It was certainly "inconvenient" to perform BIOS updates, but back in those days BIOS updates weren't all that common either. I don't think it should ever be "convenient" to do something like that with basic system firmware - by its very nature, it is supposed to be stable and rarely changed. Somehow this is making me terribly nostalgic... for the days when BIOSes seemed far less buggy and in need of constant change. Now, I hear stories of laptops with factory-installed crap that silently updates the BIOS in the background(!), bricking the machine when something else unfortunate happens coincidentally with it (e.g. hard reset.) I remember the ritual of "boot from a floppy to a plain DOS prompt, run the updater, and wait for a few tense seconds as it updated the BIOS".
The mention of "Thunderbolt Option ROM" makes it clear that Thunderbolt is basically an external version of PCI(e). In other words, even without being able to modify any firmware, plenty of other maliciousness is already possible - the same with any other device that has direct access to the system bus. In the same way that you probably wouldn't plug a random untrusted PCI(e) adapter into your system, you should exercise the same caution with Thunderbolt...
[...] make it impossible for the BIOS to be corrupted
by software, malicious or otherwise
Jumper JP4 controls the protection scheme that
prevents accidental damage to or rewriting of the data
stored in Flash memory.
Of course, this is assuming Chromebooks' bootloader doesn't have any secured problems.
this is a physical access attack. when you have physical access, the game is up. (and your bios switch isn't any use).
i appreciate that inserting a thunderbolt device is easier than getting access to a switch, but it's not that much harder.
Summarizing as “when you have physical access, the game is up” is the same as saying that employees who pick up abandoned USB thumbdrives on parking lots and plug them into work computers are guilty.
Plugging things in are what Thunderbolt/USB ports are FOR. This is how you transmit data and how you extend the computer with new peripherals. It may be impossible to prevent a Thunderbolt or USB peripheral from bricking the computer, but that doing so can end up giving control of it to a third party is an unacceptable security failure, is not the user's fault, and needs to be fixed.
A physical hardware switch located inside the box would be quite appropriate. Everyone knows that you don't need to open the computer to read from an external drive.
This has been true for as long as USB has existed. The broader version -- "don't attach untrusted hardware" -- has been true for as long as there have been computers.
There is a reason secure installations do not allow employees to bring in arbitrary electronics.
oh my science they most certainly are.
> Plugging things in are what Thunderbolt/USB ports are FOR
yes, but the moment you insert them into a machine they are assumed to be trusted. (this is my opinion, it could be incorrect)
Remember how that was only for a short 1-2 years as a knee jerk reaction to CIH virus?
Older PCs had bios in EPROM (UV window on the chip) instead of EEPROM. That was the only physical protection.
Later Intel introduced firmware hub (FWH) with software protection against flashing (you had to unlock certain memory region/io access), then we got SPI flash chips with some copy protection (again software controlled).
Jumper was a short lived, useless (after the fact) feature that died because nobody needed/wanted/asked for it.
The bulk of the firmware, that's clear, nowadays will be fetched from a serially connected flash, which this initial code will copy to the (then initialized) DRAM, also probably in several stages. But where do the first few instructions hide? Mask-rom in the CPU, or the chipset?
I know how initial bootup works on my day-job-default-CPU (a m68k/coldfire that basically just starts executing from a parallel connected flash), on a few ARMs and some PPC, but I have no idea about a "typical" intel core/i5..7/... CPU.
There are some good articles here:
I trust you that this logically will certainly be true, but: what memory will that access to ffff:fff0 be mapped to if the "bios" in my PC is stored in a SPI flash that certainly can't be connected directly to anything resembling a "address/data-bus" in a modern PC...
If you're really interested in this stuff the articles in the above link are a good read, as well as datasheets for the various chipsets involved. I'd recommend even looking at the original IBM PC/AT Technical Reference, with BIOS listings and full schematics.
There's quite some information also in the "7-series chipset datasheets" (and 8-series) from Intel, it seems that they have a very elaborate SPI implementation, in the chipset, in hardware...
Start at 0xfffffff0, the boot vector for x86, executing in 16-bit "I can run DOS 1.0" mode.
It just jumps to the entry to 32-bit mode
Turn on FPU
Turn on SSE
Configure the cache not to require a backing DRAM so that it can be used temporarily as RAM.
Now that "RAM" is available for use as a stack, the next steps can be written in plain-ole C
From there, mainboard-specific code sets up things like which SuperIO chip to configure, the i2c addresses to interrogate for information on RAM geometry and timing, and how the chipset is wired to connectors on the board. Commong chipset (northbridge and southbridge) init code is run using that configuration data.
Then DRAM is initialized (the Haswell example is a bit lame in that currently a binary blob of compiled code from Intel does this job.) The Sandybridge DDR3 init was recently reverse-engineered and re-implemented and fully exemplifies the training processes required.
Now that Gigagbytes of RAM are available, another boot stage is fetched from flash. When generic framework gets back to cpu-specific stuff, power management is configured,Inter-Processor Interrupt handlers are installed, and other cores go through a quick init sequence.
Then essentially the PCI tree is walked to setup all the chipset devices.
Once hardware is running, Coreboot loads a "payload" that is in turn responsible for loading the OS.
"Anti Evil Maid is an implementation of a TPM-based static trusted boot with a primary goal to prevent Evil Maid attacks.
The adjective trusted, in trusted boot, means that the goal of the mechanism is to somehow attest to a user that only desired (trusted) components have been loaded and executed during the system boot. It's a common mistake to confuse it with what is sometimes called secure boot, whose purpure is to prevent any unauthorized component from executing."
-- BadUSB shows that the USB controller can fake keystrokes, modify the recipient USB controller, etc.
-- This attack now shows an even more dangerous attack that can be mounted by a malicious thunderbolt adapter (the one that you unknowingly connected by habit at a conference, say).
Trammell is giving a longer talk about this work at CCC next week. (http://events.ccc.de/congress/2014/Fahrplan/events/6128.html)
The attack is implemented (he has a demo macbook with "ThunderStruck" bootloader), and it has been disclosed to apple >400 days ago.
One aspect of the attack can be patched with 2-byte change, but apparently apple hasn't bothered.
Yes. eSATA is one example. 10 gigabit Ethernet is another. DisplayPort is, for certain applications.
Although I may be wrong, it's certainly a related vulnerability and an interesting presentation to watch. Skip to ~54mins if you just want to see the demo.
"The first high-end laptop that respects your freedom and privacy. The Purism Librem 15 is the first laptop in the world that ships without mystery software in the kernel, operating system, or any software applications."
Intel cant even get rid of binary blobs from their official open source Atom platform (minnowboard).
Intel UEFI bios is >100K lines of hand tuned spaghetti code that never saw version control system, thats straight from the mouth of Intel employee.
A Bios vendor takes that code, drops in a bunch of hardware init code from Intel (or AMD), adds thier own user interface, "csm16" old-school BIOS implementation, and value-adds like debugging and automation for factory test and provisioning.
In order to comprehend anything in the codebase, the first step is probably to get acquainted with the local vernacular.
Interesting thread on exactly how free this laptop is:
(Edit: This post seems a bit harsh. My view is that any movement towards a more free laptop is welcome, especially since things like Android are going rapidly in the opposite direction)
And ARM is worse, since a majority of the ARM ecosystem just acts like bootloaders and their gpu drivers don't even exist.
Do you need more than what he says there?
I have watched Trammel demonstrate this attach right in front of me about a year ago. Apple has repeatedly ignored the fact that they are vulnerable.
It should also be noted that while this talk is Apple focused, it not a Apple thunderbolt specific attack. It affects all badly implemented thunderbolt ports.
Apple's growing popularity and strong hardware standardization makes them especially susceptible to the wormificaiton of this attack. How many offices have a supply cabinet with thunderbolt to HDMI/Ethernet/other connectors that are shared around the office freely?
- "Tripwire" for firmware - host-based (not perfect) & bootable live cd/usb/image (still not perfect)... Perhaps some JTAG verifying device that could be hard-wired to all supported chips directly? (Very painful to setup, but potentially interesting.)
- Host-based peripheral firewall (not perfect, but more usable) - e.g.: selectively disable, ask user permission and/or limit rights to connecting devices from the various buses: USB, FW, PCI, SD card, SATA/SAS, BT, TB, SPI, FC, ... On OSX, it's doable considering VMware Fusion "patches" IOKit (check out IORegistryExplorer) selectively based on user preferences (whether to redirect a USB device to a guest or to the host).
IMO this shouldn't really be a problem. If the SPI payload disables writes before executing anything unsigned, then it's really quite hard to bypass.
Presumably the bug is a result of EFI capsule on disk support. The design is sh*t for exactly this reason.
The firmware could lock the flash, detect the capsule after initializing option ROMs, copy it to RAM, do a full reset, then find the capsule in RAM and verify a signature prior to re-locking the flash, though.
Most non-Apple computers don't have an external PCI bus, so there's that.