ME Cleaner: A cleaner for Intel ME (Management Engine) images.
This tool removes any unnecessary partition from an Intel ME firmware, reducing its size and its ability to interact with the system. It should work both with Coreboot and with the factory BIOS. Currently this tool:
* Scans the FPT (partition table) and checks that everything is correct
* Removes any partition entry (except for FTPR) from FPT
* Removes any partition except for the fundamental one (FTPR)
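As an added example (not me_cleaner's own code), the three steps above carried out on a constructed ME region: scan the $FPT table, verify its header checksum, and keep only FTPR. The $FPT layout is assumed from the public format description (a 0x20-byte header at offset 0x10 with the entry count at +4 and a checksum byte at +0xB, followed by 0x20-byte entries whose first four dwords are name, owner, offset and length); the image, version bytes and partition bodies are sample values.

```python
import struct

FPT_OFFSET = 0x10   # assumed: the $FPT header starts 0x10 bytes into the ME region
HEADER_LEN = 0x20   # $FPT header size; partition entries follow immediately
ENTRY_LEN = 0x20    # each entry starts with dwords: name, owner, offset, length


def _fix_checksum(hdr):
    """Byte 0xB is the checksum slot: all header bytes must sum to 0 mod 256 (assumed rule)."""
    hdr[0xB] = 0
    hdr[0xB] = (-sum(hdr)) % 256
    return hdr


def build_sample_image():
    """Constructed 4 KiB stand-in for an ME region with three partitions (not real firmware)."""
    img = bytearray(b"\xff" * 0x1000)                       # erased flash reads as 0xFF
    parts = [(b"FTPR", 0x400, 0x200), (b"NFTP", 0x600, 0x200), (b"MFS", 0x800, 0x400)]
    hdr = bytearray(HEADER_LEN)
    hdr[:4] = b"$FPT"
    struct.pack_into("<I", hdr, 4, len(parts))              # number of entries
    hdr[8], hdr[9], hdr[10] = 0x20, 0x10, HEADER_LEN        # sample header/entry version, length
    img[FPT_OFFSET:FPT_OFFSET + HEADER_LEN] = _fix_checksum(hdr)
    for i, (name, off, length) in enumerate(parts):
        pos = FPT_OFFSET + HEADER_LEN + i * ENTRY_LEN
        struct.pack_into("<4sIII", img, pos, name, 0, off, length)   # name, owner, offset, length
        img[off:off + length] = name[:1] * length           # filler body so erasure is visible
    return img


def parse_fpt(img):
    """Scan the FPT: return ([(name, owner, offset, length), ...], checksum_ok)."""
    hdr = img[FPT_OFFSET:FPT_OFFSET + HEADER_LEN]
    if hdr[:4] != b"$FPT":
        raise ValueError("no $FPT signature at 0x%x" % FPT_OFFSET)
    count = struct.unpack_from("<I", hdr, 4)[0]
    entries = []
    for i in range(count):
        pos = FPT_OFFSET + HEADER_LEN + i * ENTRY_LEN
        name, owner, off, length = struct.unpack_from("<4sIII", img, pos)
        entries.append((name.rstrip(b"\x00").decode(), owner, off, length))
    return entries, sum(hdr) % 256 == 0


def keep_only_ftpr(img):
    """Drop every FPT entry except FTPR and erase the partitions those entries described."""
    entries, ok = parse_fpt(img)
    if not ok:
        raise ValueError("bad $FPT header checksum")
    out = bytearray(img)
    keep = [e for e in entries if e[0] == "FTPR"]
    for name, _owner, off, length in entries:
        if name != "FTPR" and off not in (0, 0xFFFFFFFF):   # skip empty/unused entries
            out[off:off + length] = b"\xff" * length
    table = FPT_OFFSET + HEADER_LEN
    out[table:table + len(entries) * ENTRY_LEN] = b"\xff" * (len(entries) * ENTRY_LEN)
    for i, (name, owner, off, length) in enumerate(keep):
        struct.pack_into("<4sIII", out, table + i * ENTRY_LEN, name.encode(), owner, off, length)
    hdr = bytearray(out[FPT_OFFSET:FPT_OFFSET + HEADER_LEN])
    struct.pack_into("<I", hdr, 4, len(keep))               # entry count drops to 1
    out[FPT_OFFSET:FPT_OFFSET + HEADER_LEN] = _fix_checksum(hdr)
    return out
```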
Symbolic Execution of SMM
Slides are available from Zero Nights on the symbolic execution project for SMM. I am hoping that this gets open-sourced eventually!
Intel NUCs Vulnerable to SMM Exploit
A new Intel Security Center advisory:
Intel® Branded NUC’s Vulnerable to SMM Exploit
Intel ID: INTEL-SA-00057
Product family: Intel® NUC Kits
Impact of vulnerability: Elevation of Privilege
Severity rating: Important
Original release: Oct 03, 2016
Last revised: Nov 15, 2016
Intel is releasing updated BIOS firmware for a privilege escalation issue. This issue affects Intel® NUC Kits listed in the affected products section below. The issue identified is a method that enables malicious code to gain access to System Management Mode (SMM). A malicious attacker with local administrative access can leverage the vulnerable BIOS to gain access to System Management Mode (SMM) and take full control of the platform. Intel products that are listed below should apply the update. Intel highly recommends updating the BIOS of all Intel® NUC’s to the recommended BIOS or later listed in the table of affected products. Intel would like to thank Security Researcher Dmytro Oleksiuk for discovering and reporting this issue.
https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00057&languageid=en-fr
OpenCIT 2.2 released
Adolfo V Aguayo of Intel announced the version 2.2 release of OpenCIT.
New Features in 2.2:
– TPM 2.0 support.
+ Added support for platform and asset tag attestation of Linux and Windows hosts with TPM 2.0.
+ Support attestation of either SHA1 or SHA256 PCR banks on TPM 2.0.
+ Ubuntu 16.04 and RHEL 7.2, 7.3 (SHA1 and SHA256), Windows Server 2012 and Hyper-V Server 2012 (SHA1) are supported with TPM 2.0
– All the certificates and hashing algorithms used in CIT are upgraded to use SHA256. SHA1 has been deprecated and will no longer be used.
– CIT Attestation Service UI has been updated to allow the user to select either the SHA1 or SHA256 PCR bank for Attestation of TPM 2.0 hosts.
+ The CIT Attestation Service will automatically choose the strongest available algorithm for attestation (SHA1 for TPM 1.2, and SHA256 for TPM 2.0)
– CIT Attestation Service UI Whitelist tab no longer requires the user to select PCRs when whitelisting, and will automatically choose the PCRs to use based on the host OS and TPM version. This is done to reduce confusion due to differing behaviors between TPM 1.2 and TPM 2.0 PCR usages.
– Additional changes made to support TPM 2.0:
+ Linux hosts with TPM 2.0 will now utilize TPM2.0-TSS (TPM 2.0 Software Stack) and TPM2.0-tools instead of the legacy trousers and tpm-tools packages. The new TSS2 and TPM2.0-tools are packaged with the CIT Trust Agent installer.
+ TPM 2.0 Windows hosts use TSS.MSR (The TPM Software Stack from Microsoft Research) PCPTool.
+ TPM 1.2 hosts will continue to use the legacy TSS stack (trousers) and tpm-tools components.
For more information, see the full announcement on the oat-devel@lists.01.org mailing list.
UEFI Capsule-Update and Recovery
On the EDK2-Devel mailing list, Michael Kinney of Intel has started a new EDK2 wiki page on UEFI Capsule-Based-Firmware Update/Recovery. Capsule Updates are how UEFI-based firmware updates itself.
Draft of documentation for Signed Capsule Feature:
I have started a draft of Wiki pages that describe how to use and verify the Signed Capsule feature from Jiewen Yao. I have focused this first draft on the system firmware update use case for signed capsules. Please review this content and provide feedback. I will work on the remaining 3 signed capsule use cases while the content for this first use case is reviewed. I plan to add this content to the edk2 Wiki once the reviews are completed.
https://github.com/mdkinney/edk2/wiki/Capsule-Based-Firmware-Update-and-Firmware-Recovery
https://github.com/mdkinney/edk2/wiki/Capsule-Based-System-Firmware-Update
Intel Manageability Commander for Windows: Intel AMT tool
pdxgrlgeek has a new post on the Intel blog, on the topic of Intel Manageability Commander, an Intel AMT-centric, Microsoft Windows-centric tool, which optionally integrates with Microsoft SCCM. Excerpts from the blog post and from the software’s readme PDF:
I am excited to announce the release of Intel® Manageability Commander. Built from the widely used MESHCommander application, Intel® Manageability Commander will make it significantly easier to take advantage of Intel® AMT out of band hardware management features provided on Intel® vPro™ platforms. Intel® Manageability Commander is a light weight console used to connect with and utilize the features of Intel® Active Management Technology (Intel® AMT). Through this software, users will be able to connect to activated Intel® AMT devices to perform functions such as power control, remote desktop, hardware inventory, remote terminal, and more. Additionally, this software will plug into Microsoft* System Center Configuration Manager (SCCM) version 1511 and later.
Subset of features from blog post:
* View and modify network settings of Intel® AMT. If the PC has a wireless interface, users can add multiple wireless profiles to connect to Intel® AMT using the wireless interface
* Configure Intel® AMT security features such as System Defense, Audit Log, and Access Control List
* Discover, diagnose and manage Intel® AMT configured PCs remotely
* View and solve user PC and Operating System issues via integrated KVM remote control (Keyboard, Video, Mouse)
* Display Intel® AMT events and filter events by keyword
* Enable or disable Intel® AMT features on a configured system directly from Intel® Manageability Commander’s user interface.
* Integrate with Microsoft SCCM current build version 1511 and later
Read the list of errata in the relnotes, too. For example:
“1) Powering off a system using Intel® Manageability Commander uses the Intel® AMT power control feature and is outside of the operating system. This means that an OS-based reboot or power down is not possible. Over time, repeated use of this feature could lead to corruption in the operating system. This is the expected behavior of Intel® AMT power off command for all versions of Intel® AMT”
This is a Windows-centric tool. It appears if you want to have all the fun tools from Intel, you have to use Windows, not Linux or MacOSX or Android or ChromeOS. 😐
https://communities.intel.com/community/tech/vproexpert/blog/2016/11/05/intel-manageability-commander-with-microsoft-sccm-integration
http://www.intel.com/content/www/us/en/support/software/manageability-products/intel-manageability-commander.html
https://downloadcenter.intel.com/download/26375/Intel-Manageability-Commander
AMI providing Redfish-enabled firmware for Intel and Aspeed models
AMI is now offering firmware for both BIOS and BMC on Intel customer reference boards (CRB) for the Intel Xeon® processor D-1500 product family and the 4th generation baseboard management controller (BMC) from Aspeed, the Aspeed AST2300 BMC. AMI has developed generic Redfish BIOS and BMC firmware support and has tested on the next generation AMD silicon. AMI’s BIOS and BMC firmware are highly integrated, allowing data center administrators to simultaneously, remotely and securely manage a number of server platforms out-of-box. Other features include BIOS-level firmware configuration and firmware updating. BMC functionality is based on the open industry standard specification and schema from DMTF’s Redfish™ API with the goal of creating seamless integration into existing tool chains.
http://ami.com/products/bios-uefi-firmware/aptio-v/
https://ami.com/news/press-releases/?PressReleaseID=368
VxWorks stack overflow EOP reported
Intel Product Security has a new security advisory for Wind River’s VxWorks:
Stack overflow vulnerability in Wind River VxWorks
Intel ID: INTEL-SA-00064
Product family: Wind River VxWorks
Impact of vulnerability: Elevation of Privilege
Severity rating: Critical
Original release: Nov 01, 2016
WindRiver is releasing mitigations for a privilege escalation issue. This issue affects versions of Wind River VxWorks products. The issue being mitigated is a method to execute arbitrary code without user interactions. Anonymous remote attackers can cause a stack overflow, which can be used to obtain remote code execution on affected devices running vulnerable VxWorks versions without any user interactions. Intel strongly recommends customers using impacted versions of WindRiver VxWorks to upgrade to the latest version listed in the table above.
Acknowledgements: Alex Wheeler, David Barksdale – Exodus Intelligence
https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00064&languageid=en-fr
New UEFI patch that Enables SMM page level protection.
Jiewen Yao of Intel submitted a 6-part patch to Tianocore which adds SMM security. It appears it is the first version of the patch.
This patch series enables SMM page level protection. Features are:
1) PiSmmCore reports SMM PE image code/data information in EdkiiPiSmmMemoryAttributeTable, if the SMM image is page aligned.
2) PiSmmCpu consumes EdkiiPiSmmMemoryAttributeTable and sets XD for data pages and RO for code pages.
3) PiSmmCpu enables Static Paging for X64 according to PcdCpuSmmStaticPageTable. If it is true, 1G paging for above 4G is used as long as it is supported.
4) PiSmmCpu sets important data structures to be read only, such as Gdt, Idt, SmmEntrypoint, and the PageTable itself.
Tested platforms:
1) Intel internal platform (X64).
2) EDKII Quark IA32
3) EDKII Vlv2 X64
4) EDKII OVMF IA32 and IA32X64.
MdeModulePkg/Include: Add PiSmmMemoryAttributesTable.h
MdeModulePkg/dec: Add gEdkiiPiSmmMemoryAttributesTableGuid.
MdeModulePkg/PiSmmCore: Add MemoryAttributes support.
UefiCpuPkg/dec: Add PcdCpuSmmStaticPageTable.
UefiCpuPkg/PiSmmCpuDxeSmm: Add paging protection.
QuarkPlatformPkg/dsc: enable Smm paging protection.
36 files changed, 4513 insertions(+), 798 deletions(-)
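An added Python model (not EDK2 code) of what features 2 and 4 above amount to: consume a memory attribute table for a page-aligned SMM image, clear R/W on code pages, set XD on data pages, make the GDT/IDT/page-table pages read-only, and list which pages are still both writable and executable. EFI_MEMORY_RO and EFI_MEMORY_XP are the UEFI attribute constants; the flat page table, the 64 KiB SMRAM size and the region addresses are constructed for the example.

```python
PAGE_SIZE = 0x1000
PTE_PRESENT = 1 << 0
PTE_RW = 1 << 1
PTE_XD = 1 << 63          # execute-disable bit; honoured once IA32_EFER.NXE is set
EFI_MEMORY_XP = 0x4000    # UEFI memory attribute values: execute-protect, read-only
EFI_MEMORY_RO = 0x20000


def identity_page_table(size):
    """Flat 4 KiB identity map: every page present, writable and executable (the unprotected state)."""
    return {addr: addr | PTE_PRESENT | PTE_RW for addr in range(0, size, PAGE_SIZE)}


def smm_image_table(code_start, code_pages, data_start, data_pages):
    """What PiSmmCore would report for one page-aligned SMM image: code is RO, data is XP."""
    return [{"start": code_start, "pages": code_pages, "attr": EFI_MEMORY_RO},
            {"start": data_start, "pages": data_pages, "attr": EFI_MEMORY_XP}]


def apply_memory_attributes(ptes, attr_table):
    """Consume the table: RO clears R/W on code pages, XP sets XD on data pages."""
    for desc in attr_table:
        start, npages, attr = desc["start"], desc["pages"], desc["attr"]
        if start % PAGE_SIZE:
            raise ValueError("region 0x%x is not page aligned, cannot be protected" % start)
        for addr in range(start, start + npages * PAGE_SIZE, PAGE_SIZE):
            if attr & EFI_MEMORY_RO:
                ptes[addr] &= ~PTE_RW
            if attr & EFI_MEMORY_XP:
                ptes[addr] |= PTE_XD
    return ptes


def protect_structures(ptes, *regions):
    """GDT, IDT, SMM entry point and the page table itself become read-only."""
    for start, length in regions:
        for addr in range(start & ~(PAGE_SIZE - 1), start + length, PAGE_SIZE):
            ptes[addr] &= ~PTE_RW
    return ptes


def w_xor_x_violations(ptes):
    """Pages still both writable and executable, i.e. not yet described by the table."""
    return sorted(addr for addr, pte in ptes.items()
                  if pte & PTE_RW and not pte & PTE_XD)


def demo():
    ptes = identity_page_table(16 * PAGE_SIZE)                    # constructed 64 KiB SMRAM
    apply_memory_attributes(ptes, smm_image_table(0x2000, 2, 0x4000, 3))
    protect_structures(ptes, (0x8000, 0x100), (0x9000, 0x1000))   # e.g. GDT and the page table
    return w_xor_x_violations(ptes)
```

Everything demo() returns is a page the attribute table never described, which is the remaining window the series closes only as far as images are page aligned.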
For more information, see the posting on the edk2-devel list:
https://lists.01.org/mailman/listinfo/edk2-devel
UEFI Forum talk at Linux Plumbers Conference
November 1-4 is the Linux Plumbers Conference in Santa Fe, New Mexico, USA.
UEFI Forum member, Harry Hsiung of Intel, will present “UEFI & Linux Interoperability.”
Tim Lewis resumes uefi.blogspot blog!
For a long time the uefi.blogspot.com was one of the only sources of UEFI blogging. It appears to have been inactive for about 2 years, but has 2 new posts from this month! Make sure this blog is still on your RSS feed list.
http://uefi.blogspot.com/2016/10/intel-and-insyde-embedded-white-paper.html
Dmytro takes on the Intel NUC
Dmytro Oleksiuk has a new blog post with UEFI security issues with an Intel NUC using AMI Aptio UEFI BIOS.
(Sad to see that Intel does not appear to run CHIPSEC as part of release-management QA of their own NUCs.)
Exploiting AMI Aptio firmware on example of Intel NUC
[…] Today I’m sharing with you the story of my next x86 machine hacking — we’re going to talk about UEFI vulnerabilities, exploit mitigation features of System Management Mode and new exploit called Aptiocalypsis. Also, this time I did responsible disclosure to Intel and AMI, so, at the moment of this publication you already can patch some of vulnerable products.
Lots of interesting things happened since release of ThinkPwn exploit. Firstly I supposed that vulnerable code was written by Lenovo or its Independent BIOS Vendor (IBV), but later it turned out that they’ve taken this totally mad driver from Intel reference code. This exact code is not available in public, but open source firmware of some Intel boards has it too. For example, SmmRuntimeManagementCallback() function from Intel Quark BSP it’s exactly the same vulnerable code that I’ve found in firmware of my T450s. It’s also interesting that vulnerable code is quite old (it comes from EFI 1.x era) but nevertheless, it was never present in EDK2 source from public repository — its version of QuarkSocPkg was heavily modified in comparison with vulnerable one. The horrible and vulnerable by design piece of code was removed by Intel somewhere in the middle of 2014, but it seems that there were no security advisories regarding this issue. Due to this IBVs had no chance to fix this vulnerability in their relatively old code base and the bug appeared in modern computers from Lenovo, Intel, GIGABYTE, Dell, HP, Fujitsu and other OEMs (oops!).
Well, I guess at this point it’s more or less clear that currently there’s nothing to do with ThinkPad anymore, it was pwned with 0day, it has too awkward code base that follows ancient version of EFI specification and 8 series chipset that is not the freshest stuff you can get. As my next target for firmware security adventures I’ve decided to take some Skylake based machine of well-known vendor who might have a decent firmware that would be interesting to break. Because I like all kinds of small x86 compatible computers, I’ve put my eye on the latest generation of Intel NUC. It also looks interesting because platform vendor knows his hardware better than anyone else, so, from firmware security perspective, Intel NUC is definitely not the worst choice.[…]
http://blog.cr4.sh/2016/10/exploiting-ami-aptio-firmware.html
Intel to add ‘deep learning’ instructions to Xeon
Piotr Luc of Intel submitted a patch to the Linux kernel, adding ‘deep learning’ instructions for future Xeon processors.
https://lkml.org/lkml/2016/10/12/530
[PATCH] x86/cpufeature: Add AVX512_4VNNIW and AVX512_4FMAPS features.
AVX512_4VNNIW – Vector instructions for deep learning enhanced word variable precision.
AVX512_4FMAPS – Vector instructions for deep learning floating-point single precision.
The new instructions are to be used in future Intel Xeon & Xeon Phi processors.
The spec can be found in Intel Software Developer Manual or in Instruction Set Extensions Programming Reference.
See https://software.intel.com/sites/default/files/managed/69/78/319433-025.pdf.
CHIPSEC ported to ARM??
screenshot: https://pbs.twimg.com/media/CubkpMsVIAAIrQT.jpg:large
Intel CHIPSEC is — or at least was — Intel-specific. Actually it may be called McAfee CHIPSEC now? Anyway, it did not work on ARM. Via Linaro, ARM Ltd. was in the process of porting the LUV (Linux UEFI Validation) distro to AArch64, and LUV includes CHIPSEC, so that was on the list, but AFAIK Linaro had not yet started to port CHIPSEC to ARM.
So the above screenshot is news to me, and very exciting. I hope we get more news about this soon!! AND a source check-in (currently nothing in repo)… 🙂
BlueGuard
https://github.com/nohajc/BlueGuard
I just noticed this on Github. Not much documentation: “UEFI Hypervisor”. Windows-based. Maybe interesting to some.
HAXWell: loads custom ISA on Intel Haswell GPUs
https://github.com/jbarczak/HAXWell
Code demonstrating how to load custom ISA on Intel Haswell GPUs via OpenGL. Also includes various ISA utilities and benchmarks. This code works on Windows 8.1. […] For more information, see my related blog posts:
GPU Ray-Tracing The Wrong Way: http://www.joshbarczak.com/blog/?p=1197
SPMD Is Not Intel’s Cup of Tea: http://www.joshbarczak.com/blog/?p=1120
You Compiled This Driver, Trust Me: http://www.joshbarczak.com/blog/?p=1028
video of Brian’s Tianocore Linaro Connect presentation
Brian Richardson of Intel recently gave a presentation at ARM Ltd’s Linaro Connect on the subject of UEFI. Intel started UEFI but in recent years ARM is also using UEFI.
EoP vulnerability in Intel SSD Toolbox
Excerpting Intel’s Security Advisory:
Vulnerability in Intel SSD Toolbox allows authenticated users to elevate privileges via updater subsystem
Intel ID: INTEL-SA-00061
Product family: Intel® Solid-State Drive Consumer, Professional, Embedded and Data Center
Impact of vulnerability: Elevation of Privilege
Severity rating: Important
Original release: Oct 04, 2016
The vulnerability allows a potentially malicious 3rd party to gain the highest possible elevation of privilege level in the Operating System. The root cause of the vulnerability has been identified as an implementation bug in the updater subsystem of the Intel SSD Toolbox. Intel strongly recommends customers impacted by this issue to upgrade to the latest version listed in the table above. This issue was reported to Intel by Florian Bogner @ Kapsch BusinessCom AG.
https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00061&languageid=en-fr
https://downloadcenter.intel.com/download/26085/Intel-Solid-State-Drive-Toolbox?v=t
Intel IPP crypto has RSA private key side-channel attack
https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00060&languageid=en-fr
Intel has found an RSA private key vulnerability in their Intel Integrated Performance Primitives (Intel IPP).
A vulnerability in Intel Integrated Performance Primitives (IPP) Cryptography allows local users to recover the RSA private key via a potential side-channel.
Intel ID: INTEL-SA-00060
Product family: The cryptography (CP) domain in Intel® Integrated Performance Primitives (Intel® IPP)
Impact of vulnerability: Information Disclosure
Severity rating: Important
Original release: Oct 04, 2016
The cryptography (CP) domain in Intel’s newest version of Intel® Integrated Performance Primitives (Intel® IPP) v2017 has been enhanced to improve its security and customers are strongly urged to update to this release. A potential side-channel vulnerability was identified in the Intel® Integrated Performance Primitives Cryptography which is bundled with Intel® IPP. The vulnerability allows an attacker to potentially recover enough information to retrieve a RSA private key. The root cause of the issue has been identified and mitigated in the latest release of IPP Cryptography. The CVSSv3 severity rating for this issue is 7.1 (High). Intel has developed an update to the Intel® IPP Cryptography software and is making it available to customers. The mitigated versions are Intel® IPP Cryptography 2017 and 9.0.4. Users with licensed versions of IPP Cryptography can obtain the mitigated versions at this URL: <https://registrationcenter.intel.com/en/>. Intel strongly recommends customers impacted by this issue to upgrade to the latest version listed in the table above. […]
Intel issues SMM patches for Intel NUCs
Intel has updated NUCs for the recent SMM EoP issue. They updated their servers earlier.
https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00057&languageid=en-fr
Recommendations: Intel highly recommends updating the BIOS of all Intel® NUC’s to the recommended BIOS or later listed in the table of affected products.
Acknowledgements: Intel would like to thank Security Researcher Dmytro Oleksiuk for discovering and reporting this issue.
As I understand it, this SMM issue impacts many systems, not just Lenovo and Intel-based products. If you have an OEM-based Intel system, check if they have updates. Lenovo and HP may have some, but it is still unclear about all the other OEMs and IBVs.