libreboot
/
lbwww
1
0
Fork 0
Code Packages Projects Releases Activity

deguard page 

more of a philosophical rant but eh

Signed-off-by: Leah Rowe <info@minifree.org>
master
Leah Rowe 2024-12-05 19:02:46 +00:00
parent b8c5061c40
commit 4252ddd1cd
1 changed files with 78 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

78
site/docs/install/deguard.md Normal file
View File

@ -0,0 +1,78 @@
---
title: Disabling Intel Boot Guard on MEv11
x-toc-enable: true
...
This covers Intel Skylake, Kaby Lake and Kaby Lake Refresh / Coffeelake
machines; note that Coffeelake includes KabyLake Refresh and may have MEv12.
This page concerns only those platforms that have Intel MEv11, not MEv12. The
facts on this page are applicable to both *mobile* and *desktop* platforms.
The Intel Boot Guard is a security mechanism implemented by intel, but not all
vendors enable it. If enabled, the bootblock in the flash is protected at boot
time by cryptographic signature verification; this means only the vendor can
update the flash.
On systems with MEv11, a bug exists in older versions (of MEv11) that allows
for unsigned code execution, at a very early stage in the boot process, to the
point that almost all of the ME firmware in flash can be fully replaced. The
ME is also what implements Boot Guard, and the hack is possible *before* Boot
Guard is enforced, allowing for it to be disabled.
See: [CVE-2017-5705](https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00086.html)
Mate Kukri, who authored the ThinkPad T480/T480 and OptiPlex 3050 Micro ports,
wrote a tool called *deguard*, which Libreboot uses on these boards. This tool
reconfigures the ME, exploiting it so as to disable the Boot Guard.
This is done by externally flashing an older version. Libreboot's build system
automatically downloads this older version, runs `me_cleaner` on it, and applies
the deguard hack; this includes machine-specific ME configuration, which is
added per machine by extracting it from a dump of the original flash. The
resulting configuration (for the MFS partition in the ME) is then inserted into
the generic ME image.
Note that the deguard utility can *also* be used on MEv11 setups that *don't*
have Boot Guard, if you simply want to auto-download and neuter a generic ME
image, and then provide machine configuration. It is essentially doing the same
thing that Intel's own *FITC* utility does (Intel Flash Image Tool), which is
normally only available to vendors; the *deguard* utility written by Mate Kukri
is available under a free software license, and included by default in Libreboot
releases. It can be used for *any* MEv11-based system.
To download deguard in lbmk (Libreboot's build system), do this:
./mk -f deguard
Then go in `src/deguard/` and the `README.md` file in there tells you more
information about how it works, and how to use it. You do not need to run
this tool yourself, unless you're adding a new board, because Libreboot is
programmed to use it automatically, during the build process (or during
insertion of vendor files after the fact, on release images).
With deguard, the machine is operating in a state as though the Boot Guard keys
were never fused, even if they were. [Previous work](https://trmm.net/TOCTOU/)
has been done by others, related to the Boot Guard, but nothing quite so
thorough and easy to use as deguard existed previously!
Mate Kukri was able to figure this out and implement deguard, using existing
work done by PT Research and Youness El Alaoui, exploiting the Intel SA 00086
bug which you can read more about here:
<https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00086.html>
<https://www.intel.com/content/www/us/en/support/articles/000025619/software.html>
Note that *Intel* refers to this as a means of a so-called *attacker* running
so-called *malicious* code; while this may also be possible in the strictest
sense, flash write protection is possible on these machines, which you can
read about on the [GRUB hardening](../linux/grub_hardening.md) page. Intel made
the Boot Guard without giving users control of it, so people have worked for
years to try to hack around it, as a matter of user freedom. So remember: when
Intel is talking about security, they mean *their* security, not yours. To them,
you are simply flashing malicious code. But they are the ones with malice.
Mate Kukri and others who work on such hacks are heroes, and they have done a
great service to the Libreboot project.
Many more machines are now possible to port to coreboot, thanks to this hack.