This spaghetti script checks if the trust of your computer's BIOS image is affected by the recent Intel leak.
It simply searches if the ROM image contains any of the keys leaked. Since the respective private keys are part of the leak, anyone with those keys could forge cryptographically valid BIOS images and your platform will happily accept them.
Warning: I assume you know what you're doing.
Warning 2: The script was tested mainly on MacOS, in order for the script to work on Linux, make sure to have xxd
version 2022-01-14 (coming with vim 8.2.4088) or newer, see more details why here.
- first, you need to extract the BIOS/UEFI ROM image from the SPI flash, which can be done with Chipsec or other tools
$ sudo python chipsec_util.py spi dump rom.bin
...
$ ls rom.bin
rom.bin
- next, you use the script included in this repository to search for the public keys that I pre-generated from the private ones.
$ ./checker.sh unaffected-rom.bin
No keys found: you may not be affected
$ ./checker.sh affected-rom.bin
Keys found: you're likely affected.
I created a FwHunt rule to perform the same check, so if you're a FwHunt user, you can go that way:
-
Add this rule to your FwHunt ruleset.
-
Run the
scan
command:
$ python fwhunt_scan_analyzer.py scan -r ../FwHunt/rules/Threats/IntelAlderLakeLeak.yml rom.bin
Scanner result IntelAlderLakeLeak (variant: default) FwHunt rule has been triggered and threat detected! (rom.bin)
If you're affected, you'll see the message above. Else, a reassuring, green message will appear.
Export the public key in modulus-exponent format (in hex string) and reverse it.
$ openssl rsa -modulus -noout -in privkey.pem | \
awk -F= '{print $2}' | \
python -c \
'import sys; s = sys.stdin.read().strip().lower(); a = [s[i:i+2] for i in range(0, len(s), 2)]; a.reverse(); print("".join(a));'
- Yegor Vasilenko for this