LegbaCore Research


A quick reference to some of the technologies we care about.

AMT - Intel Active Management Technology - An application that runs on the ME. This application is meant primarily for remote system management, and can provide capabilities such as remote screen visibility (including pre-OS screens, such as the BIOS configuration screen), BIOS updating, network traffic filtering, a custom serial-over-LAN protocol, and more.

Attestation - The act of providing some information (typically measurements meant to indicate the system integrity state) to an “appraiser” that will evaluate whether the system is in a trustworthy state or not. Often takes the form of the PCR values from a TPM, signed by a private key that is only available internally to the TPM.

BIOS - “Basic Input/Output System” - This term is still used generically to refer to the firmware of x86-based CPUs. If a BIOS is not UEFI-based it is referred to as a “legacy” BIOS.

DCRTM - Dynamic Core Root of Trust for Measurement - A mechanism to perform a “late launch” of a measured/trusted environment on a system that has not necessarily booted into a trusted state. Intel TXT and AMD SKINIT technologies are examples of this.

Dual Mode Treatment - See STM

EFI - Extensible Firmware Interface - Intel's original specification for a new x86 BIOS architecture, before it became an industry-consortium specification as UEFI.

Firmware - Software that is responsible for the initial bootstrap configuration of a system. Because it is responsible for initializing more complicated devices, it is usually stored in some non-volatile memory chip (such as a flash chip) on a simple-to-access bus (such as SPI/LPC).

Flash chip - A form of non-volatile memory where firmware (such as the BIOS, or OROMs) is stored.

ICH - Input/Output Controller Hub - An Intel chip meant to provide an interface between the CPU and relatively slow peripherals. Colloquially referred to as the “Southbridge.” Contains the LPC device PCI configuration space, where some BIOS access control registers reside. Superseded in some functions on newer systems by the PCH.

(G)MCH - (Graphics &) Memory Controller Hub - An Intel chip meant to provide an interface between the CPU and relatively fast peripherals. Colloquially referred to as the “Northbridge.” Contains the host controller/dram controller device PCI configuration space, where some SMM access control registers reside. Superseded in some functions on newer systems by the PCH.

LPC - Low Pin Count bus - Bus that the TPM is typically on.

ME - Management Engine - A microprocessor embedded into the MCH in older architectures, and into the PCH in newer architectures. Responsible for running off-CPU, security-critical applications such as AMT, Intel Anti-Theft technology, the Intel firmware TPM (fTPM), and others. The ME can run even in low-power states like ACPI S5 (what most people perceive as the system being “off/shut down”), in order to support remote wake.

MLE - Measured Launch Environment - The code and/or data measured as a consequence of running an Intel TXT GETSEC[SENTER] instruction. The measurements of the MLE are placed into the TPM (PCRs 17 & 18).

OROM - PCI Option ROM - x86-based code that is stored on a PCI expansion card, and read in and executed by the BIOS. If an OROM can be updated with attacker controlled code, it will likely lead to a security vulnerability.

PCI - Peripheral Component Interconnect - Originally an Intel device specification. The standard interface for talking to PCI expansion cards is also used extensively within the Intel architecture for early-boot interaction with hardware such as the ICH/MCH/PCH/memory controller, etc.

PCH - Platform Controller Hub - An Intel chip that has some functionality of the ICH & MCH in newer Intel architectures. Contains the LPC device PCI configuration space, where some BIOS access control registers reside.

PCR - Platform Configuration Register - A storage location within the TPM. Cannot be written to directly, but instead is “extended” into. The “extend” operation is

SCRTM - Static Core Root of Trust for Measurement - The core element that makes a “measured boot” (where early system measurements are stored into the TPM) trustworthy. The SCRTM is considered implicitly trusted, and if it is compromised a measured boot is automatically untrustworthy. In 2013 our “BIOS Chronomancy” talk showed that the SCRTM for many systems was implemented in the BIOS, and therefore untrustworthy.

SGX - Software Guard Extensions - A new Intel technology that will create “inverted sandboxes” wherein unprivileged code can run without privileged code being able to manipulate it. However, the hardware with this capability is not yet released.

SMI - System Management Interrupt - The CPU interrupt that tells the CPU to enter SMM.

SMM - System Management Mode - The most privileged execution mode of an x86 CPU. Capable of reading and writing all RAM, but its own memory is typically configured by the BIOS to be neither readable nor writable from outside SMM.

SMX - Safer Mode Extensions - The proper (non-marketing) name for TXT, as given in the Intel manuals.

STM - SMM Transfer Monitor - An isolation mechanism in Intel x86 CPUs that uses hardware support for virtualization to jail the SMI handler. One of LegbaCore’s core goals is to build an STM, and have it ship on commercial systems, so that compromised SMM does not lead to full system compromise.

SPI - Serial Peripheral Interface - The bus which the flash chip that holds the BIOS is typically on. Newer TPM 2.0 devices may also be on this bus.

TBA - Timing-Based Attestation - A special way to construct software self-checks such that if they are altered by an attacker to lie, the alteration will be detectable by a macroscopic change in the runtime needed to calculate the integrity measurements. Our work in this area consists of the papers “New Results for Timing-Based Attestation” (Oakland 2012) and “BIOS Chronomancy: Improving the Static Root of Trust for Measurement” (ACM CCS 2013). Other work in this area can be found here. This type of trust mechanism does not require trusted hardware, and has been applied to embedded systems in the past. We would like to apply it to the firmware of previously compromised devices such as NICs, HDs, and Embedded Controllers.

TCG - Trusted Computing Group - An industry consortium that creates specifications for trusted computing technologies like the TPM/SRTM/DRTM.

TPM - Trusted Platform Module - A passive chip that can be asked to generate keys, or accept keys, and then perform cryptographic operations such as digital signatures or encryption with those keys. (The TPM is generally understood to be very slow compared to the CPU, and should not be thought of as a crypto co-processor.) The TPM is typically used as a trusted storage location for measurements in attestation systems, because measurements can be stored in its PCRs and then retrieved with a digital signature made by a private key that is never available in main system RAM (to be stolen), but only ever available within the TPM. Recent disclosures have indicated that attackers may be able to extract a TPM-internal private key through a power-analysis side channel. However, it is not yet clear whether such an attack can be done remotely, or must be done physically, as is typically the case for this kind of side-channel analysis.
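The PCR “extend” operation, measured boot, and appraisal described under Attestation, PCR and TPM above, as an added example that is not LegbaCore's code. It assumes the standard TPM extend rule PCR_new = H(PCR_old || measurement) with a SHA-256 bank, models the quote signature only as the appraiser receiving the PCR value, and uses constructed placeholder byte strings in place of real firmware images.

```python
import hashlib
from typing import List, Tuple

HASH_ALGO = "sha256"  # TPM 2.0 SHA-256 bank; TPM 1.2 would use SHA-1 (assumption)


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM extend: the new PCR is H(old PCR || measurement); there is no direct write."""
    return hashlib.new(HASH_ALGO, pcr + measurement).digest()


def measured_boot(components: List[Tuple[str, bytes]]):
    """Each boot stage hashes the next component and extends the digest into one PCR,
    recording (name, digest) in an event log, as a measured boot does."""
    pcr = bytes(hashlib.new(HASH_ALGO).digest_size)  # PCRs start out all-zero
    log = []
    for name, blob in components:
        digest = hashlib.new(HASH_ALGO, blob).digest()
        pcr = pcr_extend(pcr, digest)
        log.append((name, digest))
    return pcr, log


def replay_log(log: List[Tuple[str, bytes]]) -> bytes:
    """Recompute the PCR an event log should have produced."""
    pcr = bytes(hashlib.new(HASH_ALGO).digest_size)
    for _, digest in log:
        pcr = pcr_extend(pcr, digest)
    return pcr


def appraise(reported_pcr: bytes, log, golden_pcr: bytes) -> bool:
    """Appraiser side: the log must replay to the reported PCR, and that PCR must match
    the known-good value. Order matters, so a reordered or altered chain fails."""
    return replay_log(log) == reported_pcr and reported_pcr == golden_pcr


# Constructed placeholder "firmware" blobs (not real images)
GOOD_CHAIN = [("SCRTM", b"scrtm-v1"), ("BIOS", b"bios-v1"), ("OROM", b"orom-v1")]
TAMPERED_CHAIN = [("SCRTM", b"scrtm-v1"), ("BIOS", b"bios-v1-implant"), ("OROM", b"orom-v1")]
REORDERED_CHAIN = [("SCRTM", b"scrtm-v1"), ("OROM", b"orom-v1"), ("BIOS", b"bios-v1")]
GOLDEN_PCR, _ = measured_boot(GOOD_CHAIN)


def demo() -> dict:
    results = {}
    for label, chain in (("good", GOOD_CHAIN), ("tampered", TAMPERED_CHAIN), ("reordered", REORDERED_CHAIN)):
        pcr, log = measured_boot(chain)
        results[label] = appraise(pcr, log, GOLDEN_PCR)
    # A log copied from a good boot does not replay to the PCR a tampered boot actually produced
    tampered_pcr, _ = measured_boot(TAMPERED_CHAIN)
    _, good_log = measured_boot(GOOD_CHAIN)
    results["forged_log"] = appraise(tampered_pcr, good_log, GOLDEN_PCR)
    return results
```

Only the good chain appraises as trustworthy; the tampered, reordered and forged-log cases all fail, which is why a compromised SCRTM (the first link) undermines everything extended after it.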

TXT - Intel Trusted Execution Technology - A capability built into some (typically enterprise-grade) Intel CPUs, wherein a blob of signed Intel x86 assembly (called the SINIT module, whose signature is verified by the CPU) can allow the invocation of an MLE. The MLE can be a standalone application, as in Flicker, or can be the root for measurement of some more complicated system such as a hypervisor, as in tboot.

UEFI - Unified Extensible Firmware Interface - An industry-consortium specification that defines the components of modern UEFI-based BIOSes. A UEFI-based BIOS that supports SecureBoot was a Microsoft logo requirement for Windows 8, which led to increased adoption.

x86 - CPUs based on the Intel 80x86 design. May be used to refer to the x86-64 architecture as well.

XROM - PCI Expansion ROM - More commonly referred to as OROM.