. Connect the wires First of all unplug your charger and remove the battery Raspberry Pi pins to be connected in this order RPi Flash GND GND CS0 CS SPI0 SCLK CLK 3.3V PWR 3.3V SPI0 MISO MISO SPI0 MOSI MOSI

  39. Flashrom Compile �ashrom from the github repo or install it from your package manager The Raspberry Pi command is: flashrom -p linux_spi:dev=/dev/spidev0.0 -r dump.bin Flashrom may ask you to specify your chip model if he cannot detect it automatically, you can use the option -c <chipname> (e.g. on a Thinkpad X220 the option would be -c W25Q64.V ) A good practice is to make two dumps and compare the results (using diff ) to be more safe

  40. Extract the blobs The utility ifdtool included in the coreboot tree can be used to extract our dump Compile the utility cd coreboot/util/ifdtool make Extract the �ash regions mkdir extracted_dump cp dump.bin extracted_dump/ ./util/ifdtool/ifdtool -x extracted_dump/dump .bin You will �nd the extracted �ash regions in the folder: BIOS ME blob GbE blob Flash Descriptor

  41. Configuration coreboot uses a Linux kernel like con�guration Use make menuconfig to open the con�guration tool and the help button to get a description of the elements. I will show you a standard con�guration, it's up to you to try the other settings (hint: normal/fallback)

  42. Configuring coreboot pt.I The main options to set are: Mainboard Mainboard vendor: your computer brand Mainboard model: your computer model Rom chip size: the �ash chip size Chipset Include microcode in CBFS: Generate from tree Add Intel descriptor.bin �le: we extracted it before Add Intel ME/TXT �rmware: same thing Add gigabit ethernet �rmware: same thing

  43. Configuring coreboot pt.II Devices Use native graphics initialization: usually works Enable PCIe Clock Power Management: good idea Display Keep VESA framebu�er: graphical mode instead of text Generic Drivers Enable TPM support Payload Add a payload: SeaBIOS or one of your choice Secondary Payloads: see here

  44. Compiling To compile run make -jN The resulting image will be in coreboot/build/coreboot.rom

  45. Flashing coreboot To �ash the image the �rst time we need to use the SPI connection, as we did for the dump From the next time we can �ash directly from linux because in coreboot the write protection of the BIOS/ME blob is optional The command to �ash using a Raspberry Pi is: flashrom -c <chipname> -p linux_spi:dev=/dev/spidev0.0 -w coreboot.rom

  46. force_I_want_a_brick Once you have booted Linux, you can update coreboot using: flashrom -c <chipname> -p internal:laptop=force_I_want_a_brick -w coreboot .rom After updating coreboot, the best thing is to turn o� completely your computer in order to run the newly �ashed BIOS/ME blob

  47. Intel ME

  48. Intel ME Intel Management Engine is a secondary processor integrated in all Intel motherboard chipsets from 2008 onwards. It is mainly used for Intel AMT (Advanced Management Technology) on CPUs with vPRO enabled. Intel AMT is an out-of-band management technology, o�ering: network tunnel over untrusted network remote power control remote KVM network packet �lter PAVP for DRM media more ...

  49. Intel ME

  50. Intel ME

  51. ME capabilities Intel ME has access to: Any memory region The PCI bus The GPU Wired and wireless NIC (with dedicated MAC address) more ...

  52. The firmware Its �rmware is proprietary, so not security auditable, and it's signed with RSA by Intel It's not encrypted but a lot of modules are Hu�mann compressed with unknown hardware dictionary, so their code cannot be easily accessed.

  53. How do I disable it?

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

NUOVI FARMACI E TRAPIANTO Udine 21-22 gennaio 2016 Integrazione dei nuovi farmaci nel programma

NUOVI FARMACI E TRAPIANTO Udine 21-22 gennaio 2016 Integrazione dei nuovi farmaci nel programma

NUOVI FARMACI E TRAPIANTO Udine 21-22 gennaio 2016 Integrazione dei nuovi farmaci nel programma trapiantologico della leucemia linfoblastica acuta: UN CASO CLINICOPEDIATRICO Which ALL is eligible for HSCT? 10% of children with

372 views • 36 slides
CAPTO Gennaio 2010 1 The problem to solve Nowadays information published on internet is

CAPTO Gennaio 2010 1 The problem to solve Nowadays information published on internet is

CAPTO Gennaio 2010 1 The problem to solve Nowadays information published on internet is not manageable any more; the consequence is that any internet search is not precise. Due to the overwhelming amount of information and the

317 views • 11 slides
Ernesto U. Savona Direttore e Professore di Criminologia Universit Cattolica del S. Cuore

Ernesto U. Savona Direttore e Professore di Criminologia Universit Cattolica del S. Cuore

24 gennaio 2017 Modulo Jean Monnet III ed. Universit di Catania conferenza su Nuove Competenze per Nuove Sfide: politiche nazionali ed europee per la lotta alla Criminalit Organizzata MAFIE IN EUROPA E NON SOLO: LE INFILTRAZIONI DELLA

283 views • 27 slides
M. Seri marco.seri@unibo.it Bologna 24 Gennaio 2009 Definitions Definitions Gene Gene :

M. Seri marco.seri@unibo.it Bologna 24 Gennaio 2009 Definitions Definitions Gene Gene :

M. Seri marco.seri@unibo.it Bologna 24 Gennaio 2009 Definitions Definitions Gene Gene : Introduced by Johansson in : Introduced by Johansson in Copenhagen for Mendels unit of inheritance Copenhagen for Mendels unit of inheritance

287 views • 16 slides
Quaderni del Dipartimento di Matematica e Informatica Universit` a degli Studi di Parma

Quaderni del Dipartimento di Matematica e Informatica Universit` a degli Studi di Parma

Quaderni del Dipartimento di Matematica e Informatica Universit` a degli Studi di Parma Gianfranco Rossi 1 , Federico Bergenti 2 Nondeterministic Programming in Java with JSetL 29 gennaio 2013 n. 510 Il presente lavoro ` e stato finanziato

325 views • 30 slides
The Role of Information and Communication Technologies in the Development of Inclusive Society for

The Role of Information and Communication Technologies in the Development of Inclusive Society for

The Role of Information and Communication Technologies in the Development of Inclusive Society for Persons with Disabilities Sub-ti Belgrade, 8-9 October 2015 1 www.FRED.fm ROMA, gennaio 2011 THE FRED AT SCHOOL PROJECT Sub-ti 3 THE

347 views • 22 slides
1 LN LNF DAFNE-light DAFNE BTF SPARC FLAME 2 DANE 3 F.Riggi, Microcosmo e macrocosmo,

1 LN LNF DAFNE-light DAFNE BTF SPARC FLAME 2 DANE 3 F.Riggi, Microcosmo e macrocosmo,

1 LN LNF DAFNE-light DAFNE BTF SPARC FLAME 2 DANE 3 F.Riggi, Microcosmo e macrocosmo, Vacanze studio Gennaio 2002 ATLAS experiment at LHC CERN e Athena 0.5 g of matter &amp; 0.5 g of antimatter -&gt; Hiroshima bomb E=mc 2 1 g of

1.07k views • 53 slides
LO SVILUPPO DELLOTTICA QUANTISTICA IN ITALIA ______ OTTICA QUANTISTICA E INFORMAZIONE

LO SVILUPPO DELLOTTICA QUANTISTICA IN ITALIA ______ OTTICA QUANTISTICA E INFORMAZIONE

LO SVILUPPO DELLOTTICA QUANTISTICA IN ITALIA ______ OTTICA QUANTISTICA E INFORMAZIONE QUANTISTICA Francesco De Martini Universita di Roma La Sapienza LEOS, Roma, 30 gennaio 2008 GLI ANTESIGNANI* F. Tito Arecchi, A. Sona CISE

397 views • 25 slides
Entry regulations and labour market outcomes: Evidence from the Italian retail trade sector

Entry regulations and labour market outcomes: Evidence from the Italian retail trade sector

La valutazione dellimpatto di interventi pubblici: metodi e studi di caso Firenze, 18-19 Gennaio 2007 Entry regulations and labour market outcomes: Evidence from the Italian retail trade sector Eliana Viviano Bank of Italy Introduction:

456 views • 26 slides
THE X-RAY VIEW OF MISALIGNED AGNs Eleonora Torresi INAF/IASF Bologna, ITALY with many thanks to

THE X-RAY VIEW OF MISALIGNED AGNs Eleonora Torresi INAF/IASF Bologna, ITALY with many thanks to

THE X-RAY VIEW OF MISALIGNED AGNs Eleonora Torresi INAF/IASF Bologna, ITALY with many thanks to Paola Grandi INAF/IASF Bologna Fermi and Jansky: Our Evolving Understanding of AGN, St. Michaels, MD luned 9 gennaio 12 MISALIGNED AGN (MAGN)

904 views • 35 slides
3/3/2017 Rick Guidotti 1 3/3/2017 2 3/3/2017 ALBINISM 3 3/3/2017 4 3/3/2017 5

3/3/2017 Rick Guidotti 1 3/3/2017 2 3/3/2017 ALBINISM 3 3/3/2017 4 3/3/2017 5

3/3/2017 Rick Guidotti 1 3/3/2017 2 3/3/2017 ALBINISM 3 3/3/2017 4 3/3/2017 5 3/3/2017 6 3/3/2017 MARFAN Syndrome Billy 7 3/3/2017 Dr. Nadia Caleb living with Achondroplasia Lily living with 4P-/ Wolf- Hirschshorn

566 views • 11 slides
Global and regional prospects 7 6.5 2017 (Jan16) 6.2 2017 (Apr16) 6 2017 (Jul16) 2017

Global and regional prospects 7 6.5 2017 (Jan16) 6.2 2017 (Apr16) 6 2017 (Jul16) 2017

19/09/2017 Global and regional prospects 7 6.5 2017 (Jan16) 6.2 2017 (Apr16) 6 2017 (Jul16) 2017 (Oct16) 4.7 5 2017 (Jan17) 2017 (Apr17) 4 3.6 3.5 By Klaus Schade 2017 (Jul17) 2.7 2.6 3 2.1 1.9 1.8 1.7 1.7 2 19 September

543 views • 4 slides
Normal 1 24/05/2017 We now think of it as normal 2 24/05/2017 3 24/05/2017 4

Normal 1 24/05/2017 We now think of it as normal 2 24/05/2017 3 24/05/2017 4

24/05/2017 What is Zero Carbon? Normal 1 24/05/2017 We now think of it as normal 2 24/05/2017 3 24/05/2017 4 24/05/2017 - but theres a Catch-22 5 24/05/2017 A plan that delivers what the physics &amp; the ambition of

648 views • 54 slides
6/12/2017 1 6/12/2017 2 6/12/2017 3 6/12/2017 1. To attract, manage and monitor tourism for

6/12/2017 1 6/12/2017 2 6/12/2017 3 6/12/2017 1. To attract, manage and monitor tourism for

6/12/2017 1 6/12/2017 2 6/12/2017 3 6/12/2017 1. To attract, manage and monitor tourism for the benefit of residents, industry and visitors 2. To make visiting Sedona a positive and seamless process 3. To sustain a reasonable balance

742 views • 24 slides
1 9/6/2017 Whats going on here? From America to Zanzibar exhibit 9/6/2017 4 Change the

1 9/6/2017 Whats going on here? From America to Zanzibar exhibit 9/6/2017 4 Change the

9/6/2017 Guided Play in Early Education: Becoming Brilliant Kathy Hirsh-Pasek, Ph. D . 9/6/2017 1 What do you hear? Repeat after me 9/6/2017 2 Now change the lens Collaboration (Following others) Repeat after me 9/6/2017 3 1

589 views • 26 slides
V1a 4/29/2017 Statistical Literacy: 2017 V1A 2017 CME 1 V1A 2017 CME 2 . Audience .

V1a 4/29/2017 Statistical Literacy: 2017 V1A 2017 CME 1 V1A 2017 CME 2 . Audience .

V1a 4/29/2017 Statistical Literacy: 2017 V1A 2017 CME 1 V1A 2017 CME 2 . Audience . 40%: School teachers: Current or previous 30%: College faculty: Current or previous 20%: Education, non-profit 10%: Industry, commercial V1A 2017

880 views • 55 slides
Testi ting an and Evol olving g TypeScr Script De Declaration on Files with P Progr

Testi ting an and Evol olving g TypeScr Script De Declaration on Files with P Progr

Testi ting an and Evol olving g TypeScr Script De Declaration on Files with P Progr ogram An Analysi sis s Erik Krogh Kristensen joint work with Anders Mller C ENTER FOR A DVANCED S OFTWARE A NALYSIS http://casa.au.dk/

850 views • 22 slides
Bridging social and physical measurement: measurement is not scale construction; measurement is

Bridging social and physical measurement: measurement is not scale construction; measurement is

Bridging social and physical measurement: measurement is not scale construction; measurement is not quantification Luca Mari Universit Cattaneo LIUC, Italy lmari@liuc.it Arctic Workshop on Measurement in Economics 14-15 December

822 views • 38 slides
Turning Your Facilities into High-Performance Assets and How to Pay For It Presented by:

Turning Your Facilities into High-Performance Assets and How to Pay For It Presented by:

Turning Your Facilities into High-Performance Assets and How to Pay For It Presented by: &amp; Agenda Introductions Challenges You Face Financing Overview Case Studies Selling Your Vision,

659 views • 27 slides
Designing Applications that See Lecture 6: Processing Dan Maynes-Aminzade 30 January 2007

Designing Applications that See Lecture 6: Processing Dan Maynes-Aminzade 30 January 2007

stanford hci group / cs377s Designing Applications that See Lecture 6: Processing Dan Maynes-Aminzade 30 January 2007 Designing Applications that See http://cs377s.stanford.edu Reminders Assignment #2 due Thursday in lecture Assignment

1.05k views • 51 slides
Concepts of programming languages Lecture 10 Wouter Swierstra Faculty of Science Information

Concepts of programming languages Lecture 10 Wouter Swierstra Faculty of Science Information

Faculty of Science Information and Computing Sciences 1 Concepts of programming languages Lecture 10 Wouter Swierstra Faculty of Science Information and Computing Sciences 2 Last time How do other (typed) languages support

882 views • 65 slides
Outline VXD concept based on CMOS Pixel Sensors (CPS) Status of CPS development for running

Outline VXD concept based on CMOS Pixel Sensors (CPS) Status of CPS development for running

High Precision Flavour Tagging at the ILC : Perspectives offered by CMOS Pixel Sensors M. Winter (PICSEL &amp; ALICE teams of IPHC-Strasbourg) - Sensor design : contrib. from Y.Degerli (AIDA/Saclay) - V ERTEX -13, Lake Starnberg 17 Sept. 2013

522 views • 20 slides
Last weeks message: A huge step backward Exodus 32:1-33:6 The consequences of sin (part two)

Last weeks message: A huge step backward Exodus 32:1-33:6 The consequences of sin (part two)

Last weeks message: A huge step backward Exodus 32:1-33:6 The consequences of sin (part two) Exodus 32:27 33:6 4 When the people heard these distressing words, they began to mourn and no one put on any ornaments. 5 For the L ORD had said

1.01k views • 54 slides
a legal case study P e r f o r m a n c e : L y r i c s : P h i l K e a g g y M a r k L a n i

a legal case study P e r f o r m a n c e : L y r i c s : P h i l K e a g g y M a r k L a n i

Paul: a legal case study P e r f o r m a n c e : L y r i c s : P h i l K e a g g y M a r k L a n i e r ( a n d G e n e A u t r y ) ( a n d P h i l K e a g g y ) Back in the saddle again - Back in the saddle again - a study of

794 views • 64 slides

More recommend