Maxim Goryachiy & Mark Ermolov - Inside Intel Management Engine

Transcript

1. Inside
   Intel Management Engine
   Mark Ermolov
   Maxim Goryachy
   

   View Slide

2. Research Team
   • Mark Ermolov
   email: mermolov {at} ptsecurity {dot} com
   twitter: @_markel___
   • Maxim Goryachy
   email: mgoryachy {at} ptsecurity {dot} com
   twitter: @h0t_max
   • Dmitry Sklyarov
   email: dsklyarov {at} ptsecurity {dot} com
   twitter: @_Dmit
   2
   

   View Slide

3. Our Papers/Talks About Intel ME and DCI
   1. How to Become the Sole Owner of Your PC, PHDays 2016 [ru/en]
   2. Tapping into the core, 33c3 2016 [en]
   3. Intel ME: The Way of the Static Analysis, Troopers 2017 [en]
   4. Intel DCI Secrets, HITBSecConf 2017 CommSec [en]
   5. Where there's a JTAG there's a Way, blog 2017 [ru/en]
   6. Disabling Intel ME 11 via undocumented mode, blog 2017 [ru/ en]
   7. Recovering Huffman tables in Intel ME 11.x, blog 2017 [en/ru]
   8. Intel ME: Flash File System Explained, BlackHat UK 2017 [en]
   9. How to Hack a Turned-Off Computer, or Running Unsigned Code in Intel
   Management Engine, BlackHat UK 2017 [en/ru]
   10. Inside Intel Management Engine, 34c3 [en]
   3
   

   View Slide

4. Roadmap
   • Intel Management Engine: Quick Start
   • Intel’s JTAG: Overview
   • JTAG for ME: How Does It Work?
   • Activation Without Intel Keys
   • DFx Abstraction Layer
   • Developing ME Core Configuration
   • Demo
   4
   

   View Slide

5. Intel Management Engine
   Quick Start
   

   View Slide

6. Intel Management Engine (ME)
   • Undocumented Intel technology with proprietary
   firmware
   • Root of trust for security features such as PAVP, PTT, and
   Boot Guard
   • Full access to many Intel devices
   • Hardware capabilities for interception of user activity
   • Integral component for all stages of the platform
   operating cycle
   6
   

   View Slide

7. Intel ME 11: Implementation Details
   • Independent 32-bit processor core (x86)
   • Runs its own modified MINIX [STW17]
   • Has a built-in Java machine [IMS14]
   • Interacts with CPU/iGPU/USB/DDR/PCI/...
   • Operates when main CPU is powered down (M3 mode)
   • Contains starter code in non-reprogrammable on-die
   memory
   7
   

   View Slide

8. Intel’s JTAG
   Overview
   

   View Slide

9. JTAG Overview
   • JTAG, Joint Test Action Group IEEE 1149
   • Essential mechanism for debugging electronic chips
   • JTAG-based debugging is available immediately after processor
   core reset
   • Maxim Goryachy, Mark Ermolov, Where there's a JTAG there's a
   way: obtaining full system access via USB: details about JTAG in
   modern Intel’s platform
   9
   

   View Slide

10. Intel DCI
    • Intel Direct Connect Interface (DCI) is a debug transport technology designed to enable
    closed chassis debug through a USB3 port from Intel silicon
    • Intel DCI provides access to CPU/PCH JTAG via USB3.0
    • Software is available without NDA (Intel System Studio)
    There are two types of DCI hosting interfaces in the platform:
     USB3 Hosting DCI (USB-Debug cable)
     BSSB Hosting DCI (Intel SVT Closed Chassis Adapter)
    10
    

    View Slide

11. JTAG + ME = ?
    Unlimited research of
    a modern x86 architecture
    11
    

    View Slide

12. How Does It Work?
    JTAG for ME
    

    View Slide

13. Unlock Token
    UTOK (unlock token) or STOK (security token) is a special partition
    in ME region:
    • Integrated via FPT, HECI, DCI, or directly via an SPI programmer
    • Unique for the platform and temporary
    • Unlocking modes: ORANGE and RED
    • Designed to activate DFx functionality for Intel Management
    Engine
    13
    

    View Slide

14. About DFx
    • DFx stands for design for manufacturability, testability, and
    debuggability
    • DFx is a private implementation of JTAG (1149.1 and 1149.7) by
    Intel
    • There are many integrated devices coupled to a DFx chain inside
    PCH and CPU
    • Embedded DFx Interface (ExI) is used to access DFx
    • ExI connects DFx and the external interface (such as USB)
    14
    

    View Slide

15. ORANGE
    • Provides access to IOSF*
    • Unlocks JTAG for ISH core*
    • Enables debugging of the ISH program via GDB-stub or DCI
    N.B. UTOK partition must be signed by vendor’s key.
    * Our team has found a server firmware image with ORANGE unlock support (provides
    access to IOSF on the server’s motherboard), but hasn’t found a similar image for
    desktops.
    15
    

    View Slide

16. RED
    • Provides access to IOSF
    • Unlocks JTAG for ME core
    • Unlocks JTAG for ISH core
    • Enables debugging from the reset vector (S0) before starting the
    main CPU
    • Provides unlimited access to internal devices and memory
    N.B. UTOK partition must be signed by Intel key
    16
    

    View Slide

17. ME JTAG Activation Interface
    • PCH has a special internal device DFX_AGGREGATOR that
    controls access to DFx
    • BUP and ROM have direct access to the CSE zeroing register and
    DFX_AGGREGATOR device (via LDT selector)
    Ext#8 MmioRanges[41]:
    ...
    sel= FF, base:F00B1050, size:00000004, flags:00000003 :: F00B1000:00001000 GEN_PCIP
    sel=107, base:F00B1004, size:00000004, flags:00000003 :: F00B1000:00001000 GEN_PCIP
    sel=10F, base:F5010000, size:00001000, flags:00000003 :: F5010000:00008000 DFX_AGGREGATOR_SBS
    ...
    17
    

    View Slide

18. Activation (I)
    0
    31
    0xF00B1050
    CSE zeroing register (bit)
    0 Intel Unlock Request (R/W)
    31..1 Reserved
    CSE zeroing register
    18
    

    View Slide

19. Activation (II)
    DFx Personality
    0
    31
    DFx Consent
    0
    31
    DFx Status
    0xF5010008
    0
    63
    0xF5010004
    0xF5010000
    PUID
    0xF5010018
    0
    63
    DFx Personality
    value (2..0)
    Unlock type
    101 ORANGE
    011 RED
    DFx Consent bits Unlock type
    0 Unlock Consent
    ...
    30 Lock Bit
    DFx Aggregator MMIO:
    19
    

    View Slide

20. RED Unlock: BUP
    start Is the UTOK found
    Parsing KNOBs
    Yes
    end
    Are the partition
    signature & platform
    ID valid?
    Invalid UTOK
    Yes
    Is the platform
    already unlocked?
    Is "Intel Knob Lock"
    found?
    Yes
    Parsing and
    processing
    other KNOBs
    Yes
    end
    CSE_Zeroing_REG |= 1
    Reset ME
    19
    

    View Slide

21. RED Unlock: ROM
    start
    CSE_Zeroing_REG = 0
    CSE_Zeroing_REG & 1
    DFx Personality |= 3
    Clean ME’s keys
    end
    end
    Yes
    DFx Consent |= 1
    20
    

    View Slide

22. Latching Consent Register
    void bup_switch_on_dci()
    {
    ...
    eom = 0;
    bup_get_pch_straps(0, &pch_desc_rec0);
    LOBYTE(eom_err) = bup_read_eom(&eom); // Is the platform in Manufacture Mode?
    if ( !(BYTE2(pch_desc_rec0) & 2) || (dfx_data |= 2u, eom_err) || eom )
    bup_disable_dci_by_strap();
    else
    bup_enable_dci_by_strap();
    if ( bup_is_dci_active() == 1 ) // If dci is active ME doesn’t latch DFx consent register
    bup_set_dfx_agg_consent();
    else
    bup_lock_dfx_agg_consent();
    if ( gRmlbCookie != cookies )
    sys_fault();
    }
    Is it a design flaw or not?
    22
    

    View Slide

23. Red Activation Without Intel Keys
    JTAG for ME
    

    View Slide

24. CVE-2017-5705/6/7
    void __cdecl bup_init_trace_hub()
    {
    ...
    int ct_data[202]; // [esp+1Ch] [ebp-334h] 808 bytes
    int cookie; // [esp+344h] [ebp-Ch]
    cookie = gRmlbCookie;
    ...
    if ( !(getDW_sel(0xBF, 0xE0u) & 0x1000000)
    && !bup_get_si_features(si_features)
    && !bup_dfs_get_file_size("/home/bup/ct", &file_size) )
    {
    if ( file_size )
    {
    LOBYTE(err) = bup_dfs_read_file("/home/bup/ct", 0, ct_data, file_size, &bytes_read);
    ...
    if ( gRmlbCookie != cookie )
    sys_fault();
    }
    Vulnerability in BUP module [HTH17]
    24
    

    View Slide

25. ME JTAG How-To
    Arbitrary code execution in the BUP module (CVE-2017-5705/6/7)
    Activation of RED UNLOCK without Intel keys
    JTAG access to ME core
    Full control over the target
    ME is no longer a "black box"
    25
    

    View Slide

26. Red Activation Without Intel’s Crypto Keys
    1. Activate Manufacture Mode for the target
    2. Set DCI strap in a flash descriptor
    3. Use the vulnerability to load the value 3 to DFx
    Personality register
    4. Done ;)
    26
    

    View Slide

27. RED is Activated for Target
    ME core JTAG device ID
    27
    

    View Slide

28. What About Host Side?
    DFx Abstraction Layer
    

    View Slide

29. Intel DAL: What Is It?
    • DAL stands for DFx Abstraction Layer, a software stack for
    DFx
    • DAL is the core of all recent Intel HW debugging/checking
    tools (System Debugger, System Trace, Platform
    Debugging Toolkit)
    • Supports a wide range of Intel platforms/CPUs
    • Supports multiple Intel HW probe types
    • DAL is available without NDA
    29
    

    View Slide

30. Overview of Intel DAL
    UI
    •Python Console (CLI)
    •Intel System Studio (GUI)
    DAL
    •C# library
    Driver
    •Probe/DCI Driver
    Transport
    •Intel SVT
    •USB 3.0 DbC
    •Intel ITP-XDP
    Target
    •DFx
    30
    

    View Slide

31. Sources of Information About DAL
    Documentation / White Papers / Patents
    See also:
    31
    

    View Slide

32. Problem
    Trial version of Intel System Studio
    doesn’t include configuration options for ME core
    32
    

    View Slide

33. Crafting ME Core Configuration
    DFx Abstraction Layer
    

    View Slide

34. Encrypted XML Files
    • DAL configuration is included in encrypted XML files
    • Encryption is performed using PBKDF2 and AES
    • Key and salt are hardcoded in DAL (Intel.DAL.Common.Decryption.dll)
    Salt = "I wandered lonely as a cloud,\r\n
    That floats on high o'er vales and hills,\r\n
    When all at once I saw a crowd,\r\n
    A host of golden daffodils "
    Key = "ITP"
    William Wordsworth
    34
    

    View Slide

35. ME Core Device Configuration
    • Configuration options for ME core are missing in public
    XML files
    • ME core is an LMT2 device (by JTAG ID code)
    • LMT2 is included in XML files
    35
    

    View Slide

36. Craft Custom Configuration (for Skylake)
    36
    1. Decrypt XML files
    2. Add the following lines to "Topo.SPT.xml":
    3. Use standard DAL environment for ME debugging
    4. Make your computer personal again
    
    <_tag key="Invisible" value="False" />
    
    PhysicalEnable="True" />
    SerializePreScan="TapSerializationSTAP5.Serialized" PhysicalEnable="True" />
    
    
    

    View Slide

37. DFx Chain to ME LMT2 Core (LP series)
    SPT_RGNTOP
    SPT_TPSB
    SPT_MASTER SPT_NPK
    SPT_PARCSMEA SPT_CSME
    SPT_RGNLB SPT_PARISH SPT_ISH
    SPT_AGG
    CLTAP
    37
    

    View Slide

38. Demo
    38
    

    View Slide

39. Our achievements so far
    • JTAG activated for Intel ME
    • Starter code (aka ROM) dumped
    • Complete Huffman code recovered for ME 11
    • Integrity and Confidentiality Platform Keys [FFS17] extracted
    39
    

    View Slide

40. Links
    https://github.com/ptresearch/
    http://blog.ptsecurity.com/
    40
    

    View Slide

41. References
    [IMS14] Igor Skochinsky, Intel ME Secrets. Hidden code in your chipset and how to
    discover what exactly it does. Hex-Rays. RECON 2014.
    [STW17] Dmitry Sklyarov, ME: The Way of the Static Analysis. Troopers 2017.
    [FFS17] Dmitry Sklyarov, Intel ME: flash file system explained, Black Hat Europe,
    2017.
    [IDS17] Mark Ermolov, Maxim Goryachy, Intel DCI Secrets, HITBSecConf 2017
    CommSec, Amsterdam, 2017.
    [HTH17] Mark Ermolov, Maxim Goryachy, How to Hack a Turned-Off Computer, or
    Running Unsigned Code in Intel Management Engine, Black Hat Europe, 2017.
    [PSTR14] Xiaoyu Ruan, Platform Embedded Security Technology Revealed:
    Safeguarding the Future of Computing with Intel Embedded Security and
    Management Engine, 2014, Apress, ISBN 978-1-4302-6572-6.
    41
    

    View Slide

42. Thank you!
    Questions?
    42
    

    View Slide