Upload File

advanced x86: bios and system management mode internals boot process xeno kovah && corey...

  • Home
  • Documents
  • Advanced x86: BIOS and System Management Mode Internals Boot Process Xeno Kovah && Corey Kallenberg LegbaCore, LLC
8
Advanced x86: BIOS and System Management Mode Internals Boot Process Xeno Kovah && Corey Kallenberg LegbaCore, LLC

Upload: kerry-lyons

Post on 17-Jan-2016

224 views

Category:

Documents


2 download

Report

TRANSCRIPT

Page 1: Advanced x86: BIOS and System Management Mode Internals Boot Process Xeno Kovah && Corey Kallenberg LegbaCore, LLC

Advanced x86:BIOS and System Management Mode Internals

Boot Process

Xeno Kovah && Corey KallenbergLegbaCore, LLC

Page 2: Advanced x86: BIOS and System Management Mode Internals Boot Process Xeno Kovah && Corey Kallenberg LegbaCore, LLC

All materials are licensed under a Creative Commons “Share Alike” license.

http://creativecommons.org/licenses/by-sa/3.0/

2Attribution condition: You must indicate that derivative work"Is derived from John Butterworth & Xeno Kovah’s ’Advanced Intel x86: BIOS and SMM’ class posted at http://opensecuritytraining.info/IntroBIOS.html”

Page 3: Advanced x86: BIOS and System Management Mode Internals Boot Process Xeno Kovah && Corey Kallenberg LegbaCore, LLC

• This covers an example of a minimal BIOS boot process, just to give an idea of what the BIOS does before your operating system starts to load.

• It doesn’t include everything of course because it’s geared towards minimal-configuration to achieve 100% functionality.

3

Page 4: Advanced x86: BIOS and System Management Mode Internals Boot Process Xeno Kovah && Corey Kallenberg LegbaCore, LLC

Boot Process at a glance*

*This list composed from Intel Minimal Architecture Boot Loader

1. Power-up1. 16-bit Real Mode accessing address FFFF_FFF0h

2. Operating mode selection1. Flat protected mode

3. Preparation for memory initialization1. CPU microcode update

2. Set up CPU Cache as RAM (CAR)

3. Chipset initialization (MCHBAR, PCIEXBAR, etc.)

4. Memory initialization1. Configure the memory controller

5. Post memory initialization1. Memory test

2. Copy firmware from flash to memory for faster execution*1. In the doc this is listed as firmware shadowing but I’m modifying it somewhat since the BIOS

can perform the copying of flash components to memory2. As a general rule, it’s better to copy things to memory before execution as soon as possible

3. Memory transaction redirection (PAM registers)

4. Setting up the stack (before memory initialization, stack will be in CPU cache)

5. Transfer to DRAM (the BIOS flash that was copied to memory is now executed)

4

Page 5: Advanced x86: BIOS and System Management Mode Internals Boot Process Xeno Kovah && Corey Kallenberg LegbaCore, LLC

Boot Process at a glance*

*This list composed from Intel Minimal Architecture Boot Loader

6. Miscellaneous platform enabling 1. Platform dependent: Initialize clocks to operate at N Hz, configure general-

purpose I/O, etc.

7. Interrupt enabling - PIC (Programmable Interrupt Controller), LAPIC (Local Advanced PIC), I/O APIC, etc.

8. Interrupt tables 1. Interrupt Vector Table (IVT)

1. Interrupt Service Routine (ISR) – INT 10h, etc…

2. Interrupt Descriptor Table (IDT)1. Exceptions

9. Setting up timers1. In ICH: RTC (, HPET, 8254 Programmable Interrupt Timer (PIT), TCO timer (used as

watchdog)

2. In CPU: LAPIC timer

10. Memory caching control

11. Processor discovery and initialization1. CPUID

2. Startup Inter-Processor Interrupts (SIPIs) are written to a processor’s LAPIC telling it to wake up and where to start executing code at (must be a 4KB aligned boundary)

1. Intel SW Programmer’s Guide has more detail on this

3. Each processor will awaken in Real Mode5

Page 6: Advanced x86: BIOS and System Management Mode Internals Boot Process Xeno Kovah && Corey Kallenberg LegbaCore, LLC

Boot Process at a glance*

*This list composed from Intel Minimal Architecture Boot Loader

12. I/O devices1. Super I/O can control PS/2 keyboard, serial, parallel, etc. interfaces

13. PCI device discovery1. Enumerate PCI devices

2. Assign address space (port IO, Memory Mapped IO)

3. Detect and execute Expansion ROMs (XROMs)

14. Memory map1. Region types

1. Memory

2. Reserved

3. ACPI Reclaim

4. ACPI NVS

5. ROM

6. IOAPIC

7. LAPIC

2. Region locations1. Consult your datasheet for a complete list, but we’ll cover some of the more relevant ones

15. Non-Volatile (NV) storage1. CMOS

2. NV SPI flash

16. Handoff to boot-loader6

Page 7: Advanced x86: BIOS and System Management Mode Internals Boot Process Xeno Kovah && Corey Kallenberg LegbaCore, LLC

Only 16 steps? BIOS is simple!

*This list composed from Intel Minimal Architecture Boot Loader

• Easy to summarize, not so easy to implement• Very complex implementations• Even if it’s only a couple MB, it’s a very DENSE couple

of MB• That list taken from the Intel Minimal Architecture Boot

Loader which provides a pretty good list of functional requirements

• What is left out is:– Initializing SMM and locking down SMRAM– Locking down the BIOS Flash

7

Page 8: Advanced x86: BIOS and System Management Mode Internals Boot Process Xeno Kovah && Corey Kallenberg LegbaCore, LLC

How do you learn about all that stuff?

• You could go review open source BIOSes’ code (CoreBoot or UEFI’s TianoCore reference code)

• Or you can sign an NDA with Intel and read their very large “BIOS Writer’s Guide” and associated documentation for each CPU/chipset

• At the end of the day, the open source code is more or less just doing what they’re told to do by the Intel documentation

8


#RSAC SESSION ID: Xeno Kovah Corey Kallenberg Are you giving firmware attackers a free pass? HTA-F02 CTO & Co-Founder LegbaCore, LLC @CoreyKal CEO & Co-Founder

Advanced x86: BIOS and System Management Mode Internals SMI Suppression Xeno Kovah && Corey Kallenberg…

Intermediate x86 Part 4 Xeno Kovah – 2010 xkovah at gmail

Malware Dynamic Analysis Part 3 Veronica Kovah vkovah.ost at gmail See notes for citation1

Advanced x86: BIOS and System Management Mode Internals Unified Extensible Firmware Interface (UEFI) Xeno Kovah && Corey Kallenberg LegbaCore, LLC

Setup&For&Failure:&Defeang& Secure&Boot - PUT.AS · 2016. 8. 1. · Setup&For&Failure:&Defeang& Secure&Boot Corey&Kallenberg& &@coreykal& Sam&Cornwell & &@ssc0rnwell& Xeno&Kovah &

Malware Dynamic Analysis Part 2 Veronica Kovah vkovah.ost at gmail See notes for citation1

Advanced x86: BIOS and System Management Mode Internals PCI {Option/Expansion} ROMs Xeno Kovah && Corey Kallenberg LegbaCore, LLC

Xeno Kovah – 2012 xkovah at gmail 1 BINARIES Part 1 See notes for citation

St. Josef Münchingen...(1923 Münchingen / 326 Kallenberg) 2011 2262 Katholiken (1984 Münchingen / 278 Kallenberg) Katholiken in Münchingen / Kallenberg Kirchweihe mit Pfarrer Dr

Eair 2015 Kallenberg - Interacting Spheres Revisited

© 2013 The MITRE Corporation. All rights reserved. For internal MITRE use John Butterworth Corey Kallenberg Xeno Kovah BIOS Chronomancy: Fixing the Core

Advanced x86: BIOS and System Management Mode Internals System Management Mode (SMM) Xeno Kovah && Corey Kallenberg LegbaCore, LLC

Advanced x86: BIOS and System Management Mode Internals SPI Flash Xeno Kovah && Corey Kallenberg LegbaCore, LLC

Malware Dynamic Analysis Part 1 Veronica Kovah vkovah.ost at gmail See notes for citation1

Advanced x86: BIOS and System Management Mode Internals UEFI Reverse Engineering Xeno Kovah && Corey Kallenberg LegbaCore, LLC

Advanced x86: BIOS and System Management Mode Internals Reset Vector Xeno Kovah && Corey Kallenberg LegbaCore, LLC

Advanced x86: BIOS and System Management Mode Internals Flash Descriptor Xeno Kovah && Corey Kallenberg LegbaCore, LLC

Advanced x86: BIOS and System Management Mode Internals More Fun with SMM Xeno Kovah && Corey Kallenberg LegbaCore, LLC

© 2014 The MITRE Corporation. All rights reserved. Xeno Kovah John Butterworth Corey Kallenberg Sam Cornwell Copernicus 2: SENTER the Dragon!

Training Security Nerds: Computum deos ab hominibus Xeno Kovah

Intermediate x86 Part 3 Xeno Kovah – 2010 xkovah at gmail

Malware Dynamic Analysis Part 6 Veronica Kovah vkovah.ost at gmail See notes for citation1

Advanced x86: BIOS and System Management Mode Internals PCI Xeno Kovah && Corey Kallenberg LegbaCore, LLC

Södermorsor av Lena Kallenberg

Advanced x86: BIOS and System Management Mode Internals Tools Xeno Kovah && Corey Kallenberg LegbaCore, LLC

2013 The MITRE Corporation. All rights reserved.. Approved for public release 13-2534 John Butterworth Corey Kallenberg Xeno Kovah BIOS Chronomancy:

Advanced x86: BIOS and System Management Mode Internals Introduction Xeno Kovah && Corey Kallenberg LegbaCore, LLC

Advanced x86: BIOS and System Management Mode Internals Input/Output Xeno Kovah && Corey Kallenberg LegbaCore, LLC

Advanced x86: BIOS and System Management Mode Internals Chipset Architecture Xeno Kovah && Corey Kallenberg LegbaCore, LLC

Malware Dynamic Analysis Part 4 Veronica Kovah vkovah.ost at gmail See notes for citation1

Eair 2014 harboe&kallenberg

Are you giving firmware attackers a free pass?legbacore.com/Research_files/HTA-F02_Kovah_v5.pdf · 2015. 11. 4. · #RSAC SESSION ID: Xeno Kovah Corey Kallenberg Are you giving firmware

Advanced x86: BIOS and System Management Mode Internals SMM & Caching Xeno Kovah && Corey Kallenberg LegbaCore, LLC

Advanced x86: BIOS and System Management Mode Internals Motivation Xeno Kovah && Corey Kallenberg LegbaCore, LLC