Explore the intricacies of bypassing hardware-based trusted boot through x86 downgrade in this 33-minute conference talk from the Hack In The Box Security Conference. Delve into the vulnerability discovered in the Intel CPU microcode loader, which allows for downgrading CPU microcode and potentially removing security fixes for vulnerabilities like Spectre var2. Examine the implications of loading older versions of Intel Authenticated Code Modules (ACMs) and their impact on Intel security technologies such as Boot Guard, BIOS Guard, TXT, and SGX. Learn how exploiting patched vulnerabilities in ACMs can lead to bypassing trusted/measured boot on Intel TXT & BIOS Guard protected platforms. Gain insights into firmware security, undocumented technologies, and architectural flaws as the speaker demonstrates the practical application of this attack vector on a real-world system.
Bypassing Hardware-Based Trusted Boot Through x86 Downgrade
Hack In The Box Security Conference via YouTube
Overview
Syllabus
Intro
Inside Intel CPU
Firmware Interface Table (FIT)
Microcode Update binary main header
Microcode Update binary extended header
Microcode Update binary data
Known facts about Microcode
Authenticated Code Modules (ACMS)
Useful links to start digging
Updating Microcode in UEFI BIOS
Microcode Update loading process
Platform Init
Microcode Downgrade
Side channel attacks
Debug capabilities
Downgrading ACMs. Intel BIOS Guard
Downgrading ACMs. Intel TXT
#Report and Reaction
#Mitigations
Taught by
Hack In The Box Security Conference
