Just update the microcode (was: Re: defending against evil in all layers of hardware and software)
Sebastian Krahmer
krahmer at suse.de
Tue Apr 29 02:08:25 EDT 2008
The "signature" in the microcode update has not the same
meaning as within crypto. For intel chips it has 31bits and basically
contains a revision number. The requirements for the BIOS for
checking microcode updates are in short: check the crc and ensure
that older revisions cant replace new ones by comparing the "signature".
I did not try myself, but I think one can probably update anything
if you just hexedit the update header.
Afaik these chips do not own any crypto-related functionallity
or storage capability (except precise timing and rand maybe) and
they are not tamper-proof. Thats why TPM was invented :-)
l8er,
Sebastian
On Mon, Apr 28, 2008 at 06:16:12PM -0400, John Ioannidis wrote:
> Intel and AMD processors can have new microcode loaded to them, and this
> is usually done by the BIOS. Presumably there is some asymmetric crypto
> involved with the processor doing the signature validation.
>
> A major power that makes a good fraction of the world's laptops and
> desktops (and hence controls the circuitry and the BIOS, even if they do
> not control the chip manufacturing process) would be in a good place to
> introduce problems that way, no?
>
> /ji
>
> ---------------------------------------------------------------------
> The Cryptography Mailing List
> Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
--
~~
~~ perl self.pl
~~ $_='print"\$_=\47$_\47;eval"';eval
~~ krahmer at suse.de - SuSE Security Team
~~ SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list