Bypassing Hardware-Based Trusted Boot Through x86 CPU Microcode Downgrade

PRESENTATION SLIDES (PDF)

It is widely known Intel CPU microcode is hardcoded into CPU ROM, and for security reasons, should be updated every time CPU is powered on, including situations like waking up from Sleep/Hibernation states. This is usually done by a microcode loader in UEFI BIOS. I’ve discovered a vulnerability in this loader, which allows tricking it to downgrade the CPU microcode.

One of the obvious consequences of this attack vector is removing fixes (implemented in microcode) for vulnerabilities like Spectre var2. However, I’ve found out the older versions of microcode allows to load the older versions of Intel ACMs (Authenticated Code Modules).

ACMs are a special code modules developed (and signed) by Intel to support some Intel security technologies, like Intel Boot Guard, Intel BIOS Guard, Intel TXT, Intel SGX. “Supporting” means serving as a Root of Trust. These modules are loaded into CPU L3 cache (sometimes called AC RAM) and executed from there. Like the other code, ACMs can be updated/fixed, and for security reasons running a downgraded version of an ACM is deprecated. This is maintained by a microcode and, like mentioned above, the old version of a microcode loads an old (associated) version of an ACM.

This opens up an opportunity to exploit patched vulnerabilities in ACMs influencing on the technologies they support. Which in turn leads to bypassing the trusted/measured boot (hardware-based). In this talk I’m going to show how exactly this could be done on a real Intel TXT & Intel BIOS Guard protected platform.

CONFERENCE
Location: BALLROOM 1 Date: August 30, 2019 Time: 10:30 am - 11:30 am Alexander Ermolov