Skip to content

TOCTOU

BootGuard’s Verified Boot mode on modern Intel CPUs is the core root of trust and measurement during the boot process, and preserves the chain of trust by only executing firmware with a valid vendor signature. These protections are supposed to be secure against physical attacks on the SPI flash, although we’ve found multiple errors in handling the firmware volumes as well as a new technique for changing the firmware after the signature check has been done.

In this talk we’ll demonstrate how to build an inexpensive open source tool for investigating these TOCTOU techniques and how to use it to test the security of your own systems.

Peter's writeup goes into detail about the SecCore MTRR issue and how we found it. Slide images, HITB talk overview and video are all available as well.

2019 Security SPI FPGA Talks


Last update: December 22, 2020