Secure boot

Let's be honest: most x86 systems are garbage when platform security is concerned. Intel does not have the best track record with building secure chips and AMD doesn't do much better. That's why Apple has recently been improving their boot and platform security with the T2 chip. The common belief is that Hackintoshes cannot be as secure as a Mac due to various patches and that it is miles behind a Mac with T2. But how true is that belief?

In this article, we will explore the boot and platform security of Intel x86, the Hades Canyon NUC, and Macs. We will compare the security offerings on these similar platforms and present an argument that we can make the Hades Canyon Hackintosh as secure as most Macs.


Threat Model


Before starting, it is important to clarify what part of the security architecture is being discussed here. Specifically, we mainly focus on boot-time security from remote attackers. In particular, we wish to protect against an attack where a compromised OS (OSX/Windows/Linux) installs a "bootkit" that persists across a reboot and across a fresh re-install (with a wiped disk). We do not consider the security of OSX vs Windows. Finally, we do not consider the security of a local attacker with physical access to the device. Note that the T2 does attempt to protect against local attackers, but this is a much more niche issue.


Intel Boot Guard


Chain of trust overview from "Safeguarding rootkits: Intel BIOS Guard part 2".

The first link in the secure boot chain is owned solely by Intel on every motherboard with an Intel chipset. When your computer first powers up, a small 32-bit x86 CPU that is in the Platform Controller Hub (PCH or chipset) called the Intel Management Engine (ME or CSME) starts running from its unpatchable on-die boot ROM. First it reads the Serial Flash Discoverable Parameters (SFDP) from the SPI flash chip connected to the PCH to determine how to read from the flash, and it then reads the Intel Flash Descriptor (IFD) from offset 0 to locate the ME region of the flash.

The ME boot ROM code then loads the ME firmware partition table (FPT) from the region offset in the SPI flash chip into the ME's on-die SRAM. The FPT is not signed, which allows the various partitions to be relocated around the flash. The ME finds the Factory Partition (FTPR) in the table, copies the signed header of this partition from the flash into SRAM, and validates the signature on the partition against Intel's public key, whose hash is fixed in the on-die ROM. If these do not match, then the ME shuts down and the computer won't boot.

If the FTPR signature matches, then the ME finds the Bring Up (BUP) module in the FTPR and copies it into SRAM. It compares the hash of the module with the hash stored in the signed FTPR, and if these match then it starts executing the code in BUP, which transitions away from the on-die code. However, the on-die code remains resident, similar to a shared library of functions for the modules stored in the flash. Also note that the other modules in the FTPR are not validated at this time, allowing limited editing of the contents of the ME's flash partitions to remove functionality.

The ME's BUP module is what begins booting the real CPU in the system by releasing it from reset. At reset time, the last few megabytes of the BIOS region of the SPI flash are mapped to the top of the 4GB address space, so reads to the addresses from 0xFF000000 to 0xFFFFFFFF are routed to the PCH and turned into reads from the SPI flash. The first thing the CPU does is locate the Firmware Interface Table (FIT) pointer, stored at 0xFFFFFFC0. The FIT, which is not signed directly, contains pointers to the microcode updates for various CPUs, as well as pointers to the reset vector and BIOS entry points.

The CPU's internal boot ROM walks the FIT to find the microcode updates and reads their headers to determine if they apply to this CPU, and if so the microcode update is copied linearly into cache and Intel's signatures are validated by the boot ROM. If this passes, then they are decrypted with an Intel key that is also in the boot ROM and the update is applied to the boot CPU.

The boot ROM then goes back to the FIT to find the Startup Authenticated Code Module (ACM) in the SPI flash chip. This is copied into cache by the boot ROM and Intel's signature on the ACM is validated by the boot ROM before executing it in 32-bit non-evict (aka Cache-as-RAM) mode based on the GDT stored in the ACM. The ACM is signed with an Intel-owned key and the hash of the public key to verify the signature is inside the boot ROM, although the signature checks are only enforced if the OEM has set the Bootguard configuration fuses in the PCH to do so. It is especially dangerous if the configuration is left unfused in the PCH since malware could then fuse its own keys and the system would not boot without the malware in the SPI flash.

The Startup ACM contacts the ME to receive the Bootguard OEM hash and fuse configuration. The ACM returns to the FIT to locate the Bootguard Key Manifest (KEYM), which contains an OEM public key that matches the hash provided by the ME as well as other public keys the OEM uses to sign the firmware. The OEM hash is used by the ACM to validate that the KEYM is provided by the OEM, and the ACM then loads the Bootguard Boot Policy (ACBP) from the FIT, which is signed by the Key Manifest public key in the KEYM.

The ACBP contains the list of the Initial Boot Block (IBB) segments that are to be copied into cache as well as the overall hash of the regions and the real entry point for the legacy BIOS (typically 0xFFFFFFF0). Depending on the Bootguard fuse configuration, a hash comparison failure might lead to an immediate CPU halt, a PCR extension with the failure code, or just a global variable set in memory. If the result is not a halt, the ACM loads the legacy BIOS entry point from the ACBP and executes a GETSEC instruction to shift back into real mode and exit the ACM, jumping into the traditional x86 CPU reset vector.
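To audit a flash dump against the walk described above, the following added example (not code from the article or from Intel) follows the FIT pointer at 0xFFFFFFC0, lists the FIT entries, and reports which Boot Guard entry types (Startup ACM, KEYM, ACBP) the table does not reference. The 16-byte entry layout and the type codes are taken from Intel's public FIT specification rather than from this article, and the sample image is constructed.

```python
import struct

FIT_POINTER_ADDR = 0xFFFFFFC0  # address given in the article
# Type codes from Intel's public FIT specification (assumption: not in the article).
FIT_TYPES = {0x01: "microcode update", 0x02: "startup ACM",
             0x0B: "key manifest (KEYM)", 0x0C: "boot policy (ACBP)"}
BOOT_GUARD_TYPES = (0x02, 0x0B, 0x0C)
ENTRY = struct.Struct("<QHBBHBB")  # address, size (2+1 bytes), rsvd, version, type, checksum

def to_offset(image, addr):
    """Map a physical address just below 4GB to an offset in the flash image."""
    off = addr - ((1 << 32) - len(image))
    if not 0 <= off <= len(image) - 16:
        raise ValueError(f"address {addr:#x} is outside the mapped flash image")
    return off

def parse_fit(image):
    """Return [(type, address, size_field)] for every FIT entry after the header."""
    (fit_addr,) = struct.unpack_from("<Q", image, to_offset(image, FIT_POINTER_ADDR))
    base = to_offset(image, fit_addr)
    count = int.from_bytes(image[base + 8:base + 11], "little")  # includes the header
    if image[base:base + 8] != b"_FIT_   " or not 1 <= count <= (len(image) - base) // 16:
        raise ValueError("no valid FIT header at the pointer target")
    entries = []
    for i in range(1, count):
        addr, lo, hi, _, _, typ, _ = ENTRY.unpack_from(image, base + 16 * i)
        entries.append((typ & 0x7F, addr, lo | hi << 16))  # bit 7 is the checksum-valid flag
    return entries

def missing_boot_guard_entries(entries):
    """Names of the Boot Guard entry types that the FIT does not reference."""
    present = {typ for typ, _, _ in entries}
    return [FIT_TYPES[t] for t in BOOT_GUARD_TYPES if t not in present]

def build_sample_image():
    """Constructed 64 KiB image: microcode, ACM and KEYM entries, but no ACBP."""
    image = bytearray(b"\xff" * 0x10000)
    rows = [(int.from_bytes(b"_FIT_   ", "little"), 4, 0x00), (0xFFFF2000, 0, 0x01),
            (0xFFFF4000, 0x800, 0x02), (0xFFFF8000, 0x40, 0x0B)]
    for i, (addr, size, typ) in enumerate(rows):
        ENTRY.pack_into(image, 0x1000 + 16 * i, addr, size & 0xFFFF, size >> 16, 0, 0x0100, typ, 0)
    struct.pack_into("<Q", image, len(image) - 0x40, 0xFFFF1000)
    return bytes(image)

if __name__ == "__main__":
    fit = parse_fit(build_sample_image())
    for typ, addr, size in fit:
        print(f"{FIT_TYPES.get(typ, hex(typ)):20} @ {addr:#010x}, size field {size:#x}")
    print("not referenced by the FIT:", missing_boot_guard_entries(fit))
```

A FIT that references a KEYM and an ACBP only shows that the manifests are present in flash; whether the ACM enforces them depends on the fuse configuration in the PCH, which a flash dump does not reveal.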

Note that any vulnerability in the ME boot ROM, the x86 boot ROM, or the ACM can be used to exploit every Intel system out there including all Macs (including T2 Macs). There have been bugs found in the ME's boot ROM, TOCTOU attacks against the ACM have been successful, and many vendors have made mistakes with Bootguard configurations or executed code from unsigned regions of the flash.

The ME is the most important part of x86 security because not only does it have full DRAM access, it also feeds the OEM public key and security policies to the ACM on the CPU. The ACM will load the next stage, called the Initial Boot Block, from the SPI flash. The ACM code will then check the signature of the IBB against the OEM public key from the ME, but only if this is enabled. Note that many/most OEMs do not enable this and therefore ANY IBB can run if flashed into the SPI flash. On the Hades Canyon, only an Intel-signed IBB can be executed (and this cannot be disabled). On T2 Macs, Apple does additional verification of the IBB and won't even attempt to feed it to the Intel CPU if it fails. Although there is a dearth of details in Apple's whitepaper, presumably this allows previous IBBs to be revoked, while on Intel-only systems like the NUC any vulnerable IBB can be downgraded to by an attacker with physical SPI access.

This whole process is referred to as Intel Boot Guard by Intel and is only found on relatively recent (Haswell+) systems. There is also an adjacent technology called Intel BIOS Guard which can prevent unauthorized BIOS updates from being flashed if Boot Guard is disabled. In systems where Boot Guard is enabled, BIOS Guard can also be used to prevent downgrades to a vulnerable IBB. However, this is strictly worse than T2 because BIOS Guard requires the integrity of the boot chain up until the OS is booted while the T2 can assume that everything down to the IBB is compromised. The Hades Canyon has both Boot Guard and BIOS Guard enabled, which, from a non-scientific survey of Google search results, seems to be quite rare.

This is a very high-level overview of the first part of the boot chain. Primary references used for this section are as follows: