Many hardware vendors armoring modern Secure Boot by moving Root of Trust to the hardware. It is definitely the right direction to create more difficulties for the attacker. But usually, between hardware and firmware exist many layers of code. Also, hardware vendors always fighting for boot performance which creates interesting security issues in actual implementations. In this presentation, I’ll explain new security issues to bypass specific implementation of Intel Boot Guard technology in one of the most common enterprise vendors. The actual vulnerability allows the attacker to bypass Intel Boot Guard security checks from OS without physical access to the hardware. Also, I’ll cover topics including Embedded Controller (EC) with focus on UEFI Firmware cooperation and Authenticated Code Module (ACM) runtime environment. It is brand new research not based on my previous Boot Guard discoveries.
One thought on “OffensiveCon: Attacking Hardware Root of Trust from UEFI Firmware”