Advanced x86:
BIOS and System Management Mode Internals
PCI Option/Expansion ROMs
Xeno Kovah && Corey Kallenberg
LegbaCore, LLC
All materials are licensed under a Creative
Commons “Share Alike” license.
http://creativecommons.org/licenses/by-sa/3.0/
Attribution condition: You must indicate that derivative work
"Is derived from John Butterworth & Xeno Kovah's 'Advanced Intel x86: BIOS and SMM' class posted at http://opensecuritytraining.info/IntroBIOS.html"
https://trmm.net/Thunderstrike_31c3
Pierre Chifflier, UEFI and PCI Bootkits, PacSec 2013 [34]
Thunderstrike 2:
Sith Strike
Trammell Hudson – Two Sigma
Xeno Kovah, Corey Kallenberg – LegbaCore
PCI/PCIe Expansion ROMs (XROMs)
aka Option ROMs (OROMs)
• A PCI/PCIe Expansion ROM is executable code (typically x86 native code)
located on a PCI device
– It can technically carry native code for multiple architectures, so that the
same device can load just as well on a PPC system as on an x86 one
• Not every device will have one
– Graphics cards and network cards will likely have one
– A device can have multiple XROM images (one per architecture)
• Benign or otherwise, this code gets executed by the CPU/BIOS during the
boot process
• They are handled the same way on PCI Express as they are on PCI
• They are configured via a separate BAR called the Expansion ROM Base
Address Register
Expansion ROMs
• XROMs have their own BAR called the Expansion ROM Base Address Register
– On general (Type 0 header) PCI devices it is located at offset 30h
– On bridge (Type 1 header) devices it is at offset 38h
• The BIOS initializes the XROM BAR like the other BARs, but then also hands
off execution control to the code it points to
• XROMs are copied to memory before being executed
– On legacy systems they are copied into the C0000h to DFFFFh range
• The XROM BAR operates similarly to the other BARs, but the interpretation
of the field's bits is slightly different
Expansion ROM Base Address Register
• The LSB (bit 0, the Expansion ROM Enable bit) determines whether accesses
to the Expansion ROM are permitted. When set to 1, they are permitted
• Even when a device has an Expansion ROM, its BAR may still read as 0
(the BIOS never mapped it, so access to it is not permitted)
• Like the other PCI BARs, the Expansion ROM BAR is R/W
Command Register and Address Space Access
• An expansion ROM will only respond to accesses if the Expansion ROM Enable
bit (bit 0 of the XROM BAR) and the Memory Space Enable bit (bit 1 of the
Command Register at offset 04h) are both set
How CPU/BIOS Discovers XROMs
• To determine whether the device has implemented an Expansion ROM BAR:
• All 1's are written to the top 21 bits (31:11) of the Expansion ROM BAR,
i.e. the CPU/BIOS writes FFFF_F800h (bits 10:1 are reserved and bit 0 is
the enable bit)
• If the device returns anything other than 0, then it has implemented an
Expansion ROM BAR
How CPU/BIOS Discovers XROMs
• The returned value indicates both the size of the ROM and the memory
alignment (mask) required by the ROM
• Per the above example, the device returns FFFE_0000h:
• Size = ~FFFE_0000h + 1 = 2_0000h bytes (128KB)
• The ROM must be mapped to a 128KB-aligned memory address
– So addresses like XXX00000h, XXX20000h, XXX40000h, etc.
How CPU/BIOS Discovers XROMs
• Next the CPU/BIOS maps the ROM to an unused portion of memory by writing
the chosen (size-aligned) address into the Expansion ROM BAR
• Then it sets the enable bit (bit 0) so that the ROM is now accessible at
the address defined by the BIOS
How CPU/BIOS Discovers XROMs
• The CPU/BIOS then checks memory at that address for the Option ROM header:
the first two bytes must be 55h AAh (the "AA55" signature when read as a
little-endian word)
• If anything other than the "AA55" signature is present, there is actually
no Option ROM provided by the device, despite the fact that it returns a
mask as if there were
– I have some ice cream. Want a lick? Psych!
• There may still be an option ROM, however; some companies implement them
in non-standard ways
(Header figure source: PCI Express Revision 3.0)
CPU/BIOS Expansion ROM Discovery
• A PCI device can share a decoder between the Expansion ROM BAR and other
BARs
• For example, some vendors mirror their Expansion ROMs at BAR[n] or at an
offset from BAR[n]
– NVidia sometimes puts them at BAR[0] + 30_0000h (per the developers of
Flashrom, http://flashrom.org/Flashrom)
• It is possible that there simply is no Expansion ROM present on the device
– It could instead be located in a compressed module in the BIOS binary
Expansion ROM Discovery:
User Example (Same as BIOS)
• This example pertains to the nVidia VGA card on the E6400 laptop
• Verify that the Memory Space Enable bit (bit 1) in the Command Register
(offset 04h) is set
• Writing FFFF_F800h to offset 30h returns FFFE_0000h, indicating that an
Expansion ROM [might be] present
– Bit 17 is the lowest set bit of the returned value, which indicates a
128KB ROM
– Size = ~FFFE_0000h + 1 = 2_0000h bytes
Expansion ROM Discovery:
User Example (Same as BIOS)
• We (or the BIOS) should be able to choose a memory address for the ROM to
be mapped to
– The address must meet the alignment requirement
– The address must provide enough room for the XROM, with nothing else
decoding that range
• Must enable XROM decoding (set bit 0, the enable bit)
Expansion ROM Discovery:
User Example (Same as BIOS)
• If there is anything other than the "AA55" XROM signature at the mapped
address, then there is actually no option ROM present on the device
• As it turns out, in this case, there is no option ROM located on the
device
• This option ROM is instead located on the BIOS flash as a compressed
module
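The discovery procedure from the preceding slides (probe with FFFF_F800h, derive size and alignment, map and enable, then check for the 55h AAh header) carried through in C, as an added example that is not part of the original class materials. It runs against a simulated Type 0 device and a constructed two-image ROM, so struct sim_dev, the 0xFE000000 base address, the 128KB size and both sample images are assumptions; the config-space offsets, the signature bytes and the PCIR data-structure layout follow the PCI Firmware specification. The no-ROM and broken-signature cases the slides describe are handled explicitly.

```c
/* Added example, not from the OpenSecurityTraining slides: simulated PCI Type 0
 * config space plus a constructed two-image XROM, walked through the BIOS flow. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PCI_COMMAND        0x04
#define PCI_CMD_MEM_ENABLE 0x0002u     /* Memory Space Enable, bit 1 */
#define PCI_XROM_BAR       0x30        /* Type 0 header; Type 1 bridges use 38h */
#define PCI_XROM_ENABLE    0x1u        /* Expansion ROM Enable, bit 0 */
#define PCI_XROM_ADDR_MASK 0xFFFFF800u /* address bits 31:11; 10:1 reserved */
#define SIM_ROM_SIZE       0x20000u    /* 128KB, as the E6400 VGA returned */

/* Simulated device (assumption): rom_size 0 means no XROM BAR is implemented. */
struct sim_dev { uint32_t cfg[64]; uint32_t rom_size; uint32_t xrom_bar; };

static uint32_t cfg_read32(struct sim_dev *d, unsigned off) {
    return off == PCI_XROM_BAR ? d->xrom_bar : d->cfg[off / 4];
}

static void cfg_write32(struct sim_dev *d, unsigned off, uint32_t val) {
    if (off != PCI_XROM_BAR) { d->cfg[off / 4] = val; return; }
    if (d->rom_size == 0) { d->xrom_bar = 0; return; }       /* reads back as 0 */
    uint32_t keep = ~(d->rom_size - 1) & PCI_XROM_ADDR_MASK; /* low bits wired 0 */
    d->xrom_bar = (val & keep) | (val & PCI_XROM_ENABLE);
}

/* Step 1: write 1's to bits 31:11 (FFFF_F800h), read back, restore. Returns
 * the ROM size in bytes (also the required alignment), or 0 if no XROM BAR. */
static uint32_t xrom_probe_size(struct sim_dev *d) {
    uint32_t saved = cfg_read32(d, PCI_XROM_BAR);
    cfg_write32(d, PCI_XROM_BAR, PCI_XROM_ADDR_MASK);
    uint32_t rd = cfg_read32(d, PCI_XROM_BAR) & PCI_XROM_ADDR_MASK;
    cfg_write32(d, PCI_XROM_BAR, saved);
    return rd ? ~rd + 1 : 0;                /* ~FFFE_0000h + 1 = 2_0000h */
}

/* Step 2: map at a size-aligned base and set the enable bit. Fails if the base
 * is misaligned or Memory Space Enable is clear (the ROM would not respond). */
static int xrom_map_enable(struct sim_dev *d, uint32_t base, uint32_t size) {
    if (base & (size - 1)) return -1;
    if (!(cfg_read32(d, PCI_COMMAND) & PCI_CMD_MEM_ENABLE)) return -1;
    cfg_write32(d, PCI_XROM_BAR, base | PCI_XROM_ENABLE);
    return 0;
}

/* Step 3: validate one image: 55h AAh signature, pointer at 18h to a "PCIR"
 * structure, image length (512-byte units) at PCIR+10h, code type at PCIR+14h
 * (0 = x86 legacy, 3 = UEFI), last-image flag in bit 7 of PCIR+15h. */
static uint32_t xrom_check_image(const uint8_t *img, size_t avail,
                                 uint8_t *code_type, int *last) {
    if (avail < 0x1A || img[0] != 0x55 || img[1] != 0xAA) return 0;
    size_t pcir = img[0x18] | (img[0x19] << 8);
    if (pcir + 0x18 > avail || memcmp(img + pcir, "PCIR", 4) != 0) return 0;
    const uint8_t *p = img + pcir;
    uint32_t len = (uint32_t)(p[0x10] | (p[0x11] << 8)) * 512;
    *code_type = p[0x14]; *last = (p[0x15] & 0x80) != 0;
    return (len && len <= avail) ? len : 0;  /* 0 = not a valid image */
}

/* Walks the chain: image count, 0 if no first image (no ROM after all), -1 if broken. */
static int xrom_walk(const uint8_t *rom, size_t size, uint8_t *types, int max) {
    size_t off = 0;
    for (int n = 0; n < max && off < size; ) {
        int last;
        uint32_t len = xrom_check_image(rom + off, size - off, &types[n], &last);
        if (!len) return n ? -1 : 0;
        if (last) return n + 1;
        n++; off += len;
    }
    return -1;
}

/* Constructed sample image (not a real vendor ROM): header plus PCIR at 20h. */
static void build_image(uint8_t *buf, uint32_t len, uint8_t code_type, int last) {
    memset(buf, 0, len);
    buf[0] = 0x55; buf[1] = 0xAA; buf[2] = (uint8_t)(len / 512);
    buf[3] = 0xCB;                          /* x86 RETF: harmless entry stub */
    buf[0x18] = 0x20;                       /* little-endian PCIR pointer */
    uint8_t *p = buf + 0x20;
    memcpy(p, "PCIR", 4);
    p[0x0A] = 0x1C;                         /* PCIR structure length */
    p[0x10] = (uint8_t)(len / 512); p[0x11] = (uint8_t)((len / 512) >> 8);
    p[0x14] = code_type; p[0x15] = last ? 0x80 : 0x00;
}
static uint8_t g_rom[SIM_ROM_SIZE];

/* Full discovery flow; returns the image count, with size and BAR written back. */
static int xrom_discover_demo(uint32_t *size_out, uint32_t *bar_out) {
    struct sim_dev d = { {0}, SIM_ROM_SIZE, 0 };
    d.cfg[PCI_COMMAND / 4] = 0x0007;         /* IO + Memory + Bus Master */
    build_image(g_rom, 512, 0x00, 0);        /* x86 legacy image, not last */
    build_image(g_rom + 512, 1024, 0x03, 1); /* UEFI image, last */
    memset(g_rom + 1536, 0xFF, SIM_ROM_SIZE - 1536); /* erased flash */
    uint8_t types[4];
    *size_out = xrom_probe_size(&d);
    if (!*size_out || xrom_map_enable(&d, 0xFE000000u, *size_out)) return 0;
    *bar_out = cfg_read32(&d, PCI_XROM_BAR);
    return xrom_walk(g_rom, *size_out, types, 4);
}

int main(void) {
    uint32_t size, bar;
    int n = xrom_discover_demo(&size, &bar);
    printf("XROM size %#x, BAR %#x, %d image(s)\n", (unsigned)size, (unsigned)bar, n);
}
```

On real hardware the cfg_read32/cfg_write32 pair is replaced by CF8h/CFCh port I/O or MMCONFIG accesses, and the BIOS must additionally pick a base that no other BAR or chipset range decodes. On Linux the same mapped image can be read from /sys/bus/pci/devices/<BDF>/rom after writing 1 to that file, which is a convenient way to check what the walk above would see on a live device.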
Expansion ROM Hacking
• Hacking an Expansion ROM typically requires reflashing the firmware on the
device
– Often the "RO" in "ROM" is a misnomer: the ROM is usually rewritable flash
– Although in the case we just saw, modifying the BIOS itself could permit
an attacker to insert a malicious XROM
• If a vendor offers a utility to update the device's flash, then you know
the flash is writeable
• Good reference on XROM hacking:
http://resources.infosecinstitute.com/pci-expansion-rom/
• It's important for Option ROMs to be measured (measured boot) before being
executed, so that a modified XROM is reflected in the TPM measurements
Secure Boot
• Systems that support UEFI/Windows 8 Secure Boot require XROMs to be signed
before the firmware will execute them
– Assuming you didn't turn off Secure Boot
• Apple systems don't support Secure Boot, therefore what worked in 2012
still works today
– The fact that these systems load XROMs off external peripherals like the
Thunderbolt Ethernet adapter makes it just that much easier to attack Macs
this way
References
• https://sites.google.com/site/pinczakko/building-a-kernel-in-pci-expansion-rom (Darmawan Salihun)
• http://www.blackhat.com/presentations/bh-dc-07/Heasman/Paper/bh-dc-07-Heasman-WP.pdf (John Heasman)
• http://pacsec.jp/psj13/psj2013-day2_Pierre_pacsec-uefi-pci.pdf (Pierre Chifflier)
• http://ho.ax/downloads/De_Mysteriis_Dom_Jobsivs_Black_Hat_Slides.pdf (Snare)
• https://trmm.net/Thunderstrike (Trammell Hudson)
• http://legbacore.com/Research_files/ts2-blackhat.pdf (Trammell Hudson, Xeno Kovah, Corey Kallenberg)