On Fri, Apr 10, 2015 at 2:53 AM, Andrew <
kyb...@riseup.net> wrote:
> Radoslaw Szkodzinski:
>> On Thu, Apr 9, 2015 at 8:58 PM, Andrew <
kyb...@riseup.net> wrote:
>>> 7v5w7go9ub0o:
>>>>
>>>>
>>>> On 04/08/15 22:48, Andrew wrote:
>>> I just saw that someone finally figured out the compression scheme for
>>> the AMT modules that Igor Skochinsky didn't manage to decode:
>>>
http://io.smashthestack.org/me/.
>>>
>>> Hopefully this means we'll see some disassemblies soon. Looks like
>>> arc-gnu-tools are now free again since the Synopsys acquisition:
>>>
https://github.com/foss-for-synopsys-dwc-arc-processors.
>>
Disassembling the kernel won't do much. The important parts are in
complex interaction between EFI, NIC firmware and ME... plus the true
bugs might be in the ROM code.
>>>
>>> Anyway, the page mentions this repo:
>>>
https://github.com/zamaudio/intelmetool. Judging from that code, it
>>> looks like I can answer a few of my own questions:
>>>
>>>> 1) Does Qubes' Xen automatically set those VT-d mappings to restrict
>>> the AMT core's DMA?
>>>
>>> No.
>>
>> This might even be impossible, these mappings are set in EFI DMAR.
>
> Disclaimer: I am woefully uninformed about the modern PC boot process,
> which as far as I can tell is basically a nightmare ;).
>
> If they are set by the EFI code, though, then it should be possible to
> have the EFI firmware change them after loading the Management Engine
> code, right? Or even just never set them in the first place.
Yes, that is possible. Or perhaps the hypervisor can do it and in this
way break AMT. That has partially happened in the past with broken
DMAR - hypervisor setting mappings such that iGPU to VM mapping
overrode the ME mapping.
In fact, those regions might even be set up as RMRR too nowadays,
which the hypervisor likely won't touch.
To decode these acronyms, read:
https://www.kernel.org/doc/Documentation/Intel-IOMMU.txt
> I realize I may be completely wrong on this, and that this is anyway
> probably more appropriate for the coreboot list.
Partly. Or check with FSF guys who actually managed to get rid of ME
on an older chipset - probably at the cost of features.
That might be tricky with the newer chipsets...
>>>> 2) How do I check?
>>
>>> You can check that a device has been passed through to a domain with
>>> $ xl pci-list <domain>
>>>
>>> (according to
http://wiki.xen.org/wiki/VTd_HowTo).
>>>
>>> I really don't know how to check that the VT-d mapping is *truly* set,
>>> though. Maybe booting with iommu=verbose will tell?
>>
>> Add "debug" option to Xen kernel line.
>
> Thanks. Also iommu=verbose shows '[VT-D]iommu.c: ... unmap bdf = ...'
> and '[VT-d]iommu.c: ... map bdf = ...' messages.
Those are only for the new mappings, you will need messages describing
current DMAR and RMRR - this should be dumped by the Linux kernel on
dom0 boot and likewise by Xen in debug mode.
> Marek: is there any reason to build this as a module? And in which
> source can I find the implementation for rd.qubes.hide_all_usb?
That implementation is in the Qubes initramfs script for Dracut, as
Marek mentioned.
I think it was built as a module to simplify binding and unbinding
during initramfs part of the boot. Could be rewritten to use sysfs
instead.
>> Earlier than that is not possible yet, could be turned into a Xen
>> kernel option to preset the mapping and not show the device directly
>> to the dom0. Nobody has written this kind of patch - could be useful
>> for PVH Dom0 with hardware redirected into PVH DomU. Ask xen-devel
>> perhaps?
>
> Hmm, OK. I wonder now, though, what the benefit would be. The two
> things that appear to matter are:
> 1) Preventing communication with the MEI interface, which could be
> accomplished by building xen-pciback into the kernel, or just deleting
> the mei_me.ko module (right?)
This doesn't buy you that much, but redirecting it would reduce attack surface.
> 2) Actually isolating the AMT core from the rest of the system, to the
> extent possible. This might be do-able by modifying the EFI BIOS. At
> the least we can limit the MEI controller's access.
Not sure how much IOMMU can limit low level access to memory by ME, if at all.
See, some ME operations are done in a mode that is even higher in
security model than SMM (System Management Mode).
>>>> 4) Is this the AMT core's bus presence?
>>>
>>> Still not sure. It's at least the presence for the host interface.
>>
>> This is just the MEI control, used for IPMI signalling (reboot
>> control), toggling antitheft, toggling remote network operation,
>> setting password locally, setting IDE mappings etc.
>
> OK, so we definitely want this assigned to a quarantine domain.
Separate domain, perhaps. But you should handle IPMI messages in there
- for reboots.
>> ME can additionally framegrab the iGPU (framebuffer in system memory),
>> provide PS/2 input devices then memory bounce data MMIO-like for
>> network firmware to read.
>
> ...Jesus Christ. Assigning the network card to a separate domain (i.e.
> NetVM) should prevent its access to the NIC at least, right? Right??!
Not really - I think this is done via DMAR or RSRR mapping for ME,
then the NIC directly uses its own DMA engine to read this configured
memory area and turn it into packets.
(This including wifi and cellular modules.)
This is why AMT is not available in some devices and mainboards with
the cheap versions of network chips, without DMA engine.
>> The interface used to listen for the network
>> interfaces is not known to me. Rafał Wojtczuk knows much more than
>> that - and as part of ITL has managed to exploit the network interface
>> firmware to do generic DMA using this back in 2009.
>
> So the slides he made appear contradictory: at the same time, he says an
> AMT rootkit can change the DMAR tables itself and therefore bypass VT-d,
> but then says that assigning the ME PCI device to a driver domain
> prevents access to Dom0 memory.
The latter is still true, if you reassign it, you only leave its own
mappings that have been set by the firmware - and remove all others
thanks to remapping.
This doesn't prevent bugs in ME code or network firmware from
installing a rootkit in this firmware, if that is possible; especially
one surviving only a warm reboot, which is enough to get full memory
access.
> How are both possible?
The confusion is caused due to talking about operations at different
times. Changing early DMAR is only possible around reboot, while
access to dom0 memory is possible right after running the exploit, if
mappings are not reconfigured. (such as by forwarding the device)
> And really:
> what is the 'special interface' to the NIC? Do I need to remove my PCIe
> NIC and use only a generic USB WiFi card?
That is usually for a built-in mainboard NIC only. It will not work
with any other kind... well, maybe if said NIC supports DMA engine,
the firmware could configure it properly.
Alternatively, if an EFI driver is loaded it might work in some way
through an EFI service - never heard of such a way though, but it's
not impossible.
>> How it is setup has not yet been reverse engineered, but it is in the
>> special firmware mode which is disabled after startup.
>>
>> The framegrabbing and related networking parts actually use IOMMU - it
>> is pre-setup in DMAR by the EFI code. When IOMMU is enabled and AMT is
>> also enabled, the firmware uses a different DMAR table. There were
>> bugs related to that - garbage in the alternate tables.
>
> I really don't know what this means :). Can you explain a bit more?
Uh, read the kernel doc I linked.
Also this might help a bit:
http://firmware.intel.com/sites/default/files/resources/A_Tour_Beyond_BIOS_Using_Intel_VT-d_for_DMA_Protection.pdf
>>>> 5) If so, is it true that the AMT core can be isolated from the rest
>>> of the system by restricting this device?
>>>
>>> Still have no idea!
>>
>> You could try, but I think there is not really a way to countermand a
>> base DMAR mapping set by firmware. Trying it will probably just fail
>> with an error.
>
> But is it possible to change the firmware itself and prevent the AMT
> core from having access to any memory/MMIO devices other than its own range?
Not completely, some of these mappings are set by ME itself, possibly.
The situation with those is not yet well researched.
Adding a mapping for all unmapped memory (such as by moving the MEI
controller into a VM) will (partly?) disable the ability to read/write
dom0 memory (replacing it with chosen domU), but not the network
device, fake PS/2 devices or iGPU, which already have a mapping.
If you can modify DMAR setup code in firmware, you might be able to
disable those mappings. If they are not protected, this can also be
done by the hypervisor.
Heck, it might be enough to toggle AMT in the ME to not have them.
That said, ME <-> NIC interface is always on, as there is a way to
remotely setup and enable ME.
(Not sure if it is still possible with latest ME code versions, > 7.x.)
--
Radosław Szkodziński