Targeting better x86 platform security, Intel has created several hardware-based firmware protection mechanisms: TXT, BIOS Guard, Boot Guard and SGX. Since there is nothing to trust at runtime, these protections rely on hardware boundaries set up in the manufacturing environment. This leaves only two Roots of Trust: the Intel Management Engine ROM and the Intel CPU ROM (microcode). The latter in turn loads and executes the various Intel Authenticated Code Modules (ACMs), special signed binaries, each of which provides the core of the implementation and trust for one of the technologies above. Obviously, a security issue in an ACM could compromise the protection technology it supports.
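The "special signed binary" the CPU loads is a flat image with a fixed header that carries the module's own RSA public key and signature, followed by the module body. The script below is an added example written for this page, not code from the talk or from Intel: it parses that header using the field layout published in Appendix A of the Intel TXT Software Development Guide, reports the fields an analyst wants first (type and subtype, header version, chipset ID, debug/production flag, SVNs, key size) and slices out the public key, the signature and the region the signature covers. The sample module it builds is synthetic (placeholder key, placeholder signature, a 64-byte body); the placement of the scratch area directly after the signature and the exclusion of key, exponent, signature and scratch from the signed region follow my reading of the SDG and are marked as assumptions in the code.

```python
"""Parse the header of an Intel Authenticated Code Module (ACM).

Added example, not code from the talk or from Intel. Field layout follows
Appendix A of the Intel TXT Software Development Guide; the module built by
build_sample_acm() is synthetic (dummy key, dummy signature, tiny body).
"""
import hashlib
import struct
from dataclasses import dataclass
from typing import Optional

# Fixed 128-byte part of the header, little-endian, in SDG field order.
_FIXED = struct.Struct("<HHIIHHIIIHHIIIIII64sII")
_FIXED_NAMES = (
    "module_type", "module_subtype", "header_len", "header_version",
    "chipset_id", "flags", "module_vendor", "date", "size", "txt_svn",
    "se_svn", "code_control", "error_entry_point", "gdt_limit",
    "gdt_base_ptr", "seg_sel", "entry_point", "reserved2", "key_size",
    "scratch_size",
)
MODULE_TYPE_CHIPSET_ACM = 2      # the only ModuleType used for Intel ACMs
SUBTYPE_RESET_VECTOR = 1         # module may run at the reset vector (Boot Guard style)
VENDOR_INTEL = 0x8086
FLAG_PRE_PRODUCTION = 1 << 14
FLAG_DEBUG_SIGNED = 1 << 15      # set on debug-signed, i.e. non-production, modules


@dataclass
class AcmInfo:
    fields: dict
    pubkey: bytes
    pubexp: Optional[int]        # header version 0.0 carries the RSA exponent inline
    signature: bytes
    user_area_offset: int        # first byte after the scratch area
    signed_region: bytes         # bytes the RSA signature is computed over
    pubkey_sha256: str           # fingerprint to compare against a known key hash


def parse_acm(data: bytes) -> AcmInfo:
    if len(data) < _FIXED.size:
        raise ValueError("shorter than the fixed ACM header")
    f = dict(zip(_FIXED_NAMES, _FIXED.unpack_from(data, 0)))
    if f["module_type"] != MODULE_TYPE_CHIPSET_ACM:
        raise ValueError(f"not a chipset ACM: ModuleType={f['module_type']:#x}")
    if f["module_vendor"] != VENDOR_INTEL:
        raise ValueError(f"unexpected ModuleVendor {f['module_vendor']:#x}")
    total = f["size"] * 4                       # Size is counted in dwords
    if total > len(data):
        raise ValueError("Size field exceeds the buffer")
    key_bytes = f["key_size"] * 4               # KeySize is counted in dwords
    off = _FIXED.size
    pubkey = data[off:off + key_bytes]
    off += key_bytes
    pubexp = None
    if (f["header_version"] >> 16) < 3:         # 0.0 header: RSA-2048 with explicit exponent
        (pubexp,) = struct.unpack_from("<I", data, off)
        off += 4
    signature = data[off:off + key_bytes]
    off += key_bytes
    if off != f["header_len"] * 4:
        raise ValueError(f"HeaderLen {f['header_len']} dwords does not match layout ({off} bytes)")
    # Assumption: the scratch area immediately follows the signature.
    scratch_end = off + f["scratch_size"] * 4
    if scratch_end > total:
        raise ValueError("scratch area runs past the end of the module")
    # Assumption: the signature covers the whole module except the key, the
    # exponent, the signature itself and the scratch area.
    signed_region = data[:_FIXED.size] + data[scratch_end:total]
    return AcmInfo(f, pubkey, pubexp, signature, scratch_end, signed_region,
                   hashlib.sha256(pubkey).hexdigest())


def build_sample_acm(header_version: int = 0, debug: bool = False) -> bytes:
    """Synthetic module; a real ACM carries Intel's key and signature here."""
    has_exp = (header_version >> 16) < 3
    key_dwords = 64 if has_exp else 96          # RSA-2048 (v0.0) vs RSA-3072 (v3.0)
    scratch_dwords = 16
    body = b"\xcc" * 64                         # placeholder for code and data
    header_len = (_FIXED.size + 2 * key_dwords * 4 + (4 if has_exp else 0)) // 4
    total_dwords = header_len + scratch_dwords + len(body) // 4
    flags = FLAG_DEBUG_SIGNED if debug else 0
    fixed = _FIXED.pack(
        MODULE_TYPE_CHIPSET_ACM, SUBTYPE_RESET_VECTOR, header_len, header_version,
        0xB005, flags, VENDOR_INTEL, 0x20170616, total_dwords, 2, 1, 0, 0,
        0x3F, 0x80, 0x8, (header_len + scratch_dwords) * 4, b"\0" * 64,
        key_dwords, scratch_dwords)
    pubkey = b"\x11" * (key_dwords * 4)
    exp = struct.pack("<I", 65537) if has_exp else b""
    sig = b"\x22" * (key_dwords * 4)
    return fixed + pubkey + exp + sig + b"\0" * (scratch_dwords * 4) + body


if __name__ == "__main__":
    for version in (0x00000, 0x30000):
        info = parse_acm(build_sample_acm(version))
        f = info.fields
        print(f"v{f['header_version'] >> 16}.{f['header_version'] & 0xFFFF}: "
              f"chipset {f['chipset_id']:#06x}, date {f['date']:#010x}, "
              f"TXT SVN {f['txt_svn']}, SE SVN {f['se_svn']}, "
              f"key {len(info.pubkey) * 8} bit, "
              f"{'debug' if f['flags'] & FLAG_DEBUG_SIGNED else 'production'} signed, "
              f"key hash {info.pubkey_sha256[:16]}...")
```

Run it on a real module (for example an ACM carved out of a BIOS image with its FIT entry) by replacing `build_sample_acm()` with the file contents; the key hash is what you compare against the hash the platform trusts, and the signed region is what you feed to the RSA check with the digest that matches the header version.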
This talk will cover the security analysis of all known types of ACMs and how to exploit vulnerabilities in them, keeping in mind that they are sometimes encrypted and run only from the L3 cache: the Boot Guard ACM, the TXT SINIT ACM and the BIOS Guard ACM (including how to steal its decrypted image from the cache). Many undocumented technical details gathered through reverse engineering, together with the specifics of discovering and exploiting vulnerabilities in these Intel-trusted low-level binaries, will also be presented.