The most scary thing here is that in some circumstances it allows an attacker to make malicious code permanent:
"This brings an amazing opportunity for an attacker with capabilities to inject program code into BIOS: to turn Intel BG technology on manually making any modifications in BIOS permanent. It only requires configuring Intel BG by programming the chipset fuses (via pure software way) after the modification is done."
...and even manually reflashing the whole BIOS image with a hardware "chip clip" can't fix it? That is really scary.
The only hope is that those "chipset fuses" actually can be reset via hardware (but not software, since that would defeat the point)... but that chance also seems slim.
I'm probably one of the few people for whom anything advertised as "trusted" or being for "security and safety" has, instead of implying peace and bliss, taken on a much more sinister connotation: to lock you out of what you own... boot guard, secure boot, SGX, etc. All in theory can be used for the user, but in practice are just enabling walled gardens and DRM.
Yes, if it was truly for the security of the end users, they'd at least provide the end user a mechanism to unlock this stuff when things go wrong, such as a hardware jumper combined with software access code. A key principle of infosec is "availability" for authorized users. Therefore, I argue that such devices are not very secure for end users.
Everything used to be open and relatively well-defined on the platform, unless my memory is colored rosy: BIOS, MBR, HDD, etc. Generally, it still is, beginning with BIOS (AFAIK, you can usually disable UEFI).
But 'pre-BIOS' vendors have created a mostly proprietary, closed hodge-podge of hardware and software. I've been trying to merely identify those components and subsystems on a new computer and it's taking many hours and information is sparse. There's TPM, PTT, ME, TXT, Boot Guard, AMT, etc. etc.
All seem to serve one or more of three purposes: 1) Manageability (for corporate IT), 2) end-user control via a Root of Trust (practical only for corporate IT for the most part), and 3) Vendor control (DRM and more) via a root of trust and closed, undocumented, obscure systems.
Is there any guide to all this? Any standardization? There were and are multiple BIOS vendors, but generally I knew what a BIOS did and does.
> Is there any guide to all this? Any standardization?
UEFI is standardized. The reference implementation of UEFI called EDK II is even open source. [0]
However, original device manufacturers (ODMs) are lazy, and independent BIOS vendors (IBVs) have moved in to offer ODMs customization (e.g. the fancy configuration GUI) based on EDK II, but which isn't open source and is sprinkled with their proprietary magic. Think AMI, Phoenix, etc.: the same people who were making BIOSes.
The specific Intel features like TXT, Boot Guard, AMT, etc. are not to my knowledge open specifications, so if you wanted more information, you'd probably need to sign a very long NDA with Intel. Clearly there is information available, since the IBVs integrate this functionality into their product.
In summary:
- UEFI is an open standard with an open source reference implementation [0]
- TPM is an open standard. [1]
- Intel specific features are, to my knowledge, proprietary
I dunno, BIOS was pretty opaque and all the major BIOS vendors' stuff was completely proprietary (and often full of bugs). The difference is that BIOS was simpler and hence easier to understand. It was also not as well protected, and if you wanted to you could extract and reverse engineer the BIOS with easily available tools. Nowadays the firmware in your machine is better protected as well as much more complex, making it harder to access and harder to understand.
The parent comment is saying "used to be", and that was actually very true before the IBM PS/2 and the AT clones --- IBM published the schematics and BIOS source code for the PC, XT, and AT in the PC Technical Reference books.
Even in the "AT clone" era (better known as "IBM PC Compatible"), the standards were relatively more open and there wasn't much in the way of DRM at all.