GPU-pass-through-compatibility-check: Automatically set up a Linux system for PCI pass-through and check if it is compatible

December 1, 2018 ~ hucktech ~ Leave a comment

This project consists of 3 parts.
1) A script (gpu-pt-check.sh) that automatically checks to what extend a computer is compatible with GPU pass-through in its given configuration.
2) A script (setup.sh) that automatically installs and configures your system for GPU pass-through (Only tested on fresh installs of Fedora 28 x64 with Gnome, booted in UEFI mode!)
3) Instructions on how to create a bootable Linux USB stick that automatically runs the gpu-pt-check.sh script when you boot from it without any user interaction required.

example output

https://github.com/T-vK/GPU-pass-through-compatibility-check

Down the rabbit hole of tboot, E820 maps, and Xen PV PCI-passthrough domains

June 8, 2018 ~ hucktech ~ Leave a comment

Down the rabbit hole of tboot, E820 maps and Xen PV PCI-passthrough domains: https://t.co/X02H2iVJBM

— Tamas K Lengyel (@tklengyel) June 7, 2018

https://github.com/OpenXT/xenclient-oe/pull/890#issuecomment-395497431

From an OpenXT bug report:

TL;DR: a minor adjustment had to be made in tboot so that it picks the right memory protection for itself in the E820 map. The bug only affected PV Linux guests with PCI-passthrough devices as correctly guessed above.[…]

PCILeech 3.1 released!

March 20, 2018 ~ hucktech ~ Leave a comment

Linux support for PCILeech FPGA PCIe DMA attacks finally released! Huge thanks to @key2fr for the driver making this possible and to ikelos for all time spent on hunting down the bugs! https://t.co/KuTVVzZc5j

— Ulf Frisk (@UlfFrisk) March 20, 2018

https://github.com/ufrisk/pcileech

Intel publishes PCIe Device Security Enhancements spec

March 17, 2018 ~ hucktech ~ 1 Comment

Intel just published a draft of their proposed PCIe firmware measurement and device authentication spec. This is one of the things @syncsrc and I were talking about at @shmoocon.https://t.co/Y4X8eErZQC
These enhancements allow hardware-backed firmware measurements.

— Paul McMillan (@PaulM) March 16, 2018

PCIe Device Security Enhancements Specification

PCI Express (PCIe) Devices may be composed of hardware (immutable) and firmware (immutable and mutable) components. Presently, Vendor ID/Device ID/Revision ID registers convey the hardware identify of a PCIe* Device and there is no defined mechanism to convey the firmware identity of a PCIe Device. In addition to the Device identity, PCIe specification defines various types of capability structures to convey PCIe Device features capabilities. Both the Device Identity and capability can be spoofed and used maliciously by an advanced adversary. This specification introduces the notion of PCIe* Device Firmware Measurement, a method of exposing the identity of Device firmware. The Device Firmware Measurement mechanism used in isolation, however, is subject to supply chain attacks such as counterfeiting and can also be spoofed by an advanced adversary. Additionally this specification introduces the notion of PCIe Device Authentication, which uses public key cryptography to defend against such attacks and to provide higher assurance about the hardware and firmware identities and capabilities. PCIe Device Authentication adapts the USB Authentication mechanism to PCIe—the new elements are the specific PCIe register interface and the associated mechanisms, plus some details that are necessarily specific to PCIe. PCIe Device Authentication result can be used in various scenarios such as: 1) a data center administrator can ensure all PCIe Devices are running appropriate firmware versions 2) system software can ensure a trusted Device is plugged in before enabling the PCIe Address Translation Services (ATS) for the Device. PCIe Device Authentication provides platforms with a way to make trust decisions about specific Devices. This in turn provides value to Device vendors because the Authentication feature is itself a valuable Device feature, and supports the detection of counterfeit and potentially malicious Devices. This specification details the requirements, interface and protocol for PCIe Device Firmware Measurement and PCIe Device Authentication. It also provides general guidelines for implementing these technologies in practice.

https://www.intel.com/content/www/us/en/io/pci-express/pcie-device-security-enhancements-spec.html

PCILeech3 and Memory Process File System released!

March 12, 2018March 12, 2018 ~ hucktech ~ Leave a comment

Targets 64-bit Intel systems running Windows.

Memory Process File System and PCILeech3 released! Map processes and virtual memory as files & folders!
Use memory dump files or PCIe DMA devices to edit live process memory. More info in blog entry. https://t.co/EfgwZeQSQA https://t.co/KuTVVzZc5j pic.twitter.com/DB6deQAe1G

— Ulf Frisk (@UlfFrisk) March 12, 2018

http://blog.frizk.net/2018/03/memory-process-file-system.html

https://github.com/ufrisk/pcileech

PCILeech updated with board support

February 8, 2018 ~ hucktech ~ Leave a comment

PCILeech PCIe DMA attack support released for PCIeScreamer and AC701 FPGA boards! https://t.co/Vru50qY7ks pic.twitter.com/P1unfBIgPh

— Ulf Frisk (@UlfFrisk) February 8, 2018

https://github.com/ufrisk/pcileech-fpga

https://www.xilinx.com/products/boards-and-kits/ek-a7-ac701-g.html

https://shop.lambdaconcept.com/

pcie_injector – PCIe Injector Gateway – based on Xilinx Artix7 FPGA and FTDI USB FT601 chip

December 31, 2017 ~ hucktech ~ Leave a comment

Latest commit: 2 days ago

Want to masquerade as a PCIe device? Want to learn DMA attack? Check out the cheapest FPGA based PCIe over USB 3 card with DDR3 RAM. Made in colab. with @enjoy_digital. Soon supported by @UlfFrisk for PCILeech as shown @ #ccc https://t.co/EgHC9TpYKo pic.twitter.com/oc4kp6KUWd

— key two (@key2fr) December 29, 2017

PCIe Injector Gateware

The PCIe bus is now the main high speed communication bus between a processor and its peripherials. It is used in all PC (sometime encapsulated in Thunderbolt) and now even in mobile phones. Doing security research on PCIe systems can requires very expensive tools (>$50k) and packet generaration for such tools is not a common feature. PCIe Injector provides a such tool at a more reasonable price. Currently, only few attacks were made on PCIe devices. Most of them were done using a Microblaze inside a Xilinx FPGA to send/receive the TLPs, making it hard to really analyze. (Using embedded C software to generate/analyze traffic) An other way is to use USB3380 chip, but it is also not flexible enough (only supporting 32bits addressing) and does not allow debugging the PCIe state machine.

The PCIe injector is based on a Artix7 FPGA from Xilinx connected to a DDR3 and a high speed USB 3.0 FT601 chip from FTDI. It allows:
* Having a full control of the PCIe core.
* Sending/Receiving TLPs through USB 3.0 (or bufferize it to/from DDR3)
* Using flexible software/tools on the Host for receiving/generating/analyzing the TLPs. (Wireshark dissectors, scapy, …)

https://github.com/enjoy-digital/pcie_injector

http://www.enjoy-digital.fr/

http://pcisig.com/

Sysdream article on using PCILeech to attack Windows

December 25, 2017 ~ hucktech ~ Leave a comment

Nice article by Sysdream on using PCIleech to attack Windows DMA.

Merry christmas from our lab, with this article on DMA attack against Windows: https://t.co/Y3GIkRPsww #infosec #dma #pcileech

Thanks @UlfFrisk !

— Sysdream (@sysdream) December 22, 2017

Thanks, Awesome read about how to roll your own signatures to your advantage 😈 As mentioned, FPGA DMA is the way of the future – hope to present some upcoming news at #34c3

— Ulf Frisk (@UlfFrisk) December 22, 2017

https://sysdream.com/news/lab/2017-12-22-windows-dma-attacks-gaining-system-shells-using-a-generic-patch/

Qubes MSI support for PCI device pass-through with stub domains

October 19, 2017 ~ hucktech ~ Leave a comment

New article by Qubes team member Simon Gaiser (HW42): "MSI support for PCI device pass-through with stub domains"https://t.co/eDVzduPoWY

— Qubes OS (@QubesOS) October 19, 2017

MSI support for PCI device pass-through with stub domains
by Simon Gaiser
In this post, we will describe how we fixed MSI support for VMs running in HVM mode in Qubes 4.0. First, allow us to provide some background about the MSI feature and why we need it in the first place.[…]

https://www.qubes-os.org/news/2017/10/18/msi-support/

Intel patent on “PCI Expansion ROM OS”

August 15, 2017 ~ hucktech ~ Leave a comment

brief patent mention: spoiler alert…..

Fun, Pinczakko’s PCI expansion ROM research was cited in an Intel patent claim. 🙂

http://bioshacking.blogspot.com/2017/08/rather-late-surprise-intel-has-pci.html

https://sites.google.com/site/pinczakko/building-a-kernel-in-pci-expansion-rom

https://www.google.com/patents/WO2012040606A2?cl=en

Microsoft Windows DMA Guard

August 6, 2017 ~ hucktech ~ Leave a comment

Windows RS3 19093+ Introduce "DMA Guard" which uses GUID_CONSOLE_LOCKED and Session Notifications to disable DMA at the lock screen.

— Alex Ionescu (@aionescu) May 20, 2017

The "DMA Guard" prototype is not a "feature" in RS3. Test hooks have bypasses by design, and it does, so don't depend on unpublished APIs.

— Jeremiah Cox (@int0x6) August 6, 2017

Also, yes, trust Jeremiah 😉

— Alex Ionescu (@aionescu) August 5, 2017

Boot Guard, BIOS Guard, OS Guard… we're in a competition

— Jeremiah Cox (@int0x6) August 5, 2017

[…] New Bitlocker features in Windows 10, version 1507:
* DMA port protection. You can use the DataProtection/AllowDirectMemoryAccess MDM policy to block DMA ports when the device is starting up. Also, when a device is locked, all unused DMA ports are turned off, but any devices that are already plugged into a DMA port will continue to work. When the device is unlocked, all DMA ports are turned back on.
[…]

This policy setting allows you to block direct memory access (DMA) for all hot pluggable PCI downstream ports until a user logs into Windows. Once a user logs in, Windows will enumerate the PCI devices connected to the host plug PCI ports. Every time the user locks the machine, DMA will be blocked on hot plug PCI ports with no children devices until the user logs in again. Devices which were already enumerated when the machine was unlocked will continue to function until unplugged. This policy setting is only enforced when BitLocker or device encryption is enabled.

https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-dataprotection#dataprotection-allowdirectmemoryaccess

https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-deviceguard
https://docs.microsoft.com/en-us/windows/device-security/device-guard/deploy-device-guard-enable-virtualization-based-security
https://docs.microsoft.com/en-us/windows/device-security/device-guard/device-guard-deployment-guide
https://docs.microsoft.com/en-us/windows/access-protection/credential-guard/credential-guard-manage
https://docs.microsoft.com/en-us/windows/device-security/device-guard/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies

PCILeech 2.0 released

May 25, 2017 ~ hucktech ~ Leave a comment

PCILeech 2.0 released! – Mount Live RAM and Target File System over PCIe DMA! Makes pwning super easy 😈https://t.co/KuTVVzZc5j

— Ulf Frisk (@UlfFrisk) May 24, 2017

Insert kernel module over DMA, PCILeech mount, run @volatility on the live RAM and edit/copy target system files! pic.twitter.com/X8C8RP0WXA

— Ulf Frisk (@UlfFrisk) May 24, 2017

Also included: 64-bit DMA and Linux 4.8+ pwn with @d_olex totally awesome pre-release (not yet released) bitstream for SP605 FPGA! pic.twitter.com/F5BJp4kpTw

— Ulf Frisk (@UlfFrisk) May 24, 2017

If pcileech is a self driving car then slotscreamer was a horse drawn buggy. Glad @UlfFrisk did all the work I didn't know how to do!

— Joe Fitz (@securelyfitz) May 24, 2017

https://github.com/ufrisk/pcileech

ShowPCIx: UEFI tool to show PCI devices using PCI.IDS database

April 21, 2017 ~ hucktech ~ Leave a comment

Using PCI.IDS Database to Show PCI Vendor and Device Information in UEFI Shell https://t.co/8Hsn3qsTsS

— vincent zimmer (@vincentzimmer) April 20, 2017

https://github.com/fpmurphy/UEFI-Utilities-2016/tree/master/MyApps/ShowPCIx

http://blog.fpmurphy.com/2017/04/using-pci-ids-database-to-show-pci-vendor-and-device-information-in-uefi-shell.html

http://pci-ids.ucw.cz/

http://pcidatabase.com/

6-part Youtube BIOS system architecture series

March 31, 2017 ~ hucktech ~ Leave a comment

System Architecture for BIOS/System Software Developers https://t.co/JApKTHsUXN via @YouTube

— vincent zimmer (@vincentzimmer) March 30, 2017

BIOS Session 1 – System Memory Map
BIOS Session 2 – Legacy Region
BIOS Session 3 – HIgh Level Overview of the BOOT flow
BIOS Session 4 – Transaction flows and address decoding part 1
BIOS Session 5 – Transaction flows and address decoding part 2
BIOS Session 6 – PCI Basics and Bus Enumeration

UEFI_ListPci: UEFI tool to list PCI/PCIe devices

March 13, 2017 ~ hucktech ~ Leave a comment

UEFI_ListPci is a new UEFI Application that uses UEFI protocol to enumerate PCI/PCIe devices.

https://github.com/Justgocode/UEFI_ListPci

(There is also the UEFI Shell’s PCI command, included in Tianocore.org.)

PCI-Expansion-ROM-OS moves to github

February 2, 2017 ~ hucktech ~ Leave a comment

Experimental PCI Expansion ROM "OS" Code Migrated to GitHub [https://t.co/vmI3xXF2O6]

— pinczakko (@Pinczakko) January 30, 2017

Quoting the post:

Experimental PCI Expansion ROM “OS” Code Migrated to GitHub
The code for the experimental PCI Expansion ROM “OS” explained in the Building a “Kernel” in PCI Expansion ROM article is now in GitHub: https://github.com/pinczakko/PCI-Expansion-ROM-OS. I made some changes to make it compile-able in current version of Nasm and GCC. I’ve only tested the compilation in Arch Linux (x86-64). I’m not sure it will work in other Linux distros. Give it a try ;-). Quick skim over the resulting binary seems to indicate the result is OK. I’m going to check it with a disassembler later on. If anyone wants to help me with that, please do so and post your result in the comment section below. Many of you might be aware that the code has been modified into pure GCC-only code in the Low Cost Embedded x86 Teaching Tool article. I need to migrate that code as well. But, I’m quite sure it will require special GCC version to be able to emit the correct binary, akin to the one used by Coreboot. I’ll post an update once I’ve updated that one as well. Anyway, it’s rather surprising to me that using Nasm + GCC is more future-proof compared to using GCC alone. It shows that you can’t be really sure about the future-proof-ness of the toolset you used for software development.

http://bioshacking.blogspot.com/2017/01/experimental-pci-expansion-rom-os-code.html

https://github.com/pinczakko/PCI-Expansion-ROM-OS

https://sites.google.com/site/pinczakko/building-a-kernel-in-pci-expansion-rom

https://sites.google.com/site/pinczakko/low-cost-embedded-x86-teaching-tool-2

OpenPOWER code added to FWTS

November 13, 2016 ~ hucktech ~ Leave a comment

Deb McLemore of IBM has submitted multiple updates to FWTS, the FirmWare Test Suite, adding a lot more support for OpenPOWER OPAL firmware.

opal: pci_info: Add OPAL PCI Info validation
opal: mem_info: Add OPAL MEM Info validation
opal: cpu_info: Add OPAL CPU Info validation
devicetree: dt_sysinfo: Add OPAL firmware version checks
olog: olog.json: Update OPAL skiboot errors to check on olog scan

There is a lot of useful diagnostic information in this code, example:
“You are running in manufacturing mode. This mode should only be enabled in a factory during manufacturing.”

More information:
https://lists.ubuntu.com/mailman/listinfo/fwts-devel

PCI Leech

August 5, 2016 ~ hucktech ~ Leave a comment

Awesome! @UlfFrisk 's pcileech is SLOTSCREAMER on crack. Excited to try it out. pic.twitter.com/gQxuwLybok

— Joe Fitz (@securelyfitz) August 5, 2016

Thanks @UlfFrisk for conclusively showing that 32 bit DMA is plenty to own a system. pic.twitter.com/GYpbYskVxA

— Joe Fitz (@securelyfitz) August 5, 2016

BAM! shells over PCIe! Nice work @UlfFrisk!

— Joe Fitz (@securelyfitz) August 5, 2016

Win10 anniversary update pwned! Come visit my #defcon talk for more scary stuff. No OS is safe. Aug 5th 1400! pic.twitter.com/Da5h5TM07a

— Ulf Frisk (@UlfFrisk) July 29, 2016

https://github.com/ufrisk

Does not appear to be a public Github project yet.

Tweets by UlfFrisk

new PCI SIG technical forum

June 7, 2016 ~ hucktech ~ Leave a comment

The PCI SIG has a new technical forum. I’ll simply point you to the blog post by William Leara of Dell, instead of writing up about the same thing that he did:

http://www.basicinputoutput.com/2016/06/new-technical-forum-for-pci-sig-members.html