-
36c3 preroll music
-
Herald: Okay, let's go? You're ready?
Let's hand for Cyrevolt, please.
-
applause
-
Cyrevolt: Alright, hello everyone. I am
Daniel. You might have seen me before, I
-
sometimes speak about open source
firmware. And at some point I also had to
-
start to look into more specific stuff. So
this talk here is about the Intel
-
Management Engine, sometimes also known as
the unmanageability engine, it always depends
-
on, you know, what website you find or
what person you ask, you might get either
-
response or both. So let's see. A little
disclaimer first: I am not trying to blame
-
Intel for anything they have done, or
something. This year is not about whether
-
we can trust Intel as a company or any
other chip vendor or vendor in general,
-
because I cannot read their minds. I don't
know their intentions. What we can only do
-
is see what they put out in the public or
what we find in the machines that we buy.
-
And on the other hand, we don't really
know that much because especially with the
-
Intel ME there is not very much public
information. So people try to figure
-
things out, there are forums, there are
certain small projects, like analysis
-
tools and stuff, but all of these are
based on reverse engineering or educated
-
guessing or whatever people could just
figure out. And me especially I don't know
-
very much about it, actually. So I'm just
here because I'm interested in the field
-
and at some point there was an event which
made me look into it, but more about that
-
later. The agenda for today: I will give a
very brief introduction, it will be a very
-
bold introduction, though, into the entire
field around firmware, then I will be
-
switching over to the open source firmware
stuff we do, I will briefly try to explain
-
the hardware we know as Intel's x86
platforms, then I will try to give you a
-
motivation to also look into what I have
been looking into and tell you what made
-
me look into it, I will give you some
entry points for analysis, and eventually
-
we will just get a conclusion and start to
think about what we just heard. So for the
-
introduction: Who of you in the audience
has already done something with
-
microcontrollers? Please raise your hands.
Okay, we see lots of hands here. And in
-
fact we actually have like hundreds or
thousands or millions of microcontrollers
-
here, right, so all the lights we see over
here, there are ESP8266, that board, you
-
see in the middle there's Arduino and
there's something which I like to call NOT
-
- the network of things, because
apparently you just need a network you
-
don't really need the Internet for it. And
we can connect all of those devices. We
-
can remotely control them. And I'm now
going to show you, that what you have in
-
your laptop is actually the very same
thing. Now this is lots of bullet points,
-
and I'm very sorry for it, but this gives
you a feeling of what we are dealing with
-
here. In your laptop you have multiple
such controllers which are very similar to
-
the Arduino or ESP microcontrollers that
you already know. Some of them are for
-
very, very specific functionality - so
everyone knows the USB controllers, we
-
have USB controllers, we have PCI, where
other devices are connected, we have GPUs,
-
we have a whole lot more. But the very
core - that's what is known as the chipset
-
and the CPU. It can sometimes also be one
single chip, like in this graphic here,
-
which I have borrowed from Intel - just
adjusted the colors a bit to make it fit
-
with the slides - and here you can see
lots of lines connecting all of those
-
controllers. Now there's some other
controllers which I also started to look
-
into. They are called the embedded
controller which is an additional
-
microcontroller on your laptop for power
management, for controlling the charging
-
circuit. When you connect your charger to
your battery you will see an LED, that's
-
what this device is doing. It might be
connected to a keyboard, to your mouse.
-
And there is a very similar concept also
for servers. It's called BMC or Baseboard
-
Management Controller. It's purpose is to
remotely control a server, so you don't
-
have to actually go to a data center.
Imagine you're administrating 5 data
-
centers all across the world, you can't
literally be in all of them at the same
-
time. So that's why they came up with an
interface to remotely control it and
-
they've made a dedicated chip for it which
is also connected to many devices on the
-
server platform. Then there is one thing
you might also have heard about: a so
-
called TPM - a Trusted Platform Module -
and it's main purpose is to give you a
-
very small trust anchor from which you can
run all of your top-level applications,
-
below which is an operating system, which
is actually running after a bootloader,
-
which is actually started from your
firmware, which is actually loaded from
-
your chipset. And that's how deep the
rabbit-hole goes. Now let's look at open
-
source projects. We have projects for all
sorts of features around the CPU. The CPU,
-
before your laptop can even start up, it
has to be initialized. It also has to know
-
the RAM. When you boot up a machine it
doesn't yet really know anything about
-
RAM. That's what the coreboot project is
doing. Now today we have a bit of a
-
problem, because we don't have enough
information to actually program coreboot
-
for modern machines. So there is a
different approach now. You know the UEFI
-
or Unified Extensible Firmware Interface?
It's a bit of a different approach also to
-
initialize hardware but also to hand over
to an operating system. But the thing is
-
there is lots of drivers in there and
stuff. So we want to replace that with the
-
Linux kernel - that's what the LinuxBoot
approach is doing - there're different
-
implementations - there is Heads, there is
u-root. And that's how we can start modern
-
machines with a bit more knowledge. For
embedded controllers we have the projects
-
from Google for the Chromebooks. There's
lots of open source implementations but
-
they only apply to very specific hardware.
You could find all of those stuff on the
-
web of course. And, then System76 is also
currently working in that field for their
-
laptops, and eventually for the BMCs I
just introduced you to, there is also two
-
projects there is the OpenBMC project and
the euro project. Okay, so that's how far
-
we are, but that's not what I'm talking
about today, I'm talking about something
-
else. And that's why we have to take a
closer look at Intel x86 hardware. This
-
here is an example of a platform which has
a dedicated chipset and a processor.This
-
is also a graphic I borrowed from Intel,
once again. It shows you where all of
-
those peripherals are connected, so,
again, we have USB, we have Ethernet, but
-
there is more to it, actually. And, you
can clearly see that this chipset here,
-
it's quite a large box and there is a
reason for it, because that's where
-
actually most of the chips are connecting.
That's why Intel calls it the Platform
-
Controller Hub, or a PCH for short. Now
let's look closer at the Denverton
-
platform. Denverton is one of those model
names for the platforms - Intel always
-
comes up with these names and here we have
a very brief summary of what peripherals
-
we have and if you look very closely in
the upper right corner, there is two so-
-
called engines mentioned: one of them is
the Innovation Engine, the other one is
-
the Management Engine, which we're dealing
with today. The Innovation Engine has a
-
very brief description, it says it's
something about innovation, it's something
-
about firmware, but actually I have not
yet found any use for it but it's there in
-
your hardware. So if you have a Denverton
chip in your laptop, or wherever you might
-
find it, you have some features there but
I don't know what they are for. Okay, so
-
let's look at the Management Engine,
today. Because the thing is: Hardware is
-
evolving. The Management Engine today is
not the Management Engine from a few years
-
ago. So with new hardware we get different
chips over time, the y are attached to
-
different other peripherals over time, and
they're given different purposes. So
-
basically the ME itself is just a
microcontroller like Arduino and it's part
-
of your chipset. If you have a combined
chipset and main processor, it's in that
-
one single chip and that's where it is.
But that's not where it started. It
-
actually started as the so called Active
Management Technology. The idea was that
-
you could remotely control a device and
provision it, just like what I described
-
you as the Baseboard Management Controller
for servers. It's the same thing but for,
-
let's say, laptops, desktop PCs. Imagine
you're running a very huge company and you
-
have hundreds of devices to maintain. Now,
you have to this BMC thingy for servers
-
and this thing here for your desktop
devices. Now the question is: why is it
-
actually connected to all of those
peripherals? First of all there was a bit
-
of a renaming recently: it's no longer
just called the ME, it's called the CSME:
-
Converged Security and Manageability or
Management Engine. It can load your
-
firmware and verify it and with that
firmware we are now talking about the host
-
CPU firmware. That thing that coreboot can
be doing or what your vendors UEFI
-
firmware is doing. If that firmware is not
as expected, which means it's not signed
-
with a certain key from either Intel or
your OEM, the equipment manufacturer which
-
can be HP or Asus or whatever, then your
laptop might not boot. That's a feature
-
it's a security feature. Now the problem
is: if we want to legitimately replace the
-
firmware with our own implementations we
can't do it. If this certain feature is
-
activated. It's also known as boot guard.
But, again, this is not what we're talking
-
about today, I want to look at something
else. This here is how your machine boots
-
up: On the left-hand you see the flow I
just described you, what the ME is doing.
-
You press the power button on your
machine. The ME is coming up, it's
-
initializing itself first with its own
firmware, that's the RBE-phase - a bit
-
more about that later. Then there is a
bringup phase, which hands over to the ME
-
operating system, if that version of your
ME actually has an operating system, which
-
is not necessarily the case. It will reset
the CPU itself. It will trigger the
-
firmware on the CPU to start, that's where
coreboot could take over or your vendors
-
UEFI firmware, it notes some microcode
updates, it comes to the initialization
-
phase where you get RAM and the CPU and
eventually all the features you have in
-
your chipset itself, until you can boot
your host operating system. Now at the
-
same time there is two more chips even
being powered on: one is the PMC, the
-
Power Management Controller, which also
gets some updates or patches from the ME
-
firmware, and the EC, the Embedded
Controller, I already described you, which
-
is just running in parallel. But in fact
these are all connected to each other. And
-
here's some of the features summarized
which we have in ME: so the Active
-
Management Technology is implemented for
example in the Linux kernel, there is a
-
driver for it. It could do hardware
monitoring, it can monitor if your chips
-
are overheating, it can have other sensors
connected to it, it can do power control,
-
that's why I just described you, just like
a BMC you can power cycle your system
-
through it. You could update your
operating system out-of-band, so not like
-
using apt-get upgrade or something. No,
instead you would just do it from outside.
-
So you could reformat an entire disk,
replace it with a new image. You have a
-
bit of storage and you even have a proxy
for a keyboard and mouse and the video
-
interface, so it's like VNC literally.
That's what we know from the public
-
documentation. Now the interface that is
implemented in the Linux kernel has been
-
extended a bit. Now we have a dedicated
chip, which was pulled out of the ME, the
-
ISH, or Integrated Sensor Hub. It just
does the very basic things I just
-
described you about sensors just in a
dedicated chip. That's a good development
-
actually because now we don't have a
single point of failure which has
-
everything, we have a single point of
failure which has everything but this
-
part. There is BIOS extensions. In your
host firmware there can also be certain
-
libraries or drivers which are connecting
to the ME. You can control the ME through
-
it. If you have a business laptop you
might be running the corporate version of
-
the ME firmware and then you might press
F6 or Ctrl+P when booting up, and you
-
might get a prompt. If you are still in
the manufacturing mode or you just bought
-
the machine very fresh, just type "admin"
that's the default password - that's
-
publicly documented by the way it's not
something I found somewhere but in Intels
-
own documentation. And then you can start
using that feature. So this might apply, I
-
haven't confirmed it, but it might apply
to the HP EliteBooks for example which are
-
for business use or certain Lenovo
ThinkPads from the T-series. You could try
-
it on your machines, maybe. Now I've
already described you that there are lots
-
of different variants and versions of the
Management Engine. We have a very, very
-
long timeline here, we are talking about
years starting from 2004 until now, so
-
it's 15 years since the Active Management
Yechnology was announced until today where
-
we have version 12 of the Management
Engine. The problem with this timeline
-
here is, again the disclaimer, I cannot
really verify all of this information. I
-
have mostly gathered it from different
sources, so don't take all of this for
-
granted. Some of this might also just
include some educated guessing from my
-
side. If you find any errors, you will get
the links later, you can file me bugs or
-
send your pull requests. So we're at
version 12 now. For each version of the
-
Management Engine there's release notes,
they are public. So in ME 12 they just
-
dropped version 1 for TLS, 1.2 is now in
and we have a few other features. Some of
-
them I don't even know but you can look it
up on Intels documentation. Those are the
-
variants we already know, consumer,
corporate, a slim version apparently,
-
there's the SPS version which was made for
servers and now there is something called
-
Ignition. Which actually brings us to our
motivation here. This is an email from the
-
EDK to non-osi mailing list. They
announced a version of the ME binary which
-
can finally be distributed. So you can
give it to other people. You couldn't do
-
that before. Well, at least not
officially. Of course when you get
-
firmware updates from your supplier, you
get those binaries in a way, but it's not
-
like you download them from Intel
directly. Which means that now we can
-
offer full images of custom firmware based
on coreboot, based on this ME binary here
-
and whatever we want to tailor it for. So
let's follow the yellow-brick road. This
-
is the license. The license allows
basically only redistribution, you may not
-
make any changes, you may not reverse it,
you may not decompile it, you may not
-
disassemble it. Now how do we actually
verify, that it works as desired and as
-
promised? Pay no attention to the man
behind the curtain! If you have seen The
-
Wizard of Oz, you know the scene. That's
literally what they want. Their philosophy
-
is kind of a shallow thing, so they don't
really want to be very open with
-
information. This here is from a training
slide, it's an official training that
-
Intel is giving at certain events. They
tell people: "Well, we have lots of
-
firmware developers, we want to support
them in a way, but not too much actually."
-
I have to be a bit quick because I have
more slides than time.Here's the vendor's
-
perspective from Intel's FSP white paper.
FSP is the Firmware Support
-
Package.They're saying they're working
towards, well, releasing something, but
-
actually not. So if you have a binary and
it works as desired then it's okay,
-
otherwise, well, not so much but they
promise it works. And the same applies for
-
ME, I guess. Which is where Dexter's law
applies, which is saying that only
-
proprietary software vendors actually want
proprietary software. And now that's the
-
issue, if somebody is attacking your
system, they do not play by the rules.
-
Let's take some first steps into that
direction. There are some analysis tools,
-
there's the me_cleaner, MEAnalyzer and
more. There has been some reverse
-
engineering, not from my side, because of
course the license doesn't allow it. More
-
information can be found in other talks.
There was the Plundervolt attack, just
-
recently, which was actually based on
reverse engineering. And now I'm afraid I
-
have to cut it here. We have security
issues. We want to analyze firmwaer.
-
Here's a bit of data structures, I will
just briefly skim through those now. You
-
can approach me later for more. And I want
to briefly come to this conclusion because
-
this is the important part. So for
security all firmware has to be open
-
source. Here's the list of acronyms, some
other talks to refer to again. Thanks to
-
everyone who has actually helped me with
this, that's all the hacker spaces, I hang
-
out at, the Chaos West team and the stage
here, of course, and the open source
-
firmware projects. Please come to our
assembly, it's right over there, if you
-
want to know more. So thanks, first. If
you have any questions, please approach me
-
now or, well, just in a bit at the
assembly. I guess we have time for one
-
very small question, now.
Herald: Yeah, thank you very much, let's
-
have a hand.
Applause
-
Herald: There'll be two mics, they're lit.
We have time for one question or maybe two
-
but short ones. Anybody has a question?
No? About all the fun you can have and not
-
supposed to have. Okay. Thank you very
much. Okay, in which case let's close it
-
and take your trash, please, and be
excellent to each. Thank you very much.
-
Applause
-
36c3 postroll music
-
Subtitles created by c3subtitles.de
in the year 2020. Join, and help us!
