[off-topic] Yes, M$ of course. Not to take that too seriously, but I don't like some companies. M$, Dell and Intel are three of them... Sony as well. Regarding BIOSes, it was Asus that already tried to prevent BIOS modding, but with no digital signature and only on a few BIOSes (OEMX table). Anyway, Asus is a good company IMHO; I have had a lot of good ASUS mobos. I would be proud if I could break that digital signature of Intel's. I'm afraid I cannot. [/off-topic]
I doubt it will be me. The Sony table ID lock was easy compared to this. Hats off to Middleton..... Andy
Regret: the BIOS is not flashing. So the currently flashed BIOS is checking the signature. Tried in recovery mode.
I would guess the problem would be getting their private key. It appears (I think) to be a normal public/private key type certificate.... Andy
Here are my thoughts on Intel UEFI BIOS modding.
- iflash2.exe doesn't flash the BIOS; it simply places the capsule in memory and transfers control to the UEFI BIOS. The BIOS performs a reboot keeping the memory contents and tries to flash the new firmware.
- It is the old BIOS that checks the validity of the digital signature. So even if we patch all the checks in the new BIOS, it won't help us flash that BIOS.
Is there any workaround? I see two ways:
1) Modification of the old BIOS.
2) Modification of the new BIOS by using the security hole which allows inserting code into the BIOS logo picture (Yen gave a link to a PDF file which describes this technique).
I don't like way #2, because Intel can fix the bug at any moment. As for modification of the old BIOS, I see three ways to do that:
- Flashing the BIOS chip on a programmer.
- Using the recovery mode of Intel motherboards. Though the clever old BIOS doesn't flash the modded BIOS in this mode (because of the improper digital signature), the code of the modded BIOS is nevertheless executed from RAM. So we can call the BIOS flashing procedure to modify the firmware volume's file which performs the validity checks.
- When the UEFI BIOS transfers control to an OS loader, the latter gets pointers to UEFI BIOS procedures. So we can modify the OS loader and try to call the BIOS flashing procedure to modify the firmware volume's file which performs the validity checks.
All of the above is not absolute truth; feel free to criticise it.
I thought the existing BIOS might be responsible.... it makes sense from a security point of view. However, another key question would be: does the existing BIOS verify ITS OWN digital certificate at any time?? If NO, then perhaps the next step would be to look at the existing BIOS on the EEPROM to see how it is derived from the capsule, then design our own and flash it with an EEPROM/SPI programmer to at least prove the modded BIOS works. Then work on doing it through recovery mode..... The next useful thing would then be for someone with an EEPROM programmer to extract the BIOS image from their chip so we can compare. Cheers, Andy
I have bricked my MB trying to push a modded BIOS onto it, heh. As a result of my fault, Recovery Mode is not working and the MB is not working either. So I replaced it with an MSI board. Now I'll try to look for someone who can do the flashing via an SPI programmer. I know one, but I'm not sure he can work with Intel MBs.
I'll get my EEPROM programmer this week. I can extract the BIOS from my Intel DQ45CB MB. The BIOS is located in an SPI flash chip (WINBOND 25x32xxxx).
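An added example (not code from the thread, from Intel or from iflash2.exe) that goes with the flashing-flow description and the suggestion to compare an SPI dump against the capsule once a dump exists. It parses an EFI_CAPSULE_HEADER (its CAPSULE_FLAGS_PERSIST_ACROSS_RESET bit is the "reboot keeping memory contents" behaviour mentioned above), locates firmware volumes in an image by their "_FVH" signature, verifies each firmware volume header's 16-bit checksum, and pairs volumes between two images by content hash so a modified volume stands out even though the capsule and the chip lay volumes out at different offsets. The structures come from the UEFI/PI specifications; the sample dump and capsule at the bottom are constructed here with a made-up capsule GUID, and it is an assumption that an Intel capsule is a plain capsule header followed by firmware volumes. Real capsules carry vendor-specific headers and the signature block this thread is about, which the script neither parses nor verifies; it only shows where the volumes are and which of them changed.

```python
"""Locate and compare UEFI firmware volumes in a SPI dump or a flash capsule.

Added example, not code from the thread or from Intel. Only structures from the
UEFI/PI specifications are used; the sample images at the bottom are constructed.
"""
import hashlib
import struct
import uuid

FV_SIGNATURE = b"_FVH"
FV_SIGNATURE_OFFSET = 40                      # ZeroVector(16) + FileSystemGuid(16) + FvLength(8)
FV_CHECKSUM_OFFSET = 50                       # ... + Signature(4) + Attributes(4) + HeaderLength(2)
FV_HEADER_FMT = "<16s16sQ4sIHHHBB"            # fixed part of EFI_FIRMWARE_VOLUME_HEADER
FV_HEADER_SIZE = struct.calcsize(FV_HEADER_FMT)  # 56 bytes; the block map follows
CAPSULE_HEADER_FMT = "<16sIII"                # EFI_CAPSULE_HEADER: GUID, HeaderSize, Flags, CapsuleImageSize
CAPSULE_HEADER_SIZE = struct.calcsize(CAPSULE_HEADER_FMT)  # 28 bytes
CAPSULE_FLAGS_PERSIST_ACROSS_RESET = 0x00010000  # "reboot keeping memory contents"
CAPSULE_FLAGS_INITIATE_RESET = 0x00040000

FFS2 = "8c8ce578-8a3d-4f1c-9935-896185c32dd3"   # EFI_FIRMWARE_FILE_SYSTEM2_GUID
FFS3 = "5473c07a-3dcb-4dca-bd6f-1e9689e7349a"   # EFI_FIRMWARE_FILE_SYSTEM3_GUID
KNOWN_FS_GUIDS = {FFS2: "FFSv2", FFS3: "FFSv3"}
SAMPLE_CAPSULE_GUID = "11111111-2222-3333-4444-555555555555"  # made up for the sample only


def guid_str(raw16):
    return str(uuid.UUID(bytes_le=raw16))


def word_sum16(buf):
    """Sum of little-endian 16-bit words mod 2^16; a valid PI header sums to zero."""
    if len(buf) % 2:
        raise ValueError("checksummed region must have even length")
    return sum(struct.unpack("<%dH" % (len(buf) // 2), buf)) & 0xFFFF


def parse_capsule_header(data):
    guid, header_size, flags, image_size = struct.unpack_from(CAPSULE_HEADER_FMT, data, 0)
    return {"capsule_guid": guid_str(guid), "header_size": header_size, "flags": flags,
            "persist_across_reset": bool(flags & CAPSULE_FLAGS_PERSIST_ACROSS_RESET),
            "initiate_reset": bool(flags & CAPSULE_FLAGS_INITIATE_RESET),
            "image_size": image_size}


def find_firmware_volumes(image):
    """Scan for '_FVH', validate the surrounding header and report each volume found."""
    volumes = []
    pos = image.find(FV_SIGNATURE)
    while pos != -1:
        start = pos - FV_SIGNATURE_OFFSET
        if start >= 0 and start + FV_HEADER_SIZE <= len(image):
            (_zero, fs_guid, fv_len, _sig, _attrs, hdr_len,
             _csum, _ext_off, _res, rev) = struct.unpack_from(FV_HEADER_FMT, image, start)
            # A stray '_FVH' inside file data will usually fail these plausibility checks.
            if FV_HEADER_SIZE <= hdr_len <= fv_len and hdr_len % 2 == 0 and start + hdr_len <= len(image):
                guid = guid_str(fs_guid)
                volumes.append({
                    "offset": start, "length": fv_len, "header_length": hdr_len, "revision": rev,
                    "fs_guid": guid, "fs_name": KNOWN_FS_GUIDS.get(guid, "unknown"),
                    "checksum_ok": word_sum16(image[start:start + hdr_len]) == 0,
                    "truncated": start + fv_len > len(image),
                })
        pos = image.find(FV_SIGNATURE, pos + 1)
    return volumes


def volume_digests(image):
    """(fs_guid, length, sha256) for every complete volume, independent of where it sits."""
    out = []
    for v in find_firmware_volumes(image):
        if not v["truncated"]:
            body = image[v["offset"]:v["offset"] + v["length"]]
            out.append((v["fs_guid"], v["length"], hashlib.sha256(body).hexdigest()))
    return out


def compare_images(first, second):
    """Pair volumes by (fs_guid, length) and say which ones differ in content.

    Offsets are deliberately not part of the key because a chip dump and a capsule
    payload place the same volumes at different offsets. Two volumes with the same
    GUID and length in one image would collide; real images may need the offset too.
    """
    a = {(g, n): h for g, n, h in volume_digests(first)}
    b = {(g, n): h for g, n, h in volume_digests(second)}
    return {"identical": sorted(k for k in a if k in b and a[k] == b[k]),
            "modified": sorted(k for k in a if k in b and a[k] != b[k]),
            "only_in_first": sorted(k for k in a if k not in b),
            "only_in_second": sorted(k for k in b if k not in a)}


def build_volume(fs_guid, payload, block_size=0x1000):
    """Construct a minimal volume: fixed header, one block-map entry, terminator, payload, 0xFF pad."""
    header_len = FV_HEADER_SIZE + 16
    fv_len = -(-(header_len + len(payload)) // block_size) * block_size   # round up to whole blocks
    fixed = struct.pack(FV_HEADER_FMT, b"\x00" * 16, uuid.UUID(fs_guid).bytes_le, fv_len,
                        FV_SIGNATURE, 0, header_len, 0, 0, 0, 2)          # attributes 0, revision 2
    header = bytearray(fixed + struct.pack("<IIII", fv_len // block_size, block_size, 0, 0))
    struct.pack_into("<H", header, FV_CHECKSUM_OFFSET, (-word_sum16(bytes(header))) & 0xFFFF)
    return bytes(header) + payload + b"\xff" * (fv_len - header_len - len(payload))


def sample_images():
    """Constructed data: a fake SPI dump and a fake capsule whose first volume was modified."""
    boot_fv = build_volume(FFS2, b"DXE core and drivers".ljust(64, b"\xff"))
    nvram_fv = build_volume(FFS2, b"NVRAM variable store".ljust(64, b"\xff"), block_size=0x800)
    dump = b"\xff" * 0x100 + boot_fv + nvram_fv          # 0x100 of padding stands in for the descriptor
    patched = bytearray(boot_fv)
    patched[FV_HEADER_SIZE + 16] ^= 0xFF                 # one payload byte changed, header left intact
    payload = bytes(patched) + nvram_fv
    capsule = struct.pack(CAPSULE_HEADER_FMT, uuid.UUID(SAMPLE_CAPSULE_GUID).bytes_le,
                          CAPSULE_HEADER_SIZE,
                          CAPSULE_FLAGS_PERSIST_ACROSS_RESET | CAPSULE_FLAGS_INITIATE_RESET,
                          CAPSULE_HEADER_SIZE + len(payload)) + payload
    return dump, capsule


def analyze(dump, capsule):
    """What the old BIOS sees first (the capsule header), then the volume-level diff."""
    hdr = parse_capsule_header(capsule)
    return hdr, compare_images(dump, capsule[hdr["header_size"]:hdr["image_size"]])


if __name__ == "__main__":
    d, c = sample_images()
    for v in find_firmware_volumes(d):
        print("FV @ 0x%06x len 0x%x %s checksum_ok=%s" % (v["offset"], v["length"], v["fs_name"], v["checksum_ok"]))
    print(analyze(d, c))
```

Run it on a real pair by replacing sample_images() with the bytes of the chip dump and of the capsule file: the "modified" list is the set of volumes the update would rewrite, and a volume present in the dump but absent from the capsule is a region the old BIOS keeps (which is where one would start looking for the code that performs the signature check).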
I guess 2) is fixed by Intel already; I've posted the link to it. The idea of booting a stub OS is also described: The relevant BIOS data structures (say, IDT, page tables) are not wiped before handing control to the OS; so if the OS takes care not to trash them, all the required offsets can be found in memory. So, we can create a small "Stub-OS", infect the MBR with it, reboot the system, and gather the offsets. We have not implemented this.
Not all problems are best attacked at the hardware level... Call me pathetic, or a naive twit, but I think that maybe contacting Intel, or a local reseller, and letting them know that there is a "thriving BIOS modification community" that flashes altered BIOSes in order to gain "performance benefits", and asking for an "owner override", may help. If a lot of people do it. And we sound sincere. That means that just using a template letter would do no good, but the basic points are easy enough to get across. Also, it should be made clear that such an override can be made safely. And it can! Allow me to explain: An option to allow flashing of a modified UEFI is put in the setup screen, and disabled by default. Then, if enabled, and a modified UEFI is loaded, before writing it to EEPROM, the BIOS brings up a warning screen, like the one you get when you take ownership of a TPM. The modified UEFI is not flashed unless the user presses F10. This cannot be spoofed. And the screen should have "DO NOT PRESS F10 UNLESS YOU WERE EXPECTING THIS MESSAGE" in big red letters. Maybe don't go into that much detail, but let Intel know that *you*, too, are interested in the ability to modify your BIOS. Intel is a hardware company, not a software company. Anything that makes their boards more likely to sell will fly with them.
We write to Intel and ask them nicely to put it in. Okay, it's not exactly a dead cert, but there's nothing to lose! EDIT: if you meant how it would be enabled if it were there (which I just realised you might have), then I meant it would be set to "disabled" by default. As in, you'd just go into setup and switch it to enabled if you wanted to flash an unsigned BIOS.
Well... All it requires is showing the user a screen before flashing the UEFI that asks them to press F10 if they want to do it. It's a known way of verifying physical presence and consent; as I said, the TPM uses it.