LEAKED: Intel’s BIOS Source Code — All 6GB of It
Source code for the Intel Alder Lake processor EUFI BIOS has gone walkies. 6 GB of build image is floating ’round the net like a genie freed from its bottle.
The leak includes some private keys, including a Boot Guard “Key Manifest” key. That small part of the leak could allow hackers to create malicious firmware updates.
4chan is said to be involved. In today’s SB Blogwatch, we try to sound surprised.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Apollo 14 remastered.
Hackers’ Happy Hunting Ground
What’s the craic? Paul Alcorn broke the story—“Intel Confirms Alder Lake BIOS Source Code Leak”:
“China-based ODM”
We recently broke the news that Intel’s Alder Lake BIOS source code had been leaked. … We reported the leak within hours of the initial occurrence [and] Intel has now issued a statement … confirming the incident.
…
The BIOS/UEFI of a computer initializes the hardware before the operating system has loaded. Among its many responsibilities, the BIOS establishes connections to certain security mechanisms, like the TPM (Trusted Platform Module). … Nefarious actors and security researchers alike will undoubtedly probe … the BIOS/UEFI code … to search for potential backdoors and security vulnerabilities. … Intel is … encouraging researchers to submit any vulnerabilities they find to its Project Circuit Breaker bug bounty program.
…
The GitHub repository, now taken down but already replicated widely, was created by an apparent LC Future Center employee—a China-based ODM that manufactures laptops for several OEMs, including Lenovo. … This could simply be the case of an employee inadvertently posting the source code to a public repository.
Someone’s in trouble. Lawrence Abrams adds—“Alder Lake BIOS Source Code is authentic”:
“KeyManifest private encryption key”
Intel has confirmed that a source code leak for the UEFI BIOS of Alder Lake, [its] 12th generation Intel Core processors … is authentic. … While Intel has downplayed the security risks … researchers warn that the contents could make it easier to find vulnerabilities in the code.
…
The leak contains 5.97 GB of files, source code, private keys, change logs, and compilation tools, with the latest timestamp on the files being 9/30/22. [I’m] told that all the source code was developed by Insyde Software Corp, a UEFI system firmware development company.
…
[It also] included a KeyManifest private encryption key—a private key used to secure Intel’s Boot Guard platform. … If the leaked private key is used in production … hackers could potentially use it to modify the boot policy in Intel firmware and bypass hardware security.
That sounds bad. Shawn Chang asks—“What can we learn from leaked Insyde’s BIOS?”:
“Long-term solution: Replace UEFI”
Let’s pray Lenovo didn’t use any of those keys in the production. … UEFI is highly rely on SMM (System Management Mode) that has greater privileges than the operating system. … Complexity of the firmware supply chain … is a big risk for both individuals and data centers.
…
Short-term plan: Security team and patch management team should work together to ensure critical devices are upgraded to the latest version. The security operation team should keep monitoring for privilege escalation. … Threat detection and auditing against existing firmware.
Long-term solution: Replace UEFI with … coreboot-based next-generation firmware. Integrate with security payloads—such as VaultBoot, LinuxBoot, etc.—to implement provisioning of hardware security features.
Can we still trust Intel? maia arson crimew—@_nyancrimew—thinks she knows:
The fact that the signing key leaked so easily honestly says a lot about how trustworthy it was before. If your source code getting leaked results in private keys leaking as well you ****ed up hard. … This is entirely on you, Intel.
Is there a silver lining in the cloud? This Anonymous Coward spots one:
While everybody is concerned about bad guys … it is also an opportunity for the good guys to improve UEFI support for Linux.
Such as? loyukfai suggestifies thuswise:
So is there any way to further improve power efficiency? Alder Lake mobile seems to be a regression across the board in terms of battery life.
But hold on there, boss. caseih counsels caution:
Usually leaks of proprietary code are quite poisonous for open source projects, so I wouldn’t call any of it beneficial for the open source community. It would be far more beneficial for all communities if Intel would make the firmware open source to begin with.
Them’s some long words. ELI5? Next best thing—u/Deshke explains like you’re 15:
Intel will sue the living **** out of every board maker who tries to use it and every open source project will avoid these pieces of code with a 10 foot pole.
Meanwhile, flyingfsck doesn’t give a flying … [You’re fired—Ed.]
RISC V is the open source future, not Intel.
And Finally:
You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.
