3r33333. 3r3-31.  3r33333.
 3r33333. The principle of "3r337. safety through obscurity
”Has been criticized by experts for years, but this does not prevent large electronics manufacturers, under the pretext of protecting intellectual property, from signing non-disclosure agreements to obtain technical documentation. The situation is worsening due to the increasing complexity of microcircuits and the integration of various proprietary firmware into them. This actually makes it impossible to analyze such platforms for independent researchers, which puts at risk both ordinary users and equipment manufacturers.
 3r33333.
 3r33333. An example is the Intel Management Engine (Intel ME) technology, as well as its versions for server (Intel SPS) and mobile (Intel TXE) platforms (for more on this technology, see 3r3338. W2w2w212. 3r33333., 3rr3342. W2w2w213. 3r3333355. In this article we will explain how using undocumented commands (if the term “documented” is generally applicable to Intel ME), you can overwrite SPI flash memory and implement the worst scenario — local exploitation of vulnerability in ME (INTEL-SA-00086). Intel ME turned out to be an undocumented mode of operation - Manufacturing Mode. 3r317. 3r33355.
 3r33333.
 3r33333.

What is Manufacturing Mode

 3r33333. Intel ME Manufacturing Mode - service mode of operation, designed to configure, configure and test the final platform at the production stage; it must be disabled before the equipment goes on sale and shipped to the user. Neither this mode nor its potential risks are described in the Intel public documentation. A regular user does not have the ability to turn it off independently, since the utility for managing it from the Intel ME System Tools package is not officially available. Note that no software protection is able to protect the user, in case this mode is turned on, or at least notify him about it. Even the utility Chipsec [2]3r33333. which is specifically designed to detect chipset and processor configuration errors at the UEFI firmware level (in particular, incorrect configuration of access rights to SPI flash regions), does not know anything about Intel Manufacturing Mode.
 3r33333.
 3r33333. This mode allows you to set critical platform parameters stored in single write memory (FUSES). An example of such parameters that are “sewn up” in FUSES are the BootGuard parameters (mode, policies, digital signature key checksum for ACM and UEFI modules). Some of them are called FPF (Field Programmable Fuses). The list of FPFs that can be written to FUSES (incomplete, in fact, a number of FPFs cannot be specified directly) can be obtained through the FPT (Flash Programming Tool) utility from the Intel ME System Tools package.
 3r33333.
 3r33333.  3r33333.
 3r33333. Figure 1. Result of the work of the –FPFs option of the FPT 3r-3299 utility.
 3r33333.
 3r33333. It should be noted that FPFs account for only a fraction of the total FUSE array, and most of this memory is used by Intel itself for storing a variety of platform parameters. For example, part of the space of this array is called IP Fuses and is intended for storing the configuration parameters of individual hardware modules (Intelligent Property). For example, a special DFx Aggregator device stores at FUSE whether the platform is serial or test.
 3r33333.
 3r33333. In addition to FPF, in the Manufacturing Mode, the hardware manufacturer has the ability to set the parameters of the Intel ME firmware, which are stored in the internal file system of the firmware - MFS, on SPI flash media. These parameters can be changed if SPI flash is reprogrammed. They are called CVARs (Configurable NVARs, Named Variables).
 3r33333.
 3r33333. Intel ME firmware module mca_server is responsible for installing CVARs. MCA is the abbreviation of the Manufacture-Line Configuration Architecture, a generic name for the platform configuration process during production. CVARs, like FPF, can be specified and read using FPT.
 3r33333.
 3r33333. 3r360.
 3r33333.
 3r33333. [i] Figure 2. List of CVARs displayed by the FPT utility for the Broxton P 3r3-33299 platform.
 3r33333.
 3r33333. The CVARs variable list depends on the platform and version of the Intel ME firmware. For chipsets that support Intel AMT, one of these variables is the password to enter the MEBx (ME BIOS Extension).
 3r33333.
 3r33333. Installing FPFs and virtually all CVARs variables is possible only if the Intel ME firmware operates in Manufacturing Mode. The installation of the FPFs itself is divided into two stages: setting the values ​​of FPFs (which are stored in temporary memory) and transferring the values ​​of FPFs to the array of fusions. In this case, the first stage is possible only in Manufaturing Mode, and the actual “burning” occurs automatically after exiting the Manufacturing Mode, if during operation in this mode the manufacturer specified FPF values ​​and the corresponding range in the array of fusions has never been recorded yet. Thus, if the system operates in the Manufacturing Mode, the FPF variables are most likely not initialized.
 3r33333.
 3r33333. The Disabling Manufacturing Mode attribute is stored in the /home /mca /eom file on the MFS, so when overwriting the SPI flash firmware with the base file system (for details see 3r35454. W2w2w???r3355.), The platform can function again in the Manufacturing Mode (but rewrite FUSES will not work).
 3r33333.
 3r33333.

OEM public key

 3r33333. Thus, the procedure for configuring Intel platforms is quite complicated and consists of several stages. If the manufacturer of the equipment broke or changed the sequence, then the platform is at serious risk. Even if the Manufacturing Mode is complete, the manufacturer could not write down FUSES, which would allow an attacker to do it for him by writing his values ​​instead of the key for signing the start code of the BootGuard (ACM) and UEFI modules and thus allowing the platform to boot only with its malicious code, and full time. This will lead to irretrievable loss of equipment, since the fraudulent key will be stored in permanent memory forever (details of this attack can be found in the study of Safeguarding rootkits: Intel BootGuard, 3r3503. W2w2w215. ).
 3r33333.
 3r33333. In the new systems (Apollo Lake, Gemini Lake, Cannon Point), FPF stores not only the key for BootGuard, but also the OEM public key (or rather, the SHA-256 from the RSA OEM public key), on which several ME protection mechanisms are based. For example, a special SPI flash section, called the Signed Master Image Profile (SMIP), stores the manufacturer-specified PCH Straps (PCH hardware configuration). This section is signed on the key, SHA-256 from which is placed in a special file on SPI flash. This file is called oem.key, located in the FTPR section and contains various public keys supplied by the OEM to sign a wide variety of data. Here is a complete list of data sets that are signed by the manufacturer, each on a unique key, for the Cannon Point platform:
 3r33333.
 3r33333.  3r33333.
 3r33333. [i] Figure 3. The list of signed OEM data of the CNP 3r32-2399 platform.
 3r33333.
 3r33333. The oem.key file itself is signed by the OEM shared root key, the hash sum of which should be written to FPFs.
 3r33333.
 3r33333. 3r3114.
 3r33333.
 3r33333. [i] Figure 4. OEM Signing
 3r33333.
 3r33333.

Bypassing the lock entry in the ME-region 3r3309.
 3r33333. Until recently (before Intel Apollo Lake), Intel ME firmware was located in a separate SPI-region, which had independent access rights for CPU, GBE and ME. Thus, with the correct configuration of access attributes from the CPU (main system), it was impossible to either read or write ME firmware. However, modern Intel chipset SPI controllers have a special Master Grant mechanism. This technology assigns to each SPI master a strictly defined part of the SPI flash, this master is the owner of its region, regardless of the access rights specified in the SPI descriptor. Each master has the opportunity to provide access (for reading or writing) to his (and only his) region to another master as he wishes.
 3r33333.
 3r33333.  3r33333.
 3r33333. Figure 5. An excerpt of Intel documentation describing the SPI Master Grant
 3r33333.
 3r33333. Thus, even if a ban on access to the SPI region of the ME by the host is registered in the SPI descriptor, the ME can still provide access to its data. In our opinion, this is done to enable the upgrade of the Intel ME firmware bypassing the standard algorithm.
 3r33333.
 3r33333.
Host ME Region Flash Protection Override

 3r33333. The Intel ME firmware has a special HECI command that allows you to open write access to the ME-region SPI from the CPU. It is called HMR FPO (Host ME Region Flash Protection Override). In one of our previous studies, we described this[5]command in detail. . She has a few features.
 3r33333.
 3r33333. After receiving the HMR FPO command, the firmware will allow access to its region 3r-3298. 3r33320. only after 3r3321. 3r33232. reboot. The ME itself also provides protection: the command is perceived only during the execution of the UEFI BIOS, up to the so-called End of Post moment (EOP). EOP is another HECI command that the UEFI BIOS sends before it transfers control to the operating system (ExitBootServices). In some BIOS Setup you can find an option that ensures that the HMRFPO command is sent to EOP.
 3r33333.
 3r33333.  3r33333.
 3r33333. Figure 6. Opening the ME region in BIOS
 3r33333.
 3r33333. After receiving the EOP, the ME firmware ignores the HMR FPO, returning the corresponding status. 3r33320. But this happens only after the completion of the Manufacturing Mode [/b] . Thus, ME firmware in Manufacturing Mode perceives HMR FPO 3r-3320. at any time, regardless of End of Post [/b] . If the manufacturer has not closed the Manufacturing Mode, the attacker (formally, administrative rights are required for this, but even the OS kernel cannot overwrite the ME firmware initially) can change the ME firmware at any time. At this stage, the attacker can overwrite the image of ME, for example, to exploit the INTEL-SA-00086 vulnerability. In this case, it is necessary to reboot, but this is not a hindrance on almost all platforms except the MacBook. Precisely on Apple computers, there is an additional check in UEFI, which is carried out at the time of launch and blocks the launch of the system if the ME region is opened using HMRFPO. However, as we will show later, this protection mechanism is overcome if ME firmware operates in Manufacturing Mode.
 3r33333.
 3r33333.

Reboot ME without rebooting the main CPU 3r3309.
 3r33333. In modern computers there are several options for restarting the platform. Of these, they are documented: global reboot and reboot only the main CPU (without rebooting ME). However, if there is a way to reboot the ME without rebooting the main CPU (also executing the HMRFPO command), access to the region will open, and the main system will continue to function.
 3r33333.
 3r33333. 3r3195.
 3r33333.
 3r33333. Figure 7. Manage reboot type
 3r33333.
 3r33333. Examining the internal ME firmware modules, we found that there is a HECI command ( "??? ??? 0b ??? ???" 3r3-3321., For details on sending commands, see[5]) To reboot only (!) The kernel Intel ME, which can be sent to Manufacturing Mode at any time, even after EOP.
 3r33333.
 3r33333.  3r33333.
 3r33333. [i] Figure 8. Listing of the disassembler of the function that performs the processing of HECI-commands restart ME 3r-3299.
 3r33333.
 3r33333. 3r33320. Thus, the attacker, sending these two HECI-commands, opens the ME-region and can write any data there, without rebooting the platform 3r3321. . At the same time, it does not matter what the SPI descriptor contains, that is, the correct protection attributes of the SPI regions do not protect the ME firmware from being modified if the system is operating in the Manufacturing Mode.
 3r33333.
 3r33333.
Practical case: vulnerability CVE-2018-4251 3r3309.
 3r33333. We analyzed several platforms from different manufacturers. Among them were Lenovo laptops and Apple MacBook Pros. In the studied computers from the Yoga and ThinkPad line, we did not find any problems related to the Manufacturing Mode, but Apple-based laptops based on Intel chipsets operate in Manufacturing Mode . After sending this information to Apple, this error (CVE-2018-4251) was fixed in the macOS High Sierra ??? OS update.
 3r33333.
 3r33333.
Local operation of INTEL-SA-00086

 3r33333. So, using the CVE-2018-4251 vulnerability, an attacker can write old ME firmware versions that contain the INTEL-SA-00086 vulnerability, and at the same time, he does not need any SPI programmer or access to the HDA_SDO jumper (that is, physical access). Thus, the most dangerous - local - vector of this vulnerability is implemented (execution of arbitrary code in ME firmware). It is noteworthy that in the explanations to the security bulletin INTEL-SA-0008? Intel does not mention the open Manufacturing Mode as a means to exploit this vulnerability locally, without physical access, but only indicates that local operation is possible only if SPI regions are configured incorrectly. that is not true. To protect users, we decided to describe how to check the availability of the Manufacturing Mode and how to disable it.
 3r33333.
 3r33333.
How to protect yourself 3r3309.
 3r33333. The package of system utilities for developers of equipment based on chipsets and Intel processors (Intel System Tools) includes the MEInfo utility (TXEInfo, SPSInfo for mobile and server platforms, respectively), which is designed to obtain advanced diagnostic information about the current firmware management engine and the whole platform as a whole. We have demonstrated this utility in aboutbottom of our previous research on the disconnection of ME and undocumented mode HAP (High Assurance Platform)[6]. This utility, invoked with the –FWSTS flag, gives a detailed description of the status HECI registers and reports the status of the Manufacturing Mode (the 4th bit of the FWSTS status register indicates that Manufacturing Mode is active).
 3r33333.
 3r33333.  3r33333.
 3r33333. Figure 9. Example output from the MEInfo utility 3r-3299.
 3r33333.
 3r33333. We also developed the[7]program. , with which you can check the status of the Manufacturing Mode, if the user for any reason does not have access to Intel ME System Tools.
 3r33333.
 3r33333.  3r33333.
 3r33333. [i] Figure 10. Example of the mmdetect script
 3r33333.
 3r33333. The question arises of how to complete the Manufacturing Mode on its own, if it turned out that the manufacturer did not. To complete the Manufacturing Mode, the FPT utility has a special option, –CLOSEMNF, which, in addition to its main purpose, also allows you to set the recommended access rights to the SPI flash regions in the descriptor.
 3r33333.
 3r33333.  3r33333.
 3r33333. [i] Figure 11. The result of the work of the FTP utility with the option –CLOSEMNF 3r3-33299.
 3r33333.
 3r33333. In this example, we used the NO option of the –CLOSEMNF option to not perform a platform reboot, which is done by default immediately after the completion of the Manufacturing Mode.
 3r33333.
 3r33333.
Conclusion 3r3309.
 3r33333. Our research shows that the problem of Manufacturing Mode firmware Intel ME exists and even such large manufacturers as Apple are able to make mistakes when configuring Intel platforms. Worst of all, there is no public information on this topic and end users do not even realize such a serious problem that could lead to the loss of confidential information, the appearance of unrecoverable rootkits and the irretrievable removal of equipment.
 3r33333.
 3r33333. In addition, we have suspicions that being able to reboot ME without rebooting the main CPU may also lead to other security problems due to the out of sync BIOS /UEFI and ME states.
 3r33333.
 3r33333. 3r33320. Authors: Mark Ermolov and Maxim Goryachiy
 3r33333.
 3r33333.[1] Intel Management Engine Critical Firmware Update, Intel-SA-00086
 3r33333.[2]3r33333. GitHub - chipsec /chipsec: Platform Security Assessment Framework
 3r33333.[4] Fast, secure and flexible OpenSource firmware, Coreboot
 3r33333.[5]3r33338. Mark Ermolov, Maxim Goryachy, PHDays VI, 2016
 3r33333.[6]3r33333. Mark Ermolov, Maxim Goryachy, Disabling Intel ME 11 via undocumented mode, Positive Technologies ’blog
 3r33333.[7] Intel ME Manufacturing Mode Detection Tools
 3r33333.[8]3r33350. Alexander Ermolov, Safeguarding rootkits: Intel BootGuard
 3r33333.[9]3r33354. Dmitry Sklyarov, Intel ME: Flash File System. Explained
3r33333. 3r33333. 3r33333.
3r33333. 3r33333. 3r33333. 3r33333. 3r33333. 3r33333.