Schrödinger's Trusted Boot. Intel Boot Guard

We propose to go down to the low level once again and talk about the security of firmware on x86-compatible computer platforms. This time, the main subject of the study is Intel Boot Guard (not to be confused with Intel BIOS Guard!), a hardware-supported technology for trusted boot of the BIOS that the computer system vendor can permanently enable or disable at the manufacturing stage. The research recipe is already familiar to us: thinly slice the implementation of this technology using reverse engineering, describe its architecture, fill it with undocumented details, season with attack vectors to taste and mix. Let's add fuel to the fire with a story about how a bug cloned for years in the production of several vendors allows a potential attacker to use this technology to create a hidden rootkit in the system that cannot be removed (even with a programmer).

By the way, the article is based on the talks "On Guard of Rootkits: Intel BootGuard" from the ZeroNights 2016 conference and the 29th DefCon Russia meeting (both presentations are here).

Firmware of a computer platform with Intel 64 architecture

First, let's answer the question: what is the firmware of a modern computer platform with Intel 64 architecture? UEFI BIOS, of course. But that answer would not be accurate. Let's look at the figure, which shows the desktop (laptop) version of this architecture.

Its basis is the pair:

  • Processor (CPU, Central Processing Unit), which, in addition to the main cores, has an integrated graphics core (not in all models) and a memory controller (IMC, Integrated Memory Controller);
  • Chipset (PCH, Platform Controller Hub), containing various controllers for interacting with peripheral devices and managing subsystems. Among them is the well-known Intel Management Engine (ME), which also has firmware (Intel ME firmware).

Laptops, in addition to the above, require an embedded controller (ACPI EC, Advanced Control and Power Interface Embedded Controller), which is responsible for the operation of the power subsystem, touchpad, keyboard, Fn keys (screen brightness, sound volume, keyboard backlight, etc.) and other things. It also has its own firmware.

So, the totality of the above firmware is the firmware of the computer platform (system firmware), which is stored on a shared SPI flash memory. So that the users of this memory do not get confused about where whose data lies, the contents of this memory are divided into the following regions (as shown in the figure):

  • UEFI BIOS;
  • ACPI EC firmware (a separate region appeared with the Skylake processor microarchitecture (2015), but in the wild we have not yet seen examples of its use, so the embedded controller firmware is still part of the UEFI BIOS);
  • Intel ME firmware;
  • configuration (MAC address, etc.) of the integrated GbE (Gigabit Ethernet) network adapter;
  • Flash descriptors: the main region of the flash memory, containing pointers to the other regions as well as the permissions for accessing them.

The SPI bus master, the SPI controller built into the chipset through which this memory is accessed, is responsible for restricting access to the regions (according to the specified permissions). If the permissions are set to the values recommended by Intel (for security reasons), then each user of the SPI flash has full access (read/write) only to its own region. The rest are either read-only or inaccessible. A well-known fact: on many systems, the CPU has full access to UEFI BIOS and GbE, read-only access to the flash descriptors, and no access to the Intel ME region at all. Why on many, and not on all? What is recommended is not mandatory. We will tell you in more detail later in the article.

Mechanisms for protecting computer platform firmware from modification

Obviously, the firmware of a computer platform must be protected from possible compromise, which would allow a potential attacker to gain a foothold in it (survive OS updates/reinstallation), execute their code in the most privileged modes, etc. And restricting access to the SPI flash memory regions is, of course, not enough. Therefore, various mechanisms specific to each execution environment are used to protect the firmware from modification.

Thus, the Intel ME firmware is signed for integrity and authenticity control, and is checked by the ME controller each time it is loaded into ME UMA memory. We have already discussed this verification process in one of the articles devoted to the Intel ME subsystem.

And the ACPI EC firmware, as a rule, is checked only for integrity. However, because this binary is included in the UEFI BIOS, it is always subject to the same protection mechanisms that the UEFI BIOS uses. Let's talk about them.

These mechanisms can be divided into two categories.

Write protection of the UEFI BIOS region

  1. Physical protection of the contents of the SPI flash memory with a write-protect jumper;
  2. Protection of the projection of the UEFI BIOS region in the CPU address space using the chipset's PRx registers;
  3. Blocking attempts to write to the UEFI BIOS region by generating and handling the corresponding SMI interrupt, by setting the BIOS_WE/BLE and SMM_BWP bits in the chipset registers;
  4. A more advanced version of this protection is Intel BIOS Guard (PFAT).

In addition to these mechanisms, vendors can develop and implement their own security measures (for example, signing capsules with UEFI BIOS updates).

It is important to note that on a particular system (depending on the vendor), not all of the above protection mechanisms may be applied, they may not be applied at all, or they may be implemented in a vulnerable way. You can read more about these mechanisms and the state of their implementation in this article. For those interested, we recommend reading the whole series of articles on UEFI BIOS security by CodeRush.

Verifying the authenticity of the UEFI BIOS

When we talk about trusted boot technologies, the first thing that comes to mind is Secure Boot. However, architecturally it is designed to verify the authenticity of components external to the UEFI BIOS (drivers, bootloaders, etc.), not the firmware itself.

Therefore, Intel, in SoCs with the Bay Trail microarchitecture (2012), implemented a hardware Secure Boot that cannot be disabled (Verified Boot), which has nothing in common with the Secure Boot technology mentioned above. Later (2013), this mechanism was improved and released under the name Intel Boot Guard for desktops with the Haswell microarchitecture.

Before describing Intel Boot Guard, let's look at the execution environments in the Intel 64 architecture, which, taken together, are the roots of trust for this trusted boot technology.

Intel CPU

Captain Obvious suggests that the processor is the main execution environment in the Intel 64 architecture. Why is it also a root of trust? It turns out that what makes it one is the possession of the following elements:

  • Microcode ROM is non-volatile, non-rewritable memory for storing microcode. It is believed that microcode is the implementation of the processor's instruction set using the simplest instructions. Bugs happen in microcode too. So in the BIOS you can find binaries with microcode updates (they are applied during boot, since the ROM cannot be overwritten). The contents of these binaries are encrypted, which greatly complicates analysis (therefore, the specific contents of microcode are known only to those who develop it), and signed for integrity and authenticity control;
  • AES key for decrypting the contents of microcode updates;
  • hash of the RSA public key used to verify the signature of microcode updates;
  • hash of the RSA public key that verifies the signature of Intel-developed ACM (Authenticated Code Module) code modules, which the CPU can launch before BIOS execution begins (hello microcode) or during its operation, when certain events occur.

Intel ME

Our blog has devoted two articles to this subsystem. Let us recall that this execution environment is based on a microcontroller built into the chipset and is the most hidden and privileged in the system.

Despite its secrecy, Intel ME is also a root of trust because it has:

  • ME ROM: non-volatile, non-rewritable memory (no update method is provided) containing the start code as well as the SHA256 hash of the RSA public key that verifies the signature of the Intel ME firmware;
  • AES key for storing secret information;
  • access to a set of fuses (FPFs, Field Programmable Fuses) integrated into the chipset for permanent storage of some information, including information specified by the computer system vendor.

Intel Boot Guard 1.x

A small disclaimer. The version numbers of the Boot Guard technology that we use in this article are arbitrary and may have nothing to do with the numbering used in Intel's internal documentation. In addition, the information given here about the implementation of this technology was obtained through reverse engineering and may contain inaccuracies compared with the Intel Boot Guard specification, which is unlikely ever to be published.

So, Intel Boot Guard (BG) is a hardware-supported technology for verifying the authenticity of the UEFI BIOS. Judging by its brief description in the book [Platform Embedded Security Technology Revealed, chapter Boot with Integrity, or Not Boot], it works as a trusted boot chain. The first link in it is the boot code (microcode) inside the CPU, which is triggered by the RESET event (not to be confused with the RESET vector in the BIOS!). The CPU finds in the SPI flash memory a code module developed and signed by Intel (the Intel BG startup ACM), loads it into its cache, verifies it (it was already noted above that the CPU has a hash of the public key that verifies the ACM signature) and starts it.


This code module is responsible for verifying a small initial part of the UEFI BIOS, the Initial Boot Block (IBB), which, in turn, contains the functionality for verifying the main part of the UEFI BIOS. Thus, Intel BG lets you verify the authenticity of the BIOS before loading the OS (which can be done under the supervision of Secure Boot technology).

Intel BG technology provides two modes of operation (and one does not interfere with the other, i.e. both modes can be enabled on a system, or both can be disabled).

Measured Boot

In Measured Boot (MB) mode, each boot component (starting with the CPU boot ROM) "measures" the next one using the capabilities of the TPM (Trusted Platform Module). For those who are not familiar with it, let me explain.

The TPM has PCRs (Platform Configuration Registers), into which the result of a hashing operation is written according to the formula:


That is, the current PCR value depends on the previous one, and these registers are reset only when the system is reset.

Thus, in MB mode, at some point in time the PCRs reflect a unique identifier (within the capabilities of the hashing operation) of the code or data that was "measured". PCR values can be used in the encryption of some data (TPM_Seal). After that, their decryption (TPM_Unseal) will be possible only if the PCR values have not changed as a result of booting (i.e. not a single "measured" component has been modified).

Verified Boot

The scariest thing for those who like to modify the UEFI BIOS is Verified Boot (VB) mode, in which each boot component cryptographically verifies the integrity and authenticity of the next one. And in the event of a verification error, (one of) the following happens:

  • shutdown on a timeout from 1 minute to 30 minutes (so that the user has time to understand why the computer does not boot and, if possible, try to restore the BIOS);
  • immediate shutdown (so that the user does not have time to understand anything, let alone do anything);
  • continuing to work with a straight face (the case when there is no time for security, because there are more important things to do).

The choice of action depends on the specified Intel BG configuration (namely, on the so-called enforcement policy), which is permanently recorded by the computer platform vendor in specially designed storage: the chipset fuses (FPFs). We will dwell on this point in more detail later.

In addition to the configuration, the vendor generates two RSA 2048 keys and creates two data structures (shown in the figure):

  1. The vendor's root key manifest (KEYM, OEM Root Key Manifest), which contains the SVN (Security Version Number) of this manifest, the SHA256 hash of the public key of the next manifest, the RSA public key (i.e. the public part of the vendor's root key) for verifying the signature of this manifest, and the signature itself;
  2. The IBB manifest (IBBM, Initial Boot Block Manifest), which contains the SVN of this manifest, the SHA256 hash of the IBB, the public key for verifying the signature of this manifest, and the signature itself.

The SHA256 hash of the OEM Root Key public key is permanently written to the chipset fuses (FPFs), just like the Intel BG configuration. If the Intel BG configuration enables this technology, then from that moment on only the owner of the private part of the OEM Root Key, i.e. the vendor, can update the BIOS on this system (i.e. is able to recalculate these manifests).


Looking at the figure, doubts immediately arise about the need for such a long verification chain: a single manifest could have been used. Why complicate things?

In fact, Intel thereby gives the vendor the opportunity to use different IBB keys for different product lines and one as the root key. If the private part of an IBB key (which signs the second manifest) leaks, the incident will affect only one product line, and only until the vendor generates a new pair and includes the recalculated manifests in the next BIOS update.

But if the root key (which signs the first manifest) is compromised, it will not be possible to replace it; no revocation procedure is provided. The hash of the public part of this key is programmed into the FPFs once and for all.

Intel Boot Guard configuration

Now let's take a closer look at the Intel BG configuration and the process of creating it. If you look at the corresponding tab in the GUI of the Flash Image Tool utility from the Intel System Tool Kit (STK), you will notice that the Intel BG configuration includes the hash of the public part of the vendor's root key, a couple of obscure values, and the so-called Intel BG profile.


The structure of this profile:

typedef struct BG_PROFILE
{
	unsigned long Force_Boot_Guard_ACM : 1;
	unsigned long Verified_Boot : 1;
	unsigned long Measured_Boot : 1;
	unsigned long Protect_BIOS_Environment : 1;
	unsigned long Enforcement_Policy : 2; // 00b – do nothing
                                              // 01b – shutdown with timeout
                                              // 11b – immediate shutdown
	unsigned long : 26;
};

In general, the Intel BG configuration is a very flexible entity. Consider, for example, the Force_Boot_Guard_ACM flag. When it is cleared, if the BG startup ACM module is not found on the SPI flash, no trusted boot will take place. It will be untrusted.

We already wrote above that the enforcement policy for VB mode can be configured so that, in the event of a verification error, an untrusted boot will, again, take place.

Leave such things to the discretion of vendors...

The utility's GUI provides the following "ready-made" profiles:

Number  Mode     Description
0       No_FVME  Intel BG technology is disabled
1       VE       VB mode enabled, shutdown on timeout
2       VME      both modes enabled (VB and MB), shutdown on timeout
3       VM       both modes enabled, without shutting down the system
4       FVE      VB mode enabled, immediate shutdown
5       FVME     both modes enabled, immediate shutdown

As we have already said, the Intel BG configuration must be written once and for all by the system vendor into the chipset fuses (FPFs): a small (according to unverified information, only 256 bytes) hardware storage of information inside the chipset that can be programmed outside Intel's production facilities (which is exactly why they are called Field Programmable Fuses).

It is well suited for storing the configuration because:

  • it has a one-time-programmable area for storing data (exactly where the Intel BG configuration is written);
  • only Intel ME can read and program it.

So, in order to set the Intel BG technology configuration on a specific system, the vendor does the following during production:

  1. Using the Flash Image Tool utility (from Intel STK), creates a firmware image with the given Intel BG configuration in the form of variables inside the Intel ME region (the so-called temporary mirror for FPFs);
  2. Using the Flash Programming Tool utility (from Intel STK), writes this image to the system's SPI flash memory and closes the so-called manufacturing mode (in this case, the corresponding command is sent to Intel ME).

As a result of these operations, Intel ME will commit the given values from the FPF mirror in the ME region to the FPFs, set the permissions in the SPI flash descriptors to the values recommended by Intel (described at the beginning of the article) and perform a system RESET.

Analysis of the Intel Boot Guard implementation

To analyse the implementation of this technology on a specific example, we checked the following systems for traces of Intel BG technology:

System                 Note
Gigabyte GA-H170-D3H   Skylake, support is present
Gigabyte GA-Q170-D3H   Skylake, support is present
Gigabyte GA-B150-HD3   Skylake, support is present
MSI H170A Gaming Pro   Skylake, no support
Lenovo ThinkPad 460    Skylake, support is present, technology enabled
Lenovo Yoga 2 Pro      Haswell, no support
Lenovo U330p           Haswell, no support

"Support" here means the presence of the Intel BG startup ACM module, the manifests mentioned above and the corresponding code in the BIOS, i.e. an implementation to analyse.

As an example, let's take the image of the SPI flash memory for the Gigabyte GA-H170-D3H (version F4) downloaded from the vendor's official website.

Intel CPU boot ROM

First, let's talk about the actions of the processor when Intel BG technology is enabled.

It was not possible to find samples of decrypted microcode, so how the actions described below are implemented (in microcode or in hardware) is an open question. Nevertheless, it is a fact that modern Intel processors "can" perform these actions.

After leaving the RESET state, the processor (the contents of the flash memory are already mapped into its address space) finds the FIT (Firmware Interface Table). It is easy to find: the pointer to it is written at address FFFF FFC0h.

In the example under consideration, the value FFD6 9500h is located at this address. Going to this address, the processor sees the FIT table, the contents of which are divided into records. The first record is a header with the following structure:

typedef struct FIT_HEADER
{
	char           Tag[8];     // ‘_FIT_   ’
	unsigned long  NumEntries; // including FIT header entry
	unsigned short Version;    // 1.0
	unsigned char  EntryType;  // 0
	unsigned char  Checksum;
};

For some unknown reason, the checksum is not always calculated in these tables (the field is left zero).

The remaining records point to various binaries that need to be parsed/executed before the BIOS is executed, i.e. before jumping to the legacy RESET vector (FFFF FFF0h). The structure of each such record is as follows:

typedef struct FIT_ENTRY
{
	unsigned long  BaseAddress;
	unsigned long  : 32;
	unsigned long  Size;
	unsigned short Version;     // 1.0
	unsigned char  EntryType;
	unsigned char  Checksum;
};

The EntryType field tells which type of block this record points to. We know several types:

enum FIT_ENTRY_TYPES
{
	FIT_HEADER = 0,
	MICROCODE_UPDATE,
	BG_ACM,
	BIOS_INIT = 7,
	TPM_POLICY,
	BIOS_POLICY,
	TXT_POLICY,
	BG_KEYM,
	BG_IBBM
};

Now it is obvious that one of the records points to the location of the Intel BG startup ACM binary. The header structure of this binary is typical of code modules developed by Intel (ACMs, microcode updates, Intel ME code sections, ...).

typedef struct BG_ACM_HEADER
{
	unsigned short ModuleType;     // 2
	unsigned short ModuleSubType;  // 3
	unsigned long  HeaderLength;   // in dwords
	unsigned long  : 32;
	unsigned long  : 32;
	unsigned long  ModuleVendor;   // 8086h
	unsigned long  Date;           // in BCD format
	unsigned long  TotalSize;      // in dwords
	unsigned long  unknown1[6];
	unsigned long  EntryPoint;
	unsigned long  unknown2[16];
	unsigned long  RsaKeySize;     // in dwords
	unsigned long  ScratchSize;    // in dwords
	unsigned char  RsaPubMod[256];
	unsigned long  RsaPubExp;
	unsigned char  RsaSig[256];
};

The processor loads this binary into its cache, verifies it and runs it.

Intel BG startup ACM

As a result of analysing how this ACM works, it became clear that it does the following:

  • obtains from Intel ME the Intel BG configuration written to the chipset fuses (FPFs);
  • finds the KEYM and IBBM manifests and verifies them.

To find these manifests, the ACM also uses the FIT table, which has two record types for pointing to these structures (see FIT_ENTRY_TYPES above).
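
The FIT walk described above, as an added example (not code from the original article or from Intel): a C routine that follows the pointer at FFFF FFC0h, walks the records using the FIT_HEADER / FIT_ENTRY layout given above, and reports whether the BG_ACM, BG_KEYM and BG_IBBM records point at structures carrying the signature fields listed on this page, which is what the article calls "support". Assumptions: the image is mapped so that it ends at FFFF FFFFh, bit 7 of EntryType is treated as the checksum-valid flag from Intel's FIT specification, and the function names and the 4 KiB sample image are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FIT_PTR_ADDR 0xFFFFFFC0u /* address holding the FIT pointer (from the article) */
#define FIT_REC_SIZE 16u         /* size of FIT_HEADER / FIT_ENTRY as laid out above */
enum { T_BG_ACM = 2, T_BG_KEYM = 11, T_BG_IBBM = 12 }; /* values of FIT_ENTRY_TYPES */
enum { SAMPLE_LEN = 0x1000 };    /* size of the constructed sample image */

typedef struct {
    int      found;                 /* a valid '_FIT_   ' header was located */
    uint32_t fit_addr, num_entries; /* physical address of the FIT, record count */
    int      has_acm, has_keym, has_ibbm;
} fit_report;

static uint32_t rd32(const uint8_t *p) /* little-endian 32-bit read */
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void wr32(uint8_t *p, uint32_t v) /* little-endian 32-bit write */
{
    for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i));
}

/* Assumption: the image is mapped so that its last byte sits at FFFF FFFFh.
   Returns 1 and the file offset if [addr, addr + need) lies inside the image. */
static int phys_to_off(uint32_t addr, size_t len, size_t need, size_t *off)
{
    if (len == 0 || (uint64_t)len > 0x100000000ULL) return 0;
    uint64_t base = 0x100000000ULL - len;
    if (addr < base || addr - base + need > len) return 0;
    *off = (size_t)(addr - base);
    return 1;
}

/* Walk the FIT and cross-check each Boot Guard record against the signature
   fields the article documents for the structure it should point to. */
fit_report fit_scan(const uint8_t *img, size_t len)
{
    fit_report r = {0};
    size_t fit, tgt;
    if (!phys_to_off(FIT_PTR_ADDR, len, 4, &fit)) return r;
    r.fit_addr = rd32(img + fit);
    if (!phys_to_off(r.fit_addr, len, FIT_REC_SIZE, &fit)) return r;
    if (memcmp(img + fit, "_FIT_   ", 8) != 0) return r;
    r.num_entries = rd32(img + fit + 8);            /* count includes the header */
    if (r.num_entries == 0 || r.num_entries > (len - fit) / FIT_REC_SIZE) return r;
    r.found = 1;
    for (uint32_t i = 1; i < r.num_entries; i++) {
        const uint8_t *e = img + fit + (size_t)i * FIT_REC_SIZE;
        if (!phys_to_off(rd32(e), len, 20, &tgt)) continue; /* BaseAddress outside image */
        const uint8_t *t = img + tgt;
        /* EntryType; bit 7 = checksum-valid flag per Intel's FIT spec (not in the page's struct) */
        uint8_t type = e[14] & 0x7F;
        if (type == T_BG_ACM)       /* BG_ACM_HEADER: ModuleType 2, ModuleVendor 8086h */
            r.has_acm |= (t[0] == 2 && t[1] == 0 && rd32(t + 16) == 0x8086u);
        else if (type == T_BG_KEYM)
            r.has_keym |= (memcmp(t, "__KEYM__", 8) == 0);
        else if (type == T_BG_IBBM) /* an IBBM begins with its ACBP structure */
            r.has_ibbm |= (memcmp(t, "__ACBP__", 8) == 0);
    }
    return r;
}

/* Constructed sample (not from a real board): a 4 KiB image mapped at
   FFFF F000h with the FIT at offset 100h and its pointer at offset FC0h. */
void make_sample(uint8_t *img)
{
    const uint32_t map = 0xFFFFF000u;
    const struct { uint32_t off; uint8_t type; } rec[] = {
        { 0x400, T_BG_ACM }, { 0x800, T_BG_KEYM }, { 0xA00, T_BG_IBBM } };
    memset(img, 0, SAMPLE_LEN);
    memcpy(img + 0x100, "_FIT_   ", 8);
    wr32(img + 0x108, 4);                      /* NumEntries, header included */
    for (int i = 0; i < 3; i++) {
        uint8_t *e = img + 0x100 + (i + 1) * FIT_REC_SIZE;
        wr32(e, map + rec[i].off);             /* BaseAddress */
        e[14] = rec[i].type;                   /* EntryType */
    }
    img[0x400] = 2; img[0x402] = 3;            /* ModuleType, ModuleSubType */
    wr32(img + 0x410, 0x8086u);                /* ModuleVendor */
    memcpy(img + 0x800, "__KEYM__", 8);
    memcpy(img + 0xA00, "__ACBP__", 8);
    wr32(img + 0xFC0, map + 0x100);            /* FIT pointer at FFFF FFC0h */
}

int main(void)
{
    static uint8_t img[SAMPLE_LEN];
    make_sample(img);
    fit_report r = fit_scan(img, sizeof img);
    printf("FIT %s at %08Xh, %u records, ACM=%d KEYM=%d IBBM=%d\n", r.found ? "found" : "missing",
           (unsigned)r.fit_addr, (unsigned)r.num_entries, r.has_acm, r.has_keym, r.has_ibbm);
    return 0;
}
```

A record whose target fails the signature check is not counted, so a FIT that merely lists a manifest type without a matching structure behind it is reported as lacking that component.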

Let's take a closer look at the manifests. In the structure of the first manifest, we see several obscure constants, the hash of the public key from the second manifest, and the OEM Root Key public key with its signature as a nested structure:

typedef struct KEY_MANIFEST
{
	char           Tag[8];          // ‘__KEYM__’
	unsigned char  : 8;             // 10h
	unsigned char  : 8;             // 10h
	unsigned char  : 8;             // 0
	unsigned char  : 8;             // 1
	unsigned short : 16;            // 0Bh
	unsigned short : 16;            // 20h == hash size?
	unsigned char  IbbmKeyHash[32]; // SHA256 of an IBBM public key
	BG_RSA_ENTRY   OemRootKey;
};

typedef struct BG_RSA_ENTRY
{
	unsigned char  : 8;             // 10h
	unsigned short : 16;            // 1
	unsigned char  : 8;             // 10h
	unsigned short RsaPubKeySize;   // 800h
	unsigned long  RsaPubExp;
	unsigned char  RsaPubKey[256];
	unsigned short : 16;            // 14
	unsigned char  : 8;             // 10h
	unsigned short RsaSigSize;      // 800h
	unsigned short : 16;            // 0Bh
	unsigned char  RsaSig[256];
};

To verify the OEM Root Key public key, recall that the SHA256 hash from the fuses is used, which by this point has already been obtained from Intel ME.

Let's move on to the second manifest. It consists of three structures:

typedef struct IBB_MANIFEST
{
	ACBP Acbp;         // Boot policies
	IBBS Ibbs;         // IBB description
	IBB_DESCRIPTORS[];
	PMSG Pmsg;         // IBBM signature
};

The first contains some constants:

typedef struct ACBP
{
	char           Tag[8];          // ‘__ACBP__’
	unsigned char  : 8;             // 10h
	unsigned char  : 8;             // 1
	unsigned char  : 8;             // 10h
	unsigned char  : 8;             // 0
	unsigned short : 16;            // x & F0h = 0
	unsigned short : 16;            // 0 < x <= 400h
};

The second contains the SHA256 hash of the IBB and the number of descriptors that describe the contents of the IBB (i.e. what the hash is calculated from):

typedef struct IBBS
{
	char           Tag[8];            // ‘__IBBS__’
	unsigned char  : 8;               // 10h
	unsigned char  : 8;               // 0
	unsigned char  : 8;               // 0
	unsigned char  : 8;               // x <= 0Fh
	unsigned long  : 32;              // x & FFFFFFF8h = 0
	unsigned long  Unknown[20];
	unsigned short : 16;              // 0Bh
	unsigned short : 16;              // 20h == hash size ?
	unsigned char  IbbHash[32];       // SHA256 of an IBB
	unsigned char  NumIbbDescriptors;
};

The IBB descriptors follow this structure, one after another. Their contents have the following format:

typedef struct IBB_DESCRIPTOR
{
	unsigned long  : 32;
	unsigned long  BaseAddress;
	unsigned long  Size;
};

It's simple: each descriptor contains the address/size of an IBB chunk. Thus, the concatenation of the blocks pointed to by these descriptors (in the order of the descriptors themselves) is the IBB. And, as a rule, the IBB is the collection of all modules of the SEC and PEI phases.

The second manifest ends with a structure containing the IBB public key (verified by the SHA256 hash from the first manifest) and the signature of this manifest:

typedef struct PMSG
{
	char           Tag[8];            // ‘__PMSG__’
	unsigned char  : 8;               // 10h
	BG_RSA_ENTRY   IbbKey;
};

So, even before the UEFI BIOS begins executing, the processor will launch the ACM, which will verify the authenticity of the contents of the sections with the SEC and PEI phase code. Next, the processor exits the ACM, follows the RESET vector and begins executing the BIOS.

The verified PEI partition must contain a module that will check the rest of the BIOS (the DXE code). This module is already developed by the IBV (Independent BIOS Vendor) or the system vendor itself. Since only Lenovo and Gigabyte systems were at our disposal and had Intel BG support, let's look at the code extracted from these systems.

UEFI BIOS module LenovoVerifiedBootPei

In the case of Lenovo, it turned out to be the LenovoVerifiedBootPei module {B9F2AC77-54C7-4075-B42E-C36325A9468D}, developed by Lenovo.

Its job is to look up (by GUID) the hash table for DXE and verify the DXE.

if (EFI_PEI_SERVICES->GetBootMode() != BOOT_ON_S3_RESUME)
{
	if (!FindHashTable())
		return EFI_NOT_FOUND;
	if (!VerifyDxe())
		return EFI_SECURITY_VIOLATION;
}

The hash table {389CC6F2-1EA8-467B-AB8A-78E769AE2A15} has the following format:

typedef struct HASH_TABLE
{
	char          Tag[8];            // ‘$HASHTBL’
	unsigned long NumDxeDescriptors;
	DXE_DESCRIPTORS[];
};

typedef struct DXE_DESCRIPTOR
{
	unsigned char BlockHash[32];     // SHA256
	unsigned long Offset;
	unsigned long Size;
};

UEFI BIOS module BootGuardPei

In the case of Gigabyte, it turned out to be the BootGuardPei module {B41956E1-7CA2-42DB-9562-168389F0F066}, developed by AMI and therefore present in any AMI BIOS with Intel BG support.

Its algorithm of operation is somewhat different, but it boils down to the same thing:

int bootMode = EFI_PEI_SERVICES->GetBootMode();

if (bootMode != BOOT_ON_S3_RESUME &&
    bootMode != BOOT_ON_FLASH_UPDATE &&
    bootMode != BOOT_IN_RECOVERY_MODE)
{
	HOB* h = CreateHob();
	if (!FindHashTable())
		return EFI_NOT_FOUND;
	WriteHob(&h, VerifyDxe());
	return h;
}

The hash table {389CC6F2-1EA8-467B-AB8A-78E769AE2A15} that it looks for has the following format:

typedef struct DXE_DESCRIPTOR
{
	unsigned char BlockHash[32];     // SHA256
	unsigned long BaseAddress;
	unsigned long Size;
};

typedef struct DXE_DESCRIPTOR HASH_TABLE[]; // the table is a bare array of descriptors

Intel Boot Guard 2.x

Let's briefly talk about another implementation of Intel Boot Guard, which was found in a newer system based on an Intel SoC with the Apollo Lake microarchitecture: the ASRock J4205-IT.

Although this version will be used only in SoCs (new systems with the Kaby Lake processor microarchitecture continue to use Intel Boot Guard 1.x), it is of great interest for studying a new architecture option for Intel SoC platforms, which has seen significant changes, for example:

  • the BIOS and Intel ME regions (or rather Intel TXE, according to Intel SoC terminology) are now a single IFWI region;
  • although Intel BG was enabled on the platform, structures such as FIT, KEYM and IBBM were not found in the flash memory;
  • in addition to the TXE and ISH cores (x86), a third core was added to the chipset (ARC again, by the way): the PMC (Power Management Controller), associated with ensuring the operability of the power subsystem and performance monitoring.

The contents of the new IFWI region are a set of the following modules:

Offset      Name  Description
0000h       SMIP  some platform configuration, signed by the vendor
0000h       RBEP  Intel TXE firmware code section, x86, signed by Intel
0001h       PMCP  Intel PMC firmware code section, ARC, signed by Intel
0002h       FTPR  Intel TXE firmware code section, x86, signed by Intel
0007 B000h  UCOD  microcode updates for the CPU, signed by Intel
0008h       IBBP  UEFI BIOS, SEC/PEI phases, x86, signed by the vendor
0021h       ISHC  Intel ISH firmware code section, x86, signed by the vendor
0025h       NFTP  Intel TXE firmware code section, x86, signed by Intel
0036h       IUNP  unknown
0038h       OBBP  UEFI BIOS, DXE phase, x86, not signed

During the analysis of the TXE firmware, it became clear that immediately after RESET, TXE holds the processor in this state until it has prepared the basic contents of the address space for the CPU (FIT, ACM, RESET vector ...). Moreover, TXE places this data in its own SRAM, after which it temporarily gives the processor access there and "releases" it from RESET.

On guard of rootkits

Well, now let's move on to the "hot" stuff. We once discovered that on many systems the SPI flash descriptors contain permissions for accessing the SPI flash memory regions such that all users of this memory can both write and read any region. That is, in effect, no restrictions at all.

After checking with the MEinfo utility (from Intel STK), we saw that manufacturing mode on these systems was not closed, and therefore the chipset fuses (FPFs) were left in an undefined state. Yes, Intel BG is neither enabled nor disabled in such cases.

We are talking about the following systems (as regards Intel BG and what will be described later in the article, we are talking about systems with the Haswell processor microarchitecture and above):

  • all Gigabyte products;
  • all MSI products;
  • 21 models of Lenovo laptops and 4 models of Lenovo servers.

Of course, we reported the finding to these vendors, as well as to Intel.

An adequate response came only from Lenovo, who acknowledged the problem and released a patch.

Gigabyte seemed to accept the information about the vulnerability, but did not comment in any way.

Communication with MSI stalled completely at our request to send their public PGP key (in order to send them the security advisory in encrypted form). They stated that they "are a hardware manufacturer and do not produce PGP keys".

But let's get to the point. Since the fuses are left in an undefined state, the user (or an attacker) can program them on their own (the hardest part is finding Intel STK). To do this, you need to complete the following steps.

1. Boot into Windows (in general, the actions described below can also be done from under Linux, if you develop an analogue of Intel STK for the desired OS). Using the MEinfo utility, make sure that the fuses are not programmed on this system.

2. Read the contents of the flash memory using the Flash Programming Tool.

3. Open the read image with any UEFI BIOS editing tool, make the necessary changes (implant a rootkit, for example), and create or edit the existing KEYM and IBBM structures in the ME region.

The picture shows the public part of the RSA key, whose hash will be programmed into the chipset fuses together with the rest of the Intel BG configuration.

4. Using the Flash Image Tool, build a new firmware image (setting the Intel BG configuration).

5. Write the new image to flash memory using the Flash Programming Tool, and verify with MEinfo that the ME region now contains the Intel BG configuration.

6. Use the Flash Programming Tool to close manufacturing mode.

7. The system will reboot, after which you can use MEinfo to verify that the FPFs are now programmed.

These actions permanently enable Intel BG on this system. The action cannot be undone, which means:

  • only the owner of the private part of the root key (i.e., whoever enabled Intel BG) will be able to update the UEFI BIOS on this system;
  • if you restore the original firmware on this system, for example with a programmer, it will not even power on (a consequence of the enforcement policy in the event of a verification error);
  • to get rid of such a UEFI BIOS, you need to replace the chipset with programmed FPFs with a "clean" one (i.e., re-solder the chipset if you have access to an infrared soldering station that costs as much as a car, or simply replace the motherboard).

To understand what such a rootkit can do, you need to assess what makes it possible to execute your code in the UEFI BIOS environment. Say, in the most privileged processor mode, SMM. Such a rootkit can have the following properties:

  • it runs in parallel with the OS (you can configure the generation of an SMI interrupt, triggered by a timer);
  • it has all the advantages of being in SMM (full access to the contents of RAM and to hardware resources, concealment from the OS);
  • the rootkit's code can be stored encrypted and decrypted when it is launched in SMM. Any data available only in SMM can be used as the encryption key, for example a hash of a set of addresses in SMRAM. To obtain this key, you would need to get into SMM. That can be done in two ways: find an RCE in SMM code and exploit it, or add your own SMM module to the BIOS, which is impossible since we have enabled Boot Guard.

Thus, this vulnerability allows an attacker to:

  • create a hidden, unremovable rootkit of unknown purpose in the system;
  • execute their code on one of the chipset cores inside the Intel SoC, namely on Intel ISH (look carefully at the picture).

Although the capabilities of the Intel ISH subsystem have not yet been explored, it appears to be an interesting attack vector against Intel ME.

Conclusions

  1. The study produced a technical description of how the Intel Boot Guard technology works. Minus a couple of secrets in Intel's security-through-obscurity model.
  2. An attack scenario was presented that allows an unremovable rootkit to be created in the system.
  3. We saw that modern Intel processors are capable of executing a lot of proprietary code even before the BIOS starts running.
  4. Platforms with the Intel 64 architecture are becoming less and less suitable for running free software: hardware verification, a growing number of proprietary technologies and subsystems (three cores in the SoC chipset: x86 ME, x86 ISH and ARC PMC).

Mitigation

Vendors who deliberately leave manufacturing mode open should make sure to close it. So far they are only closing their eyes, and the new Kaby Lake systems show this.

Users can disable Intel BG on their systems (those affected by the described vulnerability) by running the Flash Programming Tool with the -closemnf parameter. First, you should make sure (using MEinfo) that the Intel BG configuration in the ME region provides for turning this technology off once the FPFs are programmed.

Source: www.habr.com
