16 gennaio 2017 necstlab me
play

16 Gennaio 2017 NECSTLab Me Federico Izzo - PowerPoint PPT Presentation

Dec 13, 2022 •488 likes •1.24k views

16 Gennaio 2017 NECSTLab Me Federico Izzo federico.izzo42@gmail.com github.com/Nimayer A thanks to Nicola Corna Who introduced me to coreboot and did the great part of the work on Intel ME nicola@corna.info github.com/corna Index What is

  1. 16 Gennaio 2017 NECSTLab

  2. Me Federico Izzo federico.izzo42@gmail.com github.com/Nimayer

  3. A thanks to Nicola Corna Who introduced me to coreboot and did the great part of the work on Intel ME nicola@corna.info github.com/corna

  4. Index What is coreboot? How do I install it? Intel ME

  5. What is coreboot? coreboot is a project meant to replace the proprietary �rmware (BIOS or UEFI) present in most computers We could say that coreboot is an open source BIOS

  6. However coreboot is not a proper BIOS A BIOS �rmware: performs hardware initialization provides runtime calls for the OS coreboot does just the hardware initialization Modern Windows versions and Linux don't use BIOS calls anymore You can still run DOS using SeaBIOS on coreboot

  7. Benefits FOSS software Safer Hackable BIOS backdoor free Very fast! (0.5/1 s from o� to Linux kernel boot) Written almost completely in 32-bit C language Unlike commercial BIOSes that are written in 16-bit assembler Follows the rule " initialize the hardware, then get out of the way "

  8. Downsides Few hardware supported Complex compilation Hard to install New CPU generations make development and installation harder Intel Boot Guard

  9. How does it work? coreboot code is split in four main stages: Bootblock Romstage Ramstage Payload

  10. Bootblock In this stage coreboot: Reads CMOS con�guration Decides in which mode to start ( Normal or Fallback )

  11. Romstage This is the most critical stage, here coreboot initializes RAM memory and Intel ME. Initializes debugging peripherals Initializes the chipset Con�gures the memory Allocates the shared memory Intel ME requires

  12. Ramstage During this stage coreboot initializes the remaining peripherals and then jumps into the payload. After this stage coreboot has done its work and won't execute any code until suspension or shutdown .

  13. Payloads Now that the hardware is initialized we can let another software continue the boot process. The most interesting payloads are: SeaBIOS Tianocore (UEFI) GRUB Linux

  14. Payloads There are also secondary payloads that can be booted: nvramcui: con�guration utility coreinfo: information dump Memtest86+: memory test Tint: tetris GRUB invaders: you get the idea

  15. SeaBIOS

  16. SeaBIOS A complete x86 BIOS implementation. coreboot + SeaBIOS provides you a complete BIOS system , good starting point for a coreboot setup.

  17. Tianocore

  18. Tianocore Tianocore is Intel's UEFI reference implementation , released under open source licenses. Duet is part of Tianocore, it should give you UEFI support on coreboot if you are able to make it work, I failed. Tianocore can also include SeaBIOS as CSM, to get an UEFI + BIOS system.

  19. GRUB

  20. GRUB You already know GRUB. Probably you don't know that GRUB can be run directly from coreboot, without a BIOS. This is due to the fact that Linux does not use BIOS legacy calls.

  21. GRUB It has some advantages with respect to SeaBIOS: Faster Has less code Built-in crypto Can unlock LUKS volumes Can verify kernel/initramfs signatures

  22. Linux

  23. Linux coreboot can boot directly a Linux Kernel from the onboard ROM. Has some drawbacks: you need to �ash again the ROM each time you want to update the kernel or even change the cmdline. It gives you even more flexibility than GRUB, For example look at the HEADS bootloader which uses tpm for �rmware and �lesystem measurement .

  24. nvramcui An utility to change CMOS con�guration.

  25. coreinfo An utility to view system info.

  26. Memtest86+ A tool to check the RAM health.

  27. TinT (Tint is not Tetris) TETRIS!!!

  28. GRUB invaders Space invaders!!!

  29. coreboot: how do I install it?

  30. The installation is divided into four steps: Prepare the building environment Dump your original BIOS Compile coreboot Flash the coreboot image

  31. The building environment here you can �nd the o�cial guide, that follows a questionable order. What you have to do is: Clone the coreboot repository $ git clone --recursive http://review.coreboot.org/p/coreboot $ cd coreboot Compile the cross-compiler , coreboot runs in 32bit mode make crossgcc-i386 CPUS=4 Con�gure coreboot make menuconfig

  32. Try it with QEMU! It is possible to try coreboot+payload on QEMU before messing with the hardware Do make menuconfig to con�gure coreboot check that the Mainboard menu looks like this: vendor: Emulation model: QEMU x86 q35/ich9 Leave the menucon�g and do make -jN to compile The coreboot.rom �le inside the build subfolder is your image You can run QEMU using qemu-system-x86_64 -M q35 -bios build/coreboot .rom

  33. To build an image for your laptop you will need a dump of the �ash content, to extract: Intel Flash Descriptor Intel ME Firmware Gigabit Ethernet Firmware Intel GPU VBIOS (optional)

  34. What there is inside an Intel PC flash: The Intel ME region is accessible only by ME itself , also, the BIOS region can be write-protected . However it is possible to read or write the entire �ash by connecting an external programmer to the �ash chip.

  35. Dumping the hard way The �ash chip uses the SPI protocol, So we can read its content using the SPI interface of a Raspberry Pi or a similar board with 3.3V GPIO

  36. Find the flash SOIC-8 SOIC-16 DIP-8 PLCC-32

  37. Clips! You can �nd the �ash chip pinout inside its datasheet You can use these to connect the chip SOIC-8 testclip SMD clips I found the SMD clips more reliable

  38. Connect the wires First of all unplug your charger and remove the battery Raspberry Pi pins to be connected in this order RPi Flash GND GND CS0 CS SPI0 SCLK CLK 3.3V PWR 3.3V SPI0 MISO MISO SPI0 MOSI MOSI

  39. Flashrom Compile �ashrom from the github repo or install it from your package manager The Raspberry Pi command is: flashrom -p linux_spi:dev=/dev/spidev0.0 -r dump.bin Flashrom may ask you to specify your chip model if he cannot detect it automatically, you can use the option -c <chipname> (e.g. on a Thinkpad X220 the option would be -c W25Q64.V ) A good practice is to make two dumps and compare the results (using diff ) to be more safe

  40. Extract the blobs The utility ifdtool included in the coreboot tree can be used to extract our dump Compile the utility cd coreboot/util/ifdtool make Extract the �ash regions mkdir extracted_dump cp dump.bin extracted_dump/ ./util/ifdtool/ifdtool -x extracted_dump/dump .bin You will �nd the extracted �ash regions in the folder: BIOS ME blob GbE blob Flash Descriptor

  41. Configuration coreboot uses a Linux kernel like con�guration Use make menuconfig to open the con�guration tool and the help button to get a description of the elements. I will show you a standard con�guration, it's up to you to try the other settings (hint: normal/fallback)

  42. Configuring coreboot pt.I The main options to set are: Mainboard Mainboard vendor: your computer brand Mainboard model: your computer model Rom chip size: the �ash chip size Chipset Include microcode in CBFS: Generate from tree Add Intel descriptor.bin �le: we extracted it before Add Intel ME/TXT �rmware: same thing Add gigabit ethernet �rmware: same thing

  43. Configuring coreboot pt.II Devices Use native graphics initialization: usually works Enable PCIe Clock Power Management: good idea Display Keep VESA framebu�er: graphical mode instead of text Generic Drivers Enable TPM support Payload Add a payload: SeaBIOS or one of your choice Secondary Payloads: see here

  44. Compiling To compile run make -jN The resulting image will be in coreboot/build/coreboot.rom

  45. Flashing coreboot To �ash the image the �rst time we need to use the SPI connection, as we did for the dump From the next time we can �ash directly from linux because in coreboot the write protection of the BIOS/ME blob is optional The command to �ash using a Raspberry Pi is: flashrom -c <chipname> -p linux_spi:dev=/dev/spidev0.0 -w coreboot.rom

  46. force_I_want_a_brick Once you have booted Linux, you can update coreboot using: flashrom -c <chipname> -p internal:laptop=force_I_want_a_brick -w coreboot .rom After updating coreboot, the best thing is to turn o� completely your computer in order to run the newly �ashed BIOS/ME blob

  47. Intel ME

  48. Intel ME Intel Management Engine is a secondary processor integrated in all Intel motherboard chipsets from 2008 onwards. It is mainly used for Intel AMT (Advanced Management Technology) on CPUs with vPRO enabled. Intel AMT is an out-of-band management technology, o�ering: network tunnel over untrusted network remote power control remote KVM network packet �lter PAVP for DRM media more ...

  49. Intel ME

  50. Intel ME

  51. ME capabilities Intel ME has access to: Any memory region The PCI bus The GPU Wired and wireless NIC (with dedicated MAC address) more ...

  52. The firmware Its �rmware is proprietary, so not security auditable, and it's signed with RSA by Intel It's not encrypted but a lot of modules are Hu�mann compressed with unknown hardware dictionary, so their code cannot be easily accessed.

  53. How do I disable it?

Recommend

NUOVI FARMACI E TRAPIANTO Udine 21-22 gennaio 2016 Integrazione dei nuovi farmaci nel programma

NUOVI FARMACI E TRAPIANTO Udine 21-22 gennaio 2016 Integrazione dei nuovi farmaci nel programma

NUOVI FARMACI E TRAPIANTO Udine 21-22 gennaio 2016 Integrazione dei nuovi farmaci nel programma trapiantologico della leucemia linfoblastica acuta: UN CASO CLINICOPEDIATRICO Which ALL is eligible for HSCT? 10% of children with

372 views • 36 slides
CAPTO Gennaio 2010 1 The problem to solve Nowadays information published on internet is

CAPTO Gennaio 2010 1 The problem to solve Nowadays information published on internet is

CAPTO Gennaio 2010 1 The problem to solve Nowadays information published on internet is not manageable any more; the consequence is that any internet search is not precise. Due to the overwhelming amount of information and the

317 views • 11 slides
Ernesto U. Savona Direttore e Professore di Criminologia Universit Cattolica del S. Cuore

Ernesto U. Savona Direttore e Professore di Criminologia Universit Cattolica del S. Cuore

24 gennaio 2017 Modulo Jean Monnet III ed. Universit di Catania conferenza su Nuove Competenze per Nuove Sfide: politiche nazionali ed europee per la lotta alla Criminalit Organizzata MAFIE IN EUROPA E NON SOLO: LE INFILTRAZIONI DELLA

283 views • 27 slides
M. Seri marco.seri@unibo.it Bologna 24 Gennaio 2009 Definitions Definitions Gene Gene :

M. Seri marco.seri@unibo.it Bologna 24 Gennaio 2009 Definitions Definitions Gene Gene :

M. Seri marco.seri@unibo.it Bologna 24 Gennaio 2009 Definitions Definitions Gene Gene : Introduced by Johansson in : Introduced by Johansson in Copenhagen for Mendels unit of inheritance Copenhagen for Mendels unit of inheritance

287 views • 16 slides
Quaderni del Dipartimento di Matematica e Informatica Universit` a degli Studi di Parma

Quaderni del Dipartimento di Matematica e Informatica Universit` a degli Studi di Parma

Quaderni del Dipartimento di Matematica e Informatica Universit` a degli Studi di Parma Gianfranco Rossi 1 , Federico Bergenti 2 Nondeterministic Programming in Java with JSetL 29 gennaio 2013 n. 510 Il presente lavoro ` e stato finanziato

325 views • 30 slides
The Role of Information and Communication Technologies in the Development of Inclusive Society for

The Role of Information and Communication Technologies in the Development of Inclusive Society for

The Role of Information and Communication Technologies in the Development of Inclusive Society for Persons with Disabilities Sub-ti Belgrade, 8-9 October 2015 1 www.FRED.fm ROMA, gennaio 2011 THE FRED AT SCHOOL PROJECT Sub-ti 3 THE

347 views • 22 slides
1 LN LNF DAFNE-light DAFNE BTF SPARC FLAME 2 DANE 3 F.Riggi, Microcosmo e macrocosmo,

1 LN LNF DAFNE-light DAFNE BTF SPARC FLAME 2 DANE 3 F.Riggi, Microcosmo e macrocosmo,

1 LN LNF DAFNE-light DAFNE BTF SPARC FLAME 2 DANE 3 F.Riggi, Microcosmo e macrocosmo, Vacanze studio Gennaio 2002 ATLAS experiment at LHC CERN e Athena 0.5 g of matter &amp; 0.5 g of antimatter -&gt; Hiroshima bomb E=mc 2 1 g of

1.07k views • 53 slides
LO SVILUPPO DELLOTTICA QUANTISTICA IN ITALIA ______ OTTICA QUANTISTICA E INFORMAZIONE

LO SVILUPPO DELLOTTICA QUANTISTICA IN ITALIA ______ OTTICA QUANTISTICA E INFORMAZIONE

LO SVILUPPO DELLOTTICA QUANTISTICA IN ITALIA ______ OTTICA QUANTISTICA E INFORMAZIONE QUANTISTICA Francesco De Martini Universita di Roma La Sapienza LEOS, Roma, 30 gennaio 2008 GLI ANTESIGNANI* F. Tito Arecchi, A. Sona CISE

397 views • 25 slides
Entry regulations and labour market outcomes: Evidence from the Italian retail trade sector

Entry regulations and labour market outcomes: Evidence from the Italian retail trade sector

La valutazione dellimpatto di interventi pubblici: metodi e studi di caso Firenze, 18-19 Gennaio 2007 Entry regulations and labour market outcomes: Evidence from the Italian retail trade sector Eliana Viviano Bank of Italy Introduction:

456 views • 26 slides
THE X-RAY VIEW OF MISALIGNED AGNs Eleonora Torresi INAF/IASF Bologna, ITALY with many thanks to

THE X-RAY VIEW OF MISALIGNED AGNs Eleonora Torresi INAF/IASF Bologna, ITALY with many thanks to

THE X-RAY VIEW OF MISALIGNED AGNs Eleonora Torresi INAF/IASF Bologna, ITALY with many thanks to Paola Grandi INAF/IASF Bologna Fermi and Jansky: Our Evolving Understanding of AGN, St. Michaels, MD luned 9 gennaio 12 MISALIGNED AGN (MAGN)

904 views • 35 slides
3/3/2017 Rick Guidotti 1 3/3/2017 2 3/3/2017 ALBINISM 3 3/3/2017 4 3/3/2017 5

3/3/2017 Rick Guidotti 1 3/3/2017 2 3/3/2017 ALBINISM 3 3/3/2017 4 3/3/2017 5

3/3/2017 Rick Guidotti 1 3/3/2017 2 3/3/2017 ALBINISM 3 3/3/2017 4 3/3/2017 5 3/3/2017 6 3/3/2017 MARFAN Syndrome Billy 7 3/3/2017 Dr. Nadia Caleb living with Achondroplasia Lily living with 4P-/ Wolf- Hirschshorn

566 views • 11 slides
Global and regional prospects 7 6.5 2017 (Jan16) 6.2 2017 (Apr16) 6 2017 (Jul16) 2017

Global and regional prospects 7 6.5 2017 (Jan16) 6.2 2017 (Apr16) 6 2017 (Jul16) 2017

19/09/2017 Global and regional prospects 7 6.5 2017 (Jan16) 6.2 2017 (Apr16) 6 2017 (Jul16) 2017 (Oct16) 4.7 5 2017 (Jan17) 2017 (Apr17) 4 3.6 3.5 By Klaus Schade 2017 (Jul17) 2.7 2.6 3 2.1 1.9 1.8 1.7 1.7 2 19 September

543 views • 4 slides
Normal 1 24/05/2017 We now think of it as normal 2 24/05/2017 3 24/05/2017 4

Normal 1 24/05/2017 We now think of it as normal 2 24/05/2017 3 24/05/2017 4

24/05/2017 What is Zero Carbon? Normal 1 24/05/2017 We now think of it as normal 2 24/05/2017 3 24/05/2017 4 24/05/2017 - but theres a Catch-22 5 24/05/2017 A plan that delivers what the physics &amp; the ambition of

648 views • 54 slides
6/12/2017 1 6/12/2017 2 6/12/2017 3 6/12/2017 1. To attract, manage and monitor tourism for

6/12/2017 1 6/12/2017 2 6/12/2017 3 6/12/2017 1. To attract, manage and monitor tourism for

6/12/2017 1 6/12/2017 2 6/12/2017 3 6/12/2017 1. To attract, manage and monitor tourism for the benefit of residents, industry and visitors 2. To make visiting Sedona a positive and seamless process 3. To sustain a reasonable balance

742 views • 24 slides
1 9/6/2017 Whats going on here? From America to Zanzibar exhibit 9/6/2017 4 Change the

1 9/6/2017 Whats going on here? From America to Zanzibar exhibit 9/6/2017 4 Change the

9/6/2017 Guided Play in Early Education: Becoming Brilliant Kathy Hirsh-Pasek, Ph. D . 9/6/2017 1 What do you hear? Repeat after me 9/6/2017 2 Now change the lens Collaboration (Following others) Repeat after me 9/6/2017 3 1

589 views • 26 slides
V1a 4/29/2017 Statistical Literacy: 2017 V1A 2017 CME 1 V1A 2017 CME 2 . Audience .

V1a 4/29/2017 Statistical Literacy: 2017 V1A 2017 CME 1 V1A 2017 CME 2 . Audience .

V1a 4/29/2017 Statistical Literacy: 2017 V1A 2017 CME 1 V1A 2017 CME 2 . Audience . 40%: School teachers: Current or previous 30%: College faculty: Current or previous 20%: Education, non-profit 10%: Industry, commercial V1A 2017

880 views • 55 slides
Vision: Introductory Lecture 2017 Prof Mitch Glickstein 1 16/01/2017 2 16/01/2017 It

Vision: Introductory Lecture 2017 Prof Mitch Glickstein 1 16/01/2017 2 16/01/2017 It

16/01/2017 Vision: Introductory Lecture 2017 Prof Mitch Glickstein 1 16/01/2017 2 16/01/2017 It becomes necessary to suppose the number limited, for instance to three principal colours. 3 16/01/2017 4 16/01/2017 5 16/01/2017

795 views • 11 slides
1 2 5 7 2016: 72% 2016: 20% 2016: 8% 2017: 67% 2017: 24% 2017: 9% 8 10 11 12 IDA

1 2 5 7 2016: 72% 2016: 20% 2016: 8% 2017: 67% 2017: 24% 2017: 9% 8 10 11 12 IDA

1 2 5 7 2016: 72% 2016: 20% 2016: 8% 2017: 67% 2017: 24% 2017: 9% 8 10 11 12 IDA Ireland Mid-Term Strategy Review Reorganisation of global footprint focusing on 4 territories NA, Europe, Growth Markets &amp; UK; UK to be

455 views • 16 slides
Novem ember er 2 nd nd , , 2017 2017 Q3 2017 Results November 2 nd , 2017 1 1 SAFE HARBOUR

Novem ember er 2 nd nd , , 2017 2017 Q3 2017 Results November 2 nd , 2017 1 1 SAFE HARBOUR

Q3 2017 Results lts Novem ember er 2 nd nd , , 2017 2017 Q3 2017 Results November 2 nd , 2017 1 1 SAFE HARBOUR STATEMENT This document, and in particular the section entitled 2017 Outlook, contains forward-looking statements. These

713 views • 30 slides
Firs rst t Qua uart rter er 2017 17 Result lts April 26, 2017 Q1 2017 Results Q2 2017

Firs rst t Qua uart rter er 2017 17 Result lts April 26, 2017 Q1 2017 Results Q2 2017

Firs rst t Qua uart rter er 2017 17 Result lts April 26, 2017 Q1 2017 Results Q2 2017 Results April 26, 2017 April, 2017 # 1 Safe Harbor Statement This document, and in particular the section entitled 2017 of competition in

584 views • 24 slides
Monday, 16 October 2017 Monday, 16 October 2017 Monday, 16 October 2017 Monday, 16 October 2017

Monday, 16 October 2017 Monday, 16 October 2017 Monday, 16 October 2017 Monday, 16 October 2017

24 Hour Property Purchase Buying a home in one day Paul Wareham Managing Director of Surveying and Conveyancing Services Countrywide Monday, 16 October 2017 Monday, 16 October 2017 Monday, 16 October 2017 Monday, 16 October 2017 Monday, 16

428 views • 16 slides
2017 Navigating the Annual Report and Proxy Season January 17, 2017 2017: Looking Ahead A

2017 Navigating the Annual Report and Proxy Season January 17, 2017 2017: Looking Ahead A

1/13/2017 2017 Navigating the Annual Report and Proxy Season January 17, 2017 2017: Looking Ahead A Cloudy Crystal Ball Christine Long New SEC Commissioners Jay Clayton Trump Nominee for Chair Sullivan &amp; Cromwell 3 1 1/13/2017

542 views • 25 slides
Data Supplied For: 2017-18 Board 2017-18 Approved 2017-18 2017-18 Original Operating

Data Supplied For: 2017-18 Board 2017-18 Approved 2017-18 2017-18 Original Operating

Second Interim Etiwanda Elementary TABLE OF CONTENTS 36 67702 0000000 San Bernardino County Form TCI G = General Ledger Data; S = Supplemental Data Data Supplied For: 2017-18 Board 2017-18 Approved 2017-18 2017-18 Original Operating

2.03k views • 143 slides
Is assessment an art or a science? 2 18/07/2017 3 18/07/2017 What do you see .? How many

Is assessment an art or a science? 2 18/07/2017 3 18/07/2017 What do you see .? How many

Is assessment an art or a science? 2 18/07/2017 3 18/07/2017 What do you see .? How many times do the players in white pass the ball? https://www.youtube.com/watch?v=vJG 698U2Mvo 18/07/2017 5 Simons &amp; Chabris (1999) 6 The

804 views • 55 slides

More recommend