[121947] in cryptography@c2.net mail archive


Re: Just update the microcode (was: Re: defending against evil in all layers of hardware and software)

daemon@ATHENA.MIT.EDU (Sebastian Krahmer)
Tue Apr 29 11:28:05 2008

Date: Tue, 29 Apr 2008 08:08:25 +0200
From: Sebastian Krahmer <krahmer@suse.de>
To: John Ioannidis <ji@tla.org>
Cc: Cryptography <cryptography@metzdowd.com>
In-Reply-To: <48164CAC.20201@tla.org>


The "signature" in the microcode update does not have the same
meaning as within crypto. For Intel chips it has 31 bits and basically
contains a revision number. The requirements for the BIOS for
checking microcode updates are in short: check the crc and ensure
that older revisions can't replace new ones by comparing the "signature".
I did not try myself, but I think one can probably update anything
if you just hexedit the update header.
Afaik these chips do not own any crypto-related functionality
or storage capability (except precise timing and rand maybe) and
they are not tamper-proof. That's why TPM was invented :-)

l8er,
Sebastian

On Mon, Apr 28, 2008 at 06:16:12PM -0400, John Ioannidis wrote:

> Intel and AMD processors can have new microcode loaded to them, and this 
> is usually done by the BIOS.  Presumably there is some asymmetric crypto 
> involved with the processor doing the signature validation.
> 
> A major power that makes a good fraction of the world's laptops and 
> desktops (and hence controls the circuitry and the BIOS, even if they do 
> not control the chip manufacturing process) would be in a good place to 
> introduce problems that way, no?
> 
> /ji
> 
> ---------------------------------------------------------------------
> The Cryptography Mailing List
> Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com

-- 
~~
~~ perl self.pl
~~ $_='print"\$_=\47$_\47;eval"';eval
~~ krahmer@suse.de - SuSE Security Team
~~ SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
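
Added example, not part of the message above and not any vendor's loader code: the two loader-side checks the message describes (an integrity check and a revision comparison), sketched in C to show that both are plain arithmetic over the file and carry no information about who produced it. Assumptions: the 48-byte update header layout and dword-sum integrity check from Intel's public documentation; the function name, result codes and sample bytes are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

enum mc_result { MC_OK, MC_TRUNCATED, MC_BAD_CHECKSUM, MC_WRONG_CPU, MC_NOT_NEWER };

/* Read one little-endian dword regardless of host byte order. */
static uint32_t le32(const uint8_t *p)
{
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Loader-side checks: additive checksum, CPU match, revision ordering.
 * Offsets assume the 48-byte header layout from Intel's public documentation. */
enum mc_result mc_check(const uint8_t *blob, size_t len,
                        uint32_t cpu_signature, uint32_t current_revision)
{
    if (len < 48) return MC_TRUNCATED;
    uint32_t revision = le32(blob + 4);
    uint32_t proc_sig = le32(blob + 12);
    uint32_t total    = le32(blob + 32);
    if (total == 0) total = 2048;            /* 0 means the legacy fixed size */
    if (total < 48 || total > len || total % 4) return MC_TRUNCATED;

    uint32_t sum = 0;                        /* every dword, checksum field included */
    for (size_t i = 0; i < total; i += 4) sum += le32(blob + i);
    if (sum != 0) return MC_BAD_CHECKSUM;    /* detects corruption only; no key involved */
    if (proc_sig != cpu_signature) return MC_WRONG_CPU;
    if (revision <= current_revision) return MC_NOT_NEWER;
    return MC_OK;
}

/* Constructed sample: revision 0x12, CPU signature 0x6F2, 16 bytes of filler data. */
const uint8_t mc_sample[64] = {
    0x01,0,0,0, 0x12,0,0,0, 0x08,0x20,0x29,0x04, 0xF2,0x06,0,0,
    0xF7,0x2D,0x2C,0x51, 0x01,0,0,0, 0x01,0,0,0, 0x10,0,0,0,
    0x40,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0,
    0x11,0x11,0x11,0x11, 0x22,0x22,0x22,0x22, 0x33,0x33,0x33,0x33, 0x44,0x44,0x44,0x44,
};

int main(void)
{
    printf("sample vs revision 0x10: %d\n", mc_check(mc_sample, sizeof mc_sample, 0x6F2, 0x10));
    printf("sample vs revision 0x12: %d\n", mc_check(mc_sample, sizeof mc_sample, 0x6F2, 0x12));
    return 0;
}
```

Where authenticity matters, a check of this kind has to be paired with a signature verified against a key the loader trusts; the checksum and revision fields only catch corruption and accidental downgrade.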
