Intel CPU firmware decryption tool released

Infosec experts have released a tool to decode and unpack the microcode for a class of low-power Intel CPUs, providing a look at how the chipmaker has implemented various security fixes and features, as well as things like virtualization.

Released Monday on GitHub, the Intel Microcode Decryptor is a collection of three Python scripts that users can run to decode the microcode, including the SGX XuCode, of certain Atom, Pentium, and Celeron CPUs based on Intel’s Goldmont and Goldmont Plus microarchitectures. The work was carried out by three researchers, Maxim Goryachy, Mark Ermolov and Dmitry Sklyarov, who previously uncovered several vulnerabilities in Intel processors.

Researchers noted that the tool cannot be used to create a custom microcode update because the “microcode has an RSA signature for integrity protection.” In other words, there are checks in place to prevent people, including rogues, from creating their own microcode updates to change the operation of CPU cores.

In response to questions from The Register, Intel seemed fairly relaxed about the tool’s release, although the US giant said it was not informed in advance of the researchers’ plans.

An Intel spokesman told us “there shouldn’t be any security risks” as a result of the tool’s availability. In fact, the company said that having more people review Intel’s microcode could help the chipmaker identify more vulnerabilities in the future. For anyone who does this successfully, it means potentially making some money through Intel’s bug bounty program.

“The ability for researchers to analyze microcode could enable the discovery of new vulnerabilities. Since this microcode has been uncovered, Intel welcomes researchers to participate in the microcode bug bounty program if any problems are discovered,” we were told.

Why accessing microcode is a big deal

When Goryachy alerted internet users to the microcode decryption scripts on Twitter, it caught the eye of more than a few minds in IT and security circles.

This is an important achievement as it lifts the lid on the complex world of processor design.

Chip designers like Intel have long used microcode to translate low-level machine instructions into circuit-level operations within CPU cores. Microcode can be loaded from memory by the processor, and thus updates to that code can be issued to fix bugs. These updates usually come as system software patches and BIOS upgrades.
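As an added illustration (not from the article or the researchers' scripts), this Python sketch parses the unencrypted 48-byte header that precedes each Intel microcode update, using the layout documented in Intel's Software Developer's Manual, and checks its 32-bit checksum. The sample blob and all its field values are constructed, and `parse_update` and `build_sample` are hypothetical names.

```python
import struct

# Public header: nine little-endian 32-bit fields followed by 12 reserved bytes.
HEADER = struct.Struct("<9I12x")

def parse_update(blob: bytes) -> dict:
    """Parse the plaintext header of one microcode update and check its checksum."""
    if len(blob) < HEADER.size:
        raise ValueError("truncated header")
    (hdr_ver, revision, date, cpu_sig, _checksum,
     _loader_rev, flags, data_size, total_size) = HEADER.unpack_from(blob)
    if hdr_ver != 1:
        raise ValueError("unknown header version")
    # A zero size field means the legacy fixed sizes (2000-byte payload).
    data_size = data_size or 2000
    total_size = total_size or data_size + HEADER.size
    if (total_size % 4 or total_size > len(blob)
            or data_size + HEADER.size > total_size):
        raise ValueError("inconsistent size fields")
    words = struct.unpack_from(f"<{total_size // 4}I", blob)
    return {
        "revision": revision,
        # Date is BCD, laid out as 0xMMDDYYYY.
        "date": f"{date & 0xFFFF:04x}-{date >> 24:02x}-{(date >> 16) & 0xFF:02x}",
        "cpuid_signature": cpu_sig,
        "platform_flags": flags,
        "total_size": total_size,
        # All dwords must sum to zero. This detects accidental corruption only;
        # tamper resistance comes from the RSA signature the article mentions.
        "checksum_ok": sum(words) & 0xFFFFFFFF == 0,
    }

def build_sample() -> bytes:
    """Constructed sample: a header plus 16 bytes of dummy payload."""
    payload = bytes(range(16))
    fields = [1, 0x38, 0x01102019, 0x506C9, 0, 1, 0x03,
              len(payload), HEADER.size + len(payload)]
    body = HEADER.pack(*fields) + payload
    total = sum(struct.unpack(f"<{len(body) // 4}I", body))
    fields[4] = -total & 0xFFFFFFFF  # choose the checksum so the sum is zero
    return HEADER.pack(*fields) + payload

if __name__ == "__main__":
    print(parse_update(build_sample()))
```

Comparing the parsed revision and date against what a host reports as loaded is a quick way to confirm a microcode fix has actually been deployed.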

Goryachy said the Intel Microcode Decryptor can be used to understand, for example, how the chip giant mitigated the Spectre vulnerability in Goldmont CPUs. He added that the scripts can also help people understand how Intel has implemented various technologies, such as Intel Trusted Execution Technology (TXT), Intel Software Guard Extensions (SGX), and Intel Virtualization Technology (VT-x).

Ermolov, one of the other tinkerers, added that the tool’s availability means that users can now research XuCode, a 64-bit mode variant of the x86 code used to implement parts of Intel SGX, loaded as a microcode update. SGX is Intel’s technology for creating secure enclaves in memory: these are protected areas that other software and users cannot tamper with, not even the operating system or hypervisor.

XuCode is quite interesting: the special x86 instructions for managing SGX enclaves are so involved that they are broken down into sequences of XuCode instructions that perform the desired operations.

These XuCode instructions are standard 64-bit x86 with some extensions, and are further broken down into the usual x86 micro-ops by the processor. When an application uses a high-level SGX instruction, the processor can jump to its XuCode to do the work.

These XuCode sequences are stored in microcode and can now be extracted using the above Python scripts and analyzed using standard x86 reverse engineering suites.

At runtime, the XuCode is stored in specially protected RAM, so some SGX instructions are effectively jumps to x86-like subroutines.

The genesis of the tools and a mix of reactions

According to the researchers, the Intel Microcode Decryptor was made possible after the trio found vulnerabilities in Intel’s chipsets in early 2020 that allowed them to enable an undocumented debugging mode called Red Unlock. This prompted the tinkerers to find the decryption key that would allow them to extract and decrypt the microcode.

Intel had a slightly different account of how the tool came about. The company spokesman told us that researchers reported the Red Unlock vulnerability to the chipmaker in 2017. The tinkerers used this vulnerability to analyze and document the microcode structure in May 2021, which included the release of a disassembler script, Intel pointed out. The disclosure of the Red Unlock issue prompted Intel to launch a bug bounty program for microcode vulnerabilities.

The reaction to the latest online tools has been a mixture of awe, intrigue and horror, with some people fearing the scripts could be used for malicious purposes while others hailed them as a breakthrough in understanding how at least some of Intel’s incredibly complex silicon works. Just have a look at the quote tweets and replies to Goryachy’s original tweet.

The release of the scripts was spearheaded by Gal Diskin, a former Intel employee who led product security for SGX and contributed to the feature’s design and architecture.

When asked if accessing the SGX microcode could lead to new types of attacks, Diskin had this to say: “We always assumed that one day our code would be open source and never allowed security by obscurity. At least that’s how we worked when I was leading the security evaluation for SGX.” However, Diskin noted that he hasn’t been with Intel since 2013. ®

