Leah Rowe is not a Rowebot

Oh by the way

codeberg.org/mkukri/optiplex-3

Mate Kukri's proof of concept for Dell OptiPlex 3050 Micro. Disables Intel Boot Guard, allowing coreboot.

EDIT: info from Mate himself, about this: mas.to/@mkukri/112507467615650

tl;dr of what he said:

it uses CVE-2017-5705

Intel fixed it in newer MEv11 updates but you can downgrade via physical flash access.

With a vulnerable MEv11 revision you exploit ME in the BUP (bringup) module, overwriting bootguard FPFs in SRAM, overriding the fused bootguard config.

7 comments
Evv1L :blobcatlaptop:

@libreleah

> Run './RUNME.sh' to generate an ME image that bypasses BootGuard on the OptiPlex 3050.

Very interesting!

Is this just Dell having some weird/buggy BootGuard implementation, or could it be possible on other desktops/laptops?

How does this bypass even work? Is it some undocumented IME feature?

Leah Rowe is not a Rowebot

@Evv1L mate kukri is working on a technical writeup. this is going in libreboot.

mkukri

@Evv1L @libreleah

This uses CVE-2017-5705.

It has been fixed by Intel in newer ME v11.x.x.x firmware releases, however ME11 hardware has no protection against downgrading the ME version by overwriting the SPI flash physically, thus we can downgrade to a vulnerable version.

After downgrade, we exploit the bup module of the vulnerable firmware, overwriting the copy of boot guard FPFs stored in SRAM, resulting in the fused boot guard configuration being replaced with our desired one.

it takes a village

@libreleah @mkukri @Evv1L

in my circle there's also some x380 yoga's. But T480 is the last 'tinkerable' laptop that /r/thinkpad is hyped over.

edit: thank you!!

Leah Rowe is not a Rowebot

@djuuss @mkukri @Evv1L no promises, but mate has told me in #libreboot that he is indeed interested in the t470 and t480 machines
