[coreboot] Possible security enhancement?

ron minnich rminnich at gmail.com
Thu Feb 21 21:55:13 CET 2008 

On Thu, Feb 21, 2008 at 12:10 PM, Paul Millar <paul at astro.gla.ac.uk> wrote:

>  Apparently, the problem here is DRAM doesn't fade fast enough.  If the reboot
>  is fast, then the memory contents are preserved, so exposing the in-memory
>  cache of the disk encryption key.  Boot off a memory stick and one can
>  analysis the memory's content.

yes, this is a problem and has been for as long as DRAM has been
around. I kept wondering if anyone would notice :-)

I used to debug DRAM-based micros by power cycling them and then
dumping DRAM. Most of it survived. I won't even mention how long ago
this was.

>
>  The (perhaps flippant ;-) remark from "bootman" about storing the keys
>  somewhere where the data will be erased by the BIOS led me to wonder if
>  coreboot could do something like this.

yes, very easily.
>
>  Perhaps coreboot could add the option of wipe the memory contents before
>  handing over to the payload, maybe a "wipe-memory" payload that fails over to
>  the next, main payload?

We could do it in initram with no trouble.

You pretty much have to do a full memory write to reset the ECC tags
anyway (note: NOT zero. Just write). I'm kind of opposed to zeroing
memory, since frequently, you want the contents of memory for
port-mortem. That said, I'm surprised their attack worked since I
assumed all those wonderful "secure" BIOSes -- such as EFI -- would
zero all of memory. There must be something else going on here. Oh,
there is -- they turned off memory wipe. I'm not that astonished, I'm
surprised that anyone is ... DRAM retention is a widely known issue.

>If erasing the whole memory would take too long,
>  could it wipe some part of the memory and (by convention) that part of the
>  memory be used for storing secrets?

HMM,  the K8 has 3.2 GB/sec memory bw at minimum. Put 128 GB on a
single CPU ->40 seconds. People might get upset. But people who care
about security should not.

It's funny. Those incredibly slow BIOSes disable a very important
security item to get faster boot :-)

>
>  Neither offers a completely solution to the problem: apparently, as the
>  temperature is lowered, the data in DRAM will survive longer---at liquid
>  Nitrogen temperatures it can last for hours---but perhaps it could help.

The problem is easily solved -- on some machines, it should not be
possible to disable (at minimum) a full zero'ing of memory.

Neat paper though. It makes a widely known but not much discussed
problem more widely known.

ron

More information about the coreboot mailing list