Dmytro has an interesting 6-part Twitter post on PCIe security:
Rogue PCI-E/FireWire/Thunderbolt/etc. device can exploit platform firmware vulns to execute arbitrary System Management Mode code [1/x] pic.twitter.com/CueD3ke0yb
— Dmytro Oleksiuk (@d_olex) June 22, 2017
Normally SMM memory is protected against rogue DMA using the TSEGMB register; the discovered vulnerability allows breaking this mechanism [2/x]
— Dmytro Oleksiuk (@d_olex) June 22, 2017
For most computers with Intel chips, SMM code execution means that an attacker can infect platform firmware with a persistent rootkit [3/x]
— Dmytro Oleksiuk (@d_olex) June 22, 2017
The vulnerability exists because of design flaws in Intel reference code; it is present in EFI 2.x firmware of almost all new computers [4/x]
— Dmytro Oleksiuk (@d_olex) June 22, 2017
Apple is the only vendor so far who is not vulnerable for sure (they know how to cook PCI-E and IOMMU properly :)) [5/x]
— Dmytro Oleksiuk (@d_olex) June 22, 2017
FPGA powered toolkit which implements the attack was tested on Intel NUC 6i3SYH. Test setup pic: https://t.co/59eEwsy2qa [6/6]
— Dmytro Oleksiuk (@d_olex) June 22, 2017
I discovered this vuln a while ago but had no FPGA knowledge to craft the hardware which can exploit it. Now I can report it to Intel 🙂
— Dmytro Oleksiuk (@d_olex) June 22, 2017
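
For the TSEGMB protection mentioned in tweet 2, a defender can at least confirm that firmware programmed and locked the DMA-protected range and that it covers SMRAM. The following is an added example, not code from Dmytro or Intel; the register offsets (TSEGMB at 0xB8, BGSM at 0xB4 on the host bridge at 00:00.0), the use of the SMRR range as the SMRAM location, and all sample values are assumptions to check against the platform datasheet.

```python
import struct

# Assumed layout: Intel Core client host bridge (bus 0, dev 0, fn 0).
# Confirm the offsets against the datasheet of the platform being audited.
TSEGMB_OFF = 0xB8        # TSEG memory base (start of DMA-protected SMRAM)
BGSM_OFF = 0xB4          # base of GTT stolen memory = first byte above TSEG
LOCK_BIT = 0x1           # bit 0: register is read-only until reset
ADDR_MASK = 0xFFF00000   # bits 31:20, 1 MiB granularity

def read_reg32(cfg, off):
    """Read a little-endian 32-bit register from a config-space dump."""
    return struct.unpack_from("<I", cfg, off)[0]

def check_tseg_dma_protection(cfg, smrr_base, smrr_size):
    """Return a list of findings; an empty list means the setup is consistent."""
    findings = []
    tsegmb = read_reg32(cfg, TSEGMB_OFF)
    bgsm = read_reg32(cfg, BGSM_OFF)
    tseg_base = tsegmb & ADDR_MASK
    tseg_end = bgsm & ADDR_MASK          # exclusive upper bound of TSEG
    if not tsegmb & LOCK_BIT:
        findings.append("TSEGMB is not locked")
    if not bgsm & LOCK_BIT:
        findings.append("BGSM is not locked")
    if tseg_base == 0 or tseg_end <= tseg_base:
        findings.append("TSEG range is empty or inverted")
    if smrr_base < tseg_base or smrr_base + smrr_size > tseg_end:
        findings.append("SMRAM is not fully inside the DMA-protected TSEG range")
    return findings

def make_cfg(tsegmb, bgsm):
    """Build a constructed 256-byte config-space dump for the examples."""
    cfg = bytearray(256)
    struct.pack_into("<I", cfg, TSEGMB_OFF, tsegmb)
    struct.pack_into("<I", cfg, BGSM_OFF, bgsm)
    return bytes(cfg)

if __name__ == "__main__":
    smrr = (0x8B000000, 0x00800000)      # constructed SMRR base and size (8 MiB)
    good = make_cfg(0x8B000001, 0x8B800001)
    bad = make_cfg(0x8B400000, 0x8B800001)   # unlocked, covers only upper half
    print("good:", check_tseg_dma_protection(good, *smrr))
    print("bad: ", check_tseg_dma_protection(bad, *smrr))
```

On Linux the same 256 bytes can be read as root from `/sys/bus/pci/devices/0000:00:00.0/config`. A clean result only shows the registers are set consistently; it says nothing about the firmware flaw the thread describes.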