diff --git a/blobs/xx80/README b/blobs/xx80/README deleted file mode 100644 index d30e6856..00000000 --- a/blobs/xx80/README +++ /dev/null @@ -1,30 +0,0 @@ -The ME blobs dumped in this directory come from the following link: https://dl.dell.com/FOLDER04573471M/1/Inspiron_5468_1.3.0.exe - -This provides ME version 11.6.0.1126. In this version CVE-2017-5705 has not yet been fixed. -See https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00086.html -Therefore, Bootguard can be disabled by deguard with a patched ME. - -1.0.0:Automatically extract, neuter and deguard me.bin -download_clean_me.sh : Downloads vulnerable ME from Dell verify checksum, extract ME, neuters ME, relocate and trim it, then apply deguard patch and place it into me.bin - -sha256sum: -1990b42df67ba70292f4f6e2660efb909917452dcb9bd4b65ea2f86402cfa16b me.bin - -1.0.1: Extract blobs from original rom: -extract.sh: takes backup, unlocks ifd, apply me_cleaner to neuter, relocate, trim and deguard it, modify BIOS and ME region of IFD and place output files into this dir. - -sha256sum: will vary depending of IFD and ME extracted where IFD regions of BIOS and ME should be consistent. - -1.1: More blobs --------------------- -ifd.bin was extracted from a T480 from an external flashrom backup. - -sha256sum: -f2f6d5fb0a5e02964b494862032fd93f1f88e2febd9904b936083600645c7fdf ifd.bin - -sha256sum: -d3af2dfbf128bcddfc8c5810a11478697312e5701668f719f80f3f6322db5642 gbe.bin ------------------------- - -Notes: as specified in first link, this ME can be deployed to: - T480 and T480s diff --git a/blobs/xx80/README.md b/blobs/xx80/README.md new file mode 100644 index 00000000..81931cca --- /dev/null +++ b/blobs/xx80/README.md 
@@ -0,0 +1,42 @@ +# T480 Blobs + +The following blobs are needed: + +* `ifd.bin` +* `gbe.bin` +* `me.bin` + +## me.bin: automatically extract, neuter and deguard + +download_clean_me.sh : Download vulnerable ME from Dell, verify checksum, extract ME, neuter ME and trim it, then apply the deguard patch and place it into me.bin + +The ME blob dumped in this directory comes from the following link: https://dl.dell.com/FOLDER04573471M/1/Inspiron_5468_1.3.0.exe + +This provides ME version 11.6.0.1126. In this version CVE-2017-5705 has not yet been fixed. +See https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00086.html +Therefore, Bootguard can be disabled by deguard with a patched ME. + +As specified in the first link, this ME can be deployed to: + +* T480 +* T480s + +## ifd.bin and gbe.bin + +Both blobs were taken from libreboot: https://codeberg.org/libreboot/lbmk/src/commit/68ebde2f033ce662813dbf8f5ab21f160014029f/config/ifd/t480 + +The GBE MAC address was forged to: `00:DE:AD:C0:FF:EE MAC` + +## Integrity + +Sha256sums: `blobs/xx80/hashes.txt` + +# CAVEATS for the board: + +See the board configs `boards/t480-[hotp-]maximized/t480-[hotp-]maximized.config`: + +> This board is vulnerable to a TPM reset attack, i.e. the PCRs are reset while the system is running. +> This attack can be used to bypass measured boot when an attacker succeeds at modifying the SPI flash. +> Also it can be used to extract FDE keys from a TPM. +> The related coreboot issue contains more information: https://ticket.coreboot.org/issues/576 +> Make sure you understand the implications of the attack for your threat model before using this board. \ No newline at end of file
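Review bot: Deleting `blobs/xx80/README` removes the only inline integrity anchors for this directory (`1990b42d...` for `me.bin`, `f2f6d5fb...` for `ifd.bin`, `d3af2dfb...` for `gbe.bin`) while the replacement only points at `blobs/xx80/hashes.txt`, which is not part of this diff; please confirm `hashes.txt` is committed in the same change and regenerated, since the old `ifd.bin` hash came from "a T480 from an external flashrom backup" and will not match a file now taken from libreboot. The deleted text also documented `extract.sh` ("takes backup, unlocks ifd, apply me_cleaner to neuter, relocate, trim and deguard it, modify BIOS and ME region of IFD") and that script is not mentioned anywhere in the new README.md; either keep a short section for it or state explicitly that extracting blobs from an original ROM is no longer a supported path.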
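Review bot: The GBE line has a stray word inside the code span: "The GBE MAC address was forged to: `00:DE:AD:C0:FF:EE MAC`" should read `00:DE:AD:C0:FF:EE`. Further down, "As specified in the first link, this ME can be deployed to: T480 / T480s" is mis-cited: the first link in this file is the Dell Inspiron 5468 firmware package, which says nothing about ThinkPad deployment, so cite the actual source for that compatibility claim (the deguard project) or drop the attribution. Since the text states "In this version CVE-2017-5705 has not yet been fixed" and relies on it for deguard, the README should say plainly that the generated `me.bin` intentionally ships an ME that remains vulnerable to INTEL-SA-00086, so that the trade-off sits next to the TPM reset caveat rather than being implied. Minor style: "# CAVEATS for the board:" is a second top-level heading under "# T480 Blobs" and should be `##` like the other sections, the "download_clean_me.sh :" line has a space before the colon, and the file lacks a trailing newline.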