Do people even read the articles they quote?

Publication A: "In publication B, the author proposes to use the ROP chain as the most effective attack."

Publication B: "That technique is not perfect but this is still better than having to craft a ROP chain for getting code execution in SMRAM."

The whole point of publication B is not to have to craft a ROP chain!

Google Zürich layoff emails went out yesterday. So far I've heard about:
- pregnant people being fired
- people about to go on parental leave being fired
- people from Ukraine or Russia with visas depending on their job being fired, and now at risk of having to go back to war zones or being drafted
- people who just relocated to Switzerland from other international Google offices and are being fired mere weeks after arriving

Teaching boot chain and firmware security for the first time tomorrow. Excited. Just finished my slides with a review of the vulnerabilities found in the last years. Depressed.

Everyone knows that x86 still comes up in real mode, right? Ha ha foolish humans x86 comes up executing microcode that loads a signed code module out of system flash, verifies the signature, and runs it, and that sets up cache-as-RAM and verifies the signature on the firmware boot block, and it's running in protected mode, so it actually switches *back* to real mode before passing off control to the firmware because (bong noises)

@leaverou That's the missing part in your initial screenshot: yes, they have changed ~10k lines at once, but they did so in 14 commits. And it's possible they didn't realize that something that would be a routine review in a better-designed system is intractable in GitHub's.

(Full disclosure: I left Froogle 2 years ago, don't know the author of the PR nor their team. And again I don't understand the last part of their email. I'm just trying to offer perspective in the hope of collaboration.)

welivesecurity.com/2023/03/01/ is really interesting - an in-the-wild UEFI bootkit that's based on a vulnerability in the Microsoft bootloader, not shim. Microsoft patched the vuln, but the vulnerable bootloaders haven't been revoked (presumably because that's a shitload of existing Windows install media)

How do you trust your vTPM? I can find several academic papers online about building a chain of trust with attestation of the vTPM runtime and certificates of the underlying hardware TPM, but no concrete detail about Google, Azure or AWS implementations. @mjg59 is this something you have investigated in the past?

Why is the TPM eventlog not made available to the Linux kernel when I boot with Secure Boot disabled? Measured boot should still work, but it doesn't, unless I use systemd-boot. Is this grub messing things up, or the shim, or both?

Lots of good feedback at for our presentation of « Ultrablue » — attestation of your laptop boot chain from your phone over bluetooth.

We now have encrypted communication between laptop and phone, and precompiled binaries for your laptop and Android phone. If you want to help testing, head over to github.com/ANSSI-FR/ultrablue/

Slides and recordings: fosdem.org/2023/schedule/event

French summary of Damien Desfontaines's thesis, "Lowering the cost of anonymization" desfontain.es/thesis.pdf #AlexandrinsForever

In Pantin, avenue du 8 mai starts at rue Auffret and ends at rue Auray. Sign the Club Contexte petition to rename it avenue Hugues Aufray! openstreetmap.org/way/30285454 cc @gro_tsen_test
