
Okay, our next speaker is James Head, otherwise known as ec0, and he'll be talking about "It's a UNIX system", Intel ma de tag and open-source BIOSes. So let's welcome James to the stage.

Thank you. Okay, I want to start right out of the gate by saying that I feel that Jurassic Park is the best hacker movie that's ever been made, and I know that's an unpopular opinion. Yes. So my name's James, and my background's not that important, but I'm right into hardware security, hardware hacking. You can find me up at the hardware village for the next couple of days. I'm right into open source, liberation and all that kind of stuff. So what I'm going to be talking about today is very near and dear to my heart. I've spent a lot of my own time coming to understand all this sort of stuff, and the format of the talk is kind of less dropping mad zero-days and more of a public service announcement about all the weird [ __ ] that your computer does that you probably don't know about.

Okay, so I wanted to start by just giving a brief overview of actually what happens when you turn on a computer, a mobile phone, anything with a processor in it. Basically the CPU die has built-in logic that will essentially hold the processor in a certain state until all the voltages stabilise, at which point it resets. At that point the CPU starts looking for code, and the place in which it looks is called the reset vector. It's a technical term for basically a fixed memory address that gets assigned when they design a processor. For Intel and AMD processors it's just hard-coded in the chips; it's the same because they use the same architecture. For ARM it's another address, but basically once the voltage has settled your processor resets and starts executing code. You can see the addresses here; these have been the same for decades and decades and decades. Nothing has really changed in processors from this perspective for a super long time. There's actually some pretty cool tricks that go on in a processor to start loading code and start getting a computer ready to be a useful computer to humans, and that all starts after the processor jumps to the reset vector and starts loading code.

An example here is the Intel series of processors. When you have a CPU, a CPU is not smart enough and doesn't have enough logic in it to actually bring itself to life; you need supporting circuitry. Typically these are called northbridges, southbridges; these are just extra chips on the motherboard that basically give the processor what it needs to start up and start executing instructions. In sort of more recent Intel chipsets we're talking about the northbridge doing things like loading code from a flash chip and poking it into these addresses. So basically the CPU fires up, voltages settle, it resets at the reset vector, the northbridge has already come in and done some weird stuff to load the contents of the flash ROM on the system board into these addresses in L2 cache on the CPU, so it kind of tricks it into thinking, hey, you've got this stuff in memory, you should start executing it. ARM does a similar thing; it's typically more implementation-specific and it's typically baked into the CPU design, an example being the Raspberry Pi. Basically you've got like a stage 0 bootloader that gets loaded from an SD card, and the logic to do that is actually baked into the CPU, and it will basically take that boot 0, again poke it into the CPU cache, and away you go, start running your very, very basic bootloader.

All this is absolutely invisible to the user, which is kind of the important thing here. It's normally binary, it's not normally source code, you normally can't change it out, there's usually not free and open-source implementations of this stuff at this level, but it is very important to actually bringing up the processor, bringing up the processor to a state where we can start addressing peripherals. And essentially once you've been through this state the processor is in a sort of situation where it's able to maybe start looking in SPI flashes, or in the case of ARM on an SD card, for the next-stage bootloader, which I'll refer to generally as boot code, but we're talking about BIOSes, UEFI implementations, and in the case of ARM systems it's usually a closed-source, just a general bootloader.

So the other thing that happens, and this is becoming more and more prevalent and it's spooky, hence the flight: your computer's also going to start up, and it's going to start up a series of support processors. This is less common on ARM systems; Intel and AMD systems have their own implementations of this. Technically they're basically going to fire up as soon as everything has power, so they're not actually involved in the process we just talked about. AMD has a processor in their CPUs that does this sort of weird handshake with the hardware; we'll talk about that. But essentially your computer is going to also, in tandem with the main CPU, be spinning up a whole bunch of other processors, whether they're on your Bluetooth chipsets, network cards, external bare-metal control cards, and also the security processor in modern processors is going to spin up at the same time. So you've got all of this stuff going on, none of it is visible to you, you have no control over the code that runs on it, it's a bit scary.

Once all of that's happened and you've sort of staged, your boot loader has gotten the system into a stage where it might actually start thinking about loading an operating system, that's when you actually load a boot loader, and that's always something like, you know, GRUB with Linux, GNU/Linux, NT Loader, which is the Windows NT boot loader, launchd on OS X, iBoot on iOS, HBOOT is the really common boot loader on Android systems, Das U-Boot on most routers. These are a little more common, a little less implementation-specific, and there's a tendency for these to be open source. So for example U-Boot is open source, iBoot is, despite Apple's intentions, now open source, not licensed, GRUB, that is obviously the Grand Unified Bootloader, it is a GNU project and it's totally open source. So this is where you probably as a user have the first opportunity to start controlling what's actually happening on your computer. Obviously if you run OS X you've said I don't care, and if you run Windows you've said I don't care, I trust you Apple, I trust you Microsoft. Interestingly enough, obviously these things being open source doesn't make them secure, because often the version of U-Boot that you're running, the version of GRUB you're running, it's not necessarily up to date. Like, that's on you to keep that up to date. Basically these pieces of software, their sole role in life, their whole reason for existing, is to take your computer and start looking at storage devices where they might be able to load a more complicated operating system. The examples are here, of course: OS X, Linux, iOS, Android. These are all way too big and complicated to actually fit in the CPU die or fit in like a small boot flash, so you have these staged boots and a lot of code running that you never see.

So we talked a little bit about coprocessors before, and some more examples of things that might be happening when your machine starts up: things like firmware. You know, we've got Bluetooth chipsets in laptops and phones these days, super convenient. Those typically have a small service processor in them that runs a binary-only firmware to actually do the Bluetooth bits. You know, those have essentially got potential attack surface on them because, you know, they're RF devices, they can be interacted with from outside of the machine. These are almost always required to run the chip and they're almost always closed source. You're essentially, by having Bluetooth enabled, trusting the vendor of that device that they're being proactive about security and that they're bringing you new firmware whenever they find an issue, and that they even think that issues are a real thing.

You've got things like add-on cards, PCI boot ROMs. For example, when you boot a computer over the network to deploy it, say, you're going to be running like a PCI add-on ROM that's called, and it's essentially something that gets loaded into the BIOS, gets executed from a flash chip on the PCI card, network card, and it extends the functionality of the BIOS. There's not a lot of security or signing around these. Usually you can load alternate free open-source boot ROMs on a lot of cards; a lot of Intel cards have the ability to load things like iPXE and gPXE to replace the vendor-maintained chip contents, and people don't really do that stuff. So you're typically running potentially the firmware for these devices that the system came with. Firmware, boot ROMs, BIOSes typically don't get updated too often, because you typically also have to reboot the machine, right, and that's very disruptive. When you take that out to like the enterprise scale, you take that out to production servers, this stuff's just not happening, it's just not on people's radar.

It's sort of like a third real class of systems here in coprocessors that are starting up: lights-out and BMC management cards. Examples of these are like the Dell iDRAC or HP iLO, IBM, I think they still call it... I think it's got a flash new name, but they're basically all ARM processors sitting on a PCI daughterboard with a full OS, like a full embedded OS, running on them, and network access, and they typically get access, if not to the host OS via drivers that are installed in the host OS, also you can just reboot servers with them. Typically weak authentication on them, most people use the default passwords, and typically you can get into like a shell mode on them. So again you'd sort of know you had one of these cards, this wouldn't sneak up on you, but they're not something that necessarily gets updated very often and can also present a bit more attack surface on a system. There's been stacks of CVEs for these cards; if you go to any CVE database, just search Dell iDRAC, it's eye-watering: authentication bypasses, code execution, and people don't update them, so they're often a really good place to start if you're trying to cause some havoc on an enterprise network. I really just want to use this GIF, that's why this slide exists.

But yeah, look, I mean, in summary, boot code is there to bring the system up. On system-on-chips it's typically referred to as like a stage zero. All of these things essentially perform the same function, which is to make a computer usable. The main sort of key thing with the boot code, which is, you know, BIOS, UEFI, it's almost always closed source, as we'll find out with the firmware, as we found out with the stage zero boot loaders. Boot code is typically only generated by a few companies in the world: American Megatrends are an example, Insyde BIOS, Intel's got a reference UEFI implementation they call Tiano now, and they've got this really great catch-all around licensing which means that they don't have to release the source code. The trend away from open-sourcing the code for these is often speculated to be related to government backdoors, is a really common theory; licensing is usually the defence. But due to the system-wide access that UEFI firmwares and BIOSes have, it's pretty common for people to want to, especially in the hardware liberation kind of community, want to replace the boot code with something a little bit more palatable, a little bit more open source, and something they can sort of inspect and sort of know is secure, and also just add additional features to old hardware. Boot code is something that often limits the usability of older hardware.

In recent years we've sort of seen technology head towards the direction of locking users out of choice, kind of similar to what has happened over the years with gaming consoles. As an example, we're now in a situation where essentially if you buy a gaming console you are essentially buying a licence to use that machinery, but if you modify it you're breaching your EULA. Technologies like UEFI Secure Boot, they sort of come with these cool words like "secure" in the name, and they can't improve the security of a process. There's a real potential for someone to load, I don't know, like a malicious kernel modification, then, you know, could cook your real way into a system. If you have kernel-level access to a system you're essentially root or administrator and there's nothing stopping you doing what you need to do. So locking down, using encryption and key signing of the actual kernel modules themselves and the actual kernel, is like a really good way to stop that from happening and to keep a system secure. The only problem with UEFI Secure Boot is most people turn it off, and you have to actually have your binary signed by Microsoft; they, by implementation, are the only people who are allowed to sign things. You can install your own key roots, like a lot of system firmwares have that capability, but most people aren't going to go down that path. Like, if you want to say, hey, you want to run Mac, you want to run Linux, you've got to go install your own key root to have this Secure Boot feature enabled. People, they're not going to do it. So it relies on Microsoft actually ordaining an operating system to run on a system. It's kind of a flawed implementation for that reason.

In even more recent processors, like Skylake onwards I think it is, OEM systems have the capability of essentially burning into the CPU die a series of keys. Those keys are then used to authenticate the boot code, so the actual system BIOS, UEFI. Intel have an implementation of this called Boot Guard. It basically relies on the processor and the system board being manufactured by the same person, and when they install the CPU into the board they set a bunch of CPU fuses that contain the keys, and once they've been set you can't unset them or anything, like they're burned in. This obviously stops people from putting alternate BIOSes on these systems. It also potentially mitigates the risk of things like bad BIOS, like malicious BIOS modifications designed to maintain persistence on a system. There's not a lot of evidence that this sort of stuff actually goes on, it's more of a theoretical attack, but, you know, it's possible. So Intel Boot Guard is designed to sort of keep the BIOS locked to what the vendor wants you to run. What's a bit awful about that is it sort of prevents you from modifying a BIOS, and we've started to see things like digital rights management technology built into system firmwares and essentially into the Intel Management Engine. There is a built-in system there for enforcing digital rights management, again limiting user choice. So it's another one of those technologies that sort of looks like it improves system security, and it does by all accounts, but it relies on Intel ordaining things and the vendor ordaining things, and the problem then is, you know, if you're not running like an open-source BIOS or something like that, you have absolutely no say in what gets fixed or the functionality that gets added to your system. BIOSes suffer from bit rot. I challenge you to find a BIOS that got a Meltdown and Spectre fix that was more than like four years old. And do you actually mind? That's kind of here or there. It's basically putting control from a security perspective of system firmware back in the hands of the manufacturers rather than back in the hands of the users and the security community in general. It's designed to minimise the attack surface, but yeah, it limits user choice.

On the topic of sort of out-of-band management cards, like bare-metal controllers which we talked about earlier: so these are kind of interesting because they're essentially deliberate backdoors. You don't want someone to log into your system and have access to your screen, keyboard and mouse and be able to turn your computer on and off, but a lot of enterprise systems come with these cards installed, and a lot of people don't change the default passwords on them. It's super common to find these systems on corporate networks with, for Dell, root as the username and calvin, whoever Calvin is, as the password. But it's kind of like an easy way into a system really. There's also like attack surface there because you can just wait out an administrator needing to log into the console, and people are not super diligent about logging out of the actual video console on servers once they've done what they needed to do, bring the server back up from like a power malfunction or whatever; they typically just close their remote management console, either leaving a root console or an administrator logged-in console on the system. So if you can find one of those through there, the out-of-band management console, you're basically in. I mentioned before these systems are kind of very closed doors; they're actually like entire computers running on a chip, so security updates on these are super important. Like, I can't stress that enough, and people don't do them enough. So if you actually work in an enterprise that has lights-out management cards, please update them. They're a very, very easy way for people to get into systems, that's if your vendor is still actually issuing updates for them.

In line with this, like, this is a feature that used to just be relegated to enterprise land, and like really expensive servers, like several-thousand-dollar chassis systems sitting in data centres. As recently as, like, it's less than ten years ago, so it's recent in CPU land, Intel introduced a functionality called AMT, vPro. You might have seen it labelled on your new Dell workstation. This is essentially, in its earliest incarnation, an ARC processor sitting inside the CPU die running its own operating system with access to the network card, an OOB system designed to provide lights-out management on workstation-class systems. I mean, like, those words should be pretty scary, but they scare me, and it's another one of those situations where a lot of people buy hardware with this functionality enabled, they don't configure it, they don't change the passwords, and again, back to the point about vendors potentially not really giving a [ __ ] about updating these things and taking security seriously. There's been, you know, a couple of really notable CVEs against AMT and vPro that have allowed unauthenticated access to the AMT web interface, because it runs a web server, of course it does, and actually the attack vector was just not supplying a HTTP digest when you authenticate, and that lets you in as administrator. So pretty cool stuff, pretty like security 101 kind of stuff. And one of my favourite things is like this idea that someone designed this feature and would have been super excited about it and would have been like, oh wow, you know, we can do this amazing stuff in the CPU, we can control it from anywhere in the world, we can turn the machine on and off, we can give access to the console. Never at any point in the process did they go, actually, that's a really bad idea, that's a really huge security issue, why do I want that? But sure enough Intel baked it into the processors. In doing so, a lot of the hardware liberation community and like hardware security community raised an eyebrow: okay, this maybe isn't the best idea, have you guys thought about the security implications of someone breaching this processor? Typical vendor response. We've had the CVEs there to show that it is important to consider these systems. One of the main reasons that this was implemented anyway, despite the security implications, is when you're managing thousands and thousands of workstations in an enterprise network and you get a call from, you know, you've got your help desk centralised somewhere cost-effective, and your cost-effective help centre is having trouble walking the user who's calling through the process of rebuilding their machine, because that fixes all problems, being able to actually just log into the vPro interface and kick off a reboot is super helpful and saves a lot of time, saves a lot of unnecessary hardware replacement. So, you know, this is enterprise driven. It's not as common in home systems, but all of the bits and pieces are there, right, like the CPU supports it, most of the system boards support it. It is focused on fleet management in enterprise environments, and even so, even though it's an enterprise environment, I've worked in enough places that don't actually configure it to be secure that I have opinions about it being there.
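The AMT bypass the speaker describes comes down to a credential check that accepts an empty Digest response. As an added example (not from the talk and not Intel's code), here is a small HTTP Digest verifier with the check written the way such a bypass arises, comparing only as many characters as the client supplied, beside the correct full-length comparison; the realm, nonce, user and password are constructed for the example.

```python
"""Constructed HTTP Digest (RFC 2617, no qop) verifier: a length-from-client
prefix comparison beside a full-length constant-time comparison.  The
mechanism shown for the weak check is a common way an empty response slips
through; it is an illustration, not a reproduction of any vendor's code."""
import hashlib
import hmac
import re

# Constructed credentials and server parameters (example only).
CONSTRUCTED_USERS = {"admin": "correct horse battery staple"}
REALM = "Digest:EXAMPLE-REALM"
NONCE = "constructed-nonce-0001"

_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]*))')


def parse_digest_header(header: str) -> dict:
    """Parse 'Digest k="v", k2=v2, ...' into a dict (unquoted or quoted values)."""
    scheme, _, params = header.partition(" ")
    if scheme != "Digest":
        raise ValueError("not a Digest authorization header")
    return {k: (quoted or unquoted) for k, quoted, unquoted in _PARAM.findall(params)}


def _md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def expected_digest(username, realm, password, method, uri, nonce) -> str:
    """response = MD5(MD5(user:realm:pass) : nonce : MD5(method:uri))."""
    ha1 = _md5_hex(f"{username}:{realm}:{password}")
    ha2 = _md5_hex(f"{method}:{uri}")
    return _md5_hex(f"{ha1}:{nonce}:{ha2}")


def check_vulnerable(expected: str, supplied: str) -> bool:
    """Mirrors strncmp(expected, supplied, strlen(supplied)) == 0: only as many
    characters as the CLIENT sent are compared, so response="" always matches."""
    return expected[:len(supplied)] == supplied


def check_fixed(expected: str, supplied: str) -> bool:
    """Full-length comparison; the length comes from the server-side value and
    hmac.compare_digest avoids leaking the position of the first mismatch."""
    return len(supplied) == len(expected) and hmac.compare_digest(expected, supplied)


def authenticate(header: str, method: str, check) -> bool:
    """Verify an Authorization header with the given comparison function."""
    p = parse_digest_header(header)
    password = CONSTRUCTED_USERS.get(p.get("username", ""))
    if password is None or p.get("realm") != REALM or p.get("nonce") != NONCE:
        return False
    expected = expected_digest(p["username"], REALM, password, method, p.get("uri", ""), NONCE)
    return check(expected, p.get("response", ""))


def good_header() -> str:
    """A correctly computed client response for GET /index.htm (constructed)."""
    resp = expected_digest("admin", REALM, CONSTRUCTED_USERS["admin"], "GET", "/index.htm", NONCE)
    return (f'Digest username="admin", realm="{REALM}", nonce="{NONCE}", '
            f'uri="/index.htm", response="{resp}"')


def empty_response_header() -> str:
    """The bypass shape: a syntactically valid header whose response is empty."""
    return (f'Digest username="admin", realm="{REALM}", nonce="{NONCE}", '
            f'uri="/index.htm", response=""')


if __name__ == "__main__":
    for name, hdr in (("valid", good_header()), ("empty", empty_response_header())):
        print(f"{name:6s} vulnerable={authenticate(hdr, 'GET', check_vulnerable)} "
              f"fixed={authenticate(hdr, 'GET', check_fixed)}")
```

The weak check admits the empty response while still admitting the valid one, which is why it survives ordinary functional testing; only a negative test with a short or empty response exposes it.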
you're talking about processes that are embedded inside processes AMD's got their own thing which is called the platform service processor platform security processor it's right there on the slide James its present in 16h and higher AMD processors so like the much older or they're like torrents and things like that they didn't have this essentially Hardware initialization on AMD processors is currently and was previously handled by an open source library called a GSA AG ESA and that was a totally totally open source so the sources that had been provided to like a bunch of open source firmware vendors and vendors projects and basically it meant that you could write a firmware for an AMD processor and all of the
hardware bring up was handled for you by this library when they introduced the security processor they moved all of that responsibility into this it's actually an ARM processor so it's an ARM processor inside an x86 processor that provides all of the security features like TPM and it also is heavily heavily linked to Hardware initialization so you actually can't turn an AMD x86 processor on without the tiny little ARM processor inside saying it's okay and setting up all the memory timings and everything so it's super embedded yeah it's like an a5 so it's reasonably powerful like it's not what the arc caused in the early Intel processors were really really underpowered like 100 megahertz or less
this is a cortex a5 it runs a full real-time operating system inside I mentioned it implements things like that at the TPM so what that means is the inside the flash regions which are allocated to the platform security processor you've got user credentials you've got encryption keys that people have stored in the TPM because the TPM on these processes is a software device it's not a hardware device you know it'd be really really sad if there was a CV that allowed code execution on these processes they also have access to the host memory which is pretty cool so if you see erratically got into one of these machines and had code execution you would essentially have readwrite
memory access to the host I have a diagram here it's kind of small unfortunately it's meant to show you all of the stuff going on inside the little ARM processor and how it's just part of the arm like the AMD processor talked about the TPM there have been vulnerabilities so you can absolutely achieve code execution inside the TPM on these processes there's also been a lot of the recent security announcements AMD flaws the former was a very legitimate security issue like it basically meant you could dump credentials if you had access to the TPM AMD floors is a little less it's more of a persistence being at best it was really played up as like you know the
next big security issue but it really looks like it was probably just a stock manipulation you need like local admin on the machine to exploit this at best you using it to like inject code into the platform security processor to stay a resident but it's not actually giving you any sort of extra privilege that having local admin whom the Machine wouldn't give you so arm processors also implement a similar thing just whilst we're talking about AMD's I mentioned was an ARM processor um trust zone is security implementation forearm is the security implementation for AMD AMD runs an ARM processor for security and that ARM processor also has its own secret processors inside it under trust zone so
you know yo dawg i heard you like coprocessors basically arm trust zone is actually not so much individual CPU dies it allows you to partition an ARM processor into multiple worlds and they're called so they're just like memory regions certain memory allocated to what's called the secure world or SW d can't it's totally invisible and it's also inaccessible to the normal world which is where your code runs a little blinky light demo that's running on your Raspberry Pi actually can't see the secure world at all and on ARM processors things like you typically only see these in really expensive arm systems like server systems but they have TP M's and all that sort of stuff
built into them to make them competitive as server systems but they're actually again just software running inside the secure world on these processes it's a little bit of a diagram so orange being the normal world blue being the secure world the important thing to remember about ARM processors is they're actually extremely variable between vendors so arm only really sort of gives out generic reference implementations for ARM processors and then it's up to the individual vendors to do something with that and do it securely which always goes great the secure world has this thing called the monitor running which is actually what gates access in and out of things running in secure world so you've got a TPM running in
secure world you you do need to expose that to the normal world somehow so you can actually implement an API to access securely the secrets and that's that's the monitors job so there's basically special registers that get set when you're running code that are authenticated by this code that is running in this secure world they're kind of like interrupts that you can fire and you can pass parameters so what actually happens is the execution of those instructions then has access to the secure world really briefly in like a certain way that the secure world has to respond to so it's essentially kind of like a REST API in a in a processor it's it's pretty heavy-duty stuff but
essentially it means that you can have specific calls running to access the secure world to retrieve data and basically that's available to the normal world and like most API is it has security vulnerabilities which is exactly how the the TPM code execution was achieved there was I think it was actually a simple buffer overflow in one of the api's and once you've got code exec in secure world you've actually got access to the entire host memory whatever you're running in there can't be seen by normal world so it's a super nasty I also mentioned the implementations are extremely vendor specific so for example Volcom their their implementation of trustzone is called Q SEC q SE e and
Qualcomm secure execution environment off the top of my head and they also had a CVO that was a codec in secure world and it was an API that they had implemented in the secure world to allow access to like media files or something and it basically allowed code exact because it's just an API and they didn't write it well so the main the main thing I think that is probably the most interesting about this world of coprocessors and like secret code and all that sort of stuff is Intel management engine there's been a lot of focus on the Intel management engine I think white quite rightly it's been around for a while so sort of post Core
2 Duo were the very early implementations it is the hardware side of AMT and vPro so it's actually the hardware implementation that is basically allowing AMT which is a software product to dial into your process and to dial into your system and do things like reboot the machine or yeah like mount virtual media all this stuff that it can do it's integrated into what's called the platform controller hub and that's essentially the majority of the functionality of the Northbridge chip Northbridge chip on the system board which has access to like all of your i/o controllers all of your memory it actually uses the host memory to run priest skylight that looks something like this so you have like your main CPU
any like operating system agents that are communicating with the management engine AMT for example you've got your operating system running on the main CPU and then inside the platform controller hub inside the Northbridge you had a dedicated ARCA core which was running a real-time operating system anything in orange on this is essentially dedicated to the management engine but what's problematic here is that the management engine is inside the piece of the PCH so actually has access to everything that PCH does which means Hardware sensors the Ethernet MAC just super cool and all of the i/o devices that basically hang off the Southbridge which it also has access to it also takes up a small amount of the slot 0 DDR Ram it was
actually pretty cool YouTube talk with the guy who invented this he's like super pumped about it you know this is a great feature and he accidentally sort of mentioned that yeah it runs in the slot zero RAM so if you just like didn't have that bad in the ma wouldn't run and you could literally just take your first stick around Mountain EMA would be neutralised the actual operating system for the entire management engine runs in a partition inside the BIOS flash so for it to actually work it requires the system bios to have a functional environment for it to load up and run as its operating system if that doesn't happen your machine will reboot within
30 minutes because it has like a triggers or watchdog timer inside the CPU so you can't really easily remove it [Music] inside that same flash you've got the system bios you've got the gigabyte gigabit ethernet firmware etc and so I mentioned it has access to the network card it's able to basically coexist on the Ethernet physical interface on the system board and send and receive packets on the ethernet network and respond to those and that's how a MT is implemented this this essentially wasn't as scary because it was in the Northbridge it wasn't sitting in the CPU die if you if you disabled it there were basically ways to disable it by setting flags in the SPI
flash and it was not that big a deal post skylake though they actually removed the intel management engine into the CPU die so it's actually sitting there it's in Intel Atom systems it was actually a spark system which i think is kind of cool it's like an old hardware nerd that if you had one of these atom systems you also had a spark so really the good old days you are in the newer systems though it's actually an x86 core so you've got x86 on x86 it's it's it's way harder to disable so the tricks around just sort of setting the spi flash flags that don't work anymore we'll talk we'll talk about the methods for disabling this but
essentially being integrated into the process it makes it much much harder to neutralize it's much more crucial to the running of the processor and being in the CPU die it has everything that the CPU can access it can access recent research into the Emmy to try and sort of get an idea of like what it's capable of and what code it's running because really if this is running inside the Emmy it's running on your computer all the time and you can't observe it at all recent research shows that basically the processor has multiple unlock modes and these unlock modes are controlled by specific encrypted flash partitions if these partitions contain Intel Keys the processor will enter what's called
Red unlock mode. There is essentially an Intel technology called DCI, which is a debug bus that they use when manufacturing and debugging Intel processors, and if the processor is in Red unlock mode you actually have a functional JTAG interface into the Intel ME processor. Basically, what's required there is the Intel keys: you need the Intel keys to get that mode, because Red unlock mode needs the Intel keys. There were some recent CVEs against this, though, which allowed code execution inside the Intel ME. One cool thing: if you're familiar with memory access, there are multiple rings in an Intel processor, ring 0 traditionally being the highest; you know, that's the operational mode of the kernel,
and the Intel ME actually runs in ring -3, so it not only has access to everything that ring 0 can access, ring 0 can't see it, so it's totally hidden from it. Basically there were CVEs that allowed code execution in ring -3 in the Intel ME core, which is an x86 core. Positive Security did a lot of really great research on it; there have been some awesome talks coming out of Black Hat in the last year. This code execution allowed dumping of the firmware, and it also allowed these guys to work out that there was a secret, undocumented unlock mode that didn't need the Intel keys and would get you into Red unlock mode, which they did:
JTAG was had, firmware was dumped, and yeah, basically they found out it runs MINIX, which is an educational UNIX operating system. This kind of corresponded with a bunch of emails back and forth between Andrew Tanenbaum, who's the guy who wrote MINIX, and Intel, who were asking loads of questions about MINIX, and he's like, this is weird, but okay. And yeah, they basically wrote their own extended version of MINIX for this. They haven't released any of the source code; again, there's more speculation that that's due to government backdoors, but it's probably just because they don't want AMD to steal this [ __ ]. So basically the ME is a UNIX system running inside your processor no matter
what host OS you run; you're running MINIX, which is cool, because MINIX is kind of the most commonly run operating system in the world now. So from all of this there are a few takeaways. General coprocessor security, too long didn't read: security processors running closed-source code beyond user control, which are hard to update without significant impact to the system, don't necessarily improve the security posture of a system in the long term. Closed-source processors which control the initialization of hardware, and which payloads they will pass execution to, outside of user control, are bad for user freedom. So not being able to run what you need to on hardware that you've
paid money for is not only unfair, it's actually kind of preventing you from keeping that hardware for longer; it forces you to buy new hardware, and maybe the hardware you've got is totally fine. There are environmental implications for that, and also the computer probably has a backdoor in it that you don't know about, and there's not heaps you can do about that. From a hardware liberation perspective there are those options, though: you can basically replace the boot code on your system with something like LinuxBoot, coreboot or Libreboot; you can disable security management processors like the Intel ME through various means; and there are also alternate firmwares being developed for bare metal management
cards, like OpenBMC. LinuxBoot is actually a kind of interesting project, because it essentially aims to replace the system BIOS with Linux. It's got essentially just enough to bring up the system to the point where Linux can bootstrap, and most drivers in Linux are actually capable of bringing up hardware without assistance from the BIOS, mostly because BIOSes are very unreliable for bringing up hardware unless you've got the secret documentation that they give to Microsoft. But LinuxBoot is essentially more of a server-orientated project. For end-user systems, and I run it on this laptop, coreboot is becoming more of a common option. It's an open-source BIOS; it basically replaces
your vendor BIOS, and it's enough to bring up your system. Unlike LinuxBoot, you can actually, you know, press F12, boot off the USB; it's quite usable. UEFI, actually: there is a free and open-source implementation of UEFI called TianoCore, and that's actually part of the Intel UEFI implementation that they have open sourced. It's often used as a payload for coreboot if you need to boot UEFI-only operating systems. And then you've got projects like Heads, which is basically meant to coexist with Tails, and it's essentially a verified boot option, so all stages of the boot process are essentially verified with public key cryptography. So, as far as, if you've got a coprocessor
in your processor, what can you do about it? Intel ME: there are some kind of crap options. AMD PSP: you're sort of out of luck, it can't be disabled at all. TrustZone: you can get lucky based on the vendor. BMCs: you can get lucky based on the vendor. There are different means for disabling the Intel ME. The very early ones we talked about, the ones embedded in the Platform Controller Hub: you can set some flags in the flash descriptor and it will just not boot up; it's fine, it's gone. Nehalem onward, you can run an open-source project called me_cleaner, and essentially what
that does is remove as many modules as it can from the ME firmware, leaving only the barest minimum modules that they've found are needed to send that watchdog pulse to the processor to keep it running. So the nasty stuff is more than likely in those other modules; there's absolutely nothing to say that the core modules don't also have nasty stuff in them. As a result of the CVEs that have come out in the Intel ME and the research that has been done by Positive Security, there's been another method found very recently, using the JTAG interface, which is called AltMeDisable, and it is similar to the early methods of disabling the ME, where you can
set a couple of flags in the SPI flash and the ME sort of goes to sleep. This isn't really documented anywhere, but it seems to work. 2013-plus, Intel have actually implemented High Assurance Platform support, which is not a public feature; it's been designed essentially at the NSA's behest, because, funnily enough, they don't want secret processors running in their environment. me_cleaner now has support for setting that bit on the newer processors, and you can essentially disable the ME that way as well. You obviously can't do this on systems with Intel Boot Guard, because you'll be changing the contents of the system BIOS, it'll no longer verify, it won't boot. So OEM systems, sorry,
systems that you've built yourself, for example by buying a motherboard and buying a processor: there's no way Boot Guard can be enabled on that combination, so you can absolutely disable the ME using that. And there are also vendors like Purism and System76 that are basically hardware manufacturers, and they choose not to enable this: when they set the fuses on the CPU, they don't put keys in, so Boot Guard doesn't work, so you can still enable the ME, because you can modify your BIOS, and you can also run coreboot on some of these systems as well. Talked about that. For AMD, you can't run anything but PSP; that's your life. For
TrustZone, certain vendors allow their processors to... you can't disable TrustZone, because it's kind of an inherent CPU feature that allows you to partition areas of memory, but some of the vendors will allow you to run code in it, so you kind of have access to that; you can sort of inspect it, you can see what's going on there. It's still not an awesome situation. For BMCs, you've got OpenBMC, which I mentioned earlier, or you can actually often just desolder the modules or pull out the BMC cards if you don't use them. OpenBMC, funnily enough, is actually a Facebook initiative, because they weren't happy with the stability of their bare metal controllers, but also
they didn't like the idea of trusting a vendor to have access to their data, which, 10 out of 10 for self-awareness. And I figured I'd now just sort of go through a demo of a laptop I've disassembled: dumping the firmware, disabling the ME, flashing coreboot, showing what that looks like, which is going to involve me playing a video on the external screen.
Of course not. Right, so this is a motherboard out of a Lenovo X220 that I've pulled. You can do a lot of this stuff inside the machine; you don't necessarily need to pull the motherboard, a lot of systems just have the flash chip underneath the palm rest. Let's say that's model hands that I hired, showing where the SPI flash is. One of the worst and stupidest things you can try and do is this, because it doesn't work; basically I have it in this video to demonstrate how futile it is. Unless you really dial up the temperature on a heat gun, it's very hard to remove an SPI flash for flashing, because they solder them onto the ground
plane of the board; you've kind of got to warm up the entire board. So what you want to use is something like a test clip, and this is just a SOIC test clip; you can clip it onto the board. You can see I've got the power supply connected to the board; that can be a really good way to supply enough power to the entire board and the flash chip. Often when you plug these things in... sweet, that's cool, that's what I wanted to happen. Oh no, that's intended. Basically the power from the SPI flasher is not going to be enough to power up the whole motherboard, and because the chip is still
soldered, that's essentially what it's going to be trying to do. That's probably not... is that readable? Okay, cool, it's not readable for me. So with the SOIC clip connected, there's a piece of software called flashrom, which is just a really common open-source piece of software; it's used for interacting with SPI flashes. You can see this command over here; it's just a shell script. I'm using a BeagleBone Black to do the flashing because it's got a pretty decent 3.3 volt supply, which is important; it's also very fast because it does native SPI. So I'm just dumping out the firmware from that chip, and you can see it dumped just fine.
So this is me powering up the laptop before I have made any changes. System vital data, not that interesting. You will be able to see, though, on the Config tab when I switch to it... okay, fine.
I'll catch it this time. I prepared this whole video with a piece of software called OpenShot, and it was my... anyway. You probably saw it flash up there: the Intel AMT is showing as enabled in there. I got some pretty decent effects, transitions and stuff, so I was pretty impressed with myself, but I didn't manage to pause it long enough on the AMT bit. Yeah, essentially you can see that it's enabled; it's the vendor BIOS, like you've probably all seen a ThinkPad boot up.
What we'll do now is go through the process of running me_cleaner on the flash that I dumped earlier: so basically taking the vendor BIOS and running me_cleaner over it, which I run with the -S flag, which also sets the High Assurance Platform bit in the flash,
and then, yeah, we basically write the flash back to the chip, which is always way faster than reading the whole thing, because basically if there are any zeros in your flash file it'll just skip over them rather than rewriting them.
I promise I sped this up.
So this is just doing a walk of the original flash, showing just the amount of stuff. These are all flash partitions, raw, mostly containing code and modules that are running inside the Management Engine, just to give you an idea of the scope of it. So me_cleaner will reduce this down to about two or three modules, depending on the edition; the rest of it is things like video drivers and things like that, because it interacts with the video card and all sorts of stuff that seems really unnecessary for a security processor.
There's a lot.
Yeah, this is basically me_cleaner running over it; it's removed a bunch of stuff.
So now we've booted up with the newly flashed, cleaned BIOS.
So it firstly does boot after reflashing the modified BIOS, which is kind of cool.
If we get into the system menu, on the wireless,
you can see the AMT option's gone, so it's essentially disabled it.
This is essentially a compilation of coreboot. Being a free and open-source project, you sort of have to select your board; it supports a whole bunch of different hardware. I've selected the X220. It supports a number of payloads, so when you run coreboot on your machine you are not just running coreboot: you can basically configure coreboot to load what's called SeaBIOS, which is an open-source traditional BIOS; you can configure it to actually load GRUB directly from the SPI flash, so you can direct-boot your kernel or your OS; you can even load a Linux kernel in as a payload, so you actually really cut down the amount of code running on your
machine. I've gone with GRUB here. One downside from filming this demo was that I learned about halfway through, actually, and it made me super glad I wasn't doing this live, that you actually can't get an external monitor working in coreboot, apparently. Compilation...
I'm just flashing it in and then running me_cleaner over the coreboot binary, because coreboot needs the ME firmware as well to keep the processor up and running.
And it's coming up on the laptop screen now, because it boots straight into GRUB, so no vendor BIOS anymore and the ME disabled. And you can embed a config file, so it boots your kernel and everything like that; for the purposes of the demo I didn't, but that's essentially it.
Any questions?
Thank you very much, James. Let's give James a round of applause.
We might have time for one question before the start of the next talk, if there are any people out there that want to ask. Okay, great, we have one question over here. So, how many systems have signed BIOSes, so you can't run me_cleaner on them? So I actually missed the last half of the question. So, how many BIOSes are signed so that you can't just run me_cleaner and modify them? Pretty much any OEM system, so Lenovo, Dell, they all enable Boot Guard; it's all signed, pretty much. The only option on newer systems is to go with a vendor who specifically doesn't sign their BIOS, like System
76 or Purism; they aren't paying me any money to say that. Or build your own systems using sort of standalone parts. But they all enable it because it's a security feature. [Music] Thank you very much. Just one more round of applause for James. [Applause] And by the way, James mentioned this earlier, he is part of the hardware people, whose stuff is... Paul Louise coming up next, so go see those guys tomorrow at the Hardware Hacking Village and they'll show you a thing or two.