[GTALUG] Intel - secure boot

D. Hugh Redelmeier hugh at mimosa.com
Mon Mar 30 01:26:07 UTC 2015


| From: R. Russell Reiter <rreiter91 at gmail.com>

| Here's a link to a talk on secure boot exploits etc. There's a bit on 
| exploits which come in over the video aperture in order to flip the bits 
| and get write permission on the secured stack, which I found 
| interesting.

An interesting video, thanks.

But it is nothing actually to do with video.  It is all to do with the
many different ways memory addresses get mapped in the x86
architecture and how each of them can create ways of addressing
physical resources that need to be protected.

Many protection mechanisms work on limiting address ranges and various
address mappings, if not carefully restricted themselves, can evade the
primary protections.

In the cases he mentioned, System Management Mode code and data is
protected by some address restriction method.  But if the aperture is
set to point into the SMM area, certain ops can clobber SMM memory.
The details are technical and I have not retained them in the few
hours since I saw it.

This just emphasizes that complexity is the enemy of security.  All
the systems that they attacked seemed complicated to me.  Sometimes
because of how the x86 has evolved as a set of interlocking hacks.

I wonder if we can use the A20 gate to fool some of these checks.  Now
there is cruft.
