Intel’s boot guard is a doddle to defeat
 

If you have time alone with a laptop

Security experts have come up with a way of defeating Intel’s boot verification process.

Researchers Peter Bosch and Trammell Hudson presented a Time-of-check, time-of-use (TOCTOU) attack against the Boot Guard feature of Intel's reference Unified Extensible Firmware Interface (UEFI) implementation at the Hack in the Box conference in Amsterdam this week.

Boot Guard is a technology that was added in Haswell and was supposed to check that the low-level firmware (UEFI) has not been maliciously modified. It does this by checking that the loaded firmware modules are digitally signed with trusted keys that belong to Intel or the PC manufacturer every time the computer starts.

Bosch, an independent researcher and computer science student at Leiden University in the Netherlands, discovered an anomaly in the Boot Guard verification process while he was trying to find a way to use the open-source Coreboot firmware on his laptop. In particular, he noticed that after the system verified the firmware and created a validated copy in the cache, it later re-read modules from the original text located in the Serial Peripheral Interface (SPI) memory chip -- the chip that stores the UEFI code.

The system should only rely on the verified copy after the cryptographic checks are passed and this made Bosch think there might be an opportunity for an attacker to modify the firmware code after it's been verified and before it's incorrectly re-read from SPI memory.

Trammell Hudson confirmed Bosch's findings and together worked on an attack that involves attaching a programming device to the flash memory chip to respond with malicious code when the CPU attempts to reread firmware modules from SPI memory instead of the validated copy.

The result is that malicious and unsigned code is executed successfully, something that Boot Guard was designed to prevent.

https://fudzilla.com/news/pc-hardwar...ddle-to-defeat