Hello Trammell, Thursday, May 11, 2017, 5:42:38 PM, you wrote:
TH> On Thu, May 11, 2017 at 10:30:48AM -0500, Allen Krell wrote:
>> [...] There are multiple keys
>>
>> ME - public/private key pair - Fused in by Intel and checked by Intel
>> silicon - Probably different across models

It's a little simpler than that: the ME ROM has a hardcoded list of pubkey hashes and accepts ME manifests signed by any of them. I think (but haven't checked) that the keys change with each major ME version.

TH> If an attacker can sign an ME binary, they can provide invalid fuses to
TH> the CPU microcode so that it won't check the ACM key (or provide their
TH> own bootguard key so that the TPM locality will be set for the IBB
TH> measurement).

I don't think this is possible. The OEM keys (or rather, their hashes) are set in the data area of ME and are copied to the PCH/MCH fuses on first boot. These fuses are one-time programmable so can't be overwritten (supposedly) even if you manage to get ME code exec.

TH> If the attacker can sign the ACM, they can ignore the bootguard key on
TH> the IBB and provide invalid measurements to the CRTM.
TH> And if they can sign an IBB they can implement their own policy (but
TH> not avoid TPM measurement of the IBB by the ACM).

This sounds correct (I did not look into BootGuard in much detail).

>> So, back to AMT bug. I believe Boot Guard (by itself) doesn't help. An
>> exploiter "may" be able to reflash only the ME region and enable AMT even
>> if the OEM has disabled AMT and implemented Boot Guard. Not confirmed,
>> just an educated hunch.

TH> That might be possible, although ideally the startup ACM or IBB can
TH> ensure that the ME region is included in its measurements and this would
TH> cause key unsealing or remote attestation to fail. That's one of
TH> the reasons that I recommend changing the flash descriptor to allow
TH> the host CPU to read the ME region.
In fact I think this is exactly the reason why flashing cleaned ME fails on BootGuard-protected systems - they check ME's hash (which ME provides in the PCI register space) and fail when it changes. Though that makes me wonder how they handle ME firmware updates...

-- 
WBR,
Igor
mailto:skochin...@mail.ru

-- 
coreboot mailing list: coreboot@coreboot.org
https://mail.coreboot.org/mailman/listinfo/coreboot
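Added illustration, not part of either message above, of the point Trammell makes about including the ME region in the measurement chain: the script below simulates TPM-style PCR extension (new = SHA-256(old || SHA-256(data))) over constructed stand-in blobs for the ME region and the IBB, then shows that a changed ME region only breaks a sealed-key policy when the early boot code actually measured it. The blob contents, the PCR layout and the single-PCR sealing policy are assumptions made for the demonstration and do not correspond to any real Boot Guard or ACM implementation.

```python
import hashlib
import hmac

# Constructed sample flash regions (not real firmware): stand-ins for the
# ME region before and after an unauthorized reflash, and for the IBB.
ME_REGION_ORIGINAL = b"constructed ME region blob, AMT disabled"
ME_REGION_MODIFIED = b"constructed ME region blob, AMT re-enabled"
IBB_BLOB = b"constructed initial boot block"

# TPM 2.0 SHA-256 PCRs start at all zeros before the first extend.
PCR_INIT = bytes(32)


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM2_PCR_Extend semantics: new_pcr = H(old_pcr || H(measurement))."""
    digest = hashlib.sha256(measurement).digest()
    return hashlib.sha256(pcr + digest).digest()


def measured_boot(me_region: bytes, ibb: bytes, measure_me: bool) -> bytes:
    """Simulated early-boot measurement chain.

    measure_me=False models a CRTM that only measures the IBB (the ME
    region is invisible to the host); measure_me=True models the
    recommendation to fold the ME region into the same PCR first.
    """
    pcr = PCR_INIT
    if measure_me:
        pcr = pcr_extend(pcr, me_region)
    pcr = pcr_extend(pcr, ibb)
    return pcr


def policy_allows_unseal(sealed_pcr: bytes, current_pcr: bytes) -> bool:
    """Sealed-key policy: release the key only if the PCR matches the value
    recorded at seal time (constant-time compare to mirror TPM behaviour)."""
    return hmac.compare_digest(sealed_pcr, current_pcr)


def unseal_after_me_reflash(measure_me: bool) -> bool:
    """Seal against the original ME + IBB, then boot with a modified ME region
    and report whether the policy still releases the key."""
    sealed_pcr = measured_boot(ME_REGION_ORIGINAL, IBB_BLOB, measure_me)
    current_pcr = measured_boot(ME_REGION_MODIFIED, IBB_BLOB, measure_me)
    return policy_allows_unseal(sealed_pcr, current_pcr)


if __name__ == "__main__":
    # Without ME in the chain the reflash goes unnoticed; with it, unsealing fails.
    print("ME not measured -> unseal succeeds:", unseal_after_me_reflash(False))
    print("ME measured     -> unseal succeeds:", unseal_after_me_reflash(True))
```

The same comparison applies to remote attestation: a verifier holding the expected PCR value would accept the quote in the first case and reject it in the second. Note that a legitimate ME firmware update changes the measured value as well, which is why a deployment that measures the ME region needs a plan for re-sealing and updating reference values on every ME update (the question Igor raises at the end of his reply).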