888
edits
Changes
Jump to navigation
Jump to search
Line 24:
Line 24: − | With a way to modify the encrypted state buffer, security engine state control -- dumping of keys from "write-only" keyslots, etc.+ + +
layout
| Weak Security Engine context validation
| Weak Security Engine context validation
| The Tegra X1 supports a "deep sleep" feature, where everything but DRAM and the PMC registers lose their content (and the SoC loses power). Upon awaking, the bootrom re-executes, restoring system state. Among these stored states is the Security Engine's saved state, which uses AES-128-CBC with a random key and all-zeroes IV. However, the bootrom doesn't perform a MAC on this data, and only validates the last block. This allows one to control most of security engine's state upon wakeup, if one has a way to modify the encrypted state buffer.
| The Tegra X1 supports a "deep sleep" feature, where everything but DRAM and the PMC registers lose their content (and the SoC loses power). Upon awaking, the bootrom re-executes, restoring system state. Among these stored states is the Security Engine's saved state, which uses AES-128-CBC with a random key and all-zeroes IV. However, the bootrom doesn't perform a MAC on this data, and only validates the last block. This allows one to control most of security engine's state upon wakeup, if one has a way to modify the encrypted state buffer.
With a way to modify the encrypted state buffer, one can thus dump keys from "write-only" keyslots, etc.
| None
| HAC-001
| HAC-001
| December 2017
| December 2017