AMI Firmware Source Code, Private Key Leaked

Trailrunner7 writes "Source code and a private signing key for firmware manufactured by a popular PC hardware maker American Megatrends Inc. (AMI) have been found on an open FTP server hosted in Taiwan. Researcher Brandan Wilson found the company's data hosted on an unnamed vendor's FTP server. Among the vendor's internal emails, system images, high-resolution PCB images and private Excel spreadsheets was the source code for different versions of AMI firmware, code that was current as of February 2012, along with the private signing key for the Ivy Bridge firmware architecture. AMI builds the AMIBIOS BIOS firmware based on the UEFI specification for PC and server motherboards built by AMI and other manufacturers. The company started out as a motherboard maker, and also built storage controllers and remote management cards found in many Dell and HP computers. 'The worst case is the creation of a persistent, Trojanized update that would allow remote access to the system at the lowest possible level,' researcher Adam Caudill said. 'Another possibility would be the creation of an update that would render the system unbootable, requiring replacement of the mainboard.'"

Keys and source...

[idunham]

Any way this could be used to circumvent Secure Boot?

Re:Keys and source...

[HarrySquatter]

No.

Re:Keys and source...

[Truekaiser]

Actually, yes it can.
"“By leaking this key and the firmware source, it is possible (and simple) for others to create malicious UEFI updates that will be validated and installed for the vendor’s products that use this Ivy Bridge firmware,” "

It will allow those with secure boot, that is on and has no user visible way of shutting it off. Because every extra option in a uefi/bios costs system builders like dell and hp money. a way of disableing it by flashing a bios,uefi image with that option or it permanently set to off.

Re:Keys and source...

[Anon,+Not+Coward+D]

Care to elaborate a little?? Please?

Re:Keys and source...

[Bacon+Bits]

It will allow those with secure boot, that is on and has no user visible way of shutting it off. Because every extra option in a uefi/bios costs system builders like dell and hp money. a way of disableing it by flashing a bios,uefi image with that option or it permanently set to off.

Did you write my stereo instructions in the 1980s?

Re:Keys and source...

[DarkOx]

It might do even better than that! You might be about to create a custom bios image; with the secure boot check deliberately broked to not actually check the boot loader is signed but still return attest that it was.

This could allow you to compromise the DRM all the way up the chain.

Re:Keys and source...

[glrotate]

Close, he wrote the instructions for your motherboard.

Re:Keys and source...

Neat! Now we won't be able to boot Windows as well as Linux! (Things might change now.)

Re:Keys and source...

[gl4ss]

yes, on systems where you can boot anything you want anyways! HAHA

Ok... this chould be bad.

[Cyberglich]

This could be very very bad..

Re:Ok... this chould be bad.

And this also could be great. Like everything, 90% of firmware sucks. Unlike most other software, replacing the firmware usually isn't even close to an option, and I loathe almost every single hardware company as a result of this.

Re:Ok... this chould be bad.

[briancox2]

Bad? Part of the UEFI barrier for other OS's has just been Open Sourced.

And there was much rejoicing.

Re:Ok... this chould be bad.

No it hasn't. You're not going to be able to use this to bypass UEFI secure boot even on AMI hardware let alone it being applicable to hardware at large.

Re:Ok... this chould be bad.

[sveinungkv]

Unlike most other software, replacing the firmware usually isn't even close to an option If you do some research before buying a new main board its a lot closer.

Re:Ok... this chould be bad.

Then why did we need secure boot in the first place?

Re:Ok... this chould be bad.

Sounds like it can be used to sign your own BIOS updates. And if you can sign your own BIOS updates, how does that not translate back to effectively bypassing UEFI? Sure, you're technically simply working within the system instead of going around it, but if it looks like a bypass, walks like a bypass, quacks like a bypass...

Re:Ok... this chould be bad.

[Junta]

Of course, considering the selection of coreboot applicable hardware is extremely limited and mostly ancient...

Re:Ok... this chould be bad.

...if it looks like a bypass, walks like a bypass, quacks like a bypass...

Then it must be a witch! Burn it [to EEPROM]

Re:Ok... this chould be bad.

Indeed, I"ve wanted to try it for years, but I've never had a motherboard that was supported by it.

Re:Ok... this chould be bad.

[Billly+Gates]

Bad? Part of the UEFI barrier for other OS's has just been Open Sourced.

And there was much rejoicing.

Or a piece of malware will now sign itself and change the keys making it impossible to remove. It would be better totally unlocked otherwise. If the keys were in ROM where they could not be rewritten then yes there will be much rejoicing but who is to say the malware wont reimage itself in the UEFI and put another set of keys maybe randomly generated on the host?

Re:Ok... this chould be bad.

[briancox2]

Or a piece of malware will now sign itself and change the keys making it impossible to remove. It would be better totally unlocked otherwise. If the keys were in ROM where they could not be rewritten then yes there will be much rejoicing but who is to say the malware wont reimage itself in the UEFI and put another set of keys maybe randomly generated on the host?

You mean like a root kit? That's only existed for forever, and UEFI has been shown to be infeffective in the real world at stopping them. So your illusion of security was shattered. Pick up your hat and move on ... designing a more workable security scheme.

Re:Ok... this chould be bad.

Latest AMD Trinity APU is not enough? Try Asus F2A85-M

Re:Ok... this chould be bad.

[Billly+Gates]

A rootkit in a non signed way is impossible on UEFI unless you disable it by default.

However if it is signed and the AV software does not have the access to it then you are fucked. It is an OS reinstall. Worse if it uses the keys to reimage the rom then it is bricked.

Re:Ok... this chould be bad.

[briancox2]

Ok. And in the real world, there is no evidence that it is possible to prevent rootkits from eventually being signed on a UEFI. Because now, they are going to be...agreed?

So that means we are right back to where we started in the first place. UEFI is useless at best, burdensome and unfair for people wanting to add/change the OS at worst.

Time to toss it.

Link?

[visualight]

I could care less about the security implications. Where's the link to the full key and source code?

Re:Link?

Something tells me the admin of AMISource.com is about to have a bad day!

Re:Link?

THEN CARE LESS.
The phrase is "I couldn't care less", you troglodyte.

Re:Link?

I couldn't care less about the security implications.

Seeg Hile or something or another for the Grammar Nazi salute!

*I use to get pissed at grammar Nazis. Until one day, someone in authority showed me a resume from someone who made a mistake much less than that one, and said "How can I hire someone who makes such stupid errors as that!?!"

Now, when a grammar Nazi corrects me, I just nod in appreciation or hold back my flames if they're a dick about it.

Things are so bad out there, they'll find any reason to dismiss you.

You may not have problems now or you're secure, but one day, it may matter.

When it was too late, I found out about some of my problems and issues - now, I'm unemployable and on wife support.

There's nothing more humiliating that being on wife support. Especially when you were making six figures.

Just telling you this because I don't want to seem like a dick or come across as someone who thinks "he's all that".

Re:Link?

++

Re:Link?

[visualight]

Roger. It's not an oversight or a mistake on my part. I prefer to say it that way.

I also sometimes say "I give a damn" too.

Because that's the way how I roll.

Re:Link?

[Anon,+Not+Coward+D]

From one of the features FA:

"I’ve contacted both the vendor involved and AMI to alert them to the issue. Obviously, I won’t be releasing the name of the vendor, the FTP address, or anything that was seen on the server."

Maybe we won't see it ever :(

Re:Link?

...except that what you corrected in the GP's post wasn't a grammar mistake. The grammar was perfectly fine.

Re:Link?

The name is out there if you know how to look, and the files are still there. Pandora's box has definitely been opened.

Re:Link?

[Anon,+Not+Coward+D]

Seig hail to our new Sintax Nazi Overlord

Re:Link?

[Bill,+Shooter+of+Bul]

Well, I couldn't care more about your off beet phrasing.

Re:Link?

Syntax ;)

Re:Link?

[Anon,+Not+Coward+D]

oh for the irony...

Re:Link?

[mjr167]

There is nothing wrong with being on "wife support", assuming she can afford to keep you. Change your title to "home maker" and think of it as an opportunity.

My husband stays home with our kids building block towers and signing about the letter A all day. There is actually a growing community of stay at home husbands, and if you think about it, it is really the next logical step towards equality. If we want women to have the option to go out and earn a 6 figure salary, then we need to be willing to let men stay home and feel proud about it.

If you have no kids to raise, then take the opportunity to reinvent yourself. Start a non-profit. Make soda can sculptures that you can sell at your local craft show. Volunteer. These are the things we expected and praised women for doing and there is no shame in men doing them to.

So pick up your head, take pride in the fact that you have a loving, supportive wife, and turn this into an opportunity. The value of a man, or woman, is not measured solely by their income, but rather how they work to better others.

Re:Link?

Not necessarily. Having several systems with AMI BIOSes dating back to the early 1990s, I could care less about the security implications too. Not much less, seeing that none of them use UEFI, but I can't honestly say that I couldn't care less. I'm more interested in reading through the code.

Re:Link?

[fustakrakich]

We shouldn't believe him then. The old 'tits, or GTFO' applies. In fact, it sounds like attempted extortion.

Re:Link?

[stafil]

Just out of curiosity I would love to have a look at their code. I am sure it will appear in piratebay soon.

Anybody knows if it is illegal to download it and have a peek at it?

Re:Link?

*ahem* http://www.mmnt.net/db/0/0/ftp.jetway.com.tw

Re:Link?

[h4rr4r]

I did not expect that level of frankness to turnip in a slashdot thread.

Re:Link?

Oh, so we should of course just trust you as well? If the files are still there, why don't you at least post the name of the vendor, if not the link?

Re:Link?

Who cares. Personally I believe it is morally right to look at code out of intellectual curiosity and that is all I need. You wont get caught illegal or not. And if you are paranoid there are way to acquire it without exposing your IP to a bitorrent tracker.

Re:Link?

I didn't read a part where he was threatening AMI with release of all the sensitive material unless they paid him a wealthy sum or offered him a prestigious job in exchange for keeping this quiet. Maybe you can help me find it?

Re:Link?

I want to enjoy this thread, but I'm finding it chard.

Re:Link?

[fustakrakich]

Yeah, that's right, he's going to post a threat online.

Gee, that's a nice BIOS you get there. It'd be a shame to see anything happen to it.

Re:Link?

No, you should not trust me. You're supposed to learn how to look. Exploits used to be published with small deliberate coding errors in them to prevent script kiddies from just compiling and running them. Handing dangerous stuff to people who haven't gained the corresponding knowledge used to be known as a bad thing. So I won't tell you.

Re:Link?

http://pastebin.com/LFGhmfS9

Re:Link?

Well, expect to catch a lot of flak for sounding like an idiot, then.

I prefer to use blortz instead of "the" and blortz word froople in blortz place of "a."

Re:Link?

Wut ? "Score:2, Troll"? - I know that it is normal nowadays to both be working, and I guess that having spent a lot of effort to get trained, it is frustrating to be denied the opportunity to use that training productively regardless of your gender..... but still in what way is this anything except true ?

Re:Link?

[bug1]

Well, I could care less about this those who couldnt care more, and couldnt care less about those who care more.

SO THERE !

Re:Link?

If OP couldn't care less, then he wouldn't have had enough care to post a comment. But he had just enough care to post, though barely. So while his level of care is quite low, it's not empty. If couldn't care less, then that would indicate his level of care is zero, but that would be false since he obviously had enough care to care to write a post declaring the level of care that he had.

Re:Link?

No

Re:Link?

Thank you, sir. Please accept my meager offer of 10 internets.

Re:Link?

[CheshireDragon]

I think it would be perfectly legal.
To me it seems the same as having Marijuana seeds or spores of a psilocybin mushroom. It's perfectly legal to be in possession of them. However, if you attempt to start growing them, it's your ass.

Bad analogy?

Re:Link?

That all sounds good and well, but if you're working to better me and I'm working to better you what the hell are we doing with our lives?

Re:Link?

it sounds like attempted extortion.

Your post sounds like attempted libel.

Re:Link?

I agree! So WHERE IS THE LINK???!!!??? I don't believe that there is one. This is just a slashdot, err... snowjob.

Re:Link?

[Have+Brain+Will+Rent]

What is so humiliating about a woman supporting a man?
Trust me you'd feel a lot worse if she thought like you and just gave you the boot because you were unemployed.

Re:Link?

[BitZtream]

Unauthorized access to a computer, computer network or network resources is illegal in the United States of America.

No matter what anyone tells you, it is never actually legal for you to steal from someone else.

Re:Link?

"just gave you the boot because you were unemployed."

Clock's running on that. That's what women are like... men will support women. Women won't support men.

Re:Link?

...sieg heil.

Re:Link?

cue the regular programming on how copyright infringement isn't theft. Were the originals deleted from the server too, i.e. did the ftp server have anonymous write access?

Re:Link?

Where did this come from and how is it relevant? I'd offer some rebuttals but I'm not on 4chan so I cannot be critical.

I'm safe from this

I runz the Linux!

Re:I'm safe from this

[sveinungkv]

I runz the Linux!

I runz the Coreboot! ftfy

Re:I'm safe from this

I gotz the runz!

North Korea to use AMI motherboards

To mint trillions of counterfeit dollars to buy nuclear warheads from the republic of bitcoinistan.

You are fucked americans, very fucked.

I hope you put a HOSTS file in your secure boot sector.

Predicted

I predicted a few years back that because of all this crazy DRM stuff eventually you'd get a virus that would require you to throw out your computer.

Re:Predicted

> because of all this crazy DRM stuff eventually you'd get a virus that would require you to throw out your computer.

Who needs a virus, when official firmware updates can accomplish the same thing?

It's called the Motorola Photon, Atrix2, and Electrify. Last Sprint, Motorola locked down the bootloader tighter than Tori Spellings 90210 chastity belt, and did such a "good" job of it, they realized a few weeks later that any phone that ever tried to reflash thereafter had a high likelihood of soft-bricking due to the half-baked poorly-tested last-minute countermeasures they implemented(*). As a direct result, they had to cancel the ICS updates promised to buyers. I'm counting the days until the class action lawsuit against Motorola over it (all 3 phones were promised upgrades to ICS with great fanfare back when they were released, and Motorola's apology to their victims consisted of offering a whopping $25 rebate towards the purchase of a new Motorola phone... like any of us would ever touch one of their phones with a dirty, tetanus-infected pole after what they did to us).

(*)More precisely, they eventually figured out what caused it to bootloop, how to figure out if a device was going to do it, and how to keep it from happening... but the moment they released the safe updater able to navigate their self-imposed minefield, someone at XDA would have decompiled it, seen the logic, and been able to follow the same logic to defeat the new bootloader. They made a policy decision that it was better to completely fuck everyone unfortunate enough to have bought a Photon, Electrify, or Atrix 2 than to risk having their bootloader lock get defeated again.

The bootloader on the above phones was always locked, but Motorola went into neurotic hyperdrive after someone at XDA figured out how to trick the bootloader on a Sprint Photon into flashing a GSM radio modem ripped from an Atrix2 (internally, the Photon, Electrify, and Atrix2 were basically the same phone, with the same CDMA+GSM Qualcomm chipset if you ignored the Wimax daughtercard only the Sprint models had). The Photon was always able to use a SIM card and use GSM internationally, but the Sprint radio modem firmware explicitly disabled use on AT&T and T-Mobile so you couldn't use it as a GSM phone in the US.

Some at XDA claimed to have inside info that US Cellular actually *wanted* the phone to be able to roam on GSM/HSPA in the US (because there was no technical reason why it couldn't, and because USC's historical roaming partner Sprint was staring to suck so badly, ), but as a smaller regional carrier, they were basically told they could take it or leave it with branding-tweaked "Sprint" firmware.

The one-two punch of being officially denied ICS, while having had the ability to do out ourselves cruelly taken away, is why their victims now hate them so badly, and have sworn to our favorite deities that we'll never, ever buy another Motorola phone with a locked bootloader again & fervently hope Google is able to someday, somehow, purge the evil rottenness from Motorola's core & fire everyone who has ever approved of bootloader locking as a company policy. At least Samsung has the decency to treat bootloader locks like a skeleton key imposed to humor Verizon, and leaves a copy under the welcome mat. For Moto, bootloader locking is a deeply-held ideology that goes straight to the company's core business as a defense contractor. When Moto locks a bootloader, they really *mean* it.

linux in bios just got even easier

Besides all the gloom and doom, I can see a use case for this. someone tell coreboot.org? it would make updating your (ami)bios with embedded linux a bit simpler, eh?

There's so much "I told you so" in this...

[Meshugga]

...it's not even funny.

Re:There's so much "I told you so" in this...

C'mon, it's a little funny.

Re:There's so much "I told you so" in this...

[Darinbob]

Untrue. I laughed briefly before I started crying.

Why is only the worst case is mentioned?

Why is only the worst case is mentioned? This can actually be good and help projects like coreboot support more hardware. Or maybe someone will make opensource fork of their firmware as there is a lot to improve in current uefi implementation.
As for the viruses I don’t think even with the signing key we will not see many bios viruses as it is really hard to write that actually does anything beside bricking the hardware. And on most systems it is impossible to update bios after the os is loaded.

Re:Why is only the worst case is mentioned?

The coreboot people will not look at this, but of course everybody will imply that they did if they successfully reverse engineer something. This makes life harder for them, not easier. The crooks on the other hand will have absolutely no qualms about using this against their victims. Of course that's the story here: The complete and utter failure of a flawed security design. The E in UEFI is what's wrong, and the lack of jumpers that turn off write capability to the firmware *in*hardware*.

So much for SecureBoot

[the+eric+conspiracy]

What a waste of time.

Re:So much for SecureBoot

There is nothing wrong with SecureBoot, and in fact is a good idea. The problem is security by obscurity. Current SecureBoot implementations are just hoping you never discover the private key. A CORRECT way to do it is to allow custom keys to be loaded by people who have physical access to the machine. If you want Windows to be booted, you load their public key into your secure boot list. If you want to also boot Fedora/Ubuntu/Debian/Redhat, you install their public key. If you want to install a custom Linux, you generate a keypair, sign the binaries, and load the public keys.

Re:So much for SecureBoot

[VortexCortex]

Everything is wrong with secureboot.

Look, all we need is a simple BIOS option to that allows users to enable OS installs on next boot. When active it could flash part of the BIOS with the OS boot loader. FUCKING DONE. The OS will then be able to boot immediately, and can kick off it's own security chains to validate the rest of the kernel / etc. Use public key crypto in the "early kernel" loader and the existing firmware OS code can verify signatures of new kernel updates without being beholden to some 3rd party Dumbasses Like AMI. The users don't have to type in a fucking hex code (that they're sure to get wrong once or twice) just to boot a different OS. It has the same level of security as secure boot. It's SIMPLE. It already exists, and I actually do this already in my OS with core boot.

Secureboot is a rotting abortion and should be considered harmful.

Re:So much for SecureBoot

SecureBoot is most emphatically not a good idea, because it is predicated on a "known-good" state of the machine, and has no mechanisms for reverse verification. The only thing SB can do is to block transferring into "non-blessed" code, but as you correctly state, current implementations do not allow code to solely be blessed by the operator. So the only good thing about SB (forward verification) is defeated by current implementations, and I'll note that the current specification does not even consider reverse verification. Probably because it is hard.

If SecureBoot was actually developed as a security tool instead of a marketing ploy, it would have included mechanisms for reverse verification anyway, e.g. a way for a secure kernel to verify the bios' claims about having booted securely, and a mechanism for remote machines to verify a client's claims about running securely, because that's the ultimate goal, isn't it? Building a walled garden for your Internet services? I will pass on the discussion on whether such a goal is even worth having from society's perspective.

As it is written, the secureboot specification is a joke, and current implementations just make the joke more painful. "Mistakes" like these are either icing on the cake, or salt in the wounds, depending on your viewpoint.

Prove it!!

This is just scare mongering!

Doh

[MugenEJ8]

'The worst case is the creation of a persistent, Trojanized update that would allow remote access to the system at the lowest possible level,' researcher Adam Caudill said. 'Another possibility would be the creation of an update that would render the system unbootable, requiring replacement of the mainboard.'

It's safe to assume the latter, as malware commanders don't want the computer offline or under scrutiny. Just give them another vector to attack and easier ways to cover up the bot.../p

you can flash in windows

you can flash in windows

Re:you can flash in windows

Not always. In most bioses you can set the lock that prevents from flashing until you boot into bios and disable it.

NOTHING IS LEAKED

[CanEHdian]

There isn't anything useful that has been leaked.

Re:NOTHING IS LEAKED

[lastman71]

Would you be so kind to elaborate? Thanks.

Re:NOTHING IS LEAKED

[dutchwhizzman]

md5sum Downloads/018s.zip

4ebc77526c2ea7c0387cc993252e682b Downloads/018s.zip

md5sum 018s/Keys/FW/.priKey

198e238540b93095f02ee763bdadba86 018s/Keys/FW/.priKey

There are no American tanks in Baghdad. The situation is completely under control.

Re:NOTHING IS LEAKED

[CanEHdian]

Ahhhh yes, no American Tanks... only burning hulls that our Superior Forces are defeating everywhere! Americans are retreating and begging for mercy! Yes... it's out now, and I only checked a few places that had nothing at the time I posted previously (obviously I didn't look in the "right" places!).

It is designed to be "secure" pain in ass.

[boorack]

This shows what a frickin fiasco is this UEFI Secure Boot crap. It was designed by Microsoft as a DRM-like lock-in tool for their Windows OS and it shows DRM-related problems again and again. TPM chips are around for years and are capable of solving all problems Microsoft promises to "fix" with this UEFI-secure-DRM-windows-only-Boot crap. In my opinion it qualifies as abuse of monopolistic power and should be prosecuted as such. I'd expect a lot of PC vendor arm twisting evidence to show up if such prosecution would ever take place. And BTW, please don't reply to me with "any OS vendor can request a key from Microsoft" or "any vendor can request hardware vendors to install its key" crapola. These are just lies spewed around by Microsoft stooges and paid trolls. They already abused dominant position in key distribution (just before last Christmas season) and they'll do it again and again anytime it fits them. The only sensible solution would be to force Microsoft and hardware vendors to abandon this flawed standard using antitrust measures or other means.

Re:It is designed to be "secure" pain in ass.

[Gadget_Guy]

The basis of your whole rant was that Microsoft invented this technology, but you were wrong. I suggest that you go read up on the UEFI before you start making these sorts of proclaimations. The standard was originally developed by Intel, not Microsoft, and they contributed the initial version to the UEFI Forum (which includes reprentatives from ten other companies other than Microsoft on their board).

I have no doubt that you will consider me to be a "Microsoft stooge" for pointing this out.

Re:It is designed to be "secure" pain in ass.

[boorack]

The basis of my rant is that this technology is a DRM, causes problems for all non-MS participants, Microsoft controls this technology (by controlling key distribution) and Microsoft has already abused its control. All conveniently omitted by you. Regarding UEFI itself: yes, Intel designed original version of it but it was Microsoft who forced additional requirements that made Secure Boot such a pain. So I still think that anyone supporting this broken standard either misguided or is a liar. Should I add "useful idiots" to my list of "Microsoft stooges" and "paid trolls" ?

Re:It is designed to be "secure" pain in ass.

[Gadget_Guy]

The basis of my rant is that this technology is a DRM, causes problems for all non-MS participants,

That is your unsupport assertion that this is just about DRM. The PDF that your linked to does actually say that there are benefits to secure boot, something that you have conveniently omitted (to coin your phrase).

Microsoft controls this technology (by controlling key distribution) and Microsoft has already abused its control.

And yet it is the OEMs who control the platform keys, or so says your document. There is no reason why you couldn't have an OEM that actively supported open source operating systems by including their required keys (just like they provide Linux drivers now). Or you just switch off secure boot.

Regarding UEFI itself: yes, Intel designed original version of it but it was Microsoft who forced additional requirements that made Secure Boot such a pain.

I'm not sure which requirements you were talking about here. Is it that motherboards have to implement secure boot, or that they also have to provide a method to turn it off?

So I still think that anyone supporting this broken standard either misguided or is a liar. Should I add "useful idiots" to my list of "Microsoft stooges" and "paid trolls" ?

I guess the alternative is "Microsoft-hating zealot". You know, the ones who make huge errors, and then "conveniently omit" any further discussion on those points during follow-ups. They are also the ones who know that their claims can be refuted, but try to preempt those arguements by saying:

please don't reply to me with "any OS vendor can request a key from Microsoft" or "any vendor can request hardware vendors to install its key" crapola. These are just lies spewed around by Microsoft stooges and paid trolls.

Great idea! Rather than tell us what is wrong with those claims, just call them lies instead. So how exactly are they lies? Or were you lying when you said that?

URL, plz? kthx

If there's no downloadable version, it's not LEAKED.

Re:Me go pee pee in your coke

[fustakrakich]

No, never trust upgradable bios. Put the damn chip into a socket, and do upgrades by snail-mail... The internet will never be safe. Which is a good thing, because I don't want anybody telling me what I can upload or download.

ftp.asus.com.tw

"I’ve contacted both the vendor involved and AMI to alert them to the issue. Obviously, I won’t be releasing the name of the vendor, the FTP address, or anything that was seen on the server."

If Adam Caudill won't disclose it then I will.

ftp.asus.com.tw (which is currently down)

Implication to secure boot...

[philipmather]

Assuming for a moment that the validity of this key is confirmed independently then any further question about the technical feasibility of using this to sub/pervert a Secure Boot arrangement is moot when you consider the deeper and more practical implication which is that you can't trust a major motherboard vendor to keep a signing key properly secured. Secure Boot is dead, long live security.

Re:Implication to secure boot...

[Sulphur]

Assuming for a moment that the validity of this key is confirmed independently then any further question about the technical feasibility of using this to sub/pervert a Secure Boot arrangement is moot when you consider the deeper and more practical implication which is that you can't trust a major motherboard vendor to keep a signing key properly secured.

Secure Boot is dead, long live security.

All hail our Moot Boot overlords.

magnet link

magnet:?xt=urn:btih:bd8b50ebfc73b4f0ea53bda4f7f6a1861b1eb19c&dn=leaked%5Fbios

Re:magnet link

You are awesome, thanks for this!

Re:magnet link

magnet:?xt=urn:btih:bd8b50ebfc73b4f0ea53bda4f7f6a1861b1eb19c&dn=leaked%5Fbios

Opened and ran it... rebooted computer... nothing seems to have changed but my router light is flashing a lot now?!?

Just sayin...

Just sayin... if I found that, would have kept it to myself

Security Through Obscurity

[Jeremiah+Cornelius]

How can you trust what you can never see, or even know is there?

Thesis: Security requires trust.

You are not trusted to know these secrets, therefore you are not secured through their application.

The whole UEFI boondoggle is false security. Worse, this proves that it is vulnerability risk, sold under masquerade, as security.

Re:Security Through Obscurity

[fustakrakich]

The whole UEFI boondoggle is false security. Worse, this proves that it is vulnerability risk, sold under masquerade, as security.

The dogs are always hungry.. This is just part of the show.

Re:Security Through Obscurity

[sexconker]

How can you trust what you can never see, or even know is there?

Thesis: Security requires trust.

You are not trusted to know these secrets, therefore you are not secured through their application.

The whole UEFI boondoggle is false security. Worse, this proves that it is vulnerability risk, sold under masquerade, as security.

UEFI is a replacement for BIOS. It has many features that let us deal with hardware that BIOS couldn't provide. UEFI is not a boondoggle, nor is it about security.

Re:Security Through Obscurity

[fustakrakich]

Either way, something that can brick your machine so easily with software shouldn't be soldered to the board.

Re:Security Through Obscurity

[sexconker]

Either way, something that can brick your machine so easily with software shouldn't be soldered to the board.

UEFI isn't causing bricking any more than any BIOS chip in the past has.
You may as well argue against memory controllers being integrated into CPUs or any northbridge/southbrdge chip being soldered onto a motherboard.

Re:Security Through Obscurity

[fustakrakich]

UEFI isn't causing bricking any more than any BIOS chip in the past has.

No?.. Okay...

You may as well argue against memory controllers being integrated into CPUs or any northbridge/southbrdge chip being soldered onto a motherboard.

Not really. I've never heard of software being able to brick anything through them..

Re:Security Through Obscurity

[BitZtream]

The whole UEFI boondoggle is false security.

That statement alone proves you actually have no idea what you're talking about and are just repeating someone elses headline.

Whats better is that slashdot has modded you up, showing how the crowd here has become just as ignorant. You might as well say

The whole Linux boondoggle is false security

That makes same amount of sense.

Let me give you a hint. UFI isn't the issue, your ignorance is. You are referring to a protocol known as secure boot. It does not require UEFI and works on other systems as well. You really need to get a clue if you want to talk about Secure Boot.

Re:Security Through Obscurity

[BitZtream]

And its not the first time a machine has failed to boot due to bios bugs. This is not something new to computers DUE to UEFI, it is in fact the same thing we've been dealing with for over half a century. Bugs exist.

Re:Security Through Obscurity

We don't trust trolls like you, that's certain http://slashdot.org/comments.pl?sid=3581857&cid=43276741

Ha Ha Ha HA!

This was no accident, and I can pretty much guarantee that in writing or your private signing key back (IMHO)!!!

Well, secure boot in no longer secure!!!!

What a croc!

CAPTCHA = 'violate' -- I kid not, it really was that!

Two years

[ThatsNotPudding]

I'm hoping we're about two years away from a real PC motherboard initiative along the lines of Raspberry PI. Wouldn't that be nice? A motherboard that isn't infected with vulnerable OEM black boxes and proprietary BS code and OS lock-in?

More specific details

Posting as AC for hopefully obvious reasons. I discovered the server while Googling for some obscure AMD datasheets and passed the information off to Mr. Wilson. Not going to provide the exact domain name of the server, but it's operated by Jetway.

In addition to this BIOS code, it contains what appear to be full design files for a few motherboards (Gerbers, schematics, test software) and a number of datasheets (with prominent CONFIDENTIAL watermarks) for chips made by Nvidia, Intel, Atheros, Realtek and others.

Re:More specific details

[X0563511]

Sounds like a Kevin Mitnick wannabe got his cache discovered...

Re:More specific details

Cool story bro.

AMI sucks

Now everyone can see, on actual source level, just how much AMI's firmware sucks.

Custom Firmware?

[CrimsonKnight13]

Would it be possible that more ambitious/less sinister programmers and/or modders could create a highly customized firmware or BIOS that allowed for more options? I guess I see a positive outcome to any leaked source code rather than the negative weaponry most people imagine.

Re:Custom Firmware?

[mrand]

Possible? Yes. Likely? That's somewhat less clear.

Did it include the build environment also, or just the raw source? Does the source match up with your chipset VERY closely (if not, do you have long road ahead)?

When compiling a Jasper Forest BIOS for example, there is:
1. Source for the Jasper Forest family of CPUs (which is different than the source for all other familes)
2. Source for any BIOS-supported ICs on the system which differ from Intel's reference design (perhaps you have a different super I/O, for example?)
3. A configurator which sets a ton of build options #define's. It has an integrated compiler as well
4. An Intel BIOS packaging tool which adds a few Intel proprietary things

The only one that I would guarantee to be universal is is #1: Different BIOS source for the different families of CPU's.

          Marc

Re:Custom Firmware?

[CrimsonKnight13]

I appreciate the insight. I wasn't sure if the source was a generic AMI base or a more specific firmware/BIOS build for a single motherboard.

Implication to secure end users.

Considering all the malware, botnet, viruses, spyware, etc, etc, I'm not sure we can claim the end user is any better when it comes to security.

that's umpossible

the creation of an update that would render the system unbootable, requiring replacement of the mainboard.

what kind of loser doesn't have a JTAG interface?
must be some sort of Apple user.

Re:Me go pee pee in your coke

[mattventura]

What some hardware does (not just motherboards) is it has a physical jumper which has to be closed in order to allow the firmware to be changed. No chance of malicious flashing of the firmware (unless someone has physical access, but then you've got bigger problems) but without having to ship firmware on chips.

Like?

[Sycraft-fu]

What did you "tell them"? Since you didn't elaborate I fail to see what you are going for or how this is insightful.

I can only guess this is something along the lines of the people crying about "Waaaaa security through obscurity!" in which case I want to hear their solution to code signing/verification on a system that doesn't involve a secret private key. You might note that public/private key signing is how Linux distros secure and verify their application distribution services.

Re:Like?

[Meshugga]

Sorry for the delay, I forgot that I commented here.

I think this is what you're looking for: http://en.wikipedia.org/wiki/Trusted_Computing#Criticism

Better Writeup

[bill_mcgonigle]

This has the link, but that'll do you no good at this point.

In related news, I'm more interested in buying an AMI motherboard now. Especially one with CoreBoot flashed over it.

Re:Better Writeup

[Billly+Gates]

So you are more interested in purchasing something malware writters who now know the keys to sign their malware as a rootkit making it impossible to remove?

Re:Better Writeup

[bill_mcgonigle]

Only one of my machines now has a BIOS that's signed (UEFI). The risk of a dangerous flashing malware is just the same as it has been since the early 90's, no?

I always seem to have to reboot into DOS to actually flash when I want to, though. If there's a general way to flash a BIOS from linux, I'm interested.

Re:Better Writeup

[BitZtream]

The risk of a dangerous flashing malware is just the same as it has been since the early 90's, no?

No. This key is still not public, so it still requires the hacker going after you to guess an incredibly long number of bits correctly in order to fool your system into thinking it is valid.

Your BIOS's from the 90s did basic checksum tests that were designed for detecting corruption, not intentional modifications. They use basic CRC32 type of checksums, trivial to fake with simple modification of any 4 bytes in the file, which you can determine with a single simple function as they weren't designed to be one way hashes.

Your computer boots, verifies the key, then starts the next part of the process by verifying that the next stage has also been signed by that key. If you are using the BIOS which was found, then you can simply change the AMI key to your own key and sign your OS with that, so you aren't even if the AMI key was public, you could change yours and be safe again.

You flash your UEFI bios using the UEFI bios, not the OS. Again, if you were using the specific AMI firmware in question, you'd probably be aware of the upgrade menu in it.

And lets be clear. Your machine does not have 'BIOS thats signed'. It use UEFI, with it support for Secure Boot. UEFI is a replacement for BIOS. You really should learn about it rather than continuing to listen to silly 'omg uefi evil' morons. The fact that you don't know the terminology means there is absolutely 0 chance you understand what UEFI is and how SecureBoot works.

Re:Better Writeup

If there's a general way to flash a BIOS from linux, I'm interested.

Flashrom is general, but whether it works for you still depends on the southbridge/prom configuration of your motherboard.

Damn!

The server's public access has been shut down. Is there any mirror available? :-(

Should have downloaded the files but I had something to do somewhere else...

The interesting directories were inside the CODE folder, each one containing one file:

/CODE/Cedar Trail/cm013-org1.zip 19.98Mb October 31 2011
/CODE/Ivy Bridge/018s.zip 22.08Mb February 13 2012
/CODE/Luna Pier/013s.zip 11.36Mb March 15 2012
/CODE/Sandy Bridge/016s.zip 25.20Mb March 15 2012

Let's hope someone got'em :-) My kingdom for a link, please.

Re:Damn!

Dude, nobody measures file sizes in megabits. Please use the usual units.

In case you're a moron, b=bit and B=byte.

... are probably none

[dutchwhizzman]

Implications to secure boot are probably none, when it comes to exposing this key. However, there may be weaknesses in the AMI code that could eventually lead to circumventing secure boot. It's rather academical at this moment, but they may have made some implementation faults that will allow an attacker to falsely keep their checks happy while still modifying boot files. The key is probably only useful for signing firmware, probably only for this vendor and possibly only for this chipset, maybe even a single main board.

Re:... are probably none

[philipmather]

...they may have made some implementation faults that will allow an attacker to falsely keep their checks happy while still modifying boot files.

Well that to.

The key is probably only useful for signing firmware, probably only for this vendor and possibly only for this chipset, maybe even a single main board.

TFA implies it was for "Ivy bridge" so yeah probably tied to chipset, maybe multiple boards but the point is they've demonstrated something arguably close to gross incompetence, misplacing source code is careless, misplacing the signing key is a different league. This is a commercial product how hard would it be to have the key in two parts, held by two individuals on the dev/release team?

This system is built purely on trust and its gone, I mean, yeah "I'm sure they'll be more careful next time" but sarcasm aside there's no real way for them to demonstrate that.

The truly paranoid might even point out that if someone with the means found the FTP server first they could already have trojaned AMI's build servers (running AMI bioses no doubt) with a root kit tainted bios that produced new tainted bioses during compilation and lo' all AMI bios forever after are hence tainted in a never ending FUBAR circle of doom!!!

With three entire exclamation marks and all assuming it's genuine.

duh

http://www.youtube.com/watch?v=nFv9ZRAqG1s

This is ungood

I knew it was a bad idea when they started talking about it. Every system I've built has the ability to turn it off, but some people aren't so lucky. It would be nice if it could be bypassed by a jumper on the motherboard, or something like that so that in the event that it does get compromised at least you can still boot.

Full leak

Full leak in this torrent http://bit.ly/10BwekI

flashrom from LinuxBIOS

Now coreboot.

http://www.coreboot.org/Flashrom

I have used this with great success.

Why that's cute in theory...

Go tell me how many women you can find who would agree to it. Every semi-professional woman I've met/dated/etc expected me to eventually take over the breadwinning duties and THEM to stay at home with the 2+ kids (And yes they all wanted 2+.) I'd think this was some sort of fluke of the area, except this is girls from the bay in Cali, central valley, other countries, and the other coast.

Seems like a broad enough demographic to infer that the majority of women do not appreciate the appeal of a stay at home dad.

Just my 2 cents :)

Re: homemakers

[Have+Brain+Will+Rent]

Very nicely put!

Download the source

Well just download the file using

curl -O ftp://ftp.jetway.com.tw/CODE/Ivy%20Bridge/018s.zip

Cedar Trail, Ivy Bridge, Luna Pier, Sandy Bridge

Leak includes source for four builds: Cedar Trail, Ivy Bridge, Luna Pier, Sandy Bridge

piratebay

[thexile]

http://thepiratebay.se/torrent/8349125

the best case

[perles]

In the best and most possible case it would allow the evil open sources projects to boot the computer without asking the permission and paying the Microsoft.

source code here

https://mega.co.nz/#!Oc8hHILZ!HgMIVBWRPyQFIpG4EqvYzEiB91gpedStB1iihGbphmY