Many Intel processors' crypto keys at risk

Like almost all SoCs and processors, the models from Intel also have a permanently burned-in cryptographic key. This serves as the basis for many security systems, including the Management Engine (ME). The execution of the UEFI BIOS is monitored, but also functions like the DRM or security functions like the Trusted Platform Module (TPM). But also the server area important software guard extensions (SGX) use it.

This cryptographic key now seems to be at risk, because during the boot process this key seems to be visible at least for a short time. This is reported by the security company Positive Technologies. It could not yet be read, but the security researchers consider it to be threatened. The impact would be enormous because Intel cannot change the key. As the root of trust, however, it is an essential component of many security systems in the processors.

All current processors from Intel are affected. In addition to the desktop and server models, apparently also the Atom processors. Intel has been aware of the gap since May 2019. As CVE-2019-0090 titled their risk is classified as “high”. Intel wants to at least complicate an attack on the cryptographic key with updates for the ME and Converged Security and Management Engine (CSME) – you cannot prevent it.

Vulnerability in CacheOut –

–

The attack is made possible by a small SRAM memory area that the ME creates. No external systems actually have access to this memory area. But the I / O Memory Management Unit (IOMMU) and the Minute IA System Agent (MISA) do. Before the IOMMU can secure the ME-SRAM, however, there is a brief moment during the system start when this is not yet the case. The ME-SRAM can be manipulated during this period. As I said, it has not yet been possible to read the key, but this should only be a matter of time.

Physical access to the system is required for the attack. This makes an attack difficult. However, if the key is known, other systems could also be affected, since the hardware key is identical for millions of processors.

The gap apparently no longer exists in the Ice Lake processors currently only intended for notebooks. Nevertheless, a devastating picture continues to emerge when it comes to the security of Intel processors. CacheOut, Plundervolt, Zombie load and many more examples, mostly side-channel attacks, do not let Intel rest in this regard.