Toshiba: Infineon TPMs, Security Feature Bypass Vulnerability

Infineon Technologies Trusted Platform Modules (TPMs), Security Feature Bypass Vulnerability

Document ID: 4015874
Posted Date: 2018-03-20
Last Updated: 2018-03-20

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Potential Security Impact: A security vulnerability exists in certain Trusted Platform Module (TPM) firmware. The vulnerability weakens key strength. It is important to note that this is a firmware vulnerability, and not a vulnerability in the operating system or a specific application. Toshiba is working closely with Infineon® to validate their fix and ensure it works across Toshiba’s range of products. Until firmware updates are available, it is recommended that people and companies using Toshiba PCs and devices that incorporate TPMs take steps to maintain the security of their systems and information.

Toshiba’s TPM Firmware Release Schedule:[…]
Source: Infineon® & Microsoft® Security TechCenter

https://support.toshiba.com/sscontent?contentId=4015874

Using Intel C/Fortran compilers to mitigate Spectre/Meltdown

https://twitter.com/DevZoneBlog/status/977257032364494849

Using Intel® Compilers to Mitigate Speculative Execution Side-Channel Issues
Jennifer J. (Intel)
March 23, 2018

Table of Contents:
Disclaimers
Introduction
Mitigating Bounds Check Bypass (Spectre Variant 1)
Mitigating Branch Target Injection (Spectre Variant 2)
How to Obtain the Latest Intel® C++ Compiler and Intel® Fortran Compiler
Conclusion and Further Reading

https://software.intel.com/en-us/articles/using-intel-compilers-to-mitigate-speculative-execution-side-channel-issues

https://software.intel.com/en-us/c-compilers
https://software.intel.com/en-us/qualify-for-free-software

Verified Boot – Introduction to U-Boot’s Secure Boot

Submitted by admin on Sun, 09/24/2017 – 13:37

First things first, Uboot for the uninitiated is an open source bootloader that is commonly used on Linux ARM and MIPS systems, but has roots in the PowerPC (PPC) days. It supports a number of computer architectures and is secretly hiding away in many devices you or I use every day (e.g., home routers).[…]

https://www.pacificsimplicity.ca/blog/verified-boot-%E2%80%93-introduction-u-boot%E2%80%99s-secure-boot

Microsoft Project Denali

Microsoft creates industry standards for datacenter hardware storage and security
March 20, 2018
Kushagra Vaid General Manager, Azure Hardware Infrastructure

Today I’m speaking at the Open Compute Project (OCP) U.S. Summit 2018 in San Jose where we are announcing a next generation specification for solid state device (SSD) storage, Project Denali. We’re also discussing Project Cerberus, which provides a critical component for security protection that to date has been missing from server hardware: protection, detection and recovery from attacks on platform firmware. Both storage and security are the next frontiers for hardware innovation, and today we’re highlighting the latest advancements across these key focus areas to further the industry in enabling the future of the cloud.[…]

Project Denali to define flexible SSDs for cloud-scale applications

https://www.sdxcentral.com/articles/news/microsoft-disaggregates-layers-flash-storage-denali-project/2018/03/

http://www.eweek.com/storage/microsoft-announces-project-denali-ssd-storage-specification-effort

Flash storage

ARM to add PSA to Trusted Firmware-M (and new threat model docs available)

ARM has new threat model docs available for its PSA, and has announced that it will release ARM Trusted Firmware with PSA support at the end of the month; you can give them your email address to be notified when it is released.

[…]we announced a major program to improve IoT security, called Platform Security Architecture (PSA). PSA is a common framework aiming to provide a holistic approach to IoT security.[…]Now available! Open Source Trusted Firmware-M. Arm wants to make security simpler and more cost effective, by making high quality reference code and documents accessible – as security becomes more complex, all developers need access to these resources. We have released the first open source reference implementation firmware that conforms to the PSA specification, Trusted Firmware-M, at the end of March 2018.[…] Download now: Threat Models and Security Analyses documentation: The TMSA is a starting point for assessing the security risk facing a selection of connected devices. From this research, the right level of security can be determined, and then functional requirements established to mitigate the threats.

https://pages.arm.com/psa-resources.html
https://www.trustedfirmware.org/
https://www.arm.com/news/2018/02/psa-next-steps-toward-a-common-industry-framework-for-secure-iot
https://community.arm.com/iot/b/blog/posts/the-next-step-for-psa-and-a-secure-iot-future
https://github.com/ARM-software/arm-trusted-firmware/wiki/ARM-Trusted-Firmware-Security-Centre
https://github.com/ARM-software/arm-trusted-firmware

FWTS 18.03.00 is released

New Features:
* ACPICA: Update to version 20180313
* dmi: dmicheck: add chassis type for Type 3

http://fwts.ubuntu.com/release/fwts-V18.03.00.tar.gz
https://launchpad.net/~firmware-testing-team/+archive/ubuntu/ppa-fwts-stable
https://wiki.ubuntu.com/FirmwareTestSuite/ReleaseNotes/18.03.00
https://launchpad.net/ubuntu/+source/fwts

AMD responds to CTS Labs vulns

“[…]AMD will provide additional updates on both our analysis of these issues and the related mitigation plans in the coming weeks.”

https://community.amd.com/community/amd-corporate/blog/2018/03/20/initial-amd-technical-assessment-of-cts-labs-research

While many feel that CTS Labs did not do a good job at disclosure, AMD has also not been doing a good job at updating the world about its vulns. There is still no CVE for the PSP vuln from January, which is related to this one. Does AMD only reply to vulns that come with a 24-hour response deadline, and ignore ones that do not? Why haven’t we seen a response like the one above for the fulldisclosure vuln below?

a bit more on AMD PSP vuln

INTEL-SA-00117: Intel SGX Elevation of Privilege

Intel® SGX SDK Edger8r and Intel® Software Guard Extensions Platform Software Component
Intel ID: INTEL-SA-00117
Product family: Intel® SGX
Impact of vulnerability: Elevation of Privilege
Severity rating: Important
Original release: Mar 19, 2018

[…]CVE-2018-3626: The Edger8r tool in the Intel® Software Guard Extensions (SGX) Software Development Kit (SDK) before version 2.1.2 (Linux) and 1.9.6 (Windows) may generate code that is susceptible to a side channel attack, potentially allowing a local user to access unauthorized information. CVE-2018-5736: An elevation of privilege in Intel® Software Guard Extensions Platform Software Component before 1.9.105.42329 allows a local attacker to execute arbitrary code as administrator. CVE-2018-3626: Recently it was reported that the Edger8r Tool, a software component of the Intel® Software Guard Extensions (SGX) Software Development Kit (SDK), may generate C source code potentially leading to a software based side-channel vulnerability. […]Intel would like to thank Jo Van Bulck, Frank Piessens, and Raoul Strackx of KU Leuven University for reporting CVE-2018-3626 and working with us on coordinated disclosure.

https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00117&languageid=en-fr

IBM providing their OpenBMC code to Linux Foundation

[…]IBM is providing their OpenBMC code base to The Linux Foundation, and this project will be supported by several organizations, including Facebook, Google, Intel, and Microsoft. The community is looking to expand and invites contributors from across the industry to come together in defining and creating the OpenBMC stack.[…]The Linux Foundation is pleased to welcome OpenBMC to our family of open source projects and to work with the community to support its growth.[…]

https://www.linuxfoundation.org/blog/openbmc-project-community-comes-together-at-the-linux-foundation-to-define-open-source-implementation-of-bmc-firmware-stack/

https://www.openbmc.org/

https://github.com/openbmc/openbmc

Intel: Implementing MicroPython as a UEFI test framework

https://software.intel.com/en-us/blogs/2018/03/08/implementing-micropython-as-a-uefi-test-framework

MicroPython for UEFI - Stack Overview

Intel publishes PCIe Device Security Enhancements spec

PCIe Device Security Enhancements Specification

PCI Express (PCIe) Devices may be composed of hardware (immutable) and firmware (immutable and mutable) components. Presently, Vendor ID/Device ID/Revision ID registers convey the hardware identity of a PCIe* Device and there is no defined mechanism to convey the firmware identity of a PCIe Device. In addition to the Device identity, the PCIe specification defines various types of capability structures to convey PCIe Device features and capabilities. Both the Device Identity and capabilities can be spoofed and used maliciously by an advanced adversary. This specification introduces the notion of PCIe* Device Firmware Measurement, a method of exposing the identity of Device firmware. The Device Firmware Measurement mechanism used in isolation, however, is subject to supply chain attacks such as counterfeiting and can also be spoofed by an advanced adversary. Additionally, this specification introduces the notion of PCIe Device Authentication, which uses public key cryptography to defend against such attacks and to provide higher assurance about the hardware and firmware identities and capabilities. PCIe Device Authentication adapts the USB Authentication mechanism to PCIe—the new elements are the specific PCIe register interface and the associated mechanisms, plus some details that are necessarily specific to PCIe. The PCIe Device Authentication result can be used in various scenarios such as: 1) a data center administrator can ensure all PCIe Devices are running appropriate firmware versions; 2) system software can ensure a trusted Device is plugged in before enabling the PCIe Address Translation Services (ATS) for the Device. PCIe Device Authentication provides platforms with a way to make trust decisions about specific Devices. This in turn provides value to Device vendors because the Authentication feature is itself a valuable Device feature, and supports the detection of counterfeit and potentially malicious Devices.
This specification details the requirements, interface and protocol for PCIe Device Firmware Measurement and PCIe Device Authentication. It also provides general guidelines for implementing these technologies in practice.
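The abstract's core argument, that a firmware measurement on its own can be copied by a counterfeit while a public-key authentication of that measurement cannot, illustrated with an added Go example that is not part of the Intel specification and does not model its register interface or message formats; it assumes a SHA-256 measurement, a per-device ECDSA P-256 key whose public half the platform trusts as the vendor key, and a verifier-chosen nonce, all of which are constructed here for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Measurement is a SHA-256 of the firmware image (illustrative; not the spec's format).
type Measurement [32]byte
// Device models a PCIe device holding a firmware image and a signing key.
type Device struct {
	Firmware []byte
	Key      *ecdsa.PrivateKey
}
// challengeDigest binds a verifier-chosen nonce to the measurement to prevent replay.
func challengeDigest(nonce []byte, m Measurement) []byte {
	d := sha256.Sum256(append(append([]byte{}, nonce...), m[:]...))
	return d[:]
}
// Attest reports the measurement and the device's signature over nonce||measurement.
func (d *Device) Attest(nonce []byte) (Measurement, []byte, error) {
	m := Measurement(sha256.Sum256(d.Firmware))
	sig, err := ecdsa.SignASN1(rand.Reader, d.Key, challengeDigest(nonce, m))
	return m, sig, err
}
// VerifyMeasurementOnly trusts the reported digest as-is: a clone of the image passes.
func VerifyMeasurementOnly(m Measurement, allowed map[Measurement]bool) bool {
	return allowed[m]
}
// VerifyAuthenticated also demands a signature by the trusted vendor key.
func VerifyAuthenticated(vendor *ecdsa.PublicKey, nonce []byte, m Measurement, sig []byte, allowed map[Measurement]bool) bool {
	return allowed[m] && ecdsa.VerifyASN1(vendor, challengeDigest(nonce, m), sig)
}
// Scenario returns (genuine passes auth, clone passes measurement-only, clone passes auth).
func Scenario() (bool, bool, bool) {
	fw := []byte("constructed sample firmware image v1.0") // constructed, not a real image
	vendorKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	cloneKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // counterfeit's own key
	genuine, clone := &Device{fw, vendorKey}, &Device{fw, cloneKey}
	allowed := map[Measurement]bool{sha256.Sum256(fw): true}
	nonce := make([]byte, 16)
	rand.Read(nonce)
	gm, gsig, _ := genuine.Attest(nonce)
	cm, csig, _ := clone.Attest(nonce)
	return VerifyAuthenticated(&vendorKey.PublicKey, nonce, gm, gsig, allowed), VerifyMeasurementOnly(cm, allowed), VerifyAuthenticated(&vendorKey.PublicKey, nonce, cm, csig, allowed)
}
func main() { fmt.Println(Scenario()) }
```

The clone reports exactly the allow-listed digest, so the measurement-only check accepts it; only the signed challenge, which it cannot produce without the vendor key, tells the two apart.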

https://www.intel.com/content/www/us/en/io/pci-express/pcie-device-security-enhancements-spec.html