I research security of Intel platforms. I don't work for Intel

Moscow, Russia
Finally, the casket is opened: we (+@h0t_max and @_Dmit) have extracted Intel x86 microcode! One more piece of Intel "top secret" information gets revealed... github.com/chip-red-pill/glm…
Wow, we (+@h0t_max and @_Dmit) have found two undocumented x86 instructions in Intel CPUs which completely control microarchitectural state (yes, they can modify microcode)
Intel HW is too complex to be absolutely secure! After years of research we finally extracted Intel SGX Fuse Key0, AKA Root Provisioning Key. Together with FK1 or Root Sealing Key (also compromised), it represents Root of Trust for SGX. Here's the key from a genuine Intel CPU😀
A very important goal has been achieved, for the benefit of the entire information security society: we decrypted Intel XuCode!
We did it: Intel ME 11.x arbitrary code execution, #BHEU blackhat.com/eu-17/briefings…
A very bad thing happened: now, the Intel Boot Guard on the vendor's platforms can no longer be trusted... ☹️
They really tried hard to protect the key: the ucode part works perfectly, but they forgot to clear the internal buffer in the core IP holding all fuses (including FK0) acquired from the Fuse Controller
Intel x86 Root of Trust: loss of trust: blog.ptsecurity.com/2020/03/…
Here're all the technical details of the undocumented x86 instructions which we (+@h0t_max and @_Dmit) found: github.com/chip-red-pill/udb…
Lack of coordination between Intel CSME security/firmware team and PCH HW team has led to a very big fail: Fuse Encryption Key has been extracted!
Nevertheless, the last step to fully compromise Intel SGX remains: knowing the FK0 Fuse Encryption Key (FK0 FEK), but we hope to do it like we did for CSME...
They're decoded in all modes (even in User Mode) but the ucode in MSROM throws #UD if not in Red Unlocked state. All details a little later...
I can't believe it: Intel decided to be open about the debugging capabilities of their chips. Our work definitely bears fruit: software.intel.com/content/w…
Found an Intel CPU's DSB (uop cache) JTAG scan-out description. It reveals Intel x86 microcode format. Proves that Intel's microcode is opcode-based
No human has ever set foot here (no researcher’s eye has looked) 😀. This is Intel pcode ROM (for Atoms)
After a year of the coordinated disclosure process, we (+@h0t_max and @_Dmit) can finally share: we found a reliable, non-damaging way to extract the security fuses (Chipset + EPID root keys) from Intel platforms. intel.com/content/www/us/en/…
So, as Intel dropped embargo, now we can say: the Intel CSME boot ROM bug exists in all their chipsets and SoCs having x86 CSME MCU (except Ice Point and Comet Point). Let's find it together:
Intel super secret Lakemore technology (full-fledged, GHz speed On Die Logic Analyzer in every CPU and PCH) is revealed... blackhat.com/asia-19/briefin…, #BHASIA 2019
Let's clarify: the main threat of the Intel SGX Root Provisioning Key leak is not access to local enclave data (requires physical access; already mitigated by patches applied to EOL platforms) but the ability to forge Intel SGX Remote Attestation
Using CVE-2019-0090 we've extracted the Intel Cannon Point chipset's (mobile Whiskey Lake, Cannon Lake and 300 series) Intel CSME boot ROM, but this is just the beginning... More info next week.
This's not good guys, not good at all...
Here are slides of our VISA BlackHat talk: i.blackhat.com/asia-19/Thu-M…
Ooh, found hundreds of undocumented MSRs for an Intel desktop CPU. So, an MSR is just a register on the CPU CRBUS (Control Register Bus). Addresses don't match. Names in the documentation are combed to hide internal details (unit name and CR suffix)
We have progress in Intel Atom microcode reverse engineering: e.g. we've found the GenuineIntel formation in MSROM's implementation of CPUID 0.0. A full disassembler for the Small Core microcode isn't far away...
Searching for zero days in Intel x86 microcode is a very exciting experience, knowing that we are the first to do it and they should definitely be there
Intel has very strongly protected their main platform asset, the CSME security fuses (root keys): there exist three independent protection mechanisms: DFX secure policy blocking, personality lock and CSE tap firewall. But we break them all! Write-up is coming...
Direct, runtime RW access to the PRF (physical register file) of a CPU core via the LDAT port (accessible through CRBUS) gives unprecedented possibilities for analysis of CPU transient execution vulnerabilities
No human has yet set foot here (no researcher's eyes have looked). Intel pcode (runs on the 8051 power control unit in the CPU complex)
Replying to @Someoak1
No, AMD CPUs don't implement SGX technology and aren't susceptible to the fuse extraction technique
Very good, someone collected the info about ALL existing HW debug probes and corresponding SW to perform JTAG debugging for both Intel and AMD... github.com/Necrosys/x86-JTAG…
One unnoticed vulnerability found by the Intel STORM team: Intel IGD (integrated graphics card) can read the first two dwords (unencrypted, of course) of cache lines belonging to an Intel SGX enclave intel.com/content/www/us/en/…
We've found a bug in CSME on-die ROM!💥 Intel says it's already targeted by CVE-2019-0090 (intel.com/content/www/us/en/…). Security Fuses can be extracted! 🔥 Mehlow and Cannon Point chipsets are affected. Stay tuned!
Even closer to the goal: Intel SGX FK1 (Fuse Key 1) is extracted (by Intel VISA 😀). Now to finally pull out the FK0...
The hour is not far off when Intel SGX will be "fundamentally broken" (the keys derivation will be recalculated for any EPOCH)...
the Apocalypse begins: Multiple buffer overflows in Intel CSME, including one with a remote vector security-center.intel.com/ad…
This's certainly undocumented behaviour of the CPUID instruction: working with physical memory, reading some data and doing conditional logic depending on the data content. I suppose this is for CPU crash dump support...
Ha-ha, after our report about finding an undocumented command for arbitrary memory read inside PMC firmware, Intel responded that there's no security problem, but fixed the command implementation nevertheless...
North Bridge (CPU complex) wake-up logic complexity in pcode 😱 (for Atoms)
Is it the beginning of the end?
It seems this leak affects not only Intel Boot Guard technology, but all OEM signing-based mechanisms in CSME, such as OEM unlock (Orange Unlock), ISH firmware, SMIP and others...
⛓️Confirmed, Intel OEM private key leaked, causing an impact on the entire ecosystem. It appears that Intel BootGuard may not be effective on certain devices based on the 11th gen Tiger Lake, 12th gen Alder Lake, and 13th gen Raptor Lake. Our investigation is ongoing, stay tuned for updates.
A big step forward in reverse engineering of Intel p-unit firmware (pcode): managed to match the debug trace message IDs in the pcode with the message IDs from the .xml files of Intel System Trace utilities. Huh, many things become clearer...
I can't believe it: NDA-ed MSRs, for the newest CPU, what a good day...
It seems Intel knows all about our CPUs. This information is burned into the fuses of each CPU die instance and it completely identifies the CPU
That's better... IDA processor module for Intel pcode is implemented
Intel SGX implementation (in addition to the support in microcode itself) consists of two large code modules: the platform-dependent MCHECK and the cross-platform XuCode. Now we have all of them.
Intel Cannon Point chipset (300 series) as well as Apollo Lake and Gemini Lake SoCs have a very dangerous Delayed Authentication Mode (DAM) vulnerability allowing arbitrary code execution and root key prediction. Detailed write-up is coming. Stay tuned.
What???😱
This is an implementation of the rdtsc instruction in microcode for the Intel GLM Atom CPU: besides the real TSC value from CRBUS address 0x2d7, there're two core-wide parameters, a multiplier and a constant addition (at URAM addrs 0x87 and 0x3b)
It's time to put an end to numerous disputes and speculations about whether Intel CSME can bypass VT-d: Yes, it can bypass it!
Intel p-unit (power control unit in the CPU complex, don't confuse it with the platform's power management controller, PMC) arbitrary code execution + reverse engineering. It's based on the Intel Foxton micro-controller with a completely private 16-bit ISA
Yes, we bypassed some of the Intel Manufacturing Fuses (hacked the CSE fuse puller): here's an example of a functional use intended only for pre-production testing (Intel VISA tracing of CSE's system agent data bus)
When we asked Intel about the mnemonics of the undocumented instructions we had just found, they told us that these instructions are called "debug read" and "debug write". Unfortunately - this is not true and apparently they tried to hide the existence of another one, PATCH1 ☹️
So, those undocumented x86 instructions that we found in Intel CPUs are officially called PATCH2 and PATCH3. If so, what is PATCH1???
It's time to hunt the microcode of desktop CPUs 😁
Here's how the STD (set direction flag) x86 instruction is implemented in microcode (the jump at IDQ entry 01 can be ignored)
How much code is there, how many errors can there be😀
Intel discloses a remote 'privileges escalation' vulnerability in CSME for non-vPro systems (not having the AMT module). That's a precedent breaking well-recognized assumptions about remote attacks on CSME (CVE-2019-0169): intel.com/content/www/us/en/…
Intel debug technologies really help in reverse engineering of their HW/FW...
I found it, I found it! Machine Check codes for punit (described in the Trace Hub message xmls) in pcode! This will greatly simplify reverse engineering of pcode.
Amazingly, Intel Secure Key Storage (SKS) of the CSME subsystem also has a bug allowing one to brute-force any key slot, but the issue exists at the hardware level: insecure design of the key distribution to crypto engines (AES, SHA, RC4)
so, the PS4 Crypto Coprocessor (CCP) interface in the secure kernel had a bug that allowed us to dump (or rather, brute-force) key slots from SAMU, that's how AES/HMAC keys from PFS, portability keys, VTRM keys, etc. could be retrieved on unpatched firmware: gist.github.com/flatz/222153…
Intel quietly fixes RCE in AMT (CVE-2018-3628): intel.com/content/www/us/en/…. Admin credentials aren't needed
Intel VISA demo: extracting one of the Intel SoC's security fuses (debug root key for TPM, ME file system, Intel IPT and others):
The existence of uops allowing an indirect transfer of execution to an arbitrary uaddr inside the ucode ROM will definitely lead to a rethinking of Spectre-like transient execution attacks after the ucode disasm publication, because it'll require taking ucode-level gadgets into account as well
Secretly, for hypervisor developers: the undocumented offset of the current VMCS pointer in the VMXON region😉
So, as the Intel SGX Provisioning Key is the only key not depending on the Root Seal Key, XuCode reveals that Fuse Key 0 is the Root Provisioning Key and Fuse Key 1 is the Root Seal Key...
I found how UEFI accesses the CPU complex devices' PCRs (Private Configuration Space Registers) in the newest Intel CPUs (CNL+, based on IOSF): via an undocumented REGBAR!
What a find! Direct access to the CPU SVID (serial voltage id) bus via undocumented punit mailbox MSRs (0x607/0x608), voltage change step ~1 mV, access to Cores/SA/GT VRs. It's much more flexible than RAPL...
Here's the PoC for VT-d bypass by Intel CSME on the Apollo Lake platform. Moreover, Intel CSME can grant any integrated or even external PCI-E device the ability to bypass VT-d using IMRs. UEFI/OS can't prevent or even reliably audit this, as IMRs can be changed at an arbitrary time☹️
Security researcher: This is a backdoor! Manufacturer: No, this is a debug feature! ¯\_(ツ)_/¯
So, Intel XuCode is now available for third-party research...
Today we've published the Intel Microcode decryptor! It gives you an amazing opportunity for researching x86 platforms. You can understand how Intel mitigated the Spectre vulnerability, explore the implementation of Intel TXT, SGX, VT-x technologies! Enjoy it! github.com/chip-red-pill/Mic…
I found the map of all fuses (OTP config) for all IPs of both north and south complexes for one of the newest platforms (Intel platforms of course). Unbelievable...
It seems that on Desktop platforms, Intel CSME is powered by a dedicated power rail (controlled by the APWROK pin). Together with the precise timings provided by VISA, it looks like a perfect target for voltage glitching...
Replying to @Myriachan
Yes, the private signing key is leaked ☹️
This was a real challenge, but here's the JTAG break into Intel MCHECK entry point (see intel.com/content/www/us/en/…), and the access to the decrypted microcode patch in the special protected SRAM...
What, they "fixed" CVE-2021-0146 (CSE security fuses access, intel.com/content/www/us/en/…) by microcode??? But... it only prevents our PoC from working!!! It seems I will send them a new PoC soon...
Now that we have the full Intel CSME hardware (MISA, Gasket, OCS and others) and Fuses description (thanks to the Simics info), let's bring the firmware reverse engineering to a new level😀
Intel Cannon Point CSME ring-0 arbitrary code execution via DAM vulnerability (doesn't have CVE actually, don't confuse with the CSME boot ROM bug) is achieved. Here's RED Unlock for CNP:
Confirmed: Intel added SHA3 engine to DFX AGG for hardware authentication, but only starting from Tiger Lake (11 gen), all previous platforms have raw unlock passwords burnt into fuses...
Replying to @_markel___
1. Orange/Red unlock passwords are burnt directly into fuses (not their SHA3 digest, as Intel convinces) 2. If so, timing attacks are possible 3. The Orange password is 32 bits long, allowing it to be brute-forced
One of the latest pieces of research on Intel microcode patch reverse engineering. Verily, "there is nothing secret that would not become apparent..." ieeexplore.ieee.org/stamp/st…
It's amazing how many heterogeneous CPU cores were integrated in Intel Silvermont's Moorefield SoC (ANN): x86, ARC, LMT, 8051, Audio DSP, each running its own firmware and supporting a JTAG interface
Just got a book... The paper and print quality are very good
This ucode for the VMREAD (ebx, eax) x86 instruction reveals that on Big Cores there is a VMCS cache in special protected SRAM accessible to ucode at 0xfeb80000 (while Atoms directly access the current VMCS in physical memory)
They did not set the secure attribute for FEK, mistakenly believing that the AES CBC result could not be read back into CSME memory for secure keys (although this only applies to HMAC)
The true Intel SGX hack is not an extraction of the current Provisioning or private EPID keys from the Provisioning/Quoting Enclaves, which can be revoked and re-derived, but an extraction of the Root Provisioning and Seal Keys, which is only possible by takeover at the microcode level
This's a breakthrough: found the JTAG TAP of the Intel PMC ARC600 MCU for Atoms. It isn't supported by public OpenIPC, so raw IRs must be used. ARC's IR codes are actually shifted 4 bits left. Scary to imagine what can be done using this...
This led to disastrous results, so this last barrier has been overcome and Intel CSME for Apollo Lake/Gemini Lake/Refresh is completely compromised. Newer platforms also have this architectural flaw that can be exploited if a code execution vulnerability is found...
Ooh, found a second SMM-like mode (so called PSMI) with an independent SMBASE
Remote Red Unlock with access to the microarchitecture? Yes, it's now possible for new Intel Xeons: meet Intel BMCJTAG...
Do you know that some Simics modules for the Intel EagleStream platform (based on the Sapphire Rapids CPU) from the 2021 ExConfidential Lake leak have unstripped symbols? This gives an unbelievable level of understanding of how Intel hw works! Below is an example of the Fuse Pulling impl...
What a find! The synchronization point of the platform boot flow for the VISA trace, which can be managed without DFx Unlock! I can already see the SGX FK0 on the horizon...
Undocumented MSR (0x171) containing SMBASE (SMRAM base address). SMBASE is stored in microcode URAM (FSCP) and can be read/written by the RSM instruction, JTAG and XuCode (!!!)
A bug in CSME 16.x (for the Alder Lake SoC) will cost Intel dearly, as it will likely provide microcode access for both Big Core and Atom. Let's start researching (small hint: the CSME 16.x ROM is already available 😁)
We managed to bypass the DFX Secure Policy on Apollo Lake/Gemini Lake/Gemini Lake Refresh. All keys are ours😀
Intel SGX implementation will be available for third-party audit
It turns out there is a method to disable Intel ME 11.x on all platforms (designed for the NSA #HAP program) blog.ptsecurity.com/2017/08/…
In my opinion, the most serious vulnerability published today by Intel: intel.com/content/www/us/en/…. The privilege escalation in that context means one of two things: either arbitrary microcode execution, or modification of SGX instruction behavior