# BARing the System New vulnerabilities in Coreboot & UEFI based systems Presenting: Yuriy Bulygin (@c7zero), Oleksandr Bazhaniuk (@ABazhaniuk) Andrew Furtak, John Loucaides, Mikhail Gorobets # **Agenda** - Recap of SMM Pointer Vulnerabilities - Intro to Memory-Mapped I/O - MMIO BAR Issues - MMIO BAR Issues in UEFI Firmware - MMIO BAR Issues in Coreboot Firmware - Limitations - Mitigations - Tools - Conclusion Recap of SMM pointer vulnerabilities # Pointer Arguments to SMI Handlers # **Exploiting SMM pointers...** Exploit tricks SMI handler to write to an address in SMRAM (Attacking and Defending BIOS in 2015) # Attacking hypervisors via SMM pointers... Even though SMI handler check pointers for overlap with SMRAM, exploit can trick it to write to VMM protected page (Attacking Hypervisors via Firmware and Hardware) # **Example: SMIFlash SMI Handler** ``` VOID SMIFlashSMIHandler ( 2 3 SwSmi = (UINT8) DispatchContext->SwSmiInputValue; CpuState = pSmst->CpuSaveState; AddrHi = CpuState[Cpu].Ia32SaveState.ECX; AddrLo = CpuState[Cpu].Ia32SaveState.EBX; Buff = AddrHi; Buff = Sh164(Buff, 32); 8 Buff += AddrLo; 9 10 11 switch (SwSmi) { 12 13 case 0x21: ReadFlashData( (FUNC BLOCK *)Buff ); 14 15 16 case 0x25: ReadFlashInfo( (INFO BLOCK *)Buff ); 17 18 19 EFI STATUS ReadFlashData(IN OUT FUNC BLOCK *func) 20 21 22 sts = Flash->Read( 23 (UINT8*) (FlashStart + func->BlockAddr), func->BlockSize, (UINT8*) func->BufAddr 25 26 ); ``` Reported by ATR to BIOS vendor in June 2014 Similar to <u>publication</u> by Sogeti ESEC Lab ``` void EFIAPI SwSMIDispatchFunction(EFI HANDLE DispatchHandle, EFI SMM SW DISPATCH CONTEXT // ... struct smiflash arg *pointer; // see bellow for the struct int smi number = DispatchContext->SwSmiInputValue; // Retrieve a pointer from user provided value pointer = ecx << 32 | ebx; if (smi number != 0x25) pointer->unknown = 0; // some init ... switch (smi number) { case 0x20: // ... break: case 0x21: swsmi handler21 (pointer); ``` # SMI handlers now validate input pointers - SMI handlers now validate pointer + offsets received from the OS for overlap with SMRAM before using it (SmmIsBufferOutsideSmmValid). This does not block exploits using SMI handlers as proxies to attack hypervisor pages (Hyper-V, Windows 10 Virtual Secure Mode) - Most recently, EDKII implemented CommBuffer at fixed memory location to mitigate attacks on hypervisors and reporting to Windows through the Windows SMM Mitigations ACPI Table (WSMT) | Table 2. Protection Flags Field | | | | | | |---------------------------------|------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--|--|--| | Length | Bit offset | Description | | | | | þ | 0 | FIXED_COMM_BUFFERS If set, expresses that for all synchronous SMM entries, SMM will validate that input and output buffers lie entirely within the expected fixed memory regions. | | | | | 1 | 1 | COMM_BUFFER_NESTED_PTR_PROTECTION If set, expresses that for all synchronous SMM entries, SMM will validate that input and output pointers embedded within the fixed communication buffer only refer to address ranges that lie entirely within the expected fixed memory regions. | | | | | 1 | 2 | SYSTEM_RESOURCE_PROTECTION If set, expresses that firmware has taken steps ensuring that configuration for any system resources that are not configurable through an architectural mechanism (e.g. ACPI or PCI MMIO) must be locked by firmware before transitioning to Windows. | | | | Memory-Mapped I/O (MMIO) # **PCI Express** - PCI Express Fabric consists of PCIe components connected over PCIe interconnect in a certain topology (e.g. hierarchy) - Root Complex is a root component in a hierarchical PCIe topology with one or more PCIe root ports - Components: Endpoints (I/O Devices), Switches, PCIe-to-PCI/PCI-X Bridges - All components are interconnect via PCI Express Links - Physical components can have up to 8 physical or virtual functions - Some endpoints are integrated into Root Complex # **PCIe Config Space Layout** Source: PCI Express Base Specification Revision 3.0 # PCI/PCIe Config Space Access 1. Software uses processor I/O ports CF8h (control) and CFCh (data) to access PCI configuration of bus/dev/fun. Address (written to control port) is calculated as: - 2. Enhanced Configuration Access Mechanism (ECAM) allows accessing PCIe extended configuration space (4kB) beyond PCI config space (256 bytes) - Implemented as memory-mapped range in physical address space split into 4kB chunks per B:D.F - Register address is a memory address within this range ``` MMCFG base + bus*32*8*1000h + dev*8*1000h + fun*1000h + offset ``` # Memory-Mapped I/O - Devices need more space for registers - → Memory-mapped I/O (MMIO) - MMIO range is defined by Base Address Registers (BAR) in PCI configuration header - Access to MMIO ranges forwarded to devices | MMIO vs DRAM | High DRAM | Memory | |----------------------|----------------------------------|--------| | 4GB | Direct-mapped BIOS,<br>APIC, TPM | | | | Low MMIO | MMIO | | | BAR 1 – BAR n | | | Top of Low DDAM | ECAM | | | Top of Low DRAM ———— | Graphics Memory | | | | SMM Memory | | | | Low DRAM | Memory | # **MMIO BARs** | MMIO Range | BAR | Base | Size | En | Description | |-------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------|----|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | GTTMMADR SPIBAR HDABAR GMADR DMIBAR MMCFG RCBA MCHBAR | 00:02.0 + 10<br> 00:1F.0 + F0<br> 00:03.0 + 10<br> 00:02.0 + 18<br> 00:00.0 + 68<br> 00:00.0 + 60<br> 00:1F.0 + F0<br> 00:00.0 + 48 | 00000000F0000000<br> 0000000FD1F800<br> 0000007FFFFFF000<br> 00000000E0000000<br> 0000000FED18000<br> 0000000FED1C000<br> 00000000FED10000 | 00000200<br> 00001000<br> 00001000<br> 00001000<br> 00004000 | 1 | Graphics Translation Table Range SPI Controller Register Range HD Audio Register Range Graphics Aperture Root Complex Register Range PCI Express Register Range PCH Root Complex Register Range Memory Controller Register Range | # **MMIO** Range Relocation - MMIO ranges can be relocated at runtime by the OS - OS would write new address in BAR registers - Certain MMIO ranges cannot be relocated at runtime - Fixed (e.g. direct-access BIOS range) - Or locked down by the firmware (e.g. MCHBAR) ## MMIO BAR Issues ## Firmware use of MMIO #### **MMIO BAR Issue** # **Examples of MMIO BARs accessed in SMM** - EHCI (USB 2.0) controller MMIO BAR (B0:D26:F0, B0:D29:F0) - GBe LAN MMIO BAR (B0:D25:F0) - Root Complex Block Address (RCBA) on earlier platforms (B0:D31:F0) - SPI BAR on Skylake or later generations (B0:D31:F5) - AHCI (SATA) controller MMIO BAR (B0:D31:F2, B0:D31:F5) - xHCI (USB 3.0) controller MMIO BAR (B0:D20:F0) - Integrated Graphics Device MMIO BAR (B0:D2:F0) - B1:D0.F0 MMIO BAR • ... # SPI Controller MMIO BAR (Access to SPI Flash) ``` # chipsec_util.py uefi var-write B 55555555-4444-3333-2211-0000000000 B.bin # chipsec_util.py mmio dump SPIBAR ``` # Finding MMIO BAR issues at runtime Goal: Find all MMIO registers modified by SMI handler - 1. Dump MMIO range - 2. Trigger SMI - 3. Dump MMIO range and compare all registers **Problem:** many registers are modified by devices all the time! Up to 30,000 registers change in Graphics Device MMIO # Finding MMIO BAR issues at runtime #### Goal: Find all MMIO registers modified by SMI handler - 1. Dump MMIO range multiple times - 2. Find all registers which frequently change without SMM - 3. Dump MMIO range - 4. Trigger SMI - 5. Dump MMIO range and compare all registers - 6. Find registers which don't normally change - 7. Repeat this multiple times to confirm suspected registers are actually being modified in SMM - 8. Copy original contents of MMIO range to memory - 9. Relocate MMIO range (change its base address) to this memory - 10. Generate SMI - 11. Monitor changes in memory at suspected offsets ``` [x][ Module: Monitors MMIO changes done by SMI handlers [*] Configuration: MMIO BAR names: ['USBBAR'] Generate SMI: True SMI codes: [0x00:0x00] [*] SMM comm buffer (EBX) : 0x0000000009469000 [*] MMIO BAR 'USBBAR': base = 0x00000000F063C000, size = 0x00001000 [*] reading contents of MMIO BARs ['USBBAR'] reading 'USBBAR' [*] calculating normal MMIO BAR differences.. [*] 'USBBAR' normal difference (5 diffs): diff0: 0 regs [] diff19: 2 regs [70, 74] 2 regs changed: [70, 74] [*] fuzzing SMIs.. [*] SMI# 00: data 00, func (ECX) 0x00000000 reading 'USBBAR' generating SMI reading 'USBBAR' diffing 'USBBAR' (1024 regs) 2 regs changed: [70, 77] new regs: [77] [!] New changes found! repeating SMI reading 'USBBAR' diffing 'USBBAR' (1024 regs) 2 regs changed: [70, 74] new regs: [] ``` Monitoring changes in **USB MMIO BAR** ## MMIO BAR Issues in UEFI Firmware # Finding MMIO BAR issues in binaries - 1. Consider MMIO BAR (MBARA) of GBe LAN device (B0:D25:F0) at offset 0x10 - 2. Legacy PCIe config address is ``` (25 << 11) + 0x10 = 0xC810 ``` 0x8000C810 if with Enable bit (31) set 3. Memory-mapped ECAM address is ECAM base + offset to 4kB page of B0:D25:F0 + BAR register offset $$0xF8000000 + 0xC8010 = 0xF80C8010$$ 4. Look for these constants in the binaries of SMI handlers # GBe LAN MMIO BAR (B0:D25:F0) ``` int16 GBE MMIO access func() 2 ( signed int v0; // ebp@1 unsigned int *v1; // rax@1 int64 MBARA MMIO; // rbx@3 unsigned int v3; // er12@4 int v4; // er14@4 unsigned int v5; // edi@4 Read GBe MMIO BAR register from MMCFG: int v6; // er13@5 0xF8000000 + 0x19 << 15 + 0x10 = int v7; // er8@10 0xF80C8010 int v8; // edx@10 11 int *v9; // rdi@18 12 13 UG = G; 14 15 LOWORD(v1) = MEMORY[0xF80F8048]; if ( !(*(_WORD *)((MEMORY[0xF80F80F0] & 0xFFFFF 0x3414i64) & 0x20) ) 16 17 18 LOWORD(U1) = MEMORY[0xF80C80CC]; if ( !(MEMORY[0xF80C80CC1 & 3) ) 19 20 MBARA MMIO = MEMORY[0xF80C8010]; 21 22 LODWORD(v1) = *(DWORD *)(MEMORY[0xF80C8010] + 0x5800i64); Access to MBARA if ( (unsigned int8)v1 & 1 ) 23 MMIO registers 24 v3 = *(DWORD *)(MEMORY[0xF80C8010] + 0x5400i64); 25 V4 = *(DWORD *)(MEMORY[0xF80C8010] + 0x5404i64); 26 27 v5 = 0: *( DWORD *)(MEMORY[0xF80C8010] + 0xF00i64) |= 0x20u; 28 ``` # GBe LAN MMIO BAR (B0:D25:F0) Access to unchecked MBARA MMIO ``` MemorySetResetValues32((unsigned int *)(unsigned int)(MBARA MMIO + 3856), v8, v7); *(_DWORD *)(unsigned int)(MBARA_MMID + 32) = 71237632; sub 18000156C(0xFA0ui64, 6144); v0 = 70845440: if ( *(_DWORD *)(MBARA_MMIO + 3856) & 8 ) v0 = 0x4390440; if ( *(_DWORD *)(MBARA MMIO + 3856) & 4 ) v0 |= 4u; *( DWORD *)(unsigned int)(MBARA MMIO + 32) = ∪0; if ( !(sub 1800002A0((unsigned int)MBARA MMIU) & 0x800000000000000000164) ) *(_DWORD *)(unsigned int)(MBARA_NMIO + 32) = 71263232; v9 = (int *)(unsigned int)(MBARA MMIO * 32); ``` # EHCI MMIO BAR (B0:D29:F0) ``` v0 = 0; Calculate EHCI BAR register address 17 dev1 = 0x1D: // EHCI controller dev2 = 0x1A; // EHCI controller in MMCFG: 19 v9 = 0: 20 v11 = 0; 0xF8000000 + 0x1D << 15 + 0x10 result = sub 180001878(); if ( (unsigned int8)result > Ou ) 23 24 do 25 26 v2 = (unsigned int8)*(&v9 + 2 * v0) << 12; 27 v3 = ((unsigned int8)*(&dev1 + 2 * v0) << 15) + 0xF8000000164; Men BAR = *(unsigned int *)(v3 + v2 + 0x10);~ 28 29 v5 = ( int16 *)(v3 + v2 + 4); 30 v6 = *(WORD *)(v3 + v2 + 0x54); Read EHCI MMIO BAR 31 u7 = *u5: 32 if ( ( DWORD) Mem BAR != -1 ) 33 34 if ( (*(_WORD *)(((unsigned __int8)*(&dev1 + 2 * v0) << 15) 35 + 0xF8000000164 36 + ((unsigned int8)*(&v9 + 2 * v0) << 12) 37 + 0x54) & 3) == 3) Modify MMIO register 38 39 *( WORD *)(((unsigned int8)*(&dev1 + 2 * v0) << 15) 0x20 in EHCI MMIO + 0xF8000000164 40 + ((unsigned int8)*(&v9 + 2 * v0) << 12) 41 range + 0x54) = v6 & 0xFFFC; 42 43 *( DWORD *)(v3 + v2 + 0x10) = Mem BAR; 44 sub 180001A28(v3 + v2 + 4, 2i64); 45 46 if ( !(*( DWORD *)(Mem BAR + 0x20) & 1) ) 47 MemorySetResetValues32((unsigned int *)(unsigned int)(Mem BAN + 0x20), 0, 48); 48 49 MemorySetResetValues32((unsigned int *)(unsigned int)(New BAR + 0x20), 1, 0); 50 v5 = (int16 *)(v3 + v2 + 4); 51 ``` # Finding MMIO BAR issues in binaries Identify functions reading PCI config registers via legacy or ECAM access and find ones reading BAR registers using above constants #### Legacy PCI config read Access to register 0x88 in B0:D31:F0 ``` __int64 sub_10000320() { unsigned __int32 v0; // eax@1 v0 = pcie_read_dword(0i64, 0x1Fu, 0, |0x88u); return pcie_write_dword(0, 0x1Fu, 0, 0x88u, v0); } ``` #### Extended PCIe config access through MMCFG ``` unsigned __int32 __fastcall pcie_read_dword(__int64 a1, unsigned __int8 a2, unsigned __int8 a3, unsigned __int16 a4) { if ( a4 >= 0x100u ) return *(_DWORD *)((a3 << 12) + (a2 << 15) + ((unsigned __int8)a1 << 20) + (unsigned int)a4 - 0x8000000); outdword(0xCF8u, a4 & 0xFC | ((a3 | 8 * (a2 | 32 * (unsigned __int8)a1)) << 8) | 0x80000000); return indword(0xCFCu); }</pre> ``` # MMIO BAR Issues in Coreboot Firmware # Finding MMIO BAR issues in the source code - 1. Find functions within SMI handlers which read MMIO BAR PCI config registers (offsets $0 \times 10 0 \times 24$ or chipset specific offsets for integrated devices) - BAR registers can be read using memory-mapped config reads (offsets in ECAM memory space). In this case, normal memory reads will be used ``` reg_base = (void *)((uintptr_t)pci_read_config32(SA_DEV_IGD, PCI_BASE_ADDRESS_0) & ~0xf); ``` 2. Find all memory accesses to offsets off of BAR addresses within SMI handlers ``` write32(reg_base + PCH_PP_CONTROL, pp_ctrl); <<< memory write of modified pp_cntrl value read32(reg_base + PCH_PP_CONTROL);</pre> ``` 3. Can often search the names of the BAR registers and MMIO ranges (e.g. ``` SPI_BARO, RCBA/RCRB, PCI_BASE_ADDRESS etc.) ``` # mainboard\_io\_trap\_handler SMI handler ``` static void mainboard smi brightness down (void) □ { u8 *bar; if ((bar = (u8 *)pci_read_config32(PCI_DEV(1, 0, 0), 0x18))) printk(BIOS DEBUG, "bar: %08X, level %02X\n", (unsigned int)bar *(bar+LVTMA BL MOD LEVEL) &= 0xf0; if (*(bar+LVTMA BL MOD LEVEL) > 0x10) * (bar+LVTMA BL MOD LEVEL) -= 0x10; 8 9 10 11 12 static void mainboard smi brightness up(void) 13 14 15 if (*(bar+LVTMA BL MOD LEVEL) < 0xf0) *(bar+LVTMA BL MOD LEVEL) += 0x10; 16 18 19 20 int mainboard io trap handler(int smif) 21 □ { 22 23 switch (smif) { 24 25 case SMI BRIGHTNESS UP: 26 mainboard smi brightness up(); break: 28 29 case SMI BRIGHTNESS DOWN: 30 mainboard smi brightness down(); ``` bar pointer points to MMIO range of device B1:D0.F0 which can be modified by an attacker pointer to write to LVTMA\_BL\_MOD\_LEVEL offset (when adjusting brightness level) SMI handler can be invoked by properly configuring I/O Trap hardware with BRIGHTNESS UP/DOWN function # southbridge\_smi\_sleep SMI handler ``` static void backlight off (void) reg base pointer points 3 void *reg base; relocateable IGD MMIO uint32 t pp ctrl; uint32 t bl off delay; reg base = (void *)((uintptr t)pci read config32(SA DEV IGD, PCI BASE ADDRESS 0) & ~0xf); SMI handler then uses /* Check if backlight is enabled */ reg base to read-modify- pp ctrl = read32 (reg base + PCH PP CONTROL); 10 write PP CONTROL register 11 if (!(pp ctrl & EDP BLC ENABLE)) 12 return: southbridge smi sleep(void) 13 /* Enable writes to this register */ 14 15 pp ctrl &= ~PANEL UNLOCK MASK; /* Figure out SLP TYP */ 16 pp ctrl |= PANEL UNLOCK REGS; reg32 = inl(ACPI BASE ADDRESS + PM1 CNT); 17 printk(BIOS SPEW, "SMI#: SLP = 0x%08x\n", reg32); /* Turn off backlight */ 18 slp typ = (reg32 >> 10) & 7; 19 pp ctrl &= ~EDP BLC ENABLE; switch (slp typ) { 20 21 write32(reg base + PCH PP CONTROL, pp ctrl); case SLP TYP S5: read32 (reg base + PCH PP CONTROL); 22 printk(BIOS DEBUG, "SMI#: Entering S5 (Soft Power off) \n"); Vulnerable backlight off is /* Turn off backlight if needed */ backlight off(); invoked when system goes to S5 ``` ### Limitations - 1. Exploit can overwrite specific offsets off of aligned addresses - MMIO ranges are typically normally (size) aligned - Most MMIO ranges are 4kB large (Graphics MMIO is 2-4MB) - Example: 16kB aligned Root Complex Base + 0x38xx (SPI registers) - PCI architecture allows MMIO ranges as small as 16 bytes - 2. Exploit may not be able to control values written - Firmware SMI handlers typically write specific values to MMIO registers - Often do Read-Modify-Write: reg +/- 0x10 - Certain SMI handler may write attacker-supplied data - SetVariable SMI handler write contents of UEFI variable supplied by the OS to SPI\_DATAx registers in SPIBAR MMIO range ### Limitations - Many conditions for SMI handler to start communicating with I/O device/controller - Device present/enabled, mode/feature supported - Is platform in ACPI mode? - Other SMM code may also use fake MMIO (and hang) - SMI may get triggered on difficult events power button, on S3 resume, etc. - 2. Often, SMI handlers implement protocol rather than just reading or writing to MMIO registers - IF Bit X in Reg1 is set THEN Write to Reg2 - Poll until certain bits are set/cleared in MMIO register (wait until SPI cycle complete) - When SMI handler waits for the device to respond or cycle to complete then it'll hang after MMIO BAR is relocated - 3. Non PCI-architectural BAR registers are locked down by boot firmware and cannot be relocated (MCHBAR, DMIBAR etc.) # **Mitigations** Option 1. SMI handlers can verify MMIO BAR doesn't overlap with SMRAM **Option 2.** Firmware can verify that MMIO BAR is not in DRAM (e.g. between TOLUD and 4GB or above TOUUD). This would ensure all BARs used by firmware are within MMIO **Option 3.** Firmware can reserve default MMIO range for all BARs. Before accessing MMIO range, SMI handlers can relocate BARs to the default range if they point to somewhere else # **SPIBAR Mitigation Example** - On latest platforms, SPI MMIO is a separate 4kB range rather than a part of Root Complex MMIO - Firmware reserves 0xFE010000 page for SPI MMIO and programs SPI BAR0 register in SPI controller with this address. - On any PCH SMI, SMI handler checks SPI\_BAR0 and restores it to 0xFE010000 if it's been relocated. Relocating SPI BAR var-write triggers SMI writing variable to SPI to memory PCI 00:1F.05 + 0x10: 0xFE010000 BAR. It succeeded! CPU0: RDMSR(0x34) = 00000000000000075 (EAX=00 500/5, EDX=000000000) write 0x89F50000 to PCI 00:1F.05 + 0x10 PCI 00:1F.05 + 0x10: 0x89F50000 writing EFI variable Name='test' GUID={55555555-4444-3333-2211-0000000000000} from 'test.bin' writing EFI variable was successful PCI 00:1F.05 + 0x10: 0xFE010000 SMI handler restored SPI CPU0: RDMSR(0x34) = 00000000000000079 BAR to the original location IN 0x00B2 -> 0x000000EC (size = 0x01) # Tools to assist in finding/analyzing these issues tools.smm.rogue\_mmio\_bar Attempts to create fake MMIO ranges in memory, relocate hardware MMIO BARs to the fake memory, then observe changes made by SMI handlers in relocated MMIO ranges tools.smm.bar Simply monitors changes made by SMI handlers in MMIO registers of specified MMIO BARs ### Conclusion - The root cause is that firmware assumes hardware is trusted - Hardware registers like PCI Base Address Registers can be modified by runtime software (some are locked down) - Firmware shouldn't assume addresses in BAR registers are correct and should treat them as untrusted input - Boot firmware should also validate contents of BAR registers upon resume from sleep if it restores them from S3 boot script Thank You!