Breaking Through Another Side - Bypassing Firmware Security Boundaries from Embedded Controller

Explore reverse engineering techniques for Embedded Controllers (EC) in recent Lenovo Thinkpad laptops in this Black Hat conference talk. Delve into attacks from EC trusted boundaries on main platform firmware (BIOS) and learn how to bypass Intel BIOS Guard technology in Lenovo's specific implementation. Understand hardware security boundaries, EC firmware update processes, and the impact of EC update authentication bypass. Examine Lenovo Thinkpad EC update headers, signature checks, and disclosure timelines. Gain insights into Intel BIOS Guard, including its structure, hardware support, and execution flow. Analyze BIOS Guard Directory, Platform Data Table, and Update Package components. Compare signed and unsigned operations with BIOS Guard scripts to enhance your knowledge of firmware security vulnerabilities and mitigation strategies.

Intro
Hardware Security Boundaries
Methodology
EC firmware update process
Impact of EC update auth bypass
Lenovo Thinkpad EC update header
Lenovo Thinkpad EC update process
Boot Guard saves the day?
Lenovo Thinkpad EC signature check
Lenovo disclosure timeline
EC take-aways
Intel BIOS Guard in a nutshell
What is Intel BIOS Guard?
Lenovo Thinkpad PFAT update process
BIOS Guard hardware support
BIOS Guard ACM execution flow
BIOS Guard Directory
BIOS Guard Platform Data Table
BIOS Guard Update Package
Signed vs unsigned operations with BIOS Guard script