
Bypassing Intel Boot Guard - ryanlol
https://embedi.com/blog/bypassing-intel-boot-guard
======
iliketosleep
The most scary thing here is that in some circumstances it allows an attacker
to make malicious code permanent:

 _"This brings an amazing opportunity for an attacker with capabilities to
inject program code into BIOS: to turn Intel BG technology on manually making
any modifications in BIOS permanent. It only requires configuring Intel BG by
programming the chipset fuses (via pure software way) after the modification
is done."_

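The quoted attack only works against a platform whose Boot Guard profile has not been fused yet, so the first thing to check on your own hardware is what the CPU reports about Boot Guard. The script below is an added example, not code from the article or from this thread; it decodes the Intel BOOT_GUARD_SACM_INFO MSR (0x13A) and reads it through the Linux msr driver. The field layout (bit positions and names) is taken from the register definition used by the chipsec project as I recall it, and is an assumption to verify against Intel's documentation for your platform; the sample values are constructed, not captured from real hardware.

```python
#!/usr/bin/env python3
"""Decode Intel BOOT_GUARD_SACM_INFO (MSR 0x13A) to see whether Boot Guard is
fused on and in which profile.

Added example. Field layout follows the chipsec project's register definition
as recalled here (an assumption to verify against Intel documentation).
"""
import os
import struct

MSR_BOOT_GUARD_SACM_INFO = 0x13A

# (field name, lowest bit, width) -- assumed layout, see module docstring
FIELDS = (
    ("nem_enabled", 0, 1),           # No-Evict Mode active (ACM ran)
    ("tpm_type", 1, 2),              # which TPM the ACM found
    ("tpm_success", 3, 1),
    ("force_anchor_boot", 4, 1),
    ("measured_boot", 5, 1),         # measured-boot profile bit
    ("verified_boot", 6, 1),         # verified-boot profile bit
    ("module_revoked", 7, 1),
    ("boot_guard_capability", 32, 1),
)


def decode_sacm_info(value: int) -> dict:
    """Split the raw 64-bit MSR value into its named fields."""
    return {name: (value >> shift) & ((1 << width) - 1)
            for name, shift, width in FIELDS}


def boot_guard_state(value: int) -> str:
    """Summarise the Boot Guard profile the MSR describes.

    The case that matters for the attack quoted above is hardware that is
    Boot Guard capable but has neither verified nor measured boot active:
    its profile is not fused, so anyone who can write the BIOS can also
    choose what gets locked in.
    """
    f = decode_sacm_info(value)
    if not f["boot_guard_capability"]:
        return "not-capable"
    if f["verified_boot"] and f["measured_boot"]:
        return "verified+measured"
    if f["verified_boot"]:
        return "verified"
    if f["measured_boot"]:
        return "measured"
    return "capable-but-unfused"


def read_msr(msr: int, cpu: int = 0) -> int:
    """Read one MSR via the Linux msr driver (needs root and `modprobe msr`).

    The driver exposes the MSR address as the file offset, so an 8-byte
    pread at offset `msr` returns the register's little-endian value.
    """
    fd = os.open(f"/dev/cpu/{cpu}/msr", os.O_RDONLY)
    try:
        raw = os.pread(fd, 8, msr)
    finally:
        os.close(fd)
    return struct.unpack("<Q", raw)[0]


if __name__ == "__main__":
    # Constructed sample values, not captured from real hardware:
    samples = {
        "unfused": 1 << 32,                    # capable, no profile active
        "verified": (1 << 32) | (1 << 6) | 1,  # verified boot, NEM on
    }
    for label, v in samples.items():
        print(f"{label:9s} -> {boot_guard_state(v)} {decode_sacm_info(v)}")
    try:
        live = read_msr(MSR_BOOT_GUARD_SACM_INFO)
        print(f"this host -> {boot_guard_state(live)} (raw 0x{live:016x})")
    except OSError as e:
        print(f"live read skipped: {e}")
```

Run it as root after `modprobe msr`; without the driver it still prints the decoded sample values. A result of `capable-but-unfused` on a production machine is exactly the window the article describes, and `verified` with an OEM you did not choose is the lock-out the rest of the thread worries about.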
~~~
userbinator
...and even manually reflashing the whole BIOS image with a hardware "chip
clip" can't fix it? That is _really_ scary.

The only hope is that those "chipset fuses" actually can be reset via hardware
(but not software, since that would defeat the point)... but that chance also
seems slim.

I'm probably one of the few people to which anything advertised as "trusted"
or being for "security and safety" has, instead of implying peace and bliss,
taken on a much more sinister connotation: to lock you out of what you own...
boot guard, secure boot, SGX, etc. All in theory can be used for the user, but
in practice are just enabling walled gardens and DRM.

~~~
iliketosleep
Yes, if it were truly for the security of the end users, they'd at least
provide the end user a mechanism to unlock this stuff when things go wrong,
such as a hardware jumper combined with software access code. A key principle
of infosec is "availability" for authorized users. Therefore, I argue that
such devices are not very secure for end users.

------
chrissnell
Site is down. Can somebody paste a cached copy?

~~~
novium
[https://web.archive.org/web/20171006051839/https://embedi.co...](https://web.archive.org/web/20171006051839/https://embedi.com/blog/bypassing-intel-boot-guard)
(Looks a bit funky tho, text and images are there, so should be fine)

------
forapurpose
Everything used to be open and relatively well-defined on the platform, unless
my memory is colored rosy: BIOS, MBR, HDD, etc. Generally, it still is
beginning with BIOS (AFAIK, you can usually disable UEFI).

But 'pre-BIOS' vendors have created a mostly proprietary, closed hodge-podge
of hardware and software. I've been trying to merely identify those components
and subsystems on a new computer and it's taking many hours and information is
sparse. There's TPM, PTT, ME, TXT, Boot Guard, AMT, etc. etc.

All seem to serve one or more of three purposes: 1) Manageability (for
corporate IT), 2) end-user control via a Root of Trust (practical only for
corporate IT for the most part), and 3) Vendor control (DRM and more) via a
root of trust and closed, undocumented, obscure systems.

Is there any guide to all this? Any standardization? There were and are
multiple BIOS vendors, but generally I knew what a BIOS did and does.

~~~
gh02t
I dunno, BIOS was pretty opaque and all the major BIOS vendors' stuff was
completely proprietary (and often full of bugs). The difference is that BIOS
was simpler and hence easier to understand. It was also not as well-protected
and if you wanted to you could extract and reverse engineer the BIOS with
easily available tools. Nowadays the firmware in your machine is better
protected as well as much more complex, making it harder to access and harder
to understand.

~~~
userbinator
The parent comment is saying "used to be", and that was actually _very_ true
before the IBM PS/2 and the AT clones --- IBM published the schematics and
BIOS source code for the PC, XT, and AT in the PC Technical Reference books.

[https://archive.org/details/bitsavers_ibmpcat618ferenceMar86...](https://archive.org/details/bitsavers_ibmpcat618ferenceMar86_25829277)

Even in the "AT clone" era (better known as "IBM PC Compatible"), the
standards were relatively more open and there wasn't much in the way of DRM at
all.

------
sdsmith
This article is about a security flaw, and yet the website is leaking database
error information. Seems safe.

