1
00:00:00,540 --> 00:00:01,550
You don’t need to hear me.

2
00:00:01,690 --> 00:00:04,230
I’ll just do all the talking, and you can nod your head

3
00:00:04,240 --> 00:00:06,830
sympathetically as if you understand what I’m saying.

4
00:00:07,260 --> 00:00:09,639
It’s similar to what my dog does, except

5
00:00:09,639 --> 00:00:12,209
she’s usually, like, buried in her own crotch.

6
00:00:12,219 --> 00:00:14,620
So, please don’t do that.

7
00:00:15,040 --> 00:00:18,250
And once again, we can all be very blessed and

8
00:00:18,250 --> 00:00:20,300
relieved that this is an audio-only podcast.

9
00:00:20,300 --> 00:00:20,400
[laugh].

10
00:00:29,820 --> 00:00:32,220
Hello, alleged human, and welcome to the Chaos Lever podcast.

11
00:00:32,809 --> 00:00:35,709
My name is Ned, and I’m definitely not a robot.

12
00:00:35,889 --> 00:00:40,400
I’m a real human person who likes to eat food,

13
00:00:40,450 --> 00:00:46,989
and go sunbathing, and shower on a weekly basis.

14
00:00:47,210 --> 00:00:50,520
That’s right, that’s the correct amount of showering for everyone.

15
00:00:50,849 --> 00:00:52,550
And then we all get clean and smell good?

16
00:00:53,219 --> 00:00:53,659
Right?

17
00:00:54,420 --> 00:00:58,470
With me is Chris, who’s also clean and shiny, and here.

18
00:00:58,910 --> 00:00:59,550
Hi Chris.

19
00:01:00,290 --> 00:01:01,160
Well, I am clean.

20
00:01:01,210 --> 00:01:03,450
I can’t really comment on shiny.

21
00:01:03,490 --> 00:01:05,259
That seems inaccurate.

22
00:01:06,020 --> 00:01:07,500
We just need a little bit of foundation and

23
00:01:07,500 --> 00:01:09,460
powder, and you won’t be nearly so shiny.

24
00:01:10,190 --> 00:01:10,929
It’ll be fine.

25
00:01:11,100 --> 00:01:11,969
I’m out of bronzer.

26
00:01:12,239 --> 00:01:12,269
[laugh].

27
00:01:14,519 --> 00:01:17,730
Does bronzer make you less shiny, or just turn you more orange?

28
00:01:18,100 --> 00:01:18,869
I don’t know.

29
00:01:19,350 --> 00:01:20,470
It’s just a fun word.

30
00:01:20,800 --> 00:01:21,770
It is a fun word.

31
00:01:22,380 --> 00:01:25,810
I think we’re showing how little we know about makeup, which is not

32
00:01:25,830 --> 00:01:29,870
terribly surprising, if anybody’s watched our video clips in the past.

33
00:01:29,920 --> 00:01:30,390
Right.

34
00:01:31,270 --> 00:01:36,070
If you’ve ever seen anything of us in meat space—

35
00:01:36,640 --> 00:01:39,270
I know that’s the common parlance, but I don’t like it.

36
00:01:39,639 --> 00:01:40,610
I’ve never liked it.

37
00:01:41,410 --> 00:01:44,290
I mean, I feel like the only time that’s

38
00:01:44,640 --> 00:01:47,349
appropriate is if you’re at a butcher shop.

39
00:01:47,590 --> 00:01:48,770
That is meat space.

40
00:01:48,880 --> 00:01:49,179
Right.

41
00:01:49,190 --> 00:01:49,820
There you go.

42
00:01:50,500 --> 00:01:53,710
Maybe that’s part of my problem, like… we’re not just meat.

43
00:01:54,110 --> 00:01:56,949
I mean, I’m definitely human, and not made out of

44
00:01:56,960 --> 00:02:00,270
metal parts, but like, we’re more than just meat.

45
00:02:01,370 --> 00:02:02,139
I’m sticking with it.

46
00:02:02,429 --> 00:02:05,579
That right there is a self-help book that’s just waiting to be written.

47
00:02:06,010 --> 00:02:06,530
[laugh]. Oh, Jesus.

48
00:02:06,530 --> 00:02:09,960
I can see that in the airport right now.

49
00:02:09,960 --> 00:02:13,220
You’re walking through and just, “We’re More Than Just Meat,” 50

50
00:02:13,600 --> 00:02:18,140
weeks on The New York Times bestseller list, which is pretty

51
00:02:18,140 --> 00:02:22,389
easy to do because that system is just horribly corrupt.

52
00:02:22,840 --> 00:02:23,190
Right.

53
00:02:23,709 --> 00:02:26,280
They have so many subcategories of bestsellers.

54
00:02:26,470 --> 00:02:28,210
Like, you can be a bestseller in—

55
00:02:28,210 --> 00:02:30,089
And it doesn’t even take that many books.

56
00:02:30,450 --> 00:02:32,930
It’s like 10,000 books, and you’re on there.

57
00:02:33,270 --> 00:02:33,709
Oh, really?

58
00:02:33,719 --> 00:02:34,079
That’s—

59
00:02:34,440 --> 00:02:34,590
Yeah.

60
00:02:34,590 --> 00:02:37,730
I bet I could s—well, all right, I know what I’m doing for the rest of my day.

61
00:02:37,730 --> 00:02:40,860
I’m going to have AI write a really terrible

62
00:02:41,139 --> 00:02:43,679
self-help book, and I’ll just slap my name on it.

63
00:02:44,280 --> 00:02:45,730
I think that’s called The Secret.

64
00:02:47,670 --> 00:02:53,470
[laugh]. Burn [laugh]. Oh, should we talk about some tech garbage?

65
00:02:53,809 --> 00:02:55,019
Sure.

66
00:02:55,630 --> 00:03:03,240
I thought we could dig into the world of how PCs actually boot up,

67
00:03:03,890 --> 00:03:10,579
through the lens of a recently discovered issue with Secure Boot and UEFI.

68
00:03:11,790 --> 00:03:12,399
And if you don’t know—

69
00:03:12,399 --> 00:03:12,661
What did you call me?

70
00:03:12,661 --> 00:03:14,060
—what those things are, listener, don’t worry.

71
00:03:14,340 --> 00:03:14,839
What’d you say?

72
00:03:14,849 --> 00:03:14,859
Eufee?

73
00:03:16,020 --> 00:03:17,170
What did you call me?

74
00:03:20,430 --> 00:03:21,070
[laugh]. Eufee.

75
00:03:21,070 --> 00:03:22,310
I don’t know how I feel about that one.

76
00:03:22,740 --> 00:03:23,560
Might be a Pokémon.

77
00:03:24,380 --> 00:03:25,720
It—oh, God, it might be.

78
00:03:26,840 --> 00:03:27,400
All right.

79
00:03:27,670 --> 00:03:31,269
So anyway, it was recently discovered that thousands of system

80
00:03:31,270 --> 00:03:35,009
boards are running code that could leave them open to compromise,

81
00:03:35,609 --> 00:03:39,680
and that code runs at such a low level on the system that even

82
00:03:39,680 --> 00:03:44,080
the best EDR and antivirus software in the world can’t catch it.

83
00:03:44,590 --> 00:03:49,730
What is this low-level code, what’s wrong with it, and why is it such a problem?

84
00:03:50,330 --> 00:03:51,659
That’s what we’re going to cover today.

85
00:03:51,900 --> 00:03:54,310
But first, I’m going to ramble about the history of

86
00:03:54,310 --> 00:03:57,579
computing for the next 20 minutes, as is tradition.

87
00:03:57,790 --> 00:03:59,350
Yay.

88
00:03:59,390 --> 00:04:02,140
Listen, you knew what you signed up for when you

89
00:04:02,140 --> 00:04:05,350
subscribed to this podcast [laugh]. This is what we do.

90
00:04:06,020 --> 00:04:12,080
I actually had to cut out about a page, page-and-a-half of stuff I wrote because

91
00:04:12,080 --> 00:04:16,269
it wasn’t actually relevant to the topic, I just found it really interesting.

92
00:04:16,570 --> 00:04:21,170
I was reading about ENIAC and, man, I just fell down a rabbit hole.

93
00:04:22,770 --> 00:04:23,570
Yeah, that’ll happen.

94
00:04:23,950 --> 00:04:24,420
Yeah.

95
00:04:24,880 --> 00:04:27,580
So, I’m not going to talk about that, or the fact that I

96
00:04:27,580 --> 00:04:31,750
read about half of the operational manual for the IBM 704.

97
00:04:32,330 --> 00:04:34,580
Don’t you have, like, things to do?

98
00:04:34,590 --> 00:04:40,520
God, no [laugh]. I’ve set up my life in such a way that I can sit and read

99
00:04:40,540 --> 00:04:46,110
a manual from 1956 for a system that I have no access to, and enjoy it.

100
00:04:46,779 --> 00:04:50,570
I mean, I would be more harsh about this situation if

101
00:04:50,570 --> 00:04:53,530
I hadn’t spent a non-zero amount of time revisiting the

102
00:04:53,530 --> 00:04:58,490
world of the PDP-11 and various ways to emulate it, so…

103
00:04:58,960 --> 00:05:00,572
Yeah, you don’t really have the high ground to stand on.

104
00:05:00,590 --> 00:05:02,870
Yeah, let’s just move right along.

105
00:05:02,880 --> 00:05:03,500
[laugh]. Okay.

106
00:05:04,309 --> 00:05:08,150
So, the specific exploit we’re talking about deals with the Secure

107
00:05:08,160 --> 00:05:14,570
Boot functionality of modern operating systems that use UEFI BIOS.

108
00:05:14,960 --> 00:05:16,299
Or just UEFI.

109
00:05:17,039 --> 00:05:18,479
BIOS is kind of a separate thing?

110
00:05:18,650 --> 00:05:22,769
Anyway, Secure Boot relies on a chain of trust using

111
00:05:22,770 --> 00:05:27,680
checksums and cryptographic signing that verify the software

112
00:05:27,680 --> 00:05:31,420
components being loaded are valid and allowed to run.

113
00:05:32,070 --> 00:05:36,349
That includes things like EFI drivers and operating systems.

114
00:05:37,259 --> 00:05:41,619
For instance, Windows is signed using a certificate

115
00:05:41,670 --> 00:05:45,770
that UEFI recognizes, and so it’s allowed to boot.

116
00:05:46,400 --> 00:05:51,500
If you wrote your own operating system—which I don’t recommend, but you can—if

117
00:05:51,500 --> 00:05:56,099
you try to load that with Secure Boot enabled, the boot would fail because

118
00:05:56,099 --> 00:06:00,390
you didn’t sign your operating system with keys that Secure Boot recognizes.

119
00:06:01,180 --> 00:06:06,099
This can be both a good thing and a bad thing because talking about some of

120
00:06:06,100 --> 00:06:09,630
the ancient computers we were talking about before, people literally did that.

121
00:06:09,950 --> 00:06:12,319
They were like, “I want it to do this, so I just wrote an

122
00:06:12,320 --> 00:06:15,810
assembly language operating system over my lunch break.”

123
00:06:16,160 --> 00:06:16,510
Mm-hm.

124
00:06:16,809 --> 00:06:19,750
And don’t worry, we will talk about that [laugh].

125
00:06:19,750 --> 00:06:25,110
[laugh]. But what this helps protect against is people maliciously and

126
00:06:25,110 --> 00:06:30,780
violently modern—modernizing is a strong word; modifying is a better word—

127
00:06:31,040 --> 00:06:31,289
[laugh]. Yes.

128
00:06:31,309 --> 00:06:31,889
—Windows.

129
00:06:32,450 --> 00:06:37,340
Windows or Linux, for that matter, because some flavors

130
00:06:37,340 --> 00:06:41,520
of Linux are also signed, so UEFI will trust it.

131
00:06:42,380 --> 00:06:48,650
Now, where does Secure Boot get its list of trusted keys and certificates,

132
00:06:48,870 --> 00:06:54,540
and what verifies that the UEFI firmware hasn’t been tampered with?

133
00:06:55,100 --> 00:06:58,320
How do you build a chain of trust that starts from the

134
00:06:58,330 --> 00:07:01,560
very moment you push the power button on your computer?

135
00:07:02,010 --> 00:07:04,610
To understand that, we need to understand how

136
00:07:04,610 --> 00:07:08,330
computers used to boot up and how they do it now.

137
00:07:08,969 --> 00:07:12,829
Like I said, I did a lot of reading for this, and I really considered taking

138
00:07:12,830 --> 00:07:17,270
this all the way back to World War II and the bombe machines used at Bletchley

139
00:07:17,270 --> 00:07:22,790
Park—in part because I just finished reading a book called The Rose Code, which

140
00:07:22,790 --> 00:07:27,720
is fantastic, and I recommend reading it—and these are the types of computing

141
00:07:27,720 --> 00:07:33,730
devices that predate something like ENIAC or modern silicon-based transistors.

142
00:07:34,490 --> 00:07:37,789
Still, it is interesting to consider how a computer

143
00:07:37,850 --> 00:07:41,260
actually gets up and running from a powered-off state.

144
00:07:41,830 --> 00:07:46,229
How does it go from nothing, a useless hunk of plastic, metal,

145
00:07:46,230 --> 00:07:50,110
and silicon, to running Crysis at 120 frames per second,

146
00:07:50,110 --> 00:07:53,500
or, I don’t know, whatever the magical equivalent is today.

147
00:07:53,500 --> 00:07:54,920
I haven’t really been paying attention.

148
00:07:55,470 --> 00:07:56,359
Oh, Ned.

149
00:07:56,849 --> 00:07:58,500
Modern computers can’t do that either.

150
00:07:59,120 --> 00:07:59,829
[laugh]. Okay, good.

151
00:08:00,590 --> 00:08:01,350
I don’t know.

152
00:08:01,820 --> 00:08:04,649
I was looking at monitors a couple weeks ago, and

153
00:08:04,650 --> 00:08:06,930
it had all these specs that I didn’t recognize.

154
00:08:06,940 --> 00:08:09,060
I was like, “What the hell is a nit?” I

155
00:08:09,060 --> 00:08:13,610
just want it to be able to go 1920 by 1080.

156
00:08:13,650 --> 00:08:14,530
Can I just do that?

157
00:08:15,000 --> 00:08:15,220
No.

158
00:08:15,870 --> 00:08:17,729
Now, I got to know about refresh rates and crap.

159
00:08:18,480 --> 00:08:18,510
[laugh].

160
00:08:19,200 --> 00:08:24,259
So, I did fall down about a 30-minute rabbit hole reading about ENIAC—okay,

161
00:08:24,289 --> 00:08:28,330
a 90-minute rabbit hole reading about ENIAC—but here’s the long and

162
00:08:28,330 --> 00:08:33,200
short of it: the earliest computers were basically calculating machines.

163
00:08:33,500 --> 00:08:37,550
ENIAC, for instance, ran ballistics tables for the US during World

164
00:08:37,550 --> 00:08:43,679
War II, and the program that it ran was loaded through literally just

165
00:08:43,690 --> 00:08:48,540
moving around cables to connect components and toggling switches.

166
00:08:49,060 --> 00:08:51,540
There was no operating system outside of

167
00:08:51,540 --> 00:08:54,710
the actual people who operated the hardware.

168
00:08:54,950 --> 00:08:56,819
So, I guess they were the operating system.

169
00:08:57,309 --> 00:08:57,699
Right.

170
00:08:58,209 --> 00:09:03,120
For a long time, there was no common operating system, bootloader,

171
00:09:03,120 --> 00:09:06,630
or even a standardized boot process for mainframe computers.

172
00:09:07,390 --> 00:09:11,770
The CPU was not this discrete chip that sat on a system board,

173
00:09:12,020 --> 00:09:16,160
but an actual large processing unit filled with vacuum tubes

174
00:09:16,430 --> 00:09:19,770
that needed to be initialized and prepared by the operators.

175
00:09:20,420 --> 00:09:23,820
Yeah, and preparing them was a physical operation.

176
00:09:24,000 --> 00:09:24,630
Yes.

177
00:09:25,150 --> 00:09:28,470
Which is what the operating system does for you now.

178
00:09:28,710 --> 00:09:30,980
For instance, the operators had to go and check

179
00:09:30,980 --> 00:09:34,790
all the tubes because tubes failed constantly.

180
00:09:35,170 --> 00:09:35,889
All the time.

181
00:09:36,400 --> 00:09:36,939
Yes.

182
00:09:37,489 --> 00:09:42,440
Fortunately, silicon transistors are slightly more reliable, unless, you

183
00:09:42,440 --> 00:09:45,910
know, you’re one of the new Intel processors that asks for the wrong voltage.

184
00:09:46,559 --> 00:09:47,990
See our tech news from last week [laugh].

185
00:09:48,950 --> 00:09:49,610
Nice.

186
00:09:50,090 --> 00:09:53,680
So, I’m going to skip ahead several decades and gloss over a

187
00:09:53,699 --> 00:09:57,449
lot of history because I did have that in here, but then I ended

188
00:09:57,450 --> 00:10:01,420
up deleting it because it was not germane to the conversation.

189
00:10:01,790 --> 00:10:05,190
But I did think it was neat, so we really do need

190
00:10:05,190 --> 00:10:07,150
to do a whole thing on mainframes at some point.

191
00:10:07,860 --> 00:10:11,050
Instead, let’s skip ahead to how a PC in

192
00:10:11,059 --> 00:10:14,250
the late-’80s, early-’90s would boot up.

193
00:10:14,760 --> 00:10:20,209
Side note, you might wonder where the term boot comes from, and it’s really a

194
00:10:20,210 --> 00:10:25,569
shortened form of a bootstrap program, or bootstrapping, which is a term that

195
00:10:25,580 --> 00:10:32,040
has its roots going to way before computers, and it referred to an impossible or

196
00:10:32,060 --> 00:10:38,030
a paradoxical task where one had to pull themselves up by their own bootstraps,

197
00:10:38,570 --> 00:10:42,210
which would be a scenario where you’re already wearing your boots, and if you

198
00:10:42,210 --> 00:10:46,499
tried to pull yourself up, you can’t because, like, you’re standing on them.

199
00:10:46,949 --> 00:10:47,870
That’s right, people.

200
00:10:47,940 --> 00:10:50,390
It’s paradoxical, not inspirational.

201
00:10:50,890 --> 00:10:54,270
Yes, but at this point we have—well, the English language

202
00:10:54,280 --> 00:10:57,210
has bastardized it to the point that it means inspirational.

203
00:10:57,520 --> 00:10:57,760
So—

204
00:10:57,770 --> 00:10:58,430
Literally.

205
00:10:58,849 --> 00:10:59,800
Not figuratively.

206
00:11:00,130 --> 00:11:03,939
Or both because that doesn’t matter anymore either.

207
00:11:04,649 --> 00:11:06,210
[sigh]. God, we’re a mess.

208
00:11:06,360 --> 00:11:06,810
Anyway.

209
00:11:07,350 --> 00:11:12,150
The paradox of computers is, how does a computer know how to

210
00:11:12,150 --> 00:11:16,669
load its first program that can load all subsequent instructions?

211
00:11:17,360 --> 00:11:21,050
And the answer to that is to bake it right onto the chip.

212
00:11:21,849 --> 00:11:28,070
On the early models of the Intel 8088 and 8086 chips, there was a

213
00:11:28,960 --> 00:11:32,080
predefined instruction that ran when power was applied to the chip.

214
00:11:32,700 --> 00:11:36,210
The chip reads a memory location from two registers.

215
00:11:36,929 --> 00:11:39,899
The first register is CS, which stands for Code Segment,

216
00:11:39,960 --> 00:11:43,750
and the second one is IP, for Instruction Pointer, and those

217
00:11:43,750 --> 00:11:48,459
combined together would form the memory location, 0xffff0.

218
00:11:51,239 --> 00:11:53,200
I don’t know what that is in binary.

219
00:11:53,559 --> 00:11:54,120
Don’t ask me.

220
00:11:54,770 --> 00:11:56,389
Actually, I do know what it is in binary because—

221
00:11:56,389 --> 00:11:56,689
Stop.

222
00:11:57,130 --> 00:11:57,430
Okay

223
00:11:59,589 --> 00:12:05,400
[laugh]. The memory location points to ROM code mapped to that location.

224
00:12:06,030 --> 00:12:09,450
The job of the ROM code stored in read-only

225
00:12:09,450 --> 00:12:12,290
memory is to load the BIOS for the system.

226
00:12:12,960 --> 00:12:19,729
And BIOS stands for Basic Input Output Software and it dates to the CP/M

227
00:12:19,880 --> 00:12:24,110
operating system that was created by Digital Research back in the mid-’70s.

228
00:12:25,000 --> 00:12:25,320
Right.

229
00:12:25,610 --> 00:12:27,070
And this is an important distinction from

230
00:12:27,070 --> 00:12:28,859
what we talked about just a minute ago.

231
00:12:28,889 --> 00:12:31,530
So, old computers in the ’50s—’40s,

232
00:12:32,400 --> 00:12:35,459
’50s—when you turn them on, nothing happened.

233
00:12:36,200 --> 00:12:36,830
Exactly.

234
00:12:37,190 --> 00:12:39,790
It just sat there and waited for you to do something,

235
00:12:39,810 --> 00:12:42,680
to force an interaction based on electronic flow.

236
00:12:43,570 --> 00:12:48,469
The whole point of baking this stuff into the chip is this happens immediately

237
00:12:48,500 --> 00:12:53,269
when power is applied, so the program doesn’t have to be loaded, per se.

238
00:12:54,029 --> 00:12:55,589
That’s how it solves the paradox.

239
00:12:55,620 --> 00:12:57,540
The program is part of the computer.

240
00:12:58,270 --> 00:12:58,930
Exactly.

241
00:12:59,390 --> 00:13:01,110
But you need somewhere to store that initial

242
00:13:01,110 --> 00:13:03,920
program, and that’s what the read-only memory is for.

243
00:13:04,120 --> 00:13:07,759
It’s that very first thing to run which gets

244
00:13:07,759 --> 00:13:09,929
it prepared to run all the other things.

245
00:13:11,010 --> 00:13:14,640
IBM, when they were designing their personal PC in the

246
00:13:14,640 --> 00:13:18,380
early-’80s, they decided to use the same term BIOS.

247
00:13:19,190 --> 00:13:22,200
Even though they didn’t provide the code behind their

248
00:13:22,210 --> 00:13:26,340
implementation of BIOS, other vendors reverse engineered

249
00:13:26,469 --> 00:13:30,260
the PC BIOS to create their own firmware and motherboards.

250
00:13:30,550 --> 00:13:34,950
So, it was never an official, well-defined standard; it was just like, all

251
00:13:34,950 --> 00:13:37,530
right, this is what IBM is doing, and we’re all just going to copy them.

252
00:13:38,139 --> 00:13:38,389
Yeah.

253
00:13:38,450 --> 00:13:43,130
And back then, it wasn’t doing a lot because it couldn’t do a lot.

254
00:13:43,160 --> 00:13:43,319
Yeah.

255
00:13:43,320 --> 00:13:45,360
It didn’t have the power and it didn’t have the storage space.

256
00:13:45,360 --> 00:13:47,519
It had to be this barest of bare-bones

257
00:13:47,529 --> 00:13:49,900
operation to just get the thing off the ground.

258
00:13:50,590 --> 00:13:52,820
Yeah, the amount of storage space allocated

259
00:13:52,820 --> 00:13:57,730
for the BIOS code was in the kilobytes range.

260
00:13:58,200 --> 00:13:59,919
Like, 200 kilobytes, there’s 400.

261
00:14:00,000 --> 00:14:00,860
I forget which one.

262
00:14:01,160 --> 00:14:01,870
Very tiny.

263
00:14:03,219 --> 00:14:07,300
And the workaround was to then have that code look in

264
00:14:07,300 --> 00:14:11,130
another location to load additional code to do more things.

265
00:14:11,420 --> 00:14:13,700
And so, that’s how BIOS kind of ballooned out to

266
00:14:13,700 --> 00:14:17,070
be a more fully functioning pre-boot environment.

267
00:14:17,750 --> 00:14:21,769
One of the things it did was a power-on self-test during which it

268
00:14:21,770 --> 00:14:25,863
would enumerate all of the connected hardware devices, validate its

269
00:14:25,863 --> 00:14:29,750
own checksum, and also check the functioning of the CPU and memory.

270
00:14:30,210 --> 00:14:33,360
For those of us who have started up a four-socket server

271
00:14:33,360 --> 00:14:37,810
with 32 DIMM slots and an array card, that can take a while.

272
00:14:38,250 --> 00:14:39,970
Press the button, go get a coffee.

273
00:14:40,549 --> 00:14:42,560
Yes, and if— [laugh] God help you, if you need

274
00:14:42,560 --> 00:14:44,329
to get into BIOS and you missed the prompt.

275
00:14:45,010 --> 00:14:45,060
[laugh].

276
00:14:45,460 --> 00:14:48,290
That’s another 15 minutes of your life you’re not getting back.

277
00:14:48,470 --> 00:14:49,090
I thought it was F2.

278
00:14:49,750 --> 00:14:50,765
I thought it was F2.

279
00:14:51,000 --> 00:14:52,079
This one was Delete.

280
00:14:52,630 --> 00:14:56,720
The fact that we never standardized on a button to hit to get

281
00:14:56,720 --> 00:15:00,740
into BIOS is one of the most frustrating things about servers.

282
00:15:00,980 --> 00:15:03,790
“Dear Diary, not all keyboards have F11.”

283
00:15:04,610 --> 00:15:06,390
Couldn’t we just pick, like, one key?

284
00:15:06,400 --> 00:15:09,100
Like, just make it the Delete key, please.

285
00:15:09,710 --> 00:15:10,680
Goddamn it.

286
00:15:10,680 --> 00:15:13,229
It’s not even consistent within the same vendor.

287
00:15:14,110 --> 00:15:14,140
[laugh].

288
00:15:14,880 --> 00:15:17,470
Sorry [laugh]. Back on topic.

289
00:15:18,379 --> 00:15:22,010
The last thing BIOS needs to do is try and load an operating system.

290
00:15:22,420 --> 00:15:25,880
So, it will pull a list of boot devices, along with other

291
00:15:25,890 --> 00:15:31,540
configuration information, from CMOS, also known as non-volatile

292
00:15:31,540 --> 00:15:36,229
RAM, and it will try each device in series until it finds

293
00:15:36,230 --> 00:15:39,710
one that has a valid bootloader program stored on it.

294
00:15:40,180 --> 00:15:43,420
That bootloader needs to be located at a specific area

295
00:15:43,460 --> 00:15:46,890
of the device so the BIOS can find it successfully.

296
00:15:47,370 --> 00:15:52,829
And that could be at LBA 0, LBA 17 if it’s a CD-ROM,

297
00:15:53,059 --> 00:15:55,610
or a master boot record if it’s a hard drive.

298
00:15:56,440 --> 00:15:59,500
Don’t ask me what LBA stands for because I don’t remember.

299
00:16:00,880 --> 00:16:05,359
The boot sector on the device boots the bootloader,

300
00:16:05,469 --> 00:16:07,650
which in turn loads your operating system.

301
00:16:08,120 --> 00:16:11,240
And incidentally, if you’ve ever tried to format, say,

302
00:16:11,279 --> 00:16:14,699
a USB stick to boot off of, and you don’t click the

303
00:16:14,700 --> 00:16:17,980
little checkbox that says, make this device bootable—

304
00:16:17,980 --> 00:16:18,280
Uh-huh.

305
00:16:18,710 --> 00:16:22,660
This is why you have a fully-fleshed out and complete—from a data and bits

306
00:16:22,660 --> 00:16:26,470
perspective—operating system on a USB that will do absolutely nothing.

307
00:16:26,889 --> 00:16:27,399
Right.

308
00:16:27,940 --> 00:16:31,140
Because when the system starts, it needs to find that boot

309
00:16:31,140 --> 00:16:35,110
sector and a bootloader in that boot sector to do anything.

310
00:16:35,950 --> 00:16:40,460
Now, you might imagine that a boot process that was devised back in 1982

311
00:16:40,460 --> 00:16:44,590
would have some serious shortcomings after 40 years, and you’d be right.

312
00:16:45,230 --> 00:16:49,810
As a replacement for traditional BIOS and the standard power-up process,

313
00:16:49,810 --> 00:16:55,310
we had the introduction of UEFI and management engines like Intel ME.

314
00:16:56,010 --> 00:17:02,140
UEFI was meant to remove some of the unnecessary legacy cruft of BIOS

315
00:17:02,410 --> 00:17:07,119
and establish a formal cross-architecture standard for boot ROMs.

316
00:17:07,619 --> 00:17:13,260
Where the BIOS was really just for x86 CPUs… we have more than that now.

317
00:17:13,839 --> 00:17:14,449
A lot more.

318
00:17:14,809 --> 00:17:20,530
So, the idea was, UEFI should be able to deal with 64-bit CPUs—hey, those are

319
00:17:20,530 --> 00:17:26,900
a thing—as well as ARM, and I guess RISC-V, and other architecture formats.

320
00:17:27,540 --> 00:17:31,550
It’s also a formal standard as opposed to BIOS, which was just

321
00:17:31,550 --> 00:17:35,810
reverse-engineered, and it added a thing called Secure Boot, as well as

322
00:17:35,820 --> 00:17:41,520
support for larger disk partitions, and a more robust pre-OS boot environment.

323
00:17:42,590 --> 00:17:44,850
Why I need a graphical user interface for a boot

324
00:17:44,850 --> 00:17:47,830
environment, I still don’t understand, but here we are.

325
00:17:48,310 --> 00:17:48,750
Indeed.

326
00:17:49,380 --> 00:17:54,599
Management engines like Intel ME or a BMC—Baseboard Management

327
00:17:54,599 --> 00:17:58,780
Controller—on a server are a totally separate system that

328
00:17:58,780 --> 00:18:02,760
lives outside of the primary system board and boot process.

329
00:18:03,290 --> 00:18:08,580
They can watch over the boot process, and also supply attestation or auditing.

330
00:18:09,120 --> 00:18:13,419
So, a modern system boots up something like this:

331
00:18:14,290 --> 00:18:16,380
you press the power button—that’s important—

332
00:18:16,639 --> 00:18:17,219
Great start.

333
00:18:17,699 --> 00:18:18,139
Yes.

334
00:18:18,359 --> 00:18:22,439
And then the Platform Controller Hub, which would be something

335
00:18:22,440 --> 00:18:26,229
like the Intel Management Engine, starts up before the CPU.

336
00:18:26,679 --> 00:18:29,310
CPU is still not—has no power applied to it.

337
00:18:29,830 --> 00:18:33,230
The PCH does some stuff, and then it issues

338
00:18:33,259 --> 00:18:37,160
a reset to the CPU to start its boot process.

339
00:18:38,130 --> 00:18:44,210
The CPU loads the UEFI firmware from the serial port interface flash

340
00:18:44,210 --> 00:18:49,000
storage, the firmware accesses the boot sector on the configured boot

341
00:18:49,009 --> 00:18:54,970
device, and from that sector, the bootloader is loaded into memory, and

342
00:18:54,970 --> 00:19:01,250
control is handed over from the UEFI process over to the bootloader, and

343
00:19:01,250 --> 00:19:05,089
the bootloader actually loads the operating system image from the machine.

344
00:19:05,759 --> 00:19:06,860
That’s about six steps.

345
00:19:07,480 --> 00:19:10,370
There’s a lot of stuff happening in here, which invites

346
00:19:10,370 --> 00:19:14,750
the possibility for shenanigans of the malicious type.

347
00:19:15,160 --> 00:19:19,320
That’s where Boot Guard and UEFI Secure Boot come in.

348
00:19:19,840 --> 00:19:22,469
The goal is to build a chain of trust from the

349
00:19:22,469 --> 00:19:25,140
hardware all the way up to the operating system.

350
00:19:25,849 --> 00:19:29,540
Each step in the process checks and verifies that the next

351
00:19:29,540 --> 00:19:34,390
step in the process is valid, through a system of checksums and

352
00:19:34,790 --> 00:19:38,280
cryptographically signed keys, which gets us back to where we started.

353
00:19:39,190 --> 00:19:40,830
So, let’s walk through the process again,

354
00:19:40,830 --> 00:19:43,520
but this time with an eye to signed software.

355
00:19:44,080 --> 00:19:48,860
Sticking with Intel, they have a private key housed internally

356
00:19:48,969 --> 00:19:53,320
somewhere in Intel, and they use that private key to sign their Intel

357
00:19:53,320 --> 00:19:59,930
ME software, and the public half of that key is stored on the chip die.

358
00:20:00,690 --> 00:20:02,870
They burn it onto the chip die.

359
00:20:03,089 --> 00:20:04,499
It cannot be changed.

360
00:20:05,590 --> 00:20:09,610
Intel ME loads one or more Authenticated Code

361
00:20:09,640 --> 00:20:13,740
Modules, or ACMs, from the Firmware Interface Table.

362
00:20:14,389 --> 00:20:19,100
Each of those ACMs is signed by the Original Equipment Manufacturer,

363
00:20:19,100 --> 00:20:24,659
or OEM, who is producing the system based on Intel’s chips.

364
00:20:25,470 --> 00:20:28,950
When Intel ships their chips in manufacturing mode to

365
00:20:28,950 --> 00:20:34,000
the OEM, the OEM uses special software to burn their

366
00:20:34,000 --> 00:20:38,440
public key into the CPU using field programmable fuses.

367
00:20:39,080 --> 00:20:41,840
Those fuses are permanent and unchangeable.

368
00:20:42,619 --> 00:20:45,140
Once it gets burned in, you can’t remove it.

369
00:20:46,010 --> 00:20:46,770
Which is good, right?

370
00:20:46,770 --> 00:20:47,790
Stored in hardware now.

371
00:20:48,600 --> 00:20:51,020
Bad if, you know, somehow that OEM loses their

372
00:20:51,020 --> 00:20:53,420
private key, but that’s a story for another time.

373
00:20:53,429 --> 00:20:55,030
I feel like you’re getting ahead of yourself.

374
00:20:55,240 --> 00:20:56,000
Yes, indeed.

375
00:20:56,719 --> 00:21:00,429
That means that only firmware signed by the OEM or

376
00:21:00,460 --> 00:21:04,830
Intel is able to run in this pre-UEFI environment.

377
00:21:05,890 --> 00:21:10,530
We’re now up to the point where the UEFI firmware is being loaded, and that

378
00:21:10,530 --> 00:21:16,000
firmware is also cryptographically signed and verified using the OEM keys.

379
00:21:16,789 --> 00:21:20,969
Secure Boot in UEFI also has a set of cryptographic

380
00:21:20,970 --> 00:21:24,810
keys it uses to verify aspects of the boot process.

381
00:21:25,370 --> 00:21:28,889
The platform key is the root of the chain, and it

382
00:21:28,910 --> 00:21:32,389
helps to verify all the other keys involved with UEFI.

383
00:21:33,440 --> 00:21:36,960
Key Exchange Keys are the set of keys trusted by the firmware,

384
00:21:38,140 --> 00:21:41,280
and they can come from the OEM or third-party vendors.

385
00:21:41,990 --> 00:21:46,779
There’s also two databases that form Secure Boot: Authorized and

386
00:21:46,780 --> 00:21:50,839
Forbidden, and each of those contains a list of hashes or certificates

387
00:21:51,049 --> 00:21:54,680
for allowed or forbidden images that can run on the system.

388
00:21:55,570 --> 00:22:00,770
What’s weird is UEFI is trusted—the firmware itself—is trusted

389
00:22:00,770 --> 00:22:06,090
because it’s signed, but then inside of UEFI, its Root of Trust starts

390
00:22:06,090 --> 00:22:10,619
with this platform key, and that platform key is not necessarily

391
00:22:10,629 --> 00:22:15,340
burned in anywhere; it’s just part of the UEFI firmware package.

392
00:22:15,990 --> 00:22:18,750
Now, we trust it because the firmware package was signed

393
00:22:18,760 --> 00:22:23,160
by the OEM, but the actual platform key itself, that’s

394
00:22:23,170 --> 00:22:25,710
the start of a new chain, and that’s kind of important.

395
00:22:26,580 --> 00:22:30,730
In addition to launching the bootloader, the UEFI firmware can also load

396
00:22:30,740 --> 00:22:35,930
what are called EFI drivers, and those drivers can include malicious code.

397
00:22:36,550 --> 00:22:39,850
However, they’re also signed, which should prevent such an occurrence.

398
00:22:40,510 --> 00:22:41,010
Should.

399
00:22:41,759 --> 00:22:44,610
The last thing in this chain is the bootloader, which needs to

400
00:22:44,620 --> 00:22:49,900
be signed with a Key Exchange Key that is trusted by the system.

401
00:22:50,440 --> 00:22:54,550
Windows, Ubuntu, Red Hat, they all have signed bootloaders.

402
00:22:55,260 --> 00:22:58,819
So, in theory, the combination of Boot Guard and Secure

403
00:22:58,820 --> 00:23:01,360
Boot should mean that every single step of the boot

404
00:23:01,380 --> 00:23:05,080
process is validated and verified by the previous step.

405
00:23:05,719 --> 00:23:07,580
So, what could possibly go wrong?

406
00:23:08,420 --> 00:23:11,850
Famous question with a lot of answers, is my guess.

407
00:23:11,850 --> 00:23:13,200
[laugh] . And none of them are great.

408
00:23:13,780 --> 00:23:17,880
So, if the private key used by any of the OEMs is leaked, that

409
00:23:18,080 --> 00:23:24,959
OEM is screwed because the OEM keys for their ACMs that’s loaded

410
00:23:24,960 --> 00:23:29,100
by the Intel ME engine, those are burned onto the chip with those

411
00:23:29,100 --> 00:23:34,020
chip fuses, so short of replacing the physical chip that’s shipped

412
00:23:34,030 --> 00:23:38,709
that way from the OEM, there’s no fix for losing the private key.

413
00:23:39,730 --> 00:23:40,600
That would be real bad.

414
00:23:40,699 --> 00:23:43,450
We’re talking RMAs for every single system board

415
00:23:43,450 --> 00:23:45,640
that they shipped that has that key burned into it.

416
00:23:46,600 --> 00:23:47,439
So, that’s not great.

417
00:23:47,750 --> 00:23:51,390
Intel’s keys could also be compromised with similar disasters

418
00:23:51,730 --> 00:23:55,109
because they burn their public key into the chip die.

419
00:23:56,299 --> 00:23:59,119
That is a great way to make sure that it never gets altered

420
00:23:59,129 --> 00:24:01,630
maliciously, but it’s also a great way to make sure it

421
00:24:01,630 --> 00:24:05,149
cannot be changed if the private key gets lost somehow.

422
00:24:05,750 --> 00:24:08,830
Yep, the operating system has no idea about [laugh] any of this.

423
00:24:10,080 --> 00:24:12,839
As I pointed out, the UEFI firmware has its

424
00:24:12,889 --> 00:24:15,179
own root key that’s called the platform key.

425
00:24:15,969 --> 00:24:19,140
If the private half of that platform key was

426
00:24:19,140 --> 00:24:21,650
compromised, that would be super bad, too.

427
00:24:22,160 --> 00:24:27,100
Malicious actors could add their own Key Exchange Keys into

428
00:24:27,160 --> 00:24:31,550
the UEFI firmware and sign their malware to be trusted.

429
00:24:32,059 --> 00:24:36,689
And that’s exactly what security researchers from Binarly discovered.

430
00:24:36,700 --> 00:24:39,070
So, now we’re getting into the actual exploits.

431
00:24:40,170 --> 00:24:44,310
To understand how this all happened, we first have to talk

432
00:24:44,310 --> 00:24:47,760
a little bit about the independent BIOS vendor market.

433
00:24:48,690 --> 00:24:50,800
If you’ve ever watched a computer boot up, you’ve

434
00:24:50,849 --> 00:24:54,710
probably seen the logo of one of two BIOS vendors.

435
00:24:55,290 --> 00:24:58,100
There are some other ones out there, but the two biggest ones that you

436
00:24:58,180 --> 00:25:02,920
probably have seen are American Megatrends or Phoenix Technologies.

437
00:25:03,670 --> 00:25:05,130
There are a handful of other companies,

438
00:25:05,139 --> 00:25:07,719
but these two, they really roll the roost.

439
00:25:08,290 --> 00:25:10,290
I’m sure you familiar with at least one of those

440
00:25:10,290 --> 00:25:13,669
two, Chris, from your non-Mac interactions.

441
00:25:14,130 --> 00:25:16,060
Well, I mean, I will say this for the record:

442
00:25:16,060 --> 00:25:17,660
one has a better name than the other one.

443
00:25:18,040 --> 00:25:18,750
Yes, it does.

444
00:25:19,130 --> 00:25:20,540
Megatrends is awesome.

445
00:25:21,040 --> 00:25:21,389
Right?

446
00:25:21,450 --> 00:25:26,100
That’s what you were— [laugh] . Original equipment manufacturers that develop

447
00:25:26,190 --> 00:25:30,939
motherboards are probably getting their BIOS hardware from AMI or Phoenix.

448
00:25:31,520 --> 00:25:34,550
Along with that hardware is reference code for the

449
00:25:34,550 --> 00:25:37,360
vendor to use when they’re developing their own firmware.

450
00:25:38,600 --> 00:25:41,559
The OEMs then sell their system boards to device

451
00:25:41,559 --> 00:25:47,070
manufacturers like Dell, HPE, Samsung, et cetera, et cetera.

452
00:25:47,859 --> 00:25:50,680
The reference code here seems to be the real problem.

453
00:25:51,150 --> 00:25:54,620
It appears that a non-zero number of OEMs are simply

454
00:25:54,620 --> 00:25:58,629
taking that reference code and implementing it as is.

455
00:25:58,629 --> 00:26:01,179
It’s not what it’s there for, but that seems

456
00:26:01,179 --> 00:26:03,139
to be what they’re doing, or at least close.

457
00:26:03,980 --> 00:26:08,189
And that includes the not-for-production platform key included

458
00:26:08,190 --> 00:26:12,350
in the code that is clearly labeled as ‘do not trust’ or

459
00:26:12,360 --> 00:26:17,319
‘do not ship.’ That’s the common name in the certificate.

460
00:26:18,000 --> 00:26:20,740
I just wish that it would tell you what they wanted you to do.

461
00:26:20,740 --> 00:26:22,050
I know, right?

462
00:26:22,330 --> 00:26:23,210
Don’t be coy.

463
00:26:23,990 --> 00:26:27,050
But that’s still just the public half of the platform key.

464
00:26:27,360 --> 00:26:30,010
What about the accompanying private key?

465
00:26:30,730 --> 00:26:34,740
Well, unfortunately, that private key is included in the reference

466
00:26:34,750 --> 00:26:39,200
software, and it was leaked on a GitHub repository in 2022.

467
00:26:39,200 --> 00:26:39,220
[sigh]

468
00:26:40,620 --> 00:26:40,850
.
 No.

469
00:26:40,850 --> 00:26:41,250
[sigh]

470
00:26:41,650 --> 00:26:41,970
.
 I know.

471
00:26:42,320 --> 00:26:46,460
While we don’t know the exact details of how it was leaked, it’s probably

472
00:26:46,460 --> 00:26:51,580
that the developer in question didn’t realize the key was there, or they

473
00:26:51,580 --> 00:26:56,149
didn’t mean to set the repository to public, or they didn’t think anyone

474
00:26:56,150 --> 00:27:01,460
would leave the platform key marked ‘do not trust’ in their UEFI firmware.

475
00:27:02,410 --> 00:27:04,750
They were very, very wrong about that last one.

476
00:27:05,540 --> 00:27:07,620
Oh, you sweet summer child.

477
00:27:07,620 --> 00:27:14,020
Binarly has conducted a survey of tens of thousands of UEFI firmware images, and

478
00:27:14,020 --> 00:27:18,760
they have found that more than 10% of them contain an untrusted platform key.

479
00:27:19,390 --> 00:27:25,120
That leaves all of them vulnerable to a rootkit like BlackLotus.

480
00:27:25,760 --> 00:27:30,210
You can find the full list on their blog, and a tool to check your system.

481
00:27:31,150 --> 00:27:32,149
So, how bad is it?

482
00:27:32,450 --> 00:27:35,399
The reason this is so bad is that it has the capability to

483
00:27:35,400 --> 00:27:39,760
completely avoid typical virus and malware detection and remediation.

484
00:27:40,460 --> 00:27:44,160
Rootkits—or bootkits, depending on how you want to call them—those

485
00:27:44,160 --> 00:27:48,430
get loaded before the operating system, and so they can segment

486
00:27:48,430 --> 00:27:51,870
themselves from the operating system’s knowledge entirely.

487
00:27:52,190 --> 00:27:54,020
And they’re super persistent.

488
00:27:54,750 --> 00:27:59,410
Even if you reinstall your operating system, throw out your SSD and get a new

489
00:27:59,410 --> 00:28:05,319
one, or even update your firmware, there is the possibility it will persist.

490
00:28:06,120 --> 00:28:08,350
Your only real option is to burn it with fire,

491
00:28:08,990 --> 00:28:11,729
assuming you even know that the rootkit is there.

492
00:28:12,510 --> 00:28:12,850
Right.

493
00:28:13,020 --> 00:28:15,550
This is the problem, with two parts of this.

494
00:28:15,580 --> 00:28:18,480
One is the simplicity of the environment does not have

495
00:28:18,480 --> 00:28:22,660
a lot of checks or counter-checks, and by not a lot,

496
00:28:22,870 --> 00:28:26,690
I mean none, except for that cryptographic keychain.

497
00:28:27,900 --> 00:28:28,200
Right.

498
00:28:28,580 --> 00:28:32,330
So therefore, as we just alluded to, the

499
00:28:32,360 --> 00:28:34,640
cryptographic keychain can’t be trusted.

500
00:28:35,130 --> 00:28:37,400
Literally nothing else can be trusted, either.

501
00:28:37,970 --> 00:28:38,620
Exactly.

502
00:28:38,960 --> 00:28:42,800
And because this firmware is not open-source in any way—it’s

503
00:28:42,800 --> 00:28:47,540
all closed system—you, as the owner of your system, don’t really

504
00:28:47,549 --> 00:28:51,060
have access to inspect this kind of thing, at least not easily.

505
00:28:52,040 --> 00:28:53,280
Can this be fixed?

506
00:28:54,080 --> 00:28:54,830
Yes.

507
00:28:55,270 --> 00:29:01,129
Your vendor can update the UEFI firmware to remove the untrusted platform key.

508
00:29:01,790 --> 00:29:04,160
That’s probably the best approach if you’re impacted.

509
00:29:04,879 --> 00:29:08,300
Use the tool that Binarly published, see if you’re impacted,

510
00:29:08,690 --> 00:29:13,290
then go check the website of wherever you bought your computer

511
00:29:13,290 --> 00:29:17,379
from and find out if they have a firmware update that fixes it.

512
00:29:18,040 --> 00:29:22,230
If they don’t, you can technically change the platform key

513
00:29:22,230 --> 00:29:27,340
yourself—it is programmable, after all—but here there be dragons.

514
00:29:28,110 --> 00:29:30,070
I probably wouldn’t unless I had to.

515
00:29:31,010 --> 00:29:33,540
So, in case you didn’t have enough to worry about

516
00:29:33,540 --> 00:29:36,339
today, congratulations, I’ve given you something else.

517
00:29:36,780 --> 00:29:38,559
Man, it feels good to give, doesn’t it?

518
00:29:39,219 --> 00:29:42,070
You are a helpy helper.

519
00:29:43,600 --> 00:29:44,370
The helpiest.

520
00:29:45,080 --> 00:29:48,459
I included so many links in this, so many rabbit holes to go down.

521
00:29:48,910 --> 00:29:51,310
If you’re interested, it’s all included in

522
00:29:51,310 --> 00:29:53,020
the [show notes] . But that’s going to do it.

523
00:29:53,040 --> 00:29:54,349
Thanks for listening, or something.

524
00:29:54,420 --> 00:29:56,969
I guess you found it worthwhile enough if you made it all the way to the

525
00:29:56,969 --> 00:30:00,400
end, so congratulations to you, friend, you accomplished something today.

526
00:30:00,869 --> 00:30:02,890
You can go sit on the couch, fire up your

527
00:30:02,890 --> 00:30:04,990
computer, and install your own rootkit.

528
00:30:05,910 --> 00:30:06,480
You’ve earned it.

529
00:30:07,320 --> 00:30:07,800
BlackLotus is great.

530
00:30:08,480 --> 00:30:11,129
You can find more about this show by visiting our LinkedIn page,

531
00:30:11,130 --> 00:30:14,290
just search ‘Chaos Lever,’ or go to our website, chaoslever.com

532
00:30:14,480 --> 00:30:17,309
where you’ll find show notes, blog posts, and general tomfoolery.

533
00:30:17,510 --> 00:30:19,840
We’ll be back next week to see what fresh hell is upon us.

534
00:30:20,120 --> 00:30:20,940
Ta-ta for now.