I admit that I have no idea at all about all that UEFI signing stuff, but the only thing in the "Keys" directory that does not look completely like random data is this, and "DO NOT TRUST - AMI Test PK0" looks more like something I'd distribute among my development team for testing, but would definitely not be the real thing:
$ strings Ivy_Bridge_018s/Keys/Variables/db
4}7Ve
0%1#0!
DO NOT SHIP - AMI Test KEK0
110823215243Z
120823215242Z0%1#0!
DO NOT SHIP - AMI Test KEK0
(...)
$ strings Ivy_Bridge_018s/Keys/Variables/KEK
4}7Ve
0%1#0!
DO NOT TRUST - AMI Test PK0
110823215221Z
120823215220Z0%1#0!
DO NOT TRUST - AMI Test PK0
(...)
$ strings Ivy_Bridge_018s/Keys/Variables/dbx
4}7Ve
0.1,0*
#DO NOT SHIP - Microsoft Test KEK CA0
110506224835Z
121106224834Z0+1)0'
DO NOT SHIP - Microsoft Test KEK0
(...)
$ strings Ivy_Bridge_018s/Keys/Variables/PK
4}7Ve
0%1#0!
DO NOT TRUST - AMI Test PK0
110823215221Z
120823215220Z0%1#0!
DO NOT TRUST - AMI Test PK0
)MCn
D5g(
(...)
Yes, but you'd expect the key (Keys/FW/.priKey) to be accompanied by some useful metadata (naming the entity the key belongs to, and a certificate from microsoft validating the key) to be added to the firmware image, wouldn't you? And if there's only certificates containing "DO NOT USE" text?
But certainly, I have no idea about all that. If someone could post commands how to verify (or at least dump) connection between DER encoded RSA keys and the PK/KEK/db/dbx files (which seem to have a 40byte header, then, again DER data)... that could shed some additional light on these matters.
There'd be no reason to expect the firmware signing key to have any relation to any of the certificates used in Secure Boot. They're used for separate purposes.
openssl rsa -inform DER -in Ivy_Bridge_018s/Keys/FW/.priKey -text
But still, I don't know how to verify that this key is not the one refered to by the "DO NOT USE" certs (which, to me, sounds pretty reasonable to assume).
>References in the files indicate that the code is from sometime in February - so this is current code.
Given that that image shows dates in 2012, I think the author has made the classic mistake many of us make at the start of the new year, of still thinking it's the old one.
For firmware, 2012 is actually very new. I don't think manufacturers change the versions too often, even on firmware updates - they usually maintain/patch the original firmware (the version that was used when the hardware launched). A motherboard released in 2012 probably has an older version of firmware than the leaked one.
Microsoft's requirements for Windows 8 certified firmware continued changing until surprisingly far through 2012. Code from early 2012 wouldn't satisfy it.
I don't see how BIOS signing could be really that important.
BIOS flash must be write protected in silicon before the OS boots to prevent flashing by pwned kernel or drivers so we can assume that only BIOS setup application can touch BIOS flash. Flashing inside BIOS setup application can be prevented by password. And if somebody has physical access to the motherboard to reset this password it's game over anyway.
Call me when somebody leaks something interesting or useful like the Secure Boot private key of Microsoft.
Usually there isn't much protection, if you have root on a system.
On an infrequent basis I've used Flashrom (http://www.flashrom.org) to burn new system BIOS's into flash on a running Linux system. Much easier than fiddling with DOS boot disks, etc. Thus, anyone who can exploit to root could theoretically reflash the BIOS in a system with code that would be persistent through OS reinstallations. Personally, I'd focus on the PXE ROM if asked to compromise systems in this way.
Some older systems have jumpers on board that can write protect the BIOS, but frequently they either default to being in the writable state. I haven't noticed these jumpers on modern PC hardware for a while.
This isn't unique to UEFI Secure Boot systems - I'd assume once you're in OS, all bets are off in terms of who can do what to the hardware.
>I'd assume once you're in OS, all bets are off in terms of who can do what to the hardware.
A common misconception. Even if you are running as ring-0, there are things that you cannot do, and only BIOS can. For example, executing code in SMM mode, mapping/hiding portions of memory, or changing some PCI configuration options that get "locked" after BIOS.
I'm talking about really secure systems, although I'm not sure if such exist in real world.
If we take BIOS security seriously, access to BIOS flash must be restricted to BIOS setup application, for example by programming some non-resettable "write protect" bit before booting the OS.
"so we can assume that only BIOS setup application can touch BIOS flash"
Nope. Intel (at least) let you program the flash controller so it'll forbid writes from the OS but permit writes from System Management Mode. Load the firmware into RAM, hand a list of addresses to an SMM trap and wait for it to flash it. Entirely secure, as long as you're using signed images.
>Flashing inside BIOS setup application can be prevented by password.
That is disabled by default. Most likely the BIOS checks this signature before booting or flashing itself, no difference if you are root or not. It IS useful for a bios rootkit. The private key of Microsoft would be useful for a regultar boot-sector rootkit.
[now this comment became much too long and rambling... ;-) ]
Regarding erase/write protection of flash-memories:
Besides the actual user-acessible bulk-data, a flash-chip typically has additional configuration data that store write-protection of the whole device or parts of the memory (pages). This protection typically is done so that the device is not accidentally overwritten by a misbehaving program (e.g. a process in kernel-space writing randomly to addresses).
Take for example the Intel 28F128[1] (128Mbit) which will appear as a 16bit wide memory on a processor's address/data bus (or some version interfaced to the processor by the northbridge, the details can be found in the AMI Bios sourcecode :-) ). Normally you only read the addresses the flash is mapped to, and you will get your stored data (called "read matrix" mode).
But to make the flash do something special, like identifying itself, executing erase-commands, protecting or un-protecting sectors, you will write some special word to its "command" address: Subsequently the flash will no longer output the stored user-data on reads to its address, but rather whatever the chosen command defines.
For example to identify the flash according to the CFI specificytion, you write the data-value 0x55h to the flash-address 0x98[2], then you will no longer read out user-data, but information about the flash-chip, the manufacturer, timing, ...
To see how that works, you can have a look at the code in u-boot, a pretty common bootloader for arm-, m68k- or mips(?) devices[3], e.g. write_buff() in line #1313, flash_Erase() in #1049. The feature for "write protecting" pages in the 28F128 is called locking/unlocking the data-sheet. "Protection" in the datasheet refers to a different mechanism.
Also the 28F128 _does_ _indeed_ have a hardware write-protect pin (called #WP), and this might be connected to a jumper, or to a GPIO pin as a added layer of protection. But I haven't seen that being implemented "in the wild", at least in embededd devices.
So the only thing a application needs to flash your BIOS is typically a mapping of the processors address/data-bus to the flash-chip, and access to these addresses, either directly from a driver running in 1:1 mapped kernel address-space or mmap()-ed to user-memory. That's how the typical butt-ugly flash-program running directly under Windows7 does it.
(and yes, I know, some devices nowadays employ a mask-programmed mini-loader that loads the 2nd-stage bootloader e.g. from a serial memory, or a mmc/sdcard, as parallel flash such as the 28F128 is a little outdated already)
My point is that to secure the BIOS you must latch this WP bit after the "press whatever to enter setup" message is gone and you must not accept SWAWARD as wildcard password.
If you fail at these, your system is insecure even in presence of BIOS signing.
If you implement these properly, your system is secure even without BIOS signing.
Ergo, BIOS signing is pointless as a security measure and author's whining about this leak putting users at risk is unjustified.
Well, BIOS flash tools would work in this case by flashing the new BIOS on reboot using a feature of the existing BIOS, which is when the BIOS signature would be validated.
Now it has a password. Oh dear, I'm depressed I've missed out on this. The FTP server appeared to have quite a few interesting things on it (for example, a folder called "Samsung ARM").
Anonymous ftp still works, it's just hitting the maximum connected user limit. Better to use an FTP client than the browser as it will persist the connection.
from the article:
"This kind of leak is a dream come true for advanced corporate espionage or intelligence operations."
i disagree. this is banal stuff for "corporate espionage or intelligence". they have that and more for ages. no data that has a price is private.
what is interesting is that we could now have a decent open sourced BIOS implementation. ...Maybe if someone in china or other country with less software copyright starts the project we all can contribute?
This is not the first BIOS source to leak (Award BIOS 6 code leaked 10 yrs ago, am sure still available in your fav torrent tracker). Opensource code will certainly not make use of this leaked implementation, it is asking for trouble.
The story's been updated with information from AMI - it sounds like the keys are only intended to be used for testing purposes and should be changed before use, but it's obviously possible for vendors to ignore that advice.
$ strings Ivy_Bridge_018s/Keys/Variables/db
4}7Ve 0%1#0! DO NOT SHIP - AMI Test KEK0 110823215243Z 120823215242Z0%1#0! DO NOT SHIP - AMI Test KEK0 (...)
$ strings Ivy_Bridge_018s/Keys/Variables/KEK
4}7Ve 0%1#0! DO NOT TRUST - AMI Test PK0 110823215221Z 120823215220Z0%1#0! DO NOT TRUST - AMI Test PK0 (...)
$ strings Ivy_Bridge_018s/Keys/Variables/dbx
4}7Ve 0.1,0* #DO NOT SHIP - Microsoft Test KEK CA0 110506224835Z 121106224834Z0+1)0' DO NOT SHIP - Microsoft Test KEK0 (...)
$ strings Ivy_Bridge_018s/Keys/Variables/PK
4}7Ve 0%1#0! DO NOT TRUST - AMI Test PK0 110823215221Z 120823215220Z0%1#0! DO NOT TRUST - AMI Test PK0 )MCn D5g( (...)