|
|
|
|
|
|
by azalemeth
1892 days ago
|
|
|
This is an excellent, detailed reply. I've never had much experience debugging anything related to hardware beyond (linux) kernel drivers and JTAG on (far slower) devices. As an outsider who is interested, what's the best source to read about Intel's Yellow & Red modes, and its toolchain (which I is analogous to AMD's)? I've always felt that this is the level in which "the way things work" goes from being well-documented and google-able to "leet hax0rz", accessible only behind corporate NDAs – very complex, very hard to read about, and rather hidden. Of course, this could be just my ignorance talking – but I want to learn! IME seems complex and hidden enough! |
|
|
Unfortunately we (the public) know very little about Yellow and Red. (Most of the time it's just called "Red" and "Red Unlock", because Red is a superset of Yellow and most conceivable exploits that could elevate to Yellow would also elevate to Red.)
[1] is a great place to start. It's a tiny bit out of date now (DAL was deprecated a while ago in favor of . . . IPC, I think it's called?). Check out Mark Ermolov's (one of the author's) Twitter [2] for some interesting developments -- he has Red unlock on a Goldmont Atom core via a cool exploit that he published (that has since been patched), leading to microcode (!) readout. (On a side note, I strongly suspect that he has some form of inside information -- there have been times where he knows some facet of the chipset internals that I can't find _any_ reference to online. I don't mean to diminish his work though; it's very cool stuff.)
Another good place to learn is the leak from last summer, referred to as "Ex-confidential lake." It doesn't contain anything damning, but skimming through it, especially the boot/bringup stuff, will help familiarize you with the terminology and also serves as a good reference if you have to dig through a compiled BIOS -- the leak contains the FSP source.
[4], a BlackHat talk, and [5], Intel's response/analysis, are super interesting. You'll definitely have to read them over a few times!
[6] is another great talk from Ermolov that also discusses Red unlock.
Finally, one of my favorite "tricks" is to just google for "<term> "Intel Confidential" filetype:pdf". You'll turn up a surprising amount of internal info that way.
In short, you need to do _a lot_ of research. I spent nearly an entire month just searching the internet for more information. A fun, endless mystery to solve!
(P.S. I'm not sure if you realize this, but it confused me initially: Chipset == Platform Controller Hub (PCH) != Management Engine (ME). The chipset/PCH is the whole piece of silicon that runs the system, whereas the ME is only the small processor core inside of there that performs some higher level operations such as booting and maintaining a root of trust. The PCH has a lot of cool stuff outside the ME!)
(P.P.S. If you're looking for something a bit easier to get started on, but also interesting and impactful, there's a lot of undocumented stuff going on in the PCRs -- the Platform Configuration Registers. It's partially documented in part 2 of the chipset datasheets, but there are a lot of fields that are readable/writable without any description. I wrote some very basic tools relating to it here [7] and here [8]. If you do something interesting with it, I'd love to hear: shoot me an email at my github username at gmail.)
[1]: https://conference.hitb.org/hitbsecconf2017ams/materials/D2T...
[2]: https://twitter.com/_markel___
[3]: https://web.archive.org/web/20190924162111/http://support.pr...
[4]: https://i.blackhat.com/USA-19/Wednesday/us-19-Hasarfaty-Behi...
[5]: https://www.intel.com/content/dam/www/public/us/en/security-...
[6]: https://i.blackhat.com/asia-19/Thu-March-28/bh-asia-Goryachy...
[7]: https://github.com/pcgrosen/pcredit
[8]: https://github.com/pcgrosen/pychipset/blob/master/chipset/pc...