Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Secure boot is an important part of ensuring that a running device is not modified. While reading a reference manual for the NNXP i.MX 6/7/8M Application Processors (AP) , they noticed a weird quote that "The DCD based SoC initialization mechanism should not be used once the boot process exits the ROM". In the UBoot Github report, this change had been added but reverted later - this is the beginning of the research.

This chip is provides High Assurance Boot (HAB) functionality to protect the integrity and authenticity of the first boot loader stage retrieved from non-volatile storage. The HAB exports several API functions that allow further boot stages for ROM-based authentication.

For information on how several commands are executed, Device Configuration Data (DCD) and Command Sequence File File (CSF). These sections perform device configuration and image authentication.

However, there is a vulnerability: the DCD and CSF sections validation occurs after some use. As a result, this allows for the reading, polling and writing to configuration register spaces prior to authenticating them.

What result does this have on the system? An attacker can use the unverified DCD section to modify further stages in the boot process. For instance, U-Boot's authenticate_image function can be patched to always succeed. It appears they can even modify the currently loaded boot step to hijack control flow entirely.

The major issue is that the DCD Execution allows for execution outside of the ROM Context. The DCD code is attempts to sandbox specific regions but it just wasn't enough. This same vulnerability existed in the CSF functionality as well but the usage of deprecated functions being called.

The author concludes with why the study of old vulnerabilities is important. This design issue, of allowing ROM-resident code to be shared between boot stages, gave us an potential access problem. Overall, this was a solid post on the secure boot process and design level vulnerability discovery.