Changes

1 byte removed, 16:14, 29 January 2021
Line 133: Line 133:  
One can then use blind ROP against the TSEC secure bootrom (which is execute only, and cannot be dumped).
 
One can then use blind ROP against the TSEC secure bootrom (which is execute only, and cannot be dumped).
   −
With sufficient effort, an attacker can construct a ROP chain that leads to csigauth being executed with fully controlled arguments.
+
With sufficient effort, an attacker can construct a ROP chain that leads to csigcmp being executed with fully controlled arguments.
    
This allows for arbitrary heavy secure mode code execution with the current signature set to an arbitrary value.
 
This allows for arbitrary heavy secure mode code execution with the current signature set to an arbitrary value.
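Review bot: the revision carries no edit summary, and on line 133 the only change is the name csigauth becoming csigcmp, so a reader cannot tell whether this corrects a factual error or just a naming slip. The unchanged sentence that follows still claims the result is "the current signature set to an arbitrary value". Suggest adding a short edit summary and linking csigcmp to wherever the wiki defines it, so the claim that executing it with controlled arguments yields that result can be checked against the definition.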