securing secure boot with system management mode
play

Securing secure boot with System Management Mode Paolo Bonzini Red - PowerPoint PPT Presentation

Mar 30, 2023 •295 likes •591 views

Securing secure boot with System Management Mode Paolo Bonzini Red Hat, Inc. KVM Forum 2015 Outline UEFI overview Secure boot and SMM Chipset support: QEMU Hypervisor support: KVM Paolo Bonzini KVM Forum 2015 What is UEFI?

  1. Securing secure boot with System Management Mode Paolo Bonzini Red Hat, Inc. KVM Forum 2015

  2. Outline ● UEFI overview ● Secure boot and SMM ● Chipset support: QEMU ● Hypervisor support: KVM Paolo Bonzini – KVM Forum 2015

  3. What is UEFI? ● “A replacement for BIOS that's designed to improve software interoperability” – Microsoft ● Modular architecture with reusable components (e.g. SCSI and network stacks) ● Portable drivers ● “BIOS documentation was bad, but this time we produced a 10,000 page spec” – me ● “We missed DOS so much that we burnt it into your ROM” – Matthew Garrett Paolo Bonzini – KVM Forum 2015

  4. UEFI phases – Boot “Secure” phase SEC Configure memory controller, enable caches Runs from ROM, decompressing the rest Pre-EFI Initialization PEI Initialize chipset Handle S3 resume Driver eXecution Environment DXE Discover hardware Select boot device (BDS phase) Run-time services RT Available while OS runs Paolo Bonzini – KVM Forum 2015

  5. UEFI phases – S3 resume SEC SEC PEI PEI DXE RT RT Paolo Bonzini – KVM Forum 2015

  6. What's secure boot? ● Firmware-verified chain of trust until OS loads ● OS handles the chain of trust after boot ● Enforce signing for all code running in the kernel (e.g. kernel modules) ● Enforce signing for device firmware (especially if firmware is not checked by the device) ● Non-privileged code should not be able to run arbitrary unsigned ring-0 code (e.g. via /dev/mem) ● OS should not be able to inject arbitrary code into the firmware! Paolo Bonzini – KVM Forum 2015

  7. How can the OS attack the firmware? ● PEI S3 resume uses data from DXE ● CPU data (MSRs, control registers, …) ● S3 bootscript to initialize other devices ● Run-time services must access flash to provide persistent variable storage ● Variable storage includes the keys used to enforce secure boot! ● Changes to “trusted” variables must be signed by a higher-level key Paolo Bonzini – KVM Forum 2015

  8. UEFI phases – Communication The OS can compromise SEC SEC SEC SEC everything else! PEI PEI PEI PEI RAM RAM NVRAM (NOR flash) NVRAM (NOR flash) DXE DXE RT RT RT RT Paolo Bonzini – KVM Forum 2015

  9. System Management Mode ● First introduced in 1990 (80386SL) ● Lets the chipset interrupt the running program with arbitrary code by asserting SMI# ● OUT to port 0B2h usually triggers an SMI ● Processor state is stored in RAM, execution starts at a known address (SMBASE+8000h) ● SMBASE=30000h on startup ● SMBASE can be changed by the SMM handler ● The RSM instruction resumes normal execution Paolo Bonzini – KVM Forum 2015

  10. System Management Mode: SMRAM ● The chipset can keep some RAM hidden to processors not in SMM ● Originally the 128K at A0000h were used ● Usually shadowed by video memory if not in SMM ● On modern chipsets, up to 8MB of memory below 4GB (“TSEG”) can be reserved for SMM ● SMRAM and TSEG configuration can be locked ● No-tampering guarantee! Paolo Bonzini – KVM Forum 2015

  11. Securing secure boot! SEC SEC PEI PEI SMRAM NVRAM (NOR flash) DXE RT RT Paolo Bonzini – KVM Forum 2015

  12. Attacking secure boot: SMI handler ● VU#127284: accessing RAM from SMM (2009) movq 0x407d(%rip),%rax ;; TSEG callq *0x18(%rax) ;; RAM ● VU#976132: “All of the available systems we evaluated stored boot script in unprotected ACPI NVS” (2014) “The only system we identified that used the SMM lockbox to protect the boot script was a UEFI development motherboard […] It dispatched functions in unprotected ACPI NVS” Paolo Bonzini – KVM Forum 2015

  13. Attacking secure boot: insecure hardware! ● Caching attacks ● Mark SMRAM as writeback-cached, pollute cache, generate SMI ● Newer processors have SMRR (SMM memory range register) ● Does not apply under virtualization ● Chipset attacks ● On Q35 TSEG size can be locked, but TSEG base cannot! ● Not vulnerable due to incomplete chipset emulation Paolo Bonzini – KVM Forum 2015

  14. Attacking secure boot: insecure hardware! ● Unprotected NOR flash ● Flash access should only be allowed from SMM… except if firmware forgot to set that bit to 1 ● This matters for virtual machines too ● Interrupt descriptor table ● Somehow force SMI handler to take an exception ● Recent processors reset IDT limit to 0 ● Undocumented, but KVM has to do the same! http://www.ssi.gouv.fr/uploads/IMG/pdf/IT_Defense_2010_final.pdf Paolo Bonzini – KVM Forum 2015

  15. Securing OVMF ● Assume firmware has no bugs :-) ● KVM must: ● Perform SMM world switch (SMI, RSM) ● Hide SMRAM to processors not in SMM ● QEMU must: ● Implement required chipset registers ● Protect flash from processors not in SMM ● Support KVM extensions for SMM (and TCG) ● Target: Q35 (440FX SMRAM too small) Paolo Bonzini – KVM Forum 2015

  16. QEMU: What is missing? ● Q35-specific SMRAM features ● TSEG ● SMRAM locking ● Per-CPU visibility of SMRAM ● Avoid races on SMP guests ● Flash protection Paolo Bonzini – KVM Forum 2015

  17. QEMU: What is there already? ● Basic support for SMRAM at 0xA0000 ● All registers reside in PCI configuration space: migration format won't change ● TCG support for per-CPU address spaces Paolo Bonzini – KVM Forum 2015

  18. QEMU: Flash access ● Q35 uses memory-mapped NOR flash ● Writes to flash put it in “device mode” ● On real hardware, writes also trigger an SMI; the SMI handler puts the flash back in ROM mode ● Complicated and prone to races ● Newer chipsets work around the races with even more complicated protocols ● Can we do anything simpler? Paolo Bonzini – KVM Forum 2015

  19. QEMU: Flash access ● Discard writes to flash outside SMM mode ● Flash remains in ROM mode ● OVMF does not need a special SMI handler ● Easily implemented with QEMU “memory transaction attributes” ● TCG: tlb_set_page_with_attrs ● KVM: pass “in SMM?” flag via struct kvm_run , read it on KVM_EXIT_MMIO/KVM_EXIT_IO ● Avoids non-standard extensions to Q35 registers Paolo Bonzini – KVM Forum 2015

  20. Modeling SMRAM (board) get_system_memory() /machine/smram 0x0 RAM 0xA0000 VRAM RAM RAM 0xC0000 RAM TSEG base (TOLUD - TSEG_SIZE) Zeros RAM RAM (MMIO) Top of low usable DRAM (TOLUD) open SMRAM, TSEG_SIZE=0 Paolo Bonzini – KVM Forum 2015

  21. Modeling SMRAM (TCG) get_system_memory() /machine/smram CPU 0x0 RAM RAM 0xA0000 VRAM RAM RAM VRAM 0xC0000 + = RAM RAM TSEG base (TOLUD - TSEG_SIZE) Zeros Zeros RAM RAM (MMIO) (MMIO) Top of low usable DRAM (TOLUD) SMM active Paolo Bonzini – KVM Forum 2015

  22. KVM design ● Per-CPU address space too expensive ● O(#vcpus) syscalls on every memory map change ● O(#vcpus) higher cost of retrieving dirty bitmap ● Define 2 memory maps (“address spaces”) shared by all VCPUs ● Appropriate address space for VCPU chosen according to current mode ● Pass address space id to KVM_GET_DIRTY_LOG and KVM_SET_MEMORY_REGION ● QEMU: one MemoryListener per address space Paolo Bonzini – KVM Forum 2015

  23. Modeling SMRAM (KVM) get_system_memory() /machine/smram SMM 0x0 RAM RAM 0xA0000 VRAM RAM RAM RAM 0xC0000 + = RAM RAM TSEG base (TOLUD - TSEG_SIZE) Zeros RAM RAM RAM (MMIO) Top of low usable DRAM (TOLUD) open SMRAM, TSEG_SIZE=0 Paolo Bonzini – KVM Forum 2015

  24. KVM implementation: generic code ● New functions: __kvm_memslots(struct kvm *, int as_id) kvm_vcpu_ gfn_to_memslot kvm_vcpu_ gfn_to_hva kvm_vcpu_ gfn_to_pfn kvm_vcpu_ gfn_to_page kvm_vcpu_ read_guest_page kvm_vcpu_ read_guest ... ● New architecture-specific hook: kvm_vcpu_memslots(struct kvm_vcpu *vcpu); Paolo Bonzini – KVM Forum 2015

  25. KVM implementation: x86 MMU ● Use kvm_vcpu_* functions where appropriate ● SMM added to shadow page “role” ● The role acts as the hash key ● GPA→HVA mapping for arbitrary SPTEs ● Special memory regions must be added to all address spaces ● Identity page table ● APIC access page ● Real-mode TSS Paolo Bonzini – KVM Forum 2015

  26. KVM implementation: world switch ● New ioctl: KVM_SMI ● 64-bit version different between Intel and AMD ● QEMU uses AMD format ● Tiano Core expects Intel format ● Intel doesn't document part of the state! ● Segment descriptor caches ● TR base/limit ● Therefore, KVM uses AMD format ● Nested VMX/SVM state not saved Paolo Bonzini – KVM Forum 2015

  27. State ● QEMU: released in 2.4 ● KVM: released in Linux 4.2 ● OVMF: patches under review ● 97 files changed, 17631 insertions, 587 deletions ● SMM core from Intel Quark SDK ● 32-bit only ● Uniprocessor guest only ● TCG: qemu-system-i386 ● KVM: -cpu model ,-lm,-nx Paolo Bonzini – KVM Forum 2015

  28. Acknowledgements ● Laszlo Ersek (OVMF) ● Gerd Hoffmann (Q35) ● Radim Krčmář, Xiao Guangrong (KVM review) ● Michael S. Tsirkin (QEMU review) Paolo Bonzini – KVM Forum 2015

  29. Q&A Paolo Bonzini – KVM Forum 2015

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Securing Secure Boot on Xen Ross Lagerwall Software Engineer, Citrix Systems 1 / 15

Securing Secure Boot on Xen Ross Lagerwall Software Engineer, Citrix Systems 1 / 15

Securing Secure Boot on Xen Ross Lagerwall Software Engineer, Citrix Systems 1 / 15 Presentation licensed CC-By-SA-4.0 Why Secure Boot? How can we prevent running malware at boot? With Secure Boot! What if the machine is a VM in

303 views • 15 slides
HOST Secure Boot I ECE 525 Secure Boot Introduction Embedded system security can be partitioned

HOST Secure Boot I ECE 525 Secure Boot Introduction Embedded system security can be partitioned

HOST Secure Boot I ECE 525 Secure Boot Introduction Embedded system security can be partitioned into two categories: Security issues associated with the design Security issues associated with the system and application data once the

1.13k views • 25 slides
Secure Boot mistakes Jasper van Woudenberg (Job de Haas) jasper@riscure.com @jzvw 1 Secure

Secure Boot mistakes Jasper van Woudenberg (Job de Haas) jasper@riscure.com @jzvw 1 Secure

Top 10 Secure Boot mistakes Jasper van Woudenberg (Job de Haas) jasper@riscure.com @jzvw 1 Secure Boot Theory Internal boot ROM 1 st stage boot loader N th stage Verify signature Optional decrypt boot loader OS / Application 2

517 views • 25 slides
Extending the Secure Boot Certificate and Signature Chain of Trust to the OS Fionnuala Gunter,

Extending the Secure Boot Certificate and Signature Chain of Trust to the OS Fionnuala Gunter,

Extending the Secure Boot Certificate and Signature Chain of Trust to the OS Fionnuala Gunter, fin.gunter@hypori.com Mimi Zohar, zohar@linux.vnet.ibm.com Secure Boot Chains of Trust Secure Boot places the root of PK trust in hardware

847 views • 16 slides
SECURING SECURE SHELL INTERACTIVE AND AUTOMATED ACCESS MANAGEMENT AGAINST INSIDER THREATS

SECURING SECURE SHELL INTERACTIVE AND AUTOMATED ACCESS MANAGEMENT AGAINST INSIDER THREATS

SECURING SECURE SHELL INTERACTIVE AND AUTOMATED ACCESS MANAGEMENT AGAINST INSIDER THREATS Applying Due Care Via Common Sense Approach April 2017 100% 46% Ponemon 2014 SSH Security Vulnerability of 2000 Global do not Organizations Report

307 views • 29 slides
Secure and flexible boot with U-Boot bootloader Marek Va sut < marex@denx.de > October

Secure and flexible boot with U-Boot bootloader Marek Va sut < marex@denx.de > October

Secure and flexible boot with U-Boot bootloader Marek Va sut < marex@denx.de > October 15, 2014 Marek Va sut < marex@denx.de > Secure and flexible boot with U-Boot bootloader Marek Vasut Software engineer at DENX S.E. since

382 views • 35 slides
Mixed-Mode Sample i d d l Management System: An Management System: An Early Glance Gina

Mixed-Mode Sample i d d l Management System: An Management System: An Early Glance Gina

Mixed-Mode Sample i d d l Management System: An Management System: An Early Glance Gina Cheung The 11th International Blaise Conference Annapolis, Maryland September 2007 Four Powerful Social and Economic Forces 1 1. From homogeneity

441 views • 23 slides
IoT Security Image: xkcd How is securing IoT different from securing any other system? IoT

IoT Security Image: xkcd How is securing IoT different from securing any other system? IoT

IoT Security Image: xkcd How is securing IoT different from securing any other system? IoT is a system of systems, with A great deal of heterogeneity (sensing, computation, communication, energy) New types of devices appearing all

1.35k views • 65 slides
Securing IoT with a hardware Secure Element Marc Renaudin - Serge Maginot - TIEMPO CONFIDENTIAL

Securing IoT with a hardware Secure Element Marc Renaudin - Serge Maginot - TIEMPO CONFIDENTIAL

Securing IoT with a hardware Secure Element Marc Renaudin - Serge Maginot - TIEMPO CONFIDENTIAL TIEMPO S.A.S. December 3, 2019 1 Outline Connected Objects Securing IoT with a hardware Secure Element Introduction Securing Treats

537 views • 10 slides
towards cost reduction Sr DFM/BRC System Improvements - Engg Construction and Maintenance of

towards cost reduction Sr DFM/BRC System Improvements - Engg Construction and Maintenance of

System Improvements towards cost reduction Sr DFM/BRC System Improvements - Engg Construction and Maintenance of Quarters at BOOT Mode. Construction of Boundary wall next to track in city areas on PPP mode with advertising

1.67k views • 74 slides
Setup For Failure: Defea0ng UEFI Secure Boot Corey

Setup For Failure: Defea0ng UEFI Secure Boot Corey

Setup For Failure: Defea0ng UEFI Secure Boot Corey Kallenberg @coreykal Sam Cornwell @ssc0rnwell Xeno Kovah @xenokovah John BuGerworth

1.22k views • 84 slides
1 Miniature Mode Estimation Example ACS Subsystem GHe Pressure Transducer (S) Model

1 Miniature Mode Estimation Example ACS Subsystem GHe Pressure Transducer (S) Model

Outline Motivation Previous Mode Estimation Approaches Example ACS System Improving Model-based Mode Estimation Miniature Mode Estimation System Through Offline Compilation Rule-based system comparison Conclusions

495 views • 4 slides
INTRODUCTORY PRESENTATION Company Profile MODE Project Management Ltd. (MODE PM) has been

INTRODUCTORY PRESENTATION Company Profile MODE Project Management Ltd. (MODE PM) has been

INTRODUCTORY PRESENTATION Company Profile MODE Project Management Ltd. (MODE PM) has been established in 2012 by Project Management Professionals to provide Project Management Service for all phases of design and construction. The purpose of

933 views • 36 slides
Cryptographic Approaches for Securing Routing Protocols Adrian Perrig perrig@cmu.edu Why Secure

Cryptographic Approaches for Securing Routing Protocols Adrian Perrig perrig@cmu.edu Why Secure

Cryptographic Approaches for Securing Routing Protocols Adrian Perrig perrig@cmu.edu Why Secure Routing? Current routing protocols assume trusted environment! Even misconfigurations severely disrupt Internet routing Secure routing

245 views • 22 slides
Dual-Mode Configurable RISC-V Processor IP Nuclei System Technology Dual-Mode

Dual-Mode Configurable RISC-V Processor IP Nuclei System Technology Dual-Mode

Dual-Mode Configurable RISC-V Processor IP Nuclei System Technology Dual-Mode Configurable Configurable feature is to meet different application scenarios: Real-Time System Mode: Instruction and Data Local Memory (ILM, DLM)

329 views • 21 slides
Defeating Secure Boot with EMFI Ang Cui, PhD & Rick Housley {a|r}@redballoonsecurity.com

Defeating Secure Boot with EMFI Ang Cui, PhD & Rick Housley {a|r}@redballoonsecurity.com

Defeating Secure Boot with EMFI Ang Cui, PhD & Rick Housley {a|r}@redballoonsecurity.com PROJECT 1. Open-source project to democratize EMFI research 2. 2 years of work so far PROJECT Disclaimer: BadFET-style EMFI research is

1.55k views • 126 slides
Exercise /* A lockbox can be open or closed. If closed, only a valid password will open the box.

Exercise /* A lockbox can be open or closed. If closed, only a valid password will open the box.

Exercise /* A lockbox can be open or closed. If closed, only a valid password will open the box. Once the box is open, the contents can be retrieved. */ interface LockBox { boolean openBox(String password); // attempt to open, return true if

482 views • 27 slides
Data-structure lock-in D. J. Bernstein University of Illinois at Chicago The browser is slow I

Data-structure lock-in D. J. Bernstein University of Illinois at Chicago The browser is slow I

Data-structure lock-in D. J. Bernstein University of Illinois at Chicago The browser is slow I ran chromium-browser http://bench.cr.yp.to /results-hash.html . Unsurprising: slow load. This page is 8509794 bytes + 32136149 bytes for 151

568 views • 39 slides
Concurrency Control [R&G] Chapter 17 CS4320 1 Conflict Serializable Schedules Two

Concurrency Control [R&G] Chapter 17 CS4320 1 Conflict Serializable Schedules Two

Concurrency Control [R&G] Chapter 17 CS4320 1 Conflict Serializable Schedules Two schedules are conflict equivalent if: Involve the same actions of the same transactions Every pair of conflicting actions is ordered the same way

831 views • 50 slides
Opera&ng Systems ECE344 Lecture 6: Synchroniza&on (II)

Opera&ng Systems ECE344 Lecture 6: Synchroniza&on (II)

Opera&ng Systems ECE344 Lecture 6: Synchroniza&on (II) Semaphores and Monitors Ding Yuan Higher-Level Synchroniza&on We looked at using locks to

786 views • 40 slides
CPS 310 Threads and Concurrency Jeff Chase Duke University

CPS 310 Threads and Concurrency Jeff Chase Duke University

D D u k e S y s t t e m s CPS 310 Threads and Concurrency Jeff Chase Duke University h<p://www.cs.duke.edu/~chase/cps310 Threads I draw my threads like this. A thread is a stream of

904 views • 62 slides
Delegated Access for Hadoop Clusters in the Cloud David Nu nez , Isaac Agudo, and Javier Lopez

Delegated Access for Hadoop Clusters in the Cloud David Nu nez , Isaac Agudo, and Javier Lopez

Outline Introduction The Hadoop Framework Proxy Re-Encryption DASHR Experimental results Conclusions Delegated Access for Hadoop Clusters in the Cloud David Nu nez , Isaac Agudo, and Javier Lopez Network, Information and Computer Security

615 views • 30 slides
Nortel Legal Summary Koskie Minsky LLP Allocation Litigation Trial Decisions May 12, 2015

Nortel Legal Summary Koskie Minsky LLP Allocation Litigation Trial Decisions May 12, 2015

Nortel Legal Summary Koskie Minsky LLP Allocation Litigation Trial Decisions May 12, 2015 the Ontario Superior Court of Justice and the US Bankruptcy Court released consistent decisions requiring the allocation of the $7.3B lockbox

125 views • 10 slides
AILA Liaison AILA National Liaison What Do We Do? The Liaison Department works with AILA

AILA Liaison AILA National Liaison What Do We Do? The Liaison Department works with AILA

8/23/2016 AILA Liaison AILA National Liaison What Do We Do? The Liaison Department works with AILA leadership and members to develop, direct and coordinate AILAs administrative advocacy efforts. Through member-based liaison

335 views • 14 slides

More recommend