Pinned
Finally, the casket is opened: we (+@h0t_max and @_Dmit) have extracted Intel x86 microcode! One more Intel "top secret" information gets revealed...
github.com/chip-red-pill/…
Mark Ermolov
1,599 posts
Mark Ermolov
@_markel___
I research security of Intel platforms. I don't work for Intel
Москва, Россия
Joined September 2014
- Intel HW is too complex to be absolutely secure! After years of research we finally extracted Intel SGX Fuse Key0, AKA Root Provisioning Key. Together with FK1 or Root Sealing Key (also compromised), it represents Root of Trust for SGX. Here's the key from a genuine Intel CPU😀
- The very important goal has been achieved, for the benefit of the entire information security society: we decrypted Intel XuCode!
- A very bad thing happened: now, the Intel Boot Guard on the vendor's platforms can no longer be trusted... ☹️
- Replying to @_markel___They really tried hard to protected the key: the part of ucode works perfectly but they forgot to clear the internal buffer in the core IP holding all fuses (including FK0) acquired from Fuse Controller
- Intel x86 Root of Trust: loss of trust: blog.ptsecurity.com/2020/03/intelx…
- Here're all the technical details of the undocumented x86 instructions which we (+@h0t_max and @_Dmit) found: github.com/chip-red-pill/…
- Lack of coordination between Intel CSME security/firmware team and PCH HW team has led to a very big fail: Fuse Encryption Key has been extracted!
- Replying to @_markel___The last step is remaining nevertheless to fully compromise Intel SGX - knowing of FK0 Fuse Encryption Key (FK0 FEK), but we hope to do it like we did for CSME...
- Replying to @_markel___They're decoded in all modes (even in User Mode) but the ucode in MSROM throws #UD if not in Red Unlocked state. All details a little later...
- I can't believe it: Intel decided to be open about the debugging capabilities of their chips. Our work definitely bears fruit: software.intel.com/content/www/us…
