ExternalVendorCode/heads
1
0
Fork 0
mirror of https://github.com/linuxboot/heads.git synced 2025-03-14 08:16:44 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'gaspar-ilom/poc_t480' into poc_t480

Browse Source 
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
This commit is contained in:
Thierry Laurion 2025-02-24 17:38:30 -05:00
commit e00944f034
No known key found for this signature in database
GPG Key ID: 9A53E1BB3FF00461
2 changed files with 42 additions and 30 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
blobs/xx80/README
View File

@ -1,30 +0,0 @@
The ME blobs dumped in this directory come from the following link: https://dl.dell.com/FOLDER04573471M/1/Inspiron_5468_1.3.0.exe
This provides ME version 11.6.0.1126. In this version CVE-2017-5705 has not yet been fixed.
See https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00086.html
Therefore, Bootguard can be disabled by deguard with a patched ME.
1.0.0:Automatically extract, neuter and deguard me.bin
download_clean_me.sh : Downloads vulnerable ME from Dell verify checksum, extract ME, neuters ME, relocate and trim it, then apply deguard patch and place it into me.bin
sha256sum:
1990b42df67ba70292f4f6e2660efb909917452dcb9bd4b65ea2f86402cfa16b me.bin
1.0.1: Extract blobs from original rom:
extract.sh: takes backup, unlocks ifd, apply me_cleaner to neuter, relocate, trim and deguard it, modify BIOS and ME region of IFD and place output files into this dir.
sha256sum: will vary depending of IFD and ME extracted where IFD regions of BIOS and ME should be consistent.
1.1: More blobs
--------------------
ifd.bin was extracted from a T480 from an external flashrom backup.
sha256sum:
f2f6d5fb0a5e02964b494862032fd93f1f88e2febd9904b936083600645c7fdf ifd.bin
sha256sum:
d3af2dfbf128bcddfc8c5810a11478697312e5701668f719f80f3f6322db5642 gbe.bin
------------------------
Notes: as specified in first link, this ME can be deployed to:
T480 and T480s

42
blobs/xx80/README.md Normal file
View File

@ -0,0 +1,42 @@
# T480 Blobs
The following blobs are needed:
* `ifd.bin`
* `gbe.bin`
* `me.bin`
## me.bin: automatically extract, neuter and deguard
download_clean_me.sh : Download vulnerable ME from Dell, verify checksum, extract ME, neuter ME and trim it, then apply the deguard patch and place it into me.bin
The ME blob dumped in this directory comes from the following link: https://dl.dell.com/FOLDER04573471M/1/Inspiron_5468_1.3.0.exe
This provides ME version 11.6.0.1126. In this version CVE-2017-5705 has not yet been fixed.
See https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00086.html
Therefore, Bootguard can be disabled by deguard with a patched ME.
As specified in the first link, this ME can be deployed to:
* T480
* T480s
## ifd.bin and gbe.bin
Both blobs were taken from libreboot: https://codeberg.org/libreboot/lbmk/src/commit/68ebde2f033ce662813dbf8f5ab21f160014029f/config/ifd/t480
The GBE MAC address was forged to: `00:DE:AD:C0:FF:EE MAC`
## Integrity
Sha256sums: `blobs/xx80/hashes.txt`
# CAVEATS for the board:
See the board configs `boards/t480-[hotp-]maximized/t480-[hotp-]maximized.config`:
> This board is vulnerable to a TPM reset attack, i.e. the PCRs are reset while the system is running.
> This attack can be used to bypass measured boot when an attacker succeeds at modifying the SPI flash.
> Also it can be used to extract FDE keys from a TPM.
> The related coreboot issue contains more information: https://ticket.coreboot.org/issues/576
> Make sure you understand the implications of the attack for your threat model before using this board.