Follow

So the guys from PT security (of Intel ME fame) will do a very interesting BH Asia ‘19 talk, if the abstract is accurate:
“We found that modern Platform Controller Hub (PCH) and CPU contain a full-fledged logic signal analyzer, which allows monitoring the state of internal lines and buses in real time”
“With VISA, we succeeded in partially reconstructing the internal architecture of PCH and, within the chip, discovered dozens of devices that are invisible to the user...”

blackhat.com/asia-19/briefings

@Kensan what amazes me continuously is that, when discussing about "computers inside computers", ten years ago people thought I was a complete loonie and now it is all "oh look at what we found here".

I distinctly recall someone in Hillsboro telling me that the PCI controller had "nothing of interest" in it :flan_evil:

The complexity of the modern PC architecture and, worse, its lack of documentation is an under appreciated threat. "Like mainframe but without telling you"™

@cynicalsecurity It’s complexity all the way down and U am not saying this because it sounds funny or cool. Quite the opposite actually...

@Kensan one has to put it all in context and the context is not a pretty one: if you open a mainframe there are a sophisticated processors everywhere, from the NIC to the I/O, but you /know/ they are there.

While it is relatively obvious that the original cheap PC model of "the 8086 does everything" could not sustain itself into the 1990s, what is unacceptable is the lack of documentation about it all.

Why is there a signal analyser in the PCH? When would this /ever/ be used in production?

@Kensan when a mainframe engineer comes out (I used to run Tandem machines) they bring along tons of diagnostic tools which are either software which they load or hardware.

The mainframe engineer takes out the disk board (s'ok, on a Tandem it is all duplicated so "nothing happens"), connects his tools, loads diagnostic software onto the processor running that disk board, diagnoses, fills in the report and swaps it with a new one.

But on a PC?

@Kensan I am truly puzzled by this "signal analyser in the PCH" story as I cannot fathom the reason to ship one in chip production runs.

What uses it?¹

The amount of really rather low-level information which could be obtained by such a subsystem totally eclipses "PC tweaking in the BIOS" like CAS/RAS intervals which, objectively, is really something you should not even bother about.

On a mainframe? Not there.
__
¹ this is /not/ meant to invoke conspiracy theories, please don't even start.

@Kensan The prima facie impression is that somehow the PCH is a chip which ships with development diagnostic tools, as if the development version was the production version (if you are developing a new PC having a signal analyser on the PCH is :flan_hacker: :flan_on_fire:).

I guess that, from a volume perspective, it would be prohibitively expensive to ship a few development PCH chips and, if you have the estate, just leave it in for production?

:flan_think:

@cynicalsecurity @Kensan My guess is it's not so much prohibitive expense as much as... removing it causes more trouble than it's worth.

Now you have to redo the chip layout, which... ignore the cost, it means you've designed a new chip, and need to redo the validation. Which means you need the logic analyzer again.

So, yeah, if you couldn't have an external one, put it in there, and maybe e-fuse it off so it can't be used after the design stage.

@bhtooefr @Kensan yes, that is pretty much what I think I said in my last toot: it is a convenience issue of not having, in effect, two chips where, on top, you need to make sure that when you remove the signal analysis stuff it still behaves as it says on the label…

As you say: why not e-fuse it out of existence for production systems?

@cynicalsecurity When I talked to someone who had access to special Intel hardware to access CPU debug features I got the impression that ironically the push is to simplify the debug process and grant access to third parties more conveniently. So you don’t have to send a bodyguard along with the device onsite to the customer.

Also, just do the debug logic once so one does not have to develop special hardware purely for in-house use.

@cynicalsecurity My guess would be that if we knew the reasoning behind it all it might very well look like a sensible tradeoff. But we just don’t know so ¯\_(ツ)_/¯

@Kensan To be perfectly honest, while I abhor the existence of all of this from a security perspective, it makes perfect sense in the cutthroat Wintel ecosystem to do so for Intel.

It allows manufacturers with less financial resources to be able to debug their designs without buying expensive equipment, in many ways it is a major design win.

Think about the development time and shelf life of modern PCs: Intel pushes out a new gen every year… “this is agile, baby”™

Sign in to participate in the conversation
Mastodon

Server run by the main developers of the project 🐘 It is not focused on any particular niche interest - everyone is welcome as long as you follow our code of conduct!