0:00:00.000 36c3 preroll music

0:00:18.070 Herald: Okay, let's go? You're ready? Let's have a hand for Cyrevolt, please.

0:00:27.880 applause

0:00:31.680 Cyrevolt: Alright, hello everyone. I am Daniel. You might have seen me before, I sometimes speak about open source firmware. And at some point I also had to start to look into more specific stuff. So this talk here is about the Intel Management Engine, sometimes also known as the unmanageability engine, it always depends on, you know, what website you find or what person you ask, you might get either response or both. So let's see. A little disclaimer first: I am not trying to blame Intel for anything they have done, or something. This year is not about whether we can trust Intel as a company or any other chip vendor or vendor in general, because I cannot read their minds. I don't know their intentions. What we can only do is see what they put out in the public or what we find in the machines that we buy. And on the other hand, we don't really know that much because especially with the Intel ME there is not very much public information. So people try to figure things out, there are forums, there are certain small projects, like analysis tools and stuff, but all of these are based on reverse engineering or educated guessing or whatever people could just figure out. And me especially, I don't know very much about it, actually. So I'm just here because I'm interested in the field and at some point there was an event which made me look into it, but more about that later.

The agenda for today: I will give a very brief introduction, it will be a very bold introduction, though, into the entire field around firmware, then I will be switching over to the open source firmware stuff we do, I will briefly try to explain the hardware we know as Intel's x86 platforms, then I will try to give you a motivation to also look into what I have been looking into and tell you what made me look into it, I will give you some entry points for analysis, and eventually we will just get a conclusion and start to think about what we just heard.

So for the introduction: Who of you in the audience has already done something with microcontrollers? Please raise your hands. Okay, we see lots of hands here. And in fact we actually have like hundreds or thousands or millions of microcontrollers here, right, so all the lights we see over here, there are ESP8266, that board, you see in the middle there's Arduino and there's something which I like to call NOT - the network of things, because apparently you just need a network, you don't really need the Internet for it. And we can connect all of those devices. We can remotely control them. And I'm now going to show you that what you have in your laptop is actually the very same thing.

Now this is lots of bullet points, and I'm very sorry for it, but this gives you a feeling of what we are dealing with here. In your laptop you have multiple such controllers which are very similar to the Arduino or ESP microcontrollers that you already know. Some of them are for very, very specific functionality - so everyone knows the USB controllers, we have USB controllers, we have PCI, where other devices are connected, we have GPUs, we have a whole lot more. But the very core - that's what is known as the chipset and the CPU. It can sometimes also be one single chip, like in this graphic here, which I have borrowed from Intel - just adjusted the colors a bit to make it fit with the slides - and here you can see lots of lines connecting all of those controllers. Now there's some other controllers which I also started to look into. They are called the embedded controller, which is an additional microcontroller on your laptop for power management, for controlling the charging circuit. When you connect your charger to your battery you will see an LED, that's what this device is doing. It might be connected to a keyboard, to your mouse. And there is a very similar concept also for servers. It's called BMC or Baseboard Management Controller. Its purpose is to remotely control a server, so you don't have to actually go to a data center. Imagine you're administrating 5 data centers all across the world, you can't literally be in all of them at the same time. So that's why they came up with an interface to remotely control it and they've made a dedicated chip for it which is also connected to many devices on the server platform. Then there is one thing you might also have heard about: a so-called TPM - a Trusted Platform Module - and its main purpose is to give you a very small trust anchor from which you can run all of your top-level applications, below which is an operating system, which is actually running after a bootloader, which is actually started from your firmware, which is actually loaded from your chipset. And that's how deep the rabbit hole goes.

Now let's look at open source projects. We have projects for all sorts of features around the CPU. The CPU, before your laptop can even start up, it has to be initialized. It also has to know the RAM. When you boot up a machine it doesn't yet really know anything about RAM. That's what the coreboot project is doing. Now today we have a bit of a problem, because we don't have enough information to actually program coreboot for modern machines. So there is a different approach now. You know the UEFI or Unified Extensible Firmware Interface? It's a bit of a different approach also to initialize hardware but also to hand over to an operating system. But the thing is there is lots of drivers in there and stuff. So we want to replace that with the Linux kernel - that's what the LinuxBoot approach is doing - there're different implementations - there is Heads, there is u-root. And that's how we can start modern machines with a bit more knowledge. For embedded controllers we have the projects from Google for the Chromebooks. There's lots of open source implementations but they only apply to very specific hardware. You could find all of that stuff on the web of course. And then System76 is also currently working in that field for their laptops, and eventually for the BMCs I just introduced you to, there is also two projects: there is the OpenBMC project and the euro project.

Okay, so that's how far we are, but that's not what I'm talking about today, I'm talking about something else. And that's why we have to take a closer look at Intel x86 hardware. This here is an example of a platform which has a dedicated chipset and a processor. This is also a graphic I borrowed from Intel, once again. It shows you where all of those peripherals are connected, so, again, we have USB, we have Ethernet, but there is more to it, actually. And you can clearly see that this chipset here, it's quite a large box and there is a reason for it, because that's where actually most of the chips are connecting. That's why Intel calls it the Platform Controller Hub, or PCH for short. Now let's look closer at the Denverton platform. Denverton is one of those model names for the platforms - Intel always comes up with these names - and here we have a very brief summary of what peripherals we have, and if you look very closely in the upper right corner, there is two so-called engines mentioned: one of them is the Innovation Engine, the other one is the Management Engine, which we're dealing with today. The Innovation Engine has a very brief description, it says it's something about innovation, it's something about firmware, but actually I have not yet found any use for it but it's there in your hardware. So if you have a Denverton chip in your laptop, or wherever you might find it, you have some features there but I don't know what they are for.

Okay, so let's look at the Management Engine, today. Because the thing is: hardware is evolving. The Management Engine today is not the Management Engine from a few years ago. So with new hardware we get different chips over time, they are attached to different other peripherals over time, and they're given different purposes. So basically the ME itself is just a microcontroller like Arduino and it's part of your chipset. If you have a combined chipset and main processor, it's in that one single chip and that's where it is. But that's not where it started. It actually started as the so-called Active Management Technology. The idea was that you could remotely control a device and provision it, just like what I described you as the Baseboard Management Controller for servers. It's the same thing but for, let's say, laptops, desktop PCs. Imagine you're running a very huge company and you have hundreds of devices to maintain. Now, you have this BMC thingy for servers and this thing here for your desktop devices. Now the question is: why is it actually connected to all of those peripherals? First of all there was a bit of a renaming recently: it's no longer just called the ME, it's called the CSME: Converged Security and Manageability or Management Engine. It can load your firmware and verify it, and with that firmware we are now talking about the host CPU firmware. That thing that coreboot can be doing or what your vendor's UEFI firmware is doing. If that firmware is not as expected, which means it's not signed with a certain key from either Intel or your OEM, the equipment manufacturer which can be HP or Asus or whatever, then your laptop might not boot. That's a feature, it's a security feature. Now the problem is: if we want to legitimately replace the firmware with our own implementations we can't do it, if this certain feature is activated. It's also known as Boot Guard. But, again, this is not what we're talking about today, I want to look at something else.

This here is how your machine boots up: On the left-hand side you see the flow I just described you, what the ME is doing. You press the power button on your machine. The ME is coming up, it's initializing itself first with its own firmware, that's the RBE phase - a bit more about that later. Then there is a bringup phase, which hands over to the ME operating system, if that version of your ME actually has an operating system, which is not necessarily the case. It will reset the CPU itself. It will trigger the firmware on the CPU to start, that's where coreboot could take over or your vendor's UEFI firmware, it notes some microcode updates, it comes to the initialization phase where you get RAM and the CPU and eventually all the features you have in your chipset itself, until you can boot your host operating system. Now at the same time there is two more chips even being powered on: one is the PMC, the Power Management Controller, which also gets some updates or patches from the ME firmware, and the EC, the Embedded Controller, I already described you, which is just running in parallel. But in fact these are all connected to each other.

And here's some of the features summarized which we have in ME: so the Active Management Technology is implemented for example in the Linux kernel, there is a driver for it. It could do hardware monitoring, it can monitor if your chips are overheating, it can have other sensors connected to it, it can do power control, that's what I just described you, just like a BMC you can power cycle your system through it. You could update your operating system out-of-band, so not like using apt-get upgrade or something. No, instead you would just do it from outside. So you could reformat an entire disk, replace it with a new image. You have a bit of storage and you even have a proxy for a keyboard and mouse and the video interface, so it's like VNC literally. That's what we know from the public documentation. Now the interface that is implemented in the Linux kernel has been extended a bit. Now we have a dedicated chip, which was pulled out of the ME, the ISH, or Integrated Sensor Hub. It just does the very basic things I just described you about sensors, just in a dedicated chip. That's a good development actually because now we don't have a single point of failure which has everything, we have a single point of failure which has everything but this part. There is BIOS extensions. In your host firmware there can also be certain libraries or drivers which are connecting to the ME. You can control the ME through it. If you have a business laptop you might be running the corporate version of the ME firmware and then you might press F6 or Ctrl+P when booting up, and you might get a prompt. If you are still in the manufacturing mode or you just bought the machine very fresh, just type "admin", that's the default password - that's publicly documented by the way, it's not something I found somewhere but in Intel's own documentation. And then you can start using that feature. So this might apply, I haven't confirmed it, but it might apply to the HP EliteBooks for example which are for business use or certain Lenovo ThinkPads from the T-series. You could try it on your machines, maybe.

Now I've already described you that there are lots of different variants and versions of the Management Engine. We have a very, very long timeline here, we are talking about years starting from 2004 until now, so it's 15 years since the Active Management Technology was announced until today where we have version 12 of the Management Engine. The problem with this timeline here is, again the disclaimer, I cannot really verify all of this information. I have mostly gathered it from different sources, so don't take all of this for granted. Some of this might also just include some educated guessing from my side. If you find any errors, you will get the links later, you can file me bugs or send your pull requests. So we're at version 12 now. For each version of the Management Engine there's release notes, they are public. So in ME 12 they just dropped version 1 for TLS, 1.2 is now in and we have a few other features. Some of them I don't even know but you can look it up in Intel's documentation. Those are the variants we already know: consumer, corporate, a slim version apparently, there's the SPS version which was made for servers and now there is something called Ignition. Which actually brings us to our motivation here.

This is an email from the EDK2 non-osi mailing list. They announced a version of the ME binary which can finally be distributed. So you can give it to other people. You couldn't do that before. Well, at least not officially. Of course when you get firmware updates from your supplier, you get those binaries in a way, but it's not like you download them from Intel directly. Which means that now we can offer full images of custom firmware based on coreboot, based on this ME binary here and whatever we want to tailor it for. So let's follow the yellow-brick road. This is the license. The license allows basically only redistribution, you may not make any changes, you may not reverse it, you may not decompile it, you may not disassemble it. Now how do we actually verify that it works as desired and as promised? Pay no attention to the man behind the curtain! If you have seen The Wizard of Oz, you know the scene. That's literally what they want. Their philosophy is kind of a shallow thing, so they don't really want to be very open with information. This here is from a training slide, it's an official training that Intel is giving at certain events. They tell people: "Well, we have lots of firmware developers, we want to support them in a way, but not too much actually."

I have to be a bit quick because I have more slides than time. Here's the vendor's perspective from Intel's FSP white paper. FSP is the Firmware Support Package. They're saying they're working towards, well, releasing something, but actually not. So if you have a binary and it works as desired then it's okay, otherwise, well, not so much, but they promise it works. And the same applies for ME, I guess. Which is where Dexter's law applies, which is saying that only proprietary software vendors actually want proprietary software. And now that's the issue: if somebody is attacking your system, they do not play by the rules. Let's take some first steps into that direction. There are some analysis tools, there's the me_cleaner, MEAnalyzer and more. There has been some reverse engineering, not from my side, because of course the license doesn't allow it. More information can be found in other talks. There was the Plundervolt attack, just recently, which was actually based on reverse engineering. And now I'm afraid I have to cut it here. We have security issues. We want to analyze firmware. Here's a bit of data structures, I will just briefly skim through those now. You can approach me later for more. And I want to briefly come to this conclusion because this is the important part. So for security all firmware has to be open source. Here's the list of acronyms, some other talks to refer to again. Thanks to everyone who has actually helped me with this, that's all the hacker spaces I hang out at, the Chaos West team and the stage here, of course, and the open source firmware projects. Please come to our assembly, it's right over there, if you want to know more. So thanks, first. If you have any questions, please approach me now or, well, just in a bit at the assembly. I guess we have time for one very small question, now.

0:23:45.520 Herald: Yeah, thank you very much, let's have a hand.

0:23:49.415 Applause

0:23:53.105 Herald: There'll be two mics, they're lit. We have time for one question or maybe two but short ones. Anybody has a question? No? About all the fun you can have and not supposed to have. Okay. Thank you very much. Okay, in which case let's close it and take your trash, please, and be excellent to each other. Thank you very much.

0:24:30.470 Applause

0:24:33.573 36c3 postroll music

0:24:35.720 Subtitles created by c3subtitles.de in the year 2020. Join, and help us!