SoylentNews is people

posted by martyb on Saturday March 07 2020, @04:18AM
from the put-all-your-secrets-in-one-basket dept.

Intel x86 Root of Trust: loss of trust

The scenario that Intel system architects, engineers, and security specialists perhaps feared most is now a reality. A vulnerability has been found in the ROM of the Intel Converged Security and Management Engine (CSME). This vulnerability jeopardizes everything Intel has done to build the root of trust and lay a solid security foundation on the company's platforms. The problem is not only that it is impossible to fix firmware errors that are hard-coded in the Mask ROM of microprocessors and chipsets. The larger worry is that, because this vulnerability allows a compromise at the hardware level, it destroys the chain of trust for the platform as a whole.

[...] Intel CSME is the cryptographic basis for hardware security technologies developed by Intel and used everywhere, such as DRM, fTPM, and Intel Identity Protection. In its firmware, Intel CSME implements EPID (Enhanced Privacy ID). EPID is a procedure for remote attestation of trusted systems that allows identifying individual computers unambiguously and anonymously, which has a number of uses: these include protecting digital content, securing financial transactions, and performing IoT attestation. Intel CSME firmware also implements the TPM software module, which allows storing encryption keys without needing an additional TPM chip—and many computers do not have such chips.

Intel tried to make this root of trust as secure as possible. Intel's security is designed so that even arbitrary code execution in any Intel CSME firmware module would not jeopardize the root cryptographic key (Chipset Key), but only the specific functions of that particular module. Plus, as the thinking went, any risks could be easily mitigated by changing encryption keys via the security version number (SVN) mechanism.

[...] Unfortunately, no security system is perfect. Like all security architectures, Intel's had a weakness: the boot ROM, in this case. An early-stage vulnerability in ROM enables control over reading of the Chipset Key and generation of all other encryption keys. One of these keys is for the Integrity Control Value Blob (ICVB). With this key, attackers can forge the code of any Intel CSME firmware module in a way that authenticity checks cannot detect. This is functionally equivalent to a breach of the private key for the Intel CSME firmware digital signature, but limited to a specific platform.

[...] A single key is used for an entire generation of Intel chipsets. And since the ROM vulnerability allows seizing control of code execution before the hardware key generation mechanism in the SKS is locked, and the ROM vulnerability cannot be fixed, we believe that extracting this key is only a matter of time. When this happens, utter chaos will reign. Hardware IDs will be forged, digital content will be extracted, and data from encrypted hard disks will be decrypted.

[...] We will provide more technical details in a full-length white paper to be published soon. We should point out that when our specialists contacted Intel PSIRT to report the vulnerability, Intel said the company was already aware of it (CVE-2019-0090). Intel understands they cannot fix the vulnerability in the ROM of existing hardware. So they are trying to block all possible exploitation vectors.

[...] any platform device capable of performing DMA to Intel CSME static memory and resetting Intel CSME (or simply waiting for Intel CSME to come out of sleep mode) can modify system tables for Intel CSME pages, thereby seizing execution flow.
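As an added example (not code from Positive Technologies or Intel), the following Python toy models why the design described in the excerpt contains a compromise inside a firmware module but not one in the boot ROM: the SVN keys form a one-way ladder hanging off a hardware root, so a module handed the key for SVN n can walk down to older keys but can never derive the key for SVN n+1, whereas whoever reads the root before key storage locks derives every key, present and future, and can forge an integrity tag over any module. The ladder construction, MAX_SVN, CHIPSET_KEY, the module images and all function names are assumptions made for this example; Intel's actual SKS derivation is not reproduced here.

```python
"""Toy model of a security-version-number (SVN) key ladder for firmware integrity.

Added illustration, not Intel's published CSME/SKS design: the derivation,
constants and names below are assumptions made for this example.
"""
import hashlib
import hmac

# Highest SVN this (fictional) chipset generation will ever use.
MAX_SVN = 8

# Per-generation root secret fused into silicon (the "Chipset Key" in the
# article). Constructed value; in hardware it is only readable by the boot ROM
# before key storage is locked.
CHIPSET_KEY = hashlib.sha256(b"example chipset key, generation N").digest()


def _step_down(k: bytes) -> bytes:
    """One-way step from K[n] to K[n-1]; cannot be inverted to recover K[n]."""
    return hashlib.sha256(b"svn-step|" + k).digest()


def svn_key(root: bytes, svn: int) -> bytes:
    """Derive K[svn] from the root key.

    K[MAX_SVN] comes straight from the root; every lower key is a hash of the
    one above it. Firmware at SVN n is only ever handed K[n], so it can walk
    down to K[n-1]..K[0] but has no way to compute K[n+1].
    """
    if not 0 <= svn <= MAX_SVN:
        raise ValueError("svn out of range")
    k = hmac.new(root, b"svn-ladder|" + bytes([MAX_SVN]), hashlib.sha256).digest()
    for _ in range(MAX_SVN - svn):
        k = _step_down(k)
    return k


def icvb_tag(k_svn: bytes, module_code: bytes) -> bytes:
    """Integrity tag over a firmware module, keyed by the current SVN key
    (standing in for the article's ICVB key)."""
    icvb_key = hmac.new(k_svn, b"ICVB", hashlib.sha256).digest()
    return hmac.new(icvb_key, module_code, hashlib.sha256).digest()


def verify_module(k_svn: bytes, module_code: bytes, tag: bytes) -> bool:
    """Authenticity check the loader would run before executing a module."""
    return hmac.compare_digest(icvb_tag(k_svn, module_code), tag)


# Constructed module image for the two attack scenarios below.
EVIL_MODULE = b"csme module: attacker-patched code"


def module_level_compromise(leaked_svn: int, platform_svn: int) -> bool:
    """Attacker ran code inside a firmware module at SVN `leaked_svn` and
    captured K[leaked_svn] (never the root). Returns True if a tag it forges
    over EVIL_MODULE still verifies once the platform runs at `platform_svn`.
    """
    k = svn_key(CHIPSET_KEY, leaked_svn)  # all the compromised module ever saw
    # The ladder only goes down: an older SVN's key is free to reach, a newer
    # one is out of reach, so the attacker is stuck with what it has.
    for _ in range(max(0, leaked_svn - platform_svn)):
        k = _step_down(k)
    forged = icvb_tag(k, EVIL_MODULE)
    return verify_module(svn_key(CHIPSET_KEY, platform_svn), EVIL_MODULE, forged)


def rom_level_compromise(platform_svn: int) -> bool:
    """Attacker hijacked execution in the boot ROM before key storage locked
    and read the root key itself. Any SVN key, present or future, follows."""
    stolen_root = CHIPSET_KEY
    forged = icvb_tag(svn_key(stolen_root, platform_svn), EVIL_MODULE)
    return verify_module(svn_key(CHIPSET_KEY, platform_svn), EVIL_MODULE, forged)


if __name__ == "__main__":
    print("module compromise at SVN 3, platform still at 3:", module_level_compromise(3, 3))
    print("module compromise at SVN 3, platform bumped to 4:", module_level_compromise(3, 4))
    print("ROM compromise, platform bumped to 4:            ", rom_level_compromise(4))
```

Bumping the SVN is what shuts out the module-level attacker in this model; it does nothing against the ROM-level one, which is the point the excerpt makes about a flaw that sits before the key-storage lock and cannot be patched.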

Also covered at The Verge and The Register.

For an historical perspective, think back to the Intel Pentium FDIV bug and what it cost Intel to deal with it.

At least take comfort in the fact that most governments have No Such Agency that would be interested in something like this.


  • (Score: 4, Insightful) by Anonymous Coward on Saturday March 07 2020, @05:20AM (4 children)

    by Anonymous Coward on Saturday March 07 2020, @05:20AM (#967814)

    First off, the hard news: there is no such thing as a secure computer. Period.

    Not because they can all be cracked wide open, or anything like that. It's because it's a contradiction in terms. Computers are not intelligent devices that comprehend human concepts such as privacy and security. You can't tell a computer: "Don't let Bobby find out that Sally likes him!" It doesn't understand that, and even if it did, it doesn't have the frame of reference to handle the ramifications.

    They just do what they're told. This means that a computer in the wrong hands will do the wrong thing - by design.

    So if you can't get a secure computer, what can you get?

    You can get a reliable computer. And reliability starts with the ability to inspect, analyse, audit and verify. Every time we build in more complexity, we make it worse. Every time we add another layer of abstraction, we make it much worse. We've been moving in the wrong direction for decades.

    But nobody with money backing a manufacturer gives a damn about any of this, so the prospect of it changing is pretty much zero.

    The pine and raspberry pi devices are a bit of a step in the right direction, but they're a minute blip on the graph; a rounding error.

  • (Score: 0) by Anonymous Coward on Saturday March 07 2020, @03:33PM (3 children)

    by Anonymous Coward on Saturday March 07 2020, @03:33PM (#967891)

    The problem isn't the manufacturers, it's the whole system from governments to business customers to consumers. At no point along the way have enough governments, or business customers, or consumers, or some combination of the three said, "No, stop, we do not accept the latest generation because it has proprietary DRM / it has too many layers and too much undefined behavior / there is no publicly available openly audited chain of trust in every layer of the hardware and software." The capitalist system doesn't add anywhere near enough incentives to make things go in a direction that favors privacy and security.

    I'm not saying socialism, communism, libertarianism, anarchism or feudalism would fix this problem. They all have their own issues that would screw everything up too. But capitalism created this computing mess and it's narrow-minded to just blame Intel, or Intel's customers.

    • (Score: 2, Insightful) by Anonymous Coward on Saturday March 07 2020, @04:46PM

      by Anonymous Coward on Saturday March 07 2020, @04:46PM (#967906)

      It has nothing to do with any -ism. It has to do with incentive structures regardless of the -ism involved.

      (As far as -isms are concerned, the most helpful one here would maximise the combination of individual choice and access to resources, so that contrarians can actually achieve something.)

      The real lesson here is that reliability trumps convenience, and has done so for a long time.

    • (Score: 5, Interesting) by Runaway1956 on Saturday March 07 2020, @07:21PM (1 child)

      by Runaway1956 (2926) on Saturday March 07 2020, @07:21PM (#967958)

      narrow-minded to just blame Intel

      That may be so. I don't feel strongly enough to argue it strenuously. But, I think that you might admit that Intel apparently shoulders more of the blame than any other chip manufacturer. Which other mfr has as many serious flaws? And, IMO, most of those flaws are traced right back to Intel's "secure" bullshit. There doesn't seem to be a whole lot that is terribly wrong with the basic CPU. Sure, there are faults, just as there are with any other brand of CPU. But, mostly, it's the screwed up attempts at security.

      Intel dreams of having a monopoly similar to what Microsoft enjoys today. "You don't want to update/upgrade? That is of no consequence, we still control our CPU, and it will upgrade in the next day or so. Expect to see the results at next boot!" The results, of course, will be ever finer surveillance by Intel and the state.

      • (Score: 0) by Anonymous Coward on Saturday March 07 2020, @07:56PM

        by Anonymous Coward on Saturday March 07 2020, @07:56PM (#967974)

        the people that know the most, or have the most influence in the matter, have the most responsibility to do the right thing.