Maxim Goryachiy & Mark Ermolov - Inside Intel Management Engine

DC7499
February 10, 2018

Transcript

  1. Inside
    Intel Management Engine
    Mark Ermolov
    Maxim Goryachy

  2. Research Team
    • Mark Ermolov
    email: mermolov {at} ptsecurity {dot} com
    twitter: @_markel___
    • Maxim Goryachy
    email: mgoryachy {at} ptsecurity {dot} com
    twitter: @h0t_max
    • Dmitry Sklyarov
    email: dsklyarov {at} ptsecurity {dot} com
    twitter: @_Dmit

  3. Our Papers/Talks About Intel ME and DCI
    1. How to Become the Sole Owner of Your PC, PHDays 2016 [ru/en]
    2. Tapping into the core, 33c3 2016 [en]
    3. Intel ME: The Way of the Static Analysis, Troopers 2017 [en]
    4. Intel DCI Secrets, HITBSecConf 2017 CommSec [en]
    5. Where there's a JTAG there's a Way, blog 2017 [ru/en]
    6. Disabling Intel ME 11 via undocumented mode, blog 2017 [ru/en]
    7. Recovering Huffman tables in Intel ME 11.x, blog 2017 [en/ru]
    8. Intel ME: Flash File System Explained, BlackHat UK 2017 [en]
    9. How to Hack a Turned-Off Computer, or Running Unsigned Code in Intel
    Management Engine, BlackHat UK 2017 [en/ru]
    10. Inside Intel Management Engine, 34c3 [en]

  4. Roadmap
    • Intel Management Engine: Quick Start
    • Intel’s JTAG: Overview
    • JTAG for ME: How Does It Work?
    • Activation Without Intel Keys
    • DFx Abstraction Layer
    • Developing ME Core Configuration
    • Demo

  5. Intel Management Engine
    Quick Start

  6. Intel Management Engine (ME)
    • Undocumented Intel technology with proprietary
    firmware
    • Root of trust for security features such as PAVP, PTT, and
    Boot Guard
    • Full access to many Intel devices
    • Hardware capabilities for interception of user activity
    • Integral component for all stages of the platform
    operating cycle

  7. Intel ME 11: Implementation Details
    • Independent 32-bit processor core (x86)
    • Runs its own modified MINIX [STW17]
    • Has a built-in Java machine [IMS14]
    • Interacts with CPU/iGPU/USB/DDR/PCI/...
    • Operates when main CPU is powered down (M3 mode)
    • Contains starter code in non-reprogrammable on-die
    memory

  8. Intel’s JTAG
    Overview

  9. JTAG Overview
    • JTAG, Joint Test Action Group IEEE 1149
    • Essential mechanism for debugging electronic chips
    • JTAG-based debugging is available immediately after processor
    core reset
    • Maxim Goryachy, Mark Ermolov, Where there's a JTAG there's a
    way: obtaining full system access via USB: details about JTAG in
    modern Intel platforms

  10. Intel DCI
    • Intel Direct Connect Interface (DCI) is a debug transport technology designed to enable
    closed chassis debug through a USB3 port from Intel silicon
    • Intel DCI provides access to CPU/PCH JTAG via USB3.0
    • Software is available without NDA (Intel System Studio)
    There are two types of DCI hosting interfaces in the platform:
    • USB3 Hosting DCI (USB-Debug cable)
    • BSSB Hosting DCI (Intel SVT Closed Chassis Adapter)

  11. JTAG + ME = ?
    Unlimited research of
    a modern x86 architecture

  12. How Does It Work?
    JTAG for ME

  13. Unlock Token
    UTOK (unlock token) or STOK (security token) is a special partition
    in ME region:
    • Integrated via FPT, HECI, DCI, or directly via an SPI programmer
    • Unique for the platform and temporary
    • Unlocking modes: ORANGE and RED
    • Designed to activate DFx functionality for Intel Management
    Engine

  14. About DFx
    • DFx stands for design for manufacturability, testability, and
    debuggability
    • DFx is a private implementation of JTAG (1149.1 and 1149.7) by
    Intel
    • There are many integrated devices coupled to a DFx chain inside
    PCH and CPU
    • Embedded DFx Interface (ExI) is used to access DFx
    • ExI connects DFx and the external interface (such as USB)

  15. ORANGE
    • Provides access to IOSF*
    • Unlocks JTAG for ISH core*
    • Enables debugging of the ISH program via GDB-stub or DCI
    N.B. UTOK partition must be signed by vendor’s key.
    * Our team has found a server firmware image with ORANGE unlock support (provides
    access to IOSF on the server’s motherboard), but hasn’t found a similar image for
    desktops.

  16. RED
    • Provides access to IOSF
    • Unlocks JTAG for ME core
    • Unlocks JTAG for ISH core
    • Enables debugging from the reset vector (S0) before starting the
    main CPU
    • Provides unlimited access to internal devices and memory
    N.B. UTOK partition must be signed by Intel key

  17. ME JTAG Activation Interface
    • PCH has a special internal device DFX_AGGREGATOR that
    controls access to DFx
    • BUP and ROM have direct access to the CSE zeroing register and
    DFX_AGGREGATOR device (via LDT selector)
    Ext#8 MmioRanges[41]:
    ...
    sel= FF, base:F00B1050, size:00000004, flags:00000003 :: F00B1000:00001000 GEN_PCIP
    sel=107, base:F00B1004, size:00000004, flags:00000003 :: F00B1000:00001000 GEN_PCIP
    sel=10F, base:F5010000, size:00001000, flags:00000003 :: F5010000:00008000 DFX_AGGREGATOR_SBS
    ...

  18. Activation (I)
    CSE zeroing register (32 bits, 31..0) at 0xF00B1050:
    Bit      Description
    0        Intel Unlock Request (R/W)
    31..1    Reserved

  19. Activation (II)
    DFx Aggregator MMIO:
    • DFx Personality (bits 31..0)
    • DFx Consent (bits 31..0)
    • DFx Status (bits 63..0), 0xF5010008
    • PUID (bits 63..0), 0xF5010018
    • Other addresses shown on the diagram: 0xF5010004, 0xF5010000

    DFx Personality value (2..0)    Unlock type
    101                             ORANGE
    011                             RED

    DFx Consent bits    Unlock type
    0                   Unlock Consent
    ...
    30                  Lock Bit

  20. RED Unlock: BUP
    Flowchart; node labels in extraction order (the branch structure is not recoverable from the transcript):
    • start
    • Is the UTOK found?
    • Parsing KNOBs
    • Are the partition signature & platform ID valid?
    • Invalid UTOK
    • Is the platform already unlocked?
    • Is "Intel Knob Lock" found?
    • Parsing and processing other KNOBs
    • CSE_Zeroing_REG |= 1
    • Reset ME
    • end
    Several branches are labelled "Yes".

  21. RED Unlock: ROM
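    Flowchart; node labels in extraction order (the branch structure is not recoverable from the transcript):
    • start
    • CSE_Zeroing_REG = 0
    • CSE_Zeroing_REG & 1 (decision, one branch labelled "Yes")
    • DFx Personality |= 3
    • Clean ME's keys
    • DFx Consent |= 1
    • end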

  22. Latching Consent Register
    void bup_switch_on_dci()
    {
      ...
      eom = 0;
      bup_get_pch_straps(0, &pch_desc_rec0);
      LOBYTE(eom_err) = bup_read_eom(&eom); // Is the platform in Manufacture Mode?
      if ( !(BYTE2(pch_desc_rec0) & 2) || (dfx_data |= 2u, eom_err) || eom )
        bup_disable_dci_by_strap();
      else
        bup_enable_dci_by_strap();
      if ( bup_is_dci_active() == 1 ) // If dci is active ME doesn't latch DFx consent register
        bup_set_dfx_agg_consent();
      else
        bup_lock_dfx_agg_consent();
      if ( gRmlbCookie != cookies )
        sys_fault();
    }
    Is it a design flaw or not?

  23. Red Activation Without Intel Keys
    JTAG for ME

  24. CVE-2017-5705/6/7
    void __cdecl bup_init_trace_hub()
    {
      ...
      int ct_data[202]; // [esp+1Ch] [ebp-334h] 808 bytes
      int cookie; // [esp+344h] [ebp-Ch]
      cookie = gRmlbCookie;
      ...
      if ( !(getDW_sel(0xBF, 0xE0u) & 0x1000000)
        && !bup_get_si_features(si_features)
        && !bup_dfs_get_file_size("/home/bup/ct", &file_size) )
      {
        if ( file_size )
        {
          LOBYTE(err) = bup_dfs_read_file("/home/bup/ct", 0, ct_data, file_size, &bytes_read);
          ...
      if ( gRmlbCookie != cookie )
        sys_fault();
    }
    Vulnerability in BUP module [HTH17]
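
In the excerpt above, `file_size` comes from the file system and is passed straight to the read as the length, with no comparison against the 808-byte `ct_data` visible. The following is an added example, not code from the slides or from Intel's firmware, showing the bounded form of such a read; `mock_file`, `mock_dfs_read`, `read_ct_bounded` and `try_size` are hypothetical names and the inputs are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define CT_WORDS 202   /* same capacity as ct_data on the slide: 808 bytes */

/* Constructed stand-in for a flash file; not the real ME file system. */
struct mock_file { const uint8_t *data; size_t size; };

enum ct_status { CT_OK, CT_EMPTY, CT_TOO_LARGE, CT_SHORT_READ };

/* Hypothetical read primitive: copies however many bytes the caller requests. */
static size_t mock_dfs_read(const struct mock_file *f, void *dst, size_t len)
{
    memcpy(dst, f->data, len);
    return len;
}

/* The size stored with the file is untrusted input, so it is compared with
   the destination capacity before any byte is copied. */
enum ct_status read_ct_bounded(const struct mock_file *f,
                               uint32_t out[CT_WORDS], size_t *used)
{
    *used = 0;
    if (f->size == 0)
        return CT_EMPTY;
    if (f->size > CT_WORDS * sizeof(uint32_t))
        return CT_TOO_LARGE;              /* reject instead of overrunning */
    if (mock_dfs_read(f, out, f->size) != f->size)
        return CT_SHORT_READ;
    *used = f->size;
    return CT_OK;
}

/* Constructed inputs: sizes 0, 808 (fits exactly) and 809 (one byte over). */
enum ct_status try_size(size_t size)
{
    static const uint8_t blob[809] = {0};
    struct mock_file f = { blob, size };
    uint32_t buf[CT_WORDS];
    size_t used;

    return read_ct_bounded(&f, buf, &used);
}

int main(void)
{
    return (try_size(808) == CT_OK && try_size(809) == CT_TOO_LARGE) ? 0 : 1;
}
```

The stack cookie comparison in the excerpt only detects corruption after the copy has happened; the size check refuses the oversized file before any write.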

  25. ME JTAG How-To
    Arbitrary code execution in the BUP module (CVE-2017-5705/6/7)
    Activation of RED UNLOCK without Intel keys
    JTAG access to ME core
    Full control over the target
    ME is no longer a "black box"

  26. Red Activation Without Intel’s Crypto Keys
    1. Activate Manufacture Mode for the target
    2. Set DCI strap in a flash descriptor
    3. Use the vulnerability to load the value 3 to DFx
    Personality register
    4. Done ;)

  27. RED is Activated for Target
    ME core JTAG device ID

  28. What About Host Side?
    DFx Abstraction Layer

  29. Intel DAL: What Is It?
    • DAL stands for DFx Abstraction Layer, a software stack for
    DFx
    • DAL is the core of all recent Intel HW debugging/checking
    tools (System Debugger, System Trace, Platform
    Debugging Toolkit)
    • Supports a wide range of Intel platforms/CPUs
    • Supports multiple Intel HW probe types
    • DAL is available without NDA

  30. Overview of Intel DAL
    UI
    • Python Console (CLI)
    • Intel System Studio (GUI)
    DAL
    • C# library
    Driver
    • Probe/DCI Driver
    Transport
    • Intel SVT
    • USB 3.0 DbC
    • Intel ITP-XDP
    Target
    • DFx

  31. Sources of Information About DAL
    Documentation / White Papers / Patents
    See also:

  32. Problem
    Trial version of Intel System Studio
    doesn’t include configuration options for ME core

  33. Crafting ME Core Configuration
    DFx Abstraction Layer

  34. Encrypted XML Files
    • DAL configuration is included in encrypted XML files
    • Encryption is performed using PBKDF2 and AES
    • Key and salt are hardcoded in DAL (Intel.DAL.Common.Decryption.dll)
    Salt = "I wandered lonely as a cloud,\r\n
    That floats on high o'er vales and hills,\r\n
    When all at once I saw a crowd,\r\n
    A host of golden daffodils "
    Key = "ITP"
    William Wordsworth

  35. ME Core Device Configuration
    • Configuration options for ME core are missing in public
    XML files
    • ME core is an LMT2 device (by JTAG ID code)
    • LMT2 is included in XML files

  36. Craft Custom Configuration (for Skylake)
    1. Decrypt XML files
    2. Add the following lines to "Topo.SPT.xml":

    <_tag key="Invisible" value="False" />

    PhysicalEnable="True" />
    SerializePreScan="TapSerializationSTAP5.Serialized" PhysicalEnable="True" />

    3. Use standard DAL environment for ME debugging
    4. Make your computer personal again

  37. DFx Chain to ME LMT2 Core (LP series)
    SPT_RGNTOP
    SPT_TPSB
    SPT_MASTER SPT_NPK
    SPT_PARCSMEA SPT_CSME
    SPT_RGNLB SPT_PARISH SPT_ISH
    SPT_AGG
    CLTAP

  38. Our achievements so far
    • JTAG activated for Intel ME
    • Starter code (aka ROM) dumped
    • Complete Huffman code recovered for ME 11
    • Integrity and Confidentiality Platform Keys [FFS17] extracted

  39. Links
    https://github.com/ptresearch/
    http://blog.ptsecurity.com/

  40. References
    [IMS14] Igor Skochinsky, Intel ME Secrets. Hidden code in your chipset and how to
    discover what exactly it does. Hex-Rays. RECON 2014.
    [STW17] Dmitry Sklyarov, ME: The Way of the Static Analysis. Troopers 2017.
    [FFS17] Dmitry Sklyarov, Intel ME: flash file system explained, Black Hat Europe,
    2017.
    [IDS17] Mark Ermolov, Maxim Goryachy, Intel DCI Secrets, HITBSecConf 2017
    CommSec, Amsterdam, 2017.
    [HTH17] Mark Ermolov, Maxim Goryachy, How to Hack a Turned-Off Computer, or
    Running Unsigned Code in Intel Management Engine, Black Hat Europe, 2017.
    [PSTR14] Xiaoyu Ruan, Platform Embedded Security Technology Revealed:
    Safeguarding the Future of Computing with Intel Embedded Security and
    Management Engine, 2014, Apress, ISBN 978-1-4302-6572-6.

  41. Thank you!
    Questions?