Schrödinger's trusted boot. Intel Boot Guard

We propose to go down to a low level once again and talk about the security of the firmware of x86-compatible computer platforms. This time, the main ingredient of the research is Intel Boot Guard (not to be confused with Intel BIOS Guard!), a hardware-supported trusted boot technology for the BIOS that the computer system vendor can permanently enable or disable at the production stage. Well, we already know the research recipe: thinly slice the implementation of this technology with reverse engineering, describe its architecture, stuff it with undocumented details, season with attack vectors to taste and mix. Let's add some fire with a story about how a bug cloned for years in the production of several vendors allows a potential attacker to use this technology to create a hidden rootkit in the system that cannot be removed (even with a hardware programmer).

By the way, the article is based on the talks "On Guard for Rootkits: Intel BootGuard" from the ZeroNights 2016 conference and the 29th DefCon Russia meeting (both presentations here).

Firmware of a computer platform with the Intel 64 architecture

First, let's answer the question: what is the firmware of a modern computer platform with the Intel 64 architecture? UEFI BIOS, of course. But that answer is not precise. Let's look at the figure, which shows the desktop (laptop) version of this architecture.

The core is the pairing of:

  • The processor (CPU, Central Processing Unit), which, in addition to the main cores, has an integrated graphics core (not in all models) and a memory controller (IMC, Integrated Memory Controller);
  • The chipset (PCH, Platform Controller Hub), which contains various controllers for interacting with peripheral devices and managing subsystems. Among them is the notorious Intel Management Engine (ME), which also has its own firmware (Intel ME firmware).

Laptops, in addition to the above, need an embedded controller (ACPI EC, Advanced Control and Power Interface Embedded Controller), which is responsible for the operation of the power subsystem, the touchpad, the keyboard, the Fn keys (screen brightness, sound volume, keyboard backlight, etc.) and more. It, too, has its own firmware.

So, the combination of the firmware listed above is the firmware of the computer platform (system firmware), which is stored on a shared SPI flash memory. So that the users of this memory do not get confused about whose data lies where, the contents of this memory are divided into the following regions (as shown in the figure):

  • UEFI BIOS;
  • ACPI EC firmware (a separate region appeared with the Skylake processor microarchitecture (2015), but we have not yet seen examples of its use in the wild, so the embedded controller firmware is still part of the UEFI BIOS);
  • Intel ME firmware;
  • the configuration (MAC address, etc.) of the built-in GbE (Gigabit Ethernet) network adapter;
  • flash descriptors: the main region of the flash memory, which contains pointers to the other regions as well as the permissions for accessing them.

Access to the regions (in accordance with the specified permissions) is arbitrated by the SPI bus master, the SPI controller built into the chipset, through which this memory is accessed. If the permissions are set to the values recommended (for security reasons) by Intel, each SPI flash user has full access (read/write) only to its own region. The rest are either read-only or inaccessible. A known fact: on many systems, the CPU has full access to the UEFI BIOS and GbE regions, read-only access to the flash descriptors, and no access at all to the Intel ME region. Why on many and not on all? What is recommended is optional. We will say more about this later in the article.

Mechanisms for protecting computer platform firmware from modification

Obviously, the firmware of a computer platform must be protected from possible compromise, which would allow a potential attacker to gain a foothold in it (surviving OS updates and reinstallation), execute their code in the most privileged modes, and so on. And restricting access to the SPI flash memory regions is, of course, not enough. Therefore, various mechanisms specific to each execution environment are used to protect the firmware from modification.

So, the Intel ME firmware is signed for integrity and authenticity control, and is checked by the ME controller each time it is loaded into ME UMA memory. We have already discussed this verification process in one of the articles dedicated to the Intel ME subsystem.

The ACPI EC firmware, as a rule, is checked only for integrity. However, because this binary is included in the UEFI BIOS, it is almost always subject to the same protection mechanisms that the UEFI BIOS uses. Let's talk about them.

These mechanisms can be divided into two categories.

Write protection of the UEFI BIOS region

  1. Physical protection of the SPI flash memory contents with a write-protect jumper;
  2. Protection of the projection of the UEFI BIOS region in the CPU address space using the PRx registers of the chipset;
  3. Blocking attempts to write to the UEFI BIOS region by generating and handling the corresponding SMI interrupt, by setting the BIOS_WE / BLE and SMM_BWP bits in the chipset registers;
  4. A more advanced version of this protection is Intel BIOS Guard (PFAT).

In addition to these mechanisms, vendors can develop and apply their own security measures (for example, signing capsules with UEFI BIOS updates).

It is important to note that on a particular system (depending on the vendor), not all of the protection mechanisms above may be applied, they may not be applied at all, or they may be implemented in a vulnerable way. You can read more about these mechanisms and the state of their implementation in this article. For those interested, we recommend reading the whole series of articles on UEFI BIOS security by CodeRush.

UEFI BIOS authenticity verification

When we talk about trusted boot technologies, the first thing that comes to mind is Secure Boot. However, architecturally, it is designed to verify components external to the UEFI BIOS (drivers, loaders, etc.), not the firmware itself.

Therefore, Intel implemented a hardware Secure Boot that cannot be changed (Verified Boot) in SoCs with the Bay Trail microarchitecture (2012), which has nothing in common with the Secure Boot technology mentioned above. Later (2013), this mechanism was improved and, under the name Intel Boot Guard, was released for desktops with the Haswell microarchitecture.

Before describing Intel Boot Guard, let's look at the execution environments in the Intel 64 architecture which, taken together, are the roots of trust for this trusted boot technology.

Intel CPU

Captain Obvious suggests that the processor is the main execution environment in the Intel 64 architecture. Why is it also a root of trust? It turns out that it is the possession of the following elements that makes it so:

  • Microcode ROM is non-volatile, non-rewritable memory for storing microcode. It is believed that microcode is the implementation of the processor's instruction set in terms of simpler instructions. Bugs happen in microcode too. So in the BIOS you can find binaries with microcode updates (they are overlaid at boot time, because the ROM cannot be overwritten). The contents of these binaries are encrypted, which makes analysis much harder (so the specific contents of the microcode are known only to those who develop it), and signed for integrity and authenticity control;
  • an AES key for decrypting the contents of microcode updates;
  • the hash of the RSA public key that verifies the signature of microcode updates;
  • the hash of the RSA public key that checks the signature of the Intel-developed ACM (Authenticated Code Module) code modules, which the CPU can run before the BIOS starts (hello, microcode) or during its operation, when certain events occur.

Intel ME

Two articles on our blog have been devoted to this subsystem. Recall that this execution environment is based on a microcontroller built into the chipset and is the most hidden and privileged one in the system.

Despite its stealth, Intel ME is also a root of trust, because it has:

  • ME ROM: non-volatile, non-rewritable memory (no update method is provided), containing the start code as well as the SHA256 hash of the RSA public key that checks the signature of the Intel ME firmware;
  • an AES key for storing secret information;
  • access to a set of fuses (FPFs, Field Programmable Fuses) integrated into the chipset for permanent storage of some information, including information specified by the computer system vendor.

Intel Boot Guard 1.x

A small disclaimer. The version numbers of the Intel Boot Guard technology that we use in this article are arbitrary and may have nothing to do with the numbering used in internal Intel documentation. In addition, the information about the implementation of this technology given here was obtained through reverse engineering, and may contain inaccuracies compared to the Intel Boot Guard specification, which is unlikely ever to be published.

So, Intel Boot Guard (BG) is a hardware-supported technology for verifying the authenticity of the UEFI BIOS. Judging by its short description in the book [Platform Embedded Security Technology Revealed, chapter Boot with Integrity, or Not Boot], it works as a trusted boot chain. The first link in it is the boot code (microcode) inside the CPU, which is triggered by the RESET event (not to be confused with the RESET vector in the BIOS!). The CPU finds the code module developed and signed by Intel (the Intel BG startup ACM) on the SPI flash memory, loads it into its cache, verifies it (it was already noted above that the CPU has the hash of the public key that verifies the ACM signature) and runs it.

This code module is responsible for verifying a small initial part of the UEFI BIOS, the Initial Boot Block (IBB), which, in turn, contains the functionality for verifying the main part of the UEFI BIOS. Thus, Intel BG lets you verify the authenticity of the BIOS before the OS boots (which can itself be done under the supervision of the Secure Boot technology).

The Intel BG technology provides two modes of operation (and one does not interfere with the other, i.e. both modes can be enabled on a system, and both can be disabled).

Measured Boot

In Measured Boot (MB) mode, each boot component (starting with the CPU boot ROM) "measures" the next one using the capabilities of the Trusted Platform Module (TPM). For those who don't know, let me explain.

The TPM has PCRs (Platform Configuration Registers), which record the result of a hashing operation according to the formula:

That is, the current PCR value depends on the previous one, and these registers are reset only when the system is RESET.

Thus, in MB mode, at any point in time the PCRs reflect a unique (within the capabilities of the hash operation) identifier of the code or data that was "measured". PCR values can be used in the operation of encrypting some data (TPM_Seal). After that, decrypting it (TPM_Unseal) will be possible only if the PCR values have not changed as a result of booting (i.e. not a single "measured" component has been modified).
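The measure-then-seal behaviour described above, as an added example that is not part of the original article. It uses the standard TPM extend operation, PCR_new = H(PCR_old || H(measured data)), with a SHA-256 bank as an assumption; `seal` and `unseal` are hypothetical stand-ins that model only the PCR comparison, not the TPM's encryption, and the component names are constructed.

```python
import hashlib
import hmac

PCR_SIZE = 32  # assumption: SHA-256 PCR bank (a SHA-1 bank would be 20 bytes)


def extend(pcr: bytes, measured: bytes) -> bytes:
    """TPM extend: the new value depends on the old value and the new digest."""
    return hashlib.sha256(pcr + hashlib.sha256(measured).digest()).digest()


def measure_chain(components) -> bytes:
    """Replay a boot: start from the reset value and extend once per component."""
    pcr = bytes(PCR_SIZE)  # PCRs return to this value only on platform RESET
    for blob in components:
        pcr = extend(pcr, blob)
    return pcr


def seal(secret: bytes, pcr_at_seal_time: bytes) -> dict:
    """Hypothetical model of TPM_Seal: bind a secret to a PCR value."""
    return {"policy_pcr": pcr_at_seal_time, "secret": secret}


def unseal(sealed: dict, current_pcr: bytes):
    """Hypothetical model of TPM_Unseal: release only if the PCR is unchanged."""
    if hmac.compare_digest(sealed["policy_pcr"], current_pcr):
        return sealed["secret"]
    return None


# Constructed stand-ins for the measured boot components.
GOOD_BOOT = [b"startup ACM", b"IBB (SEC+PEI)", b"DXE volume"]
TAMPERED_BOOT = [b"startup ACM", b"IBB (SEC+PEI)", b"DXE volume, modified"]


def demo():
    sealed = seal(b"disk key", measure_chain(GOOD_BOOT))
    return (
        unseal(sealed, measure_chain(GOOD_BOOT)),        # same chain: released
        unseal(sealed, measure_chain(TAMPERED_BOOT)),    # one component changed
        unseal(sealed, measure_chain(GOOD_BOOT[::-1])),  # same blobs, other order
    )


if __name__ == "__main__":
    print(demo())
```
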

Verified Boot

The scariest thing for those who like to modify the UEFI BIOS is Verified Boot (VB) mode, in which each boot component cryptographically verifies the integrity and authenticity of the next one. And in the event of a verification error, one of the following happens:

  • shutdown on a timeout of 1 minute to 30 minutes (so that the user has time to understand why their computer does not boot and, if possible, can try to restore the BIOS);
  • immediate shutdown (so that the user does not have time to understand anything, let alone do anything);
  • continuation of operation with a straight face (the case when there is no time for security, because there are more important things to do).

The choice of action depends on the specified Intel BG configuration (namely, on the so-called enforcement policy), which is permanently written by the computer platform vendor to specially designed storage, the chipset fuses (FPFs). We will dwell on this point in more detail later.

In addition to the configuration, the vendor generates two RSA 2048 keys and creates two data structures (shown in the figure):

  1. The vendor root key manifest (KEYM, OEM Root Key Manifest), which holds the SVN (Security Version Number) of this manifest, the SHA256 hash of the public key of the next manifest, the RSA public key (i.e. the public part of the vendor root key) for verifying the signature of this manifest, and the signature itself;
  2. The IBB Manifest (IBBM, Initial Boot Block Manifest), which holds the SVN of this manifest, the SHA256 hash of the IBB, the public key for verifying the signature of this manifest, and the signature itself.

The SHA256 hash of the OEM Root Key is permanently written to the chipset fuses (FPFs), just like the Intel BG configuration. If the Intel BG configuration provides for enabling this technology, then from now on only the owner of the private part of the OEM Root Key can update the BIOS on this system (i.e. be able to recalculate these manifests), that is, the vendor.

Looking at the picture, doubts immediately arise about the need for such a long verification chain: a single manifest could have been used. Why complicate things?

In fact, Intel thereby gives the vendor the opportunity to use different IBB keys for different product lines and one key as the root. If the private part of an IBB key (which signs the second manifest) leaks, the incident will affect only one product line, and only until the vendor generates a new pair and includes the recalculated manifests in the next BIOS update.

But if the root key (with which the first manifest is signed) is compromised, it will not be possible to replace it; no revocation procedure is provided, since the hash of the public part of this key is programmed into the FPFs once and for all.

Intel Boot Guard configuration

Now let's take a closer look at the Intel BG configuration and the process of creating it. If you look at the corresponding tab in the GUI of the Flash Image Tool from the Intel System Tool Kit (STK), you will notice that the Intel BG configuration includes the hash of the public part of the vendor root key, a couple of obscure values and the like, and the Intel BG profile.

The structure of this profile:

typedef struct BG_PROFILE
{
	unsigned long Force_Boot_Guard_ACM : 1;
	unsigned long Verified_Boot : 1;
	unsigned long Measured_Boot : 1;
	unsigned long Protect_BIOS_Environment : 1;
	unsigned long Enforcement_Policy : 2; // 00b – do nothing
                                              // 01b – shutdown with timeout
                                              // 11b – immediate shutdown
	unsigned long : 26;
};

In general, the Intel BG configuration is a very flexible entity. Consider, for example, the Force_Boot_Guard_ACM flag. If it is cleared and the BG startup ACM module is not found on the SPI flash, no trusted boot will take place. The boot will be untrusted.

We already wrote above that the enforcement policy for VB mode can be configured so that if verification fails, again, an untrusted boot will take place.

Leave such things to the vendors...

The utility's GUI provides the following "ready-made" profiles:

Number  Mode     Description
0       No_FVME  Intel BG technology disabled
1       VE       VB mode enabled, shutdown on timeout
2       VME      both modes enabled (VB and MB), shutdown on timeout
3       VM       both modes enabled, without shutting the system down
4       FVE      VB mode enabled, immediate shutdown
5       FVME     both modes enabled, immediate shutdown

As already mentioned, the Intel BG configuration must be written once and for all by the system vendor to the chipset fuses (FPFs), a small (according to unverified information, only 256 bytes) hardware information store inside the chipset that can be programmed outside Intel's production facilities (hence Field Programmable fuses).

It is well suited for storing configuration because:

  • it has a one-time programmable area for storing data (exactly where the Intel BG configuration is written);
  • only Intel ME can read and program it.

So, to set the configuration of the Intel BG technology on a particular system, the vendor does the following during production:

  1. Using the Flash Image Tool (from the Intel STK), creates a firmware image with the given Intel BG configuration as variables inside the Intel ME region (the so-called temporary mirror of the FPFs);
  2. Using the Flash Programming Tool (from the Intel STK), writes this image to the system's SPI flash memory and closes the so-called manufacturing mode (in this case, the corresponding command is sent to Intel ME).

As a result of these operations, Intel ME commits the given values from the FPF mirror in the ME region to the FPFs, sets the permissions in the SPI flash descriptors to the values recommended by Intel (described at the beginning of the article) and performs a system RESET.

Intel Boot Guard implementation analysis

To analyze the implementation of this technology on a specific example, we checked the following systems for traces of the Intel BG technology:

System                   Note
Gigabyte GA-H170-D3H     Skylake, support present
Gigabyte GA-Q170-D3H     Skylake, support present
Gigabyte GA-B150-HD3     Skylake, support present
MSI H170A Gaming Pro     Skylake, no support
Lenovo ThinkPad 460      Skylake, support present, technology enabled
Lenovo Yoga 2 Pro        Haswell, no support
Lenovo U330p             Haswell, no support

"Support" means the presence of the Intel BG startup ACM module, the manifests mentioned above and the corresponding code in the BIOS, i.e. implementations available for analysis.

As an example, let's take the SPI flash memory image for the Gigabyte GA-H170-D3H (version F4), downloaded from the vendor's official website.

Intel CPU boot ROM

First, let's talk about the actions of the processor when the Intel BG technology is enabled.

We could not find samples of decrypted microcode, so how the actions described below are implemented (in microcode or in hardware) is an open question. Nevertheless, it is a fact that modern Intel processors "can" perform these actions.

After leaving the RESET state, the processor (in whose address space the contents of the flash memory are already mapped) locates the FIT (Firmware Interface Table). Finding it is easy: the pointer to it is written at address FFFF FFC0h.

In this example, this address contains the value FFD6 9500h. Going to this address, the processor sees the FIT table, whose contents are divided into entries. The first entry is a header with the following structure:

typedef struct FIT_HEADER
{
	char           Tag[8];     // ‘_FIT_   ’
	unsigned long  NumEntries; // including FIT header entry
	unsigned short Version;    // 1.0
	unsigned char  EntryType;  // 0
	unsigned char  Checksum;
};

For some unknown reason, the checksum is not always calculated in these tables (the field is left empty).

The remaining entries point to various binaries that need to be parsed / executed before the BIOS is run, i.e. before switching to the legacy RESET vector (FFFF FFF0h). The structure of each such entry is as follows:

typedef struct FIT_ENTRY
{
	unsigned long  BaseAddress;
	unsigned long  : 32;
	unsigned long  Size;
	unsigned short Version;     // 1.0
	unsigned char  EntryType;
	unsigned char  Checksum;
};

The EntryType field indicates the type of block this entry points to. We know several types:

enum FIT_ENTRY_TYPES
{
	FIT_HEADER = 0,
	MICROCODE_UPDATE,
	BG_ACM,
	BIOS_INIT = 7,
	TPM_POLICY,
	BIOS_POLICY,
	TXT_POLICY,
	BG_KEYM,
	BG_IBBM
};

Now it is clear that one of the entries points to the location of the Intel BG startup ACM binary. The header structure of this binary is typical for code modules developed by Intel (ACMs, microcode updates, Intel ME code sections, ...).

typedef struct BG_ACM_HEADER
{
	unsigned short ModuleType;     // 2
	unsigned short ModuleSubType;  // 3
	unsigned long  HeaderLength;   // in dwords
	unsigned long  : 32;
	unsigned long  : 32;
	unsigned long  ModuleVendor;   // 8086h
	unsigned long  Date;           // in BCD format
	unsigned long  TotalSize;      // in dwords
	unsigned long  unknown1[6];
	unsigned long  EntryPoint;
	unsigned long  unknown2[16];
	unsigned long  RsaKeySize;     // in dwords
	unsigned long  ScratchSize;    // in dwords
	unsigned char  RsaPubMod[256];
	unsigned long  RsaPubExp;
	unsigned char  RsaSig[256];
};

The processor loads this binary into its cache, verifies it and runs it.
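The FIT walk described in this section, as an added example for inspecting an SPI flash dump offline (not code from the original article). It assumes the dump's last byte is mapped at FFFF FFFFh and uses the FIT_HEADER / FIT_ENTRY layouts given above; the 7Fh mask on EntryType follows Intel's public FIT specification, where bit 7 is the checksum-valid flag. Function names and the sample image are constructed.

```python
import struct

FLASH_TOP = 1 << 32                 # assumption: dump ends at FFFF FFFFh
FIT_POINTER = 0xFFFFFFC0            # address holding the pointer to the FIT
HEADER = struct.Struct("<8sIHBB")   # Tag, NumEntries, Version, EntryType, Checksum
ENTRY = struct.Struct("<IIIHBB")    # BaseAddress, reserved, Size, Version, EntryType, Checksum
TYPES = {0: "FIT_HEADER", 1: "MICROCODE_UPDATE", 2: "BG_ACM", 7: "BIOS_INIT",
         8: "TPM_POLICY", 9: "BIOS_POLICY", 10: "TXT_POLICY",
         11: "BG_KEYM", 12: "BG_IBBM"}
BOOT_GUARD_TYPES = ("BG_ACM", "BG_KEYM", "BG_IBBM")


def phys_to_offset(image, addr, length):
    """Translate a physical address to a file offset, refusing anything outside the dump."""
    off = addr - (FLASH_TOP - len(image))
    if off < 0 or off + length > len(image):
        raise ValueError("address %#x (+%d) is outside the flash dump" % (addr, length))
    return off


def parse_fit(image):
    """Return the FIT entries (header excluded) as a list of dicts."""
    (fit_addr,) = struct.unpack_from("<I", image, phys_to_offset(image, FIT_POINTER, 4))
    fit_off = phys_to_offset(image, fit_addr, HEADER.size)
    tag, count, _version, etype, _checksum = HEADER.unpack_from(image, fit_off)
    if tag != b"_FIT_   " or (etype & 0x7F) != 0 or count < 1:
        raise ValueError("no valid FIT header at %#x" % fit_addr)
    phys_to_offset(image, fit_addr, count * ENTRY.size)  # whole table must fit
    entries = []
    for i in range(1, count):
        base, _, size, version, etype, _ = ENTRY.unpack_from(image, fit_off + i * ENTRY.size)
        etype &= 0x7F
        try:
            phys_to_offset(image, base, 1)
            in_image = True
        except ValueError:
            in_image = False
        entries.append({"type": TYPES.get(etype, "UNKNOWN_%d" % etype),
                        "base": base, "size": size, "version": version,
                        "in_image": in_image})
    return entries


def boot_guard_gaps(entries):
    """Boot Guard 1.x needs the ACM and both manifests; list what the FIT lacks."""
    present = {e["type"] for e in entries if e["in_image"]}
    return [name for name in BOOT_GUARD_TYPES if name not in present]


def build_sample_image(size=0x10000, drop=()):
    """Constructed 64 KiB stand-in for the top of a flash dump."""
    image = bytearray(b"\xff" * size)
    base = FLASH_TOP - size
    rows = [(base + 0x1000, 1), (base + 0x4000, 2), (base + 0x8000, 11), (base + 0x8400, 12)]
    rows = [row for row in rows if row[1] not in drop]
    fit_off = 0x100
    HEADER.pack_into(image, fit_off, b"_FIT_   ", len(rows) + 1, 0x0100, 0, 0)
    for i, (addr, etype) in enumerate(rows, 1):
        ENTRY.pack_into(image, fit_off + i * ENTRY.size, addr, 0, 0, 0x0100, etype, 0)
    struct.pack_into("<I", image, size - 0x40, base + fit_off)
    return bytes(image)


if __name__ == "__main__":
    for entry in parse_fit(build_sample_image()):
        print("%-17s base=%08Xh in_image=%s" % (entry["type"], entry["base"], entry["in_image"]))
    print("missing:", boot_guard_gaps(parse_fit(build_sample_image(drop=(11,)))))
```
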

Intel BG startup ACM

Analysis of how this ACM works showed that it does the following:

  • receives from Intel ME the Intel BG configuration written to the chipset fuses (FPFs);
  • finds the KEYM and IBBM manifests and verifies them.

To find these manifests, the ACM also uses the FIT table, which has two entry types for pointing to these structures (see FIT_ENTRY_TYPES above).

Let's take a closer look at the manifests. In the structure of the first manifest, we see a few obscure constants, the hash of the public key from the second manifest, and the public OEM Root Key with its signature as a nested structure:

typedef struct KEY_MANIFEST
{
	char           Tag[8];          // ‘__KEYM__’
	unsigned char  : 8;             // 10h
	unsigned char  : 8;             // 10h
	unsigned char  : 8;             // 0
	unsigned char  : 8;             // 1
	unsigned short : 16;            // 0Bh
	unsigned short : 16;            // 20h == hash size?
	unsigned char  IbbmKeyHash[32]; // SHA256 of an IBBM public key
	BG_RSA_ENTRY   OemRootKey;
};

typedef struct BG_RSA_ENTRY
{
	unsigned char  : 8;             // 10h
	unsigned short : 16;            // 1
	unsigned char  : 8;             // 10h
	unsigned short RsaPubKeySize;   // 800h
	unsigned long  RsaPubExp;
	unsigned char  RsaPubKey[256];
	unsigned short : 16;            // 14
	unsigned char  : 8;             // 10h
	unsigned short RsaSigSize;      // 800h
	unsigned short : 16;            // 0Bh
	unsigned char  RsaSig[256];
};

To verify the public key of the OEM Root Key, recall that the SHA256 hash from the fuses is used, which by this point has already been received from Intel ME.

Let's move on to the second manifest. It consists of three structures:

typedef struct IBB_MANIFEST
{
	ACBP Acbp;         // Boot policies
	IBBS Ibbs;         // IBB description
	IBB_DESCRIPTOR IbbDescriptors[]; // Ibbs.NumIbbDescriptors entries
	PMSG Pmsg;         // IBBM signature
};

The first contains some constants:

typedef struct ACBP
{
	char           Tag[8];          // ‘__ACBP__’
	unsigned char  : 8;             // 10h
	unsigned char  : 8;             // 1
	unsigned char  : 8;             // 10h
	unsigned char  : 8;             // 0
	unsigned short : 16;            // x & F0h = 0
	unsigned short : 16;            // 0 < x <= 400h
};

The second contains the SHA256 hash of the IBB and the number of descriptors that describe the contents of the IBB (i.e. what the hash is calculated from):

typedef struct IBBS
{
	char           Tag[8];            // ‘__IBBS__’
	unsigned char  : 8;               // 10h
	unsigned char  : 8;               // 0
	unsigned char  : 8;               // 0
	unsigned char  : 8;               // x <= 0Fh
	unsigned long  : 32;              // x & FFFFFFF8h = 0
	unsigned long  Unknown[20];
	unsigned short : 16;              // 0Bh
	unsigned short : 16;              // 20h == hash size ?
	unsigned char  IbbHash[32];       // SHA256 of an IBB
	unsigned char  NumIbbDescriptors;
};

The IBB descriptors follow this structure, one after another. Their contents have the following format:

typedef struct IBB_DESCRIPTOR
{
	unsigned long  : 32;
	unsigned long  BaseAddress;
	unsigned long  Size;
};

It's simple: each descriptor contains the address/size of an IBB chunk. Thus, the concatenation of the blocks pointed to by these descriptors (in the order of the descriptors themselves) is the IBB. And, as a rule, the IBB is the collection of all modules of the SEC and PEI phases.
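One way to recompute the IBB hash from a flash dump and compare it with IbbHash, as an added example that is not the ACM's or the article's own code. It assumes the IBBS structure above is packed with 4-byte `unsigned long` fields (so IbbHash sits 100 bytes after the tag) and that the dump ends at FFFF FFFFh; it checks only the hash, not the manifest signature or the key chain. Function names and the sample image are constructed.

```python
import hashlib
import struct

IBBS_TAG = b"__IBBS__"
HASH_OFF = 100                  # 8 (Tag) + 4 + 4 + 20*4 (Unknown) + 2 + 2, packed layout assumed
DESC = struct.Struct("<III")    # IBB_DESCRIPTOR: reserved, BaseAddress, Size


def read_ibbs(image):
    """Return (IbbHash, [(BaseAddress, Size), ...]) from the first IBBS structure found."""
    pos = image.find(IBBS_TAG)
    if pos < 0:
        raise ValueError("no __IBBS__ structure in the dump")
    count_off = pos + HASH_OFF + 32
    if count_off + 1 > len(image):
        raise ValueError("IBBS structure is truncated")
    count = image[count_off]                      # NumIbbDescriptors
    first = count_off + 1
    if first + count * DESC.size > len(image):
        raise ValueError("IBB descriptors run past the end of the dump")
    segments = [DESC.unpack_from(image, first + i * DESC.size)[1:] for i in range(count)]
    return bytes(image[pos + HASH_OFF:count_off]), segments


def ibb_digest(image, segments):
    """SHA256 over the chunks, concatenated in descriptor order."""
    window = (1 << 32) - len(image)               # physical address of file offset 0
    digest = hashlib.sha256()
    for base, size in segments:
        off = base - window
        if off < 0 or off + size > len(image):
            raise ValueError("IBB chunk %#x (+%#x) is outside the dump" % (base, size))
        digest.update(image[off:off + size])
    return digest.digest()


def check_ibb(image):
    """True when the recomputed digest equals the IbbHash stored in the manifest."""
    expected, segments = read_ibbs(image)
    return ibb_digest(image, segments) == expected


def build_sample_image(size=0x8000):
    """Constructed 32 KiB dump: two IBB chunks plus an IBBS structure outside them."""
    image = bytearray(size)
    window = (1 << 32) - size
    segments = [(window + 0x6000, 0x800), (window + 0x7000, 0x1000)]
    image[0x6000:0x6800] = b"SEC " * 0x200
    image[0x7000:0x8000] = b"PEI " * 0x400
    pos = 0x200
    image[pos:pos + 8] = IBBS_TAG
    image[pos + HASH_OFF:pos + HASH_OFF + 32] = ibb_digest(bytes(image), segments)
    image[pos + HASH_OFF + 32] = len(segments)
    for i, (base, length) in enumerate(segments):
        DESC.pack_into(image, pos + HASH_OFF + 33 + i * DESC.size, 0, base, length)
    return bytes(image)


def flip_byte(image, offset):
    """Return a copy of the dump with one bit changed at the given file offset."""
    changed = bytearray(image)
    changed[offset] ^= 0x01
    return bytes(changed)


if __name__ == "__main__":
    dump = build_sample_image()
    print("pristine dump:        ", check_ibb(dump))
    print("byte changed in IBB:  ", check_ibb(flip_byte(dump, 0x7010)))
    print("byte changed outside: ", check_ibb(flip_byte(dump, 0x3000)))
```

The last case still passes because only the ranges named by the descriptors are hashed, which is why everything outside the IBB depends on the vendor's own PEI verification module.
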

The second manifest ends with a structure containing the IBB public key (verified by the SHA256 hash from the first manifest) and the signature of this manifest:

typedef struct PMSG
{
	char           Tag[8];            // ‘__PMSG__’
	unsigned char  : 8;               // 10h
	BG_RSA_ENTRY   IbbKey;
};

So, even before the UEFI BIOS starts executing, the processor launches the ACM, which verifies the authenticity of the contents of the sections with SEC and PEI phase code. Next, the processor exits the ACM, jumps through the RESET vector and starts executing the BIOS.

The verified PEI partition must contain a module that will check the rest of the BIOS (the DXE code). This module is developed by the IBV (Independent BIOS Vendor) or by the system vendor itself. Since only the Lenovo and Gigabyte systems were at our disposal and had Intel BG support, let's consider the code extracted from these systems.

UEFI BIOS module LenovoVerifiedBootPei

In the case of Lenovo, it turned out to be the LenovoVerifiedBootPei {B9F2AC77-54C7-4075-B42E-C36325A9468D} module, developed by Lenovo.

Its job is to look up (by GUID) the hash table for the DXE and verify the DXE.

if (EFI_PEI_SERVICES->GetBootMode() != BOOT_ON_S3_RESUME)
{
	if (!FindHashTable())
		return EFI_NOT_FOUND;
	if (!VerifyDxe())
		return EFI_SECURITY_VIOLATION;
}

The hash table {389CC6F2-1EA8-467B-AB8A-78E769AE2A15} has the following format:

typedef struct HASH_TABLE
{
	char          Tag[8];            // ‘$HASHTBL’
	unsigned long NumDxeDescriptors;
	DXE_DESCRIPTOR DxeDescriptors[]; // NumDxeDescriptors entries
};

typedef struct DXE_DESCRIPTOR
{
	unsigned char BlockHash[32];     // SHA256
	unsigned long Offset;
	unsigned long Size;
};

UEFI BIOS module BootGuardPei

In the case of Gigabyte, it turned out to be the BootGuardPei {B41956E1-7CA2-42DB-9562-168389F0F066} module, developed by AMI and therefore present in any AMI BIOS with Intel BG support.

Its algorithm is somewhat different, but it boils down to the same thing:

int bootMode = EFI_PEI_SERVICES->GetBootMode();

if (bootMode != BOOT_ON_S3_RESUME &&
    bootMode != BOOT_ON_FLASH_UPDATE &&
    bootMode != BOOT_IN_RECOVERY_MODE)
{
	HOB* h = CreateHob();
	if (!FindHashTable())
		return EFI_NOT_FOUND;
	WriteHob(&h, VerifyDxe());
	return h;
}

The hash table {389CC6F2-1EA8-467B-AB8A-78E769AE2A15} that it looks up has the following format:

typedef struct DXE_DESCRIPTOR
{
	unsigned char BlockHash[32];     // SHA256
	unsigned long BaseAddress;
	unsigned long Size;
};

// HASH_TABLE is an array of DXE_DESCRIPTOR entries
typedef DXE_DESCRIPTOR HASH_TABLE[];

Intel Boot Guard 2.x

Let's talk briefly about another implementation of Intel Boot Guard, found in a newer system based on an Intel SoC with the Apollo Lake microarchitecture: the ASRock J4205-IT.

Although this version will be used only in SoCs (new systems with the Kaby Lake processor microarchitecture continue to use Intel Boot Guard 1.x), it is of great interest for studying the new architecture variant for platforms based on Intel SoCs, which has seen tangible changes, for example:

  • the BIOS and Intel ME regions (or rather Intel TXE, according to Intel SoC terminology) are now a single IFWI region;
  • although Intel BG was enabled on the platform, structures such as FIT, KEYM and IBBM were not found in the flash memory;
  • in addition to the TXE and ISH cores (x86), a third core (again ARC, by the way) was added to the chipset: the PMC (Power Management Controller), associated with ensuring the operation of the power subsystem and performance monitoring.

The contents of the new IFWI region is a set of the following modules:

Offset      Name  Description
0000 2000h  SMIP  some platform configuration, signed by the vendor
0000 6000h  RBEP  Intel TXE firmware code section, x86, signed by Intel
0001 0000h  PMCP  Intel PMC firmware code section, ARC, signed by Intel
0002 0000h  FTPR  Intel TXE firmware code section, x86, signed by Intel
0007 B000h  UCOD  CPU microcode updates, signed by Intel
0008 0000h  IBBP  UEFI BIOS, SEC/PEI phases, x86, signed by the vendor
0021 8000h  ISHC  Intel ISH firmware code section, x86, signed by the vendor
0025 8000h  NFTP  Intel TXE firmware code section, x86, signed by Intel
0036 1000h  IUNP  unknown
0038 1000h  OBBP  UEFI BIOS, DXE phase, x86, unsigned

During the analysis of the TXE firmware, it became obvious that after RESET, the TXE keeps the processor in this state until it has prepared the basic contents of the address space for the CPU (FIT, ACM, RESET vector ...). Moreover, the TXE places this data in its own SRAM, after which it temporarily grants the processor access there and "releases" it from RESET.

Ngokuqapha ama-rootkits

Manje ake siqhubekele kokuthi "hot". Sake sathola ukuthi kumasistimu amaningi, izichazi ze-flash ze-SPI zinezimvume zokufinyelela izifunda zememori ye-flash ye-SPI ukuze bonke abasebenzisi bale nkumbulo bakwazi ukubhala nokufunda noma iyiphi isifunda. Labo. akunakwenzeka.

After checking with the MEinfo utility (from the Intel STK), we saw that manufacturing mode on these systems had not been closed, and consequently the chipset fuses (FPFs) were left in an undefined state. And, of course, Intel BG is neither enabled nor disabled in such cases.

We are talking about the following systems (with regard to Intel BG and what is described later in the article, we mean systems with the Haswell processor microarchitecture and newer):

  • all Gigabyte products;
  • all MSI products;
  • 21 Lenovo laptop models and 4 Lenovo server models.

Of course, we reported the finding to these vendors, as well as to Intel.

An adequate response came only from Lenovo, who acknowledged the problem and released a patch.

Gigabyte appears to have accepted the information about the vulnerability, but did not comment on it in any way.

Communication with MSI stalled completely at our request to send their public PGP key (so that we could send them the security advisory in encrypted form). They stated that they "are a hardware manufacturer and do not produce PGP keys."

But more to the point. Since the fuses are left in an undefined state, a user (or an attacker) can program them themselves (the hardest part is finding the Intel STK). This requires the following steps.

1. Boot into Windows (in general, the steps described below can also be performed under Linux, if you develop an analogue of the Intel STK for the desired OS). Using the MEinfo utility, make sure that the fuses on this system are not programmed.

2. Read the contents of the flash memory using the Flash Programming Tool.

3. Open the image you read using any UEFI BIOS editing tool, make the necessary changes (implant a rootkit, for example), and create or edit the existing KEYM and IBBM structures in the ME region.

The public part of the RSA key is highlighted in the picture; its hash will be programmed into the chipset fuses together with the rest of the Intel BG configuration.

4. Using the Flash Image Tool, build a new firmware image (setting the Intel BG configuration).

5. Write the new image to flash using the Flash Programming Tool, and verify with MEinfo that the ME region now contains the Intel BG configuration.

6. Use the Flash Programming Tool to close manufacturing mode.

7. The system will reboot, after which you can use MEinfo to verify that the FPFs are now programmed.

These actions enable Intel BG on this system permanently. The action cannot be undone, which means:

  • only the owner of the private part of the root key (that is, whoever enabled Intel BG) will be able to update the UEFI BIOS on this system;
  • if you restore the original firmware on this system, for example with a programmer, it will not even power on (a consequence of the enforcement policy applied when verification fails);
  • to get rid of such a UEFI BIOS, you need to replace the chipset with programmed FPFs with a "clean" one (that is, re-solder the chipset if you have access to an infrared soldering station that costs as much as a car, or simply replace the motherboard).

To understand what such a rootkit is capable of, you need to assess what becomes possible when your code runs in the UEFI BIOS environment. Say, in the most privileged processor mode, SMM. Such a rootkit can have the following properties:

  • run in parallel with the OS (processing can be set up by generating an SMI interrupt that is triggered by a timer);
  • have all the advantages of being in SMM (full access to the contents of RAM and to hardware resources, concealment from the OS);
  • the rootkit code can be kept encrypted and decrypted when it is launched in SMM. Any data that is available only in SMM can be used as the encryption key. For example, a hash of a set of addresses in SMRAM. To obtain this key, you would need to get into SMM. And that can be done in two ways: find an RCE in the SMM code and exploit it, or add your own SMM module to the BIOS, which is impossible because we have enabled Boot Guard.

Thus, this vulnerability allows an attacker to:

  • create a hidden, unremovable rootkit of unknown purpose in the system;
  • execute their code on one of the chipset cores inside the Intel SoC, namely on the Intel ISH (look closely at the picture).

Although the capabilities of the Intel ISH subsystem have not yet been explored, it looks like an interesting attack vector against Intel ME.

Conclusions

  1. The research produced a technical description of how Intel Boot Guard technology works. That is a couple fewer secrets in Intel's security-through-obscurity model.
  2. An attack scenario was presented that allows an unremovable rootkit to be created in the system.
  3. We saw that modern Intel processors are capable of executing a great deal of proprietary code even before the BIOS starts.
  4. Platforms with the Intel 64 architecture are becoming less and less suitable for running free software: hardware verification, and a growing number of proprietary technologies and subsystems (three cores in the SoC chipset: x86 ME, x86 ISH and ARC PMC).

Mitigations

Vendors who deliberately leave manufacturing mode open should definitely close it. So far they are only closing their eyes, and the new Kaby Lake systems show this.

Users can disable Intel BG on their systems (those affected by the described vulnerability) by running the Flash Programming Tool with the -closemnf option. First, you should make sure (using MEinfo) that the Intel BG configuration in the ME region provides for disabling this technology once it is programmed into the FPFs.

Source: www.habr.com
