digging into the core of boot
play

Digging Into The Core of Boot Yuriy Bulygin @c7zero Oleksandr - PowerPoint PPT Presentation

Nov 22, 2022 •163 likes •641 views

Digging Into The Core of Boot Yuriy Bulygin @c7zero Oleksandr Bazhaniuk @ABazhaniuk Agenda Intro Recap of MMIO BAR Issues in Coreboot & UEFI Coreboot ACPI GNVS Pointer Issue SMI Handler Issues in Coreboot Write Protections Conclusions

  1. Digging Into The Core of Boot Yuriy Bulygin @c7zero Oleksandr Bazhaniuk @ABazhaniuk

  2. Agenda Intro Recap of MMIO BAR Issues in Coreboot & UEFI Coreboot ACPI GNVS Pointer Issue SMI Handler Issues in Coreboot Write Protections Conclusions

  3. Intro to Coreboot

  4. Coreboot • Coreboot is GPLv2 firmware implementation • Started as LinuxBIOS in 1999 and renamed to Coreboot at 2008 • Supports x86, ARM, MIPS, POWER8, RISC-V • Mostly in C, with some ASM. ASL for ACPI tables • Support multiple payloads (“bootloaders”) to boot Chrome OS, Linux… • Depthcharge, SeaBIOS, TianoCore, FILO • Modular arch to support many CPUs, SoCs, chipsets, devices • Supports verified boot rooted in hardware write protected firmware

  5. Coreboot Stages Read-Only Read-Write Cache-as-RAM PCIe enum, TPM, SPI Init MemInit, SPD, Vboot kernel, (NEM) SMM, Option Vboot Ucode update EC FW ROMs, ACPI CPU Reset Boot Block Verstage ROMStage RAMStage Payload

  6. Chrome OS Boot Applications Chrome OS Kernel -A Kernel -B VB_Kernel-A VB_Kernel -B Read-Write Payload Recover System from Verified USB Recovery Mode Coreboot RAM stage Coreboot Boot Block and Verstage (ROM stage before SKL) Read-Only SoC / CPU

  7. Verified Boot • Verified Boot established signature validation mechanism for Chrome OS • Root of trust is in read-only initial part of Coreboot firmware protected by /WP pin on SPI devices • Verstage starting Skylake to reduce amount of read-only ROM stage firmware (as vulnerabilities in RO firmware cannot be patched w/o voiding warranty) • Read-only firmware verifies RW firmware (new ROM stage & RAM stage) • Read-write firmware verifies Chrome OS kernel • Root public key in read-only flash verifies signature of RW firmware keyblock • Can be disabled in developer mode (requires physically present user)

  8. Recovery and Developer Modes Recovery Mode • RO firmware boots signed image on a USB • Security or hardware failures trigger entering into recovery mode Developer Mode • Prior to entering Dev mode, the system erases local state in TPM and on a hard drive • Root shell is available in Dev mode • crossystem dev_boot_usb=1 (boot from USB device) • crossystem dev_boot_signed_only=0 (load unsigned binaries) • crossystem dev_boot_legacy=1 (allow boot any payloads including MBR systems)

  9. Read-Only Firmware Chromebook firmware uses Write Protect pin (/WP) on SPI device to protect RO FW Winbond W25Q64BV spec # flashrom – wp-status WP: status: 0x0094 WP: status.srp0: 1 WP: status.srp1: 0 WP: write protect is enabled. WP: write protect range: start=0x00600000, len=0x00200000

  10. SPI Chip Layout in Acer C720 Chromebook # futility dump_fmap – h /tmp/c720_spi_dump.bin Read-Only

  11. SPI Chip Layout in Acer C720 Chromebook Read-Write

  12. Recap of MMIO BAR Issues in Coreboot & UEFI

  13. Recap: “MMIO BAR” Issues Phys Memory Firmware configures chipset and devices MMIO range through MMIO (registers) SMI handlers communicate SMI Handlers in SMRAM with devices via MMIO registers OS Memory Device PCI CFG Base Address (BAR)

  14. Recap: “MMIO BAR” Issues Phys Memory Exploit with PCI access can modify BAR register and relocate MMIO range MMIO range (registers) On SMI interrupt, SMI handler firmware attempts to communicate with device(s) SMI Handlers in SMRAM SMI It may read or write “registers” within relocated MMIO OS Memory Device PCI CFG Base Address (BAR)

  15. Recap: “MMIO BAR” Issues in Coreboot bar pointer points to MMIO range of device B1:D0.F0 which can be modified by an attacker SMI handler then uses bar pointer to write to LVTMA_BL_MOD_LEVEL offset (when adjusting brightness level) SMI handler can be invoked by properly configuring I/O Trap hardware with BRIGHTNESS_UP/DOWN function

  16. Coreboot ACPI GNVS Pointer Issue

  17. Coreboot x86 SMI Handlers SLEEP SMI smm_handler_start APMC SMI smi_obtain_lock PM1 SMI cpu_smi_handler GPE0 SMI GPI SMI GFX MBI northbridge_smi_handler MC SMI southbridge_smi_handler TCO SMI PERIODIC SMI smi_release_lock MONITOR SMI smi_set_EOS

  18. ACPI Global NVS (GNVS) Area Stores data used to communicate with ACPI and SMM including across S3 sleep: • SMM interface buffer typedef struct { • EC Lock function /* Miscellaneous */ u16 osys ; /* 0x00 - Operating System */ • Thermal thresholds u8 smif ; /* 0x02 - SMI function call ("TRAP") */ u8 prm0 ; /* 0x03 - SMI function call parameter */ • ... Fan speed u32 cmem ; /* 0x18 - 0x1b - CBMEM TOC */ ... • USB power controls /* ChromeOS specific (0x100 - 0xfff) */ chromeos_acpi_t chromeos ; • ChromeOS Vboot data ... } __attribute__ (( packed )) global_nvs_t; • …

  19. ACPI DSDT • GNVS area is also defined in DSDT ACPI table • GNVS layout is platform (SoC/southbridge) specific • BDW/SKL: CBMEM TOC address at offset 0x18

  20. How do we find CBMEM and ACPI tables?

  21. Coreboot is allocating GNVS area… Allocate GNVS area in CBMEM Create GNVS structure Save pointer to GNVS in GNVS_PTR CBMEM area Add GNVS area to DSDT ACPI table

  22. Searching for GNVS in ACPI tables… • GNVS area is allocated in CBMEM backed by in-memory database (IMD) with CBMEM_ID_ACPI_GNVS • Pointer to GNVS area is stored in DSDT ACPI table in NVSA field • The table can be found with chipsec_util acpi list or manually in “Tables” area of Coreboot memory map • After decompiling DSDT, NVSA field contains GNVS address ( 0xBFF2D000 )

  23. Searching for GNVS in CBMEM… CBMEM_ID_ACPI_GNVS entry in in-memory database (IMD) IMD Root Signature IMD Entry Signature Data start offset IMD Entry ID “GNVS”

  24. So why are we interested in GNVS area? • GNVS area is allocated during “Write ACPI Tables” boot stage ( bs_write_tables ) • A pointer to GNVS area (GNVP) is also stored in CBMEM_ID_ACPI_GNVS_PTR area allocated in CBMEM (on Broadwell based systems and above?) src\arch\x86\acpi.c

  25. When resuming from S3 Sleep… Find GNVS_PTR in CBMEM & read GNVP pointer Update GNVP pointer restored from CBMEM in SMM (if SMI handler exists) Jump to OS Waking Vector in FACS table

  26. Updating SMM copy of GNVP pointer… APM_CNT_GNVS_UPDATE SMI updates SMM copy of GNVP from EBX restored from CBMEM

  27. SMI handlers never check GNVS pointer • GNVS pointer is stored in CBMEM area of DRAM which is preserved across S3 • During S3 resume, the pointer is restored from CBMEM in SMM • SMI handlers use GNVS as a communication buffer with OS (read settings, write results) • E.g. IOTRAP SMI handler writes byte 0x0 to gnvs  smif (if SMIF value is already 0x32 )  Limited write primitive in SMM (with controlled address but not the value)

  28. That leads to potential vulnerability on S3 resume • Attacker could modify GNVS pointer in ACPI_GNVS_PTR area in memory (to e.g. overlap with SMRAM) & cause system to enter S3 • Firmware would restore modified GNVS pointer in SMM upon resuming from S3 state • Attacker then could trigger SMI (e.g. IOTRAP) forcing SMI handler to write/modify memory at controlled GNVS address • So far only 0x32  0 and 0x99  0 write primitives found • Only some systems have this issue: • Not all systems with Coreboot store GNVS_PTR (some just store GNVS pointer in SMM once at normal boot like our IVB based Lenovo x230) • Not all systems support S3 state

  29. Mitigation Options • One option is to always store GNVS pointer (GNVP) in SMRAM and not restore from CBMEM as SMRAM is also preserved in S3 • In general, SMI handlers have to check all pointers/addresses for overlap with SMRAM just like EDKII does

  30. SMI Handler Issues in Coreboot

  31. SMM/GPU MBI Interface in i82830 SMI Handler Read SWSMI code from CPU MMIO register 0xE0

  32. GPU-SMM MBI Interface in i82830 SMI Handler Read base address of GPU MMIO range

  33. GPU-SMM MBI Interface in i82830 SMI Handler Read base address of GPU MMIO range Write “CTNI” magic to offset 0x71428 in GFx MMIO (address controlled by exploit)

  34. Calling MBI functions… Read the value from offset 0x71428 in GFx MMIO and pass it as an argument to MBI function call

  35. Calling MBI functions… • SMI handler reads argument for MBI from SWF16 (SW Flags) register at offset 0x71428 in Graphics MMIO (VGA Display) • That GPU register is not locked so attacker can control its contents • The value of the register is an address to banner_id_t structure

  36. Unchecked banner_id pointer… 1/3 • Writes at the controlled address pointed to by version

  37. Unchecked banner_id pointer… 2/3

  38. Unchecked banner_id pointer… 3/3

  39. Write Protections

  40. What about write protections? • Read-Only part of Coreboot firmware in SPI flash devices is hardware write protected in Chromebooks Yes, with a screw asserting /WP in SPI! • What if you manually flash Coreboot on a random system?

  41. After flashing Coreboot on Lenovo x230…

  42. To summarize • SMM based firmware write protection is off • SPI protected range registers are disabled • TCO and Global SMI are not locked down • SPI config is not locked • SMRAM can be DMA’d into • And the system doesn’t use /WP pin on SPI device like in Chromebooks  S uper Crazy Developer Mode

  43. That’s the protection…

  44. What about Libreboot? From https://libreboot.org/faq.html#how-do-i-program-an-spi-flash-chip

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

RE-FRAME LET'S MAKE A CLOCK (WOW!) TO UNDERSTAND RE-FRAME, YOU MUST BE ABLE TO LIVE WITHOUT IT.

RE-FRAME LET'S MAKE A CLOCK (WOW!) TO UNDERSTAND RE-FRAME, YOU MUST BE ABLE TO LIVE WITHOUT IT.

RE-FRAME LET'S MAKE A CLOCK (WOW!) TO UNDERSTAND RE-FRAME, YOU MUST BE ABLE TO LIVE WITHOUT IT. BOOT https://github.com/boot-clj/boot BOOT TEMPLATES boot -d seancorfield/boot-new new -t tenzing -n <name> [+a <option>]* $ cd

566 views • 22 slides
Secure Boot mistakes Jasper van Woudenberg (Job de Haas) jasper@riscure.com @jzvw 1 Secure

Secure Boot mistakes Jasper van Woudenberg (Job de Haas) jasper@riscure.com @jzvw 1 Secure

Top 10 Secure Boot mistakes Jasper van Woudenberg (Job de Haas) jasper@riscure.com @jzvw 1 Secure Boot Theory Internal boot ROM 1 st stage boot loader N th stage Verify signature Optional decrypt boot loader OS / Application 2

517 views • 25 slides
I Boot when U-Boot @bernardomr (MIA) @_evict 1 / 44 Agenda 1. Introduction 2. The target device

I Boot when U-Boot @bernardomr (MIA) @_evict 1 / 44 Agenda 1. Introduction 2. The target device

I Boot when U-Boot @bernardomr (MIA) @_evict 1 / 44 Agenda 1. Introduction 2. The target device 3. The bootkit 4. Defending / Detecting 2 / 44 Introduction Vincent Works at KPN REDteam Likes Linux and low-level stu Located in Amsterdam

792 views • 44 slides
Trending Boot Technology The Most Determinate Piece of Equipment in Skiing is the Boot. Boots are

Trending Boot Technology The Most Determinate Piece of Equipment in Skiing is the Boot. Boots are

Trending Boot Technology The Most Determinate Piece of Equipment in Skiing is the Boot. Boots are the transmitters of body movement to the ski. Proper support, comfort, and performance application make the difference between a good day on the snow

431 views • 29 slides
Digging into Linked Parliamentary Data Jane Winters (Reader in Digital Humanities, Institute of

Digging into Linked Parliamentary Data Jane Winters (Reader in Digital Humanities, Institute of

Digging into Linked Parliamentary Data Jane Winters (Reader in Digital Humanities, Institute of Historical Research) Digging into Data, Phase 3 start-up meeting, 30 April 2-13 The data UK Hansard (House of Commons debates, 1803 to the

140 views • 9 slides
Securing Secure Boot on Xen Ross Lagerwall Software Engineer, Citrix Systems 1 / 15

Securing Secure Boot on Xen Ross Lagerwall Software Engineer, Citrix Systems 1 / 15

Securing Secure Boot on Xen Ross Lagerwall Software Engineer, Citrix Systems 1 / 15 Presentation licensed CC-By-SA-4.0 Why Secure Boot? How can we prevent running malware at boot? With Secure Boot! What if the machine is a VM in

303 views • 15 slides
Dec 08 Backup Boot Flash Tools (BBF): Introduction Introduction The Backup Boot Flash (BBF) is

Dec 08 Backup Boot Flash Tools (BBF): Introduction Introduction The Backup Boot Flash (BBF) is

Dec 08 Backup Boot Flash Tools (BBF): Introduction Introduction The Backup Boot Flash (BBF) is an innovative SPI tool created by DediProg to force the application controller to work (read, program, update..) on the backup memory inserted in the

1.06k views • 17 slides
Master Boot Record (MBR) A Forensic Perspective Villanova University Department of

Master Boot Record (MBR) A Forensic Perspective Villanova University Department of

Master Boot Record (MBR) A Forensic Perspective Villanova University Department of Computing Sciences D. Justin Price Spring 2014 Master Boot Record Occupies the first 512-byte sector Boot Code Assembly Language

65 views • 6 slides
Lollipop MR1 Verified Boot Andrew Boie Open Source Technology Center Intel Corporation Agenda

Lollipop MR1 Verified Boot Andrew Boie Open Source Technology Center Intel Corporation Agenda

Lollipop MR1 Verified Boot Andrew Boie Open Source Technology Center Intel Corporation Agenda What is Verified Boot? Description of Verified Boot Components Q&A What Is Verified Boot? Verified Boot establishes a chain of

432 views • 19 slides
Flicker Free Boot Seamless boot for UEFI systems Presented by Hans de Goede Red Hat Desktop

Flicker Free Boot Seamless boot for UEFI systems Presented by Hans de Goede Red Hat Desktop

Flicker Free Boot Seamless boot for UEFI systems Presented by Hans de Goede Red Hat Desktop Hardware Enablement Team This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License Topics What / why? Pre-kernel:

434 views • 16 slides
Secure and flexible boot with U-Boot bootloader Marek Va sut < marex@denx.de > October

Secure and flexible boot with U-Boot bootloader Marek Va sut < marex@denx.de > October

Secure and flexible boot with U-Boot bootloader Marek Va sut < marex@denx.de > October 15, 2014 Marek Va sut < marex@denx.de > Secure and flexible boot with U-Boot bootloader Marek Vasut Software engineer at DENX S.E. since

382 views • 35 slides
Discover UEFI with U-Boot 2020-02-01, Heinrich Schuchardt CC-BY-SA-4.0 About Me

Discover UEFI with U-Boot 2020-02-01, Heinrich Schuchardt CC-BY-SA-4.0 About Me

Discover UEFI with U-Boot 2020-02-01, Heinrich Schuchardt CC-BY-SA-4.0 About Me Software-Consultant ERP, Supply Chain Contributor to U-Boot since 2017 Maintainer of the UEFI sub-system since 02/2019 I Want a Network Drive Many

598 views • 28 slides
Marrying U-Boot, UEFI and grub About Me Alexander Graf KVM and QEMU developer for SUSE

Marrying U-Boot, UEFI and grub About Me Alexander Graf KVM and QEMU developer for SUSE

Marrying U-Boot, UEFI and grub About Me Alexander Graf KVM and QEMU developer for SUSE Server class PowerPC KVM port Nested SVM Founding member of SUSE ARM team Booting on ARM Booting on ARM Boot ROM Booting on ARM Boot

2.09k views • 160 slides
HOWTO: Boot an OS By Camille Lecuyer LSE Week - July 17 2013 2 PRESENTATION EPITA 2014 -

HOWTO: Boot an OS By Camille Lecuyer LSE Week - July 17 2013 2 PRESENTATION EPITA 2014 -

1 HOWTO: Boot an OS By Camille Lecuyer LSE Week - July 17 2013 2 PRESENTATION EPITA 2014 - GISTRE Not LSE team 3 SUMMARY BIOS UEFI Boot a Linux kernel Boot a Multiboot compliant kernel 4 BIOS 5 OVERVIEW Basic

788 views • 48 slides
Spring Cloud, Spring Boot and Netflix OSS http://localhost:4000/decks/cloud-boot-netflix.html

Spring Cloud, Spring Boot and Netflix OSS http://localhost:4000/decks/cloud-boot-netflix.html

Spring Cloud, Spring Boot and Netflix OSS http://localhost:4000/decks/cloud-boot-netflix.html Spencer Gibb twitter: @spencerbgibb email: sgibb@pivotal.io Dave Syer twitter: @david_syer email: dsyer@pivotal.io ( Spring Boot and Netflix OSS or

471 views • 44 slides
Roadmap for Section 11.2 Windows Boot Process Shutdown Causes for Crashes Recovery Console and

Roadmap for Section 11.2 Windows Boot Process Shutdown Causes for Crashes Recovery Console and

Unit OS11: Performance Evaluation 11.2. Boot/Startup Troubleshooting Windows Operating System Internals - by David A. Solomon and Mark E. Russinovich with Andreas Polze Roadmap for Section 11.2 Windows Boot Process Shutdown Causes for Crashes

706 views • 28 slides
Using Invariant Analysis for Improving Instrumentation-based Performance Evaluation of

Using Invariant Analysis for Improving Instrumentation-based Performance Evaluation of

Using Invariant Analysis for Improving Instrumentation-based Performance Evaluation of SPECjvm2008 Benchmarks Michael Kuperberg, Martin Krogmann, Ralf Reussner Karlsruhe Institute of Technology SOFTWARE DESIGN AND QUALITY GROUP INSTITUTE FOR

591 views • 16 slides
CSE 331 Composite Layouts; Decorators slides created by Marty Stepp based on materials by M.

CSE 331 Composite Layouts; Decorators slides created by Marty Stepp based on materials by M.

CSE 331 Composite Layouts; Decorators slides created by Marty Stepp based on materials by M. Ernst, S. Reges, D. Notkin, R. Mercer, Wikipedia http://www.cs.washington.edu/331/ 1 Pattern: Composite objects that can contain their own type 2

441 views • 19 slides
Perf rform rmance ance Inter terfer ference ence on Multico ticore Processor essors

Perf rform rmance ance Inter terfer ference ence on Multico ticore Processor essors

An Empir irical ical Model el for Predicting dicting Cross ss-Cor Core Perf rform rmance ance Inter terfer ference ence on Multico ticore Processor essors Jiacheng Zhao Institute of Computing Technology, CAS In Conjunction

430 views • 38 slides
I N C LOUD C OMPUTING Christina Delimitrou Stanford University Defense May 26 th

I N C LOUD C OMPUTING Christina Delimitrou Stanford University Defense May 26 th

I MPROVING R ESOURCE E FFICIENCY I N C LOUD C OMPUTING Christina Delimitrou Stanford University Defense May 26 th 2015 Resource efficiency is a first-order system constraint How efficiently do we utilize resources?

986 views • 81 slides
Porting D3JS to kotlin multiplaform Gatan Zoritchak Pierre Mariac @gz_k @imtam5

Porting D3JS to kotlin multiplaform Gatan Zoritchak Pierre Mariac @gz_k @imtam5

KotlinConf_2018 Porting D3JS to kotlin multiplaform Gatan Zoritchak Pierre Mariac @gz_k @imtam5 KotlinConf_2018 The idea 2 The idea KotlinConf_2018 D3.js shape force data2viz JS JFx Android isomorphic, open source 3

623 views • 59 slides
Cross-Platform Development CS 4720 Mobile Application Development CS 4720 Which Platform?

Cross-Platform Development CS 4720 Mobile Application Development CS 4720 Which Platform?

Cross-Platform Development CS 4720 Mobile Application Development CS 4720 Which Platform? Weve discussed this! Where are the users you want to target? How much do you plan to charge? How much do you want to invest?

300 views • 17 slides
Building and Distributing SDK Add-ons Dave Smith NewCircle, Inc. @devunwired +DaveSmithDev

Building and Distributing SDK Add-ons Dave Smith NewCircle, Inc. @devunwired +DaveSmithDev

Building and Distributing SDK Add-ons Dave Smith NewCircle, Inc. @devunwired +DaveSmithDev How do we connect developers with the additional features and functionality we have built into our Android-based device? The Pointy Haired Boss

550 views • 26 slides
Principles of Software Construction: How to Design a Good API and Why it Matters Josh Bloch

Principles of Software Construction: How to Design a Good API and Why it Matters Josh Bloch

Principles of Software Construction: How to Design a Good API and Why it Matters Josh Bloch Charlie Garrod School of Computer Science 15-214 1 Administrivia Homework 4b due next Thursday HW 4a feedback available after class 15-214

539 views • 53 slides

More recommend