Flashing unsigned BIOS #2

haarp · Jul 5, 2016

Hey,

nice find!

Running of arbitrary System Management Mode code allows attacker to disable flash write protection

Could this be used to flash unsigned (i.e. modded) BIOS versions? This has been a major challenge in newer Thinkpads (**30+ Generation). Being able to flash without a hardware programmer could be an actual valid use case of this vulnerability!

c0d3z3r0 · Jul 6, 2016

Even if it was possible to write an unsigned UEFI/BIOS it won't boot since Intel BootGuard prevents it

haarp · Jul 6, 2016

BootGuard is not present/activated on all Thinkpad hardware. At least the **30 generation will boot unsigned firmware if it is flashed externally.

trilader · Jul 6, 2016

That also applies to (at least some of) the *20 Thinkpads. Source: I have an x220 running Coreboot.

Cr4sh · Jul 11, 2016

Project issues is not a proper place for such discussions

Cr4sh closed this Jul 11, 2016

Cr4sh/ThinkPwn

Flashing unsigned BIOS #2

haarp commented Jul 5, 2016

c0d3z3r0 commented Jul 6, 2016

haarp commented Jul 6, 2016 • edited

trilader commented Jul 6, 2016

Cr4sh commented Jul 11, 2016 • edited

Cr4sh closed this Jul 11, 2016

Cr4sh/ThinkPwn

Flashing unsigned BIOS #2

Comments

haarp commented Jul 5, 2016

c0d3z3r0 commented Jul 6, 2016

haarp commented Jul 6, 2016 • edited

trilader commented Jul 6, 2016

Cr4sh commented Jul 11, 2016 • edited

Cr4sh closed this Jul 11, 2016