PCH: Top Swap (TS)

During a normal boot, the silicon will map the two 64 KB top boot blocks of the flash chip to the address [0xE0000, 0xFFFFF). When the CPU starts from the reset vector – 0xF000:0xFFF0 – the CPU can execute the instruction directly on the flash. These same boot blocks are also mapped to [0xFFFE0000, 0xFFFFFFFF) because the typical 16-bit real mode boot block code switches to the 32-bit protected mode immediately to access the whole flash region, which may be bigger than 1 MB. See Figure 5-1.

Top Swap (TS) is a feature which swaps the top block of the Firmware Hub or SPI flash (also known as boot block) with another location (see Figure 5-2). This is designed to allow safe update of the boot block. When it is enabled, the PCH will invert the address for cycles going to the two top blocks of the flash. For example, if the block size is 64 K, accessing FFFF_0000h–FFFF_FFFFh MMIO address becomes accessing FFFE_0000h–FFFE_FFFFh flash address and vice versa.

If there is any power failure reset during step 3, the system will boot from the boot block backed up in step 1 and perform the recovery. See Figure 5-3.

The BIOS may implement different ways for Top Swap–based recovery to work because the boot block B may control the different code flows. For example, the RTD (such as an ACM or Embedded Controller) may check the boot block A before transferring control. If the RTD finds there is something wrong, the RTD may choose to set the Top Swap and reset the system. On the next boot, the RTD may check the boot block B. If the check passes this time, the boot block B owns the reset vector. It is in recovery mode now. The boot block B may launch the main block B1 from the flash image. The main block B1 may include an external storage driver and load the main block B2 from there. Finally, the main block figures out a way to flash a known good image to boot block A and main block A, clears the Top Swap, and resets the system. Now the next boot becomes the normal boot again. See Figure 5-4 for the flash image layout to support Top Swap recovery.

PCH: Boot BIOS Strap (BBS)

Boot BIOS Strap (BBS) is a feature to select where the BIOS boots from (see Figure 5-5). It could be from the LPC bus or SPI bus. The platform manufacturer may choose to connect the flash via the LPC bus or SPI bus. Previous generations even had the capability to boot the BIOS from the PCI bus. If the PCI bus is selected, the top 16 MB of the memory below 4GB (FF00_0000h to FFFF_FFFFh) is accepted by the primary side of the PCI-to-PCI bridge and forwarded to the PCI bus. This allows the system recovery from a plug-in PCI card. For example, if the platform owner finds the whole BIOS region is corrupt, they can set a jumper and plug in a PCI card with a known good BIOS on the card. The jumper may route BIOS accesses to the PCI bus. Once the system boots, the platform owner may update a new image to the BIOS connected to the LPC or SPI bus. This boot from the PCI feature is not present in more recent chipsets.

coreboot Recovery

The coreboot firmware has two partitions – read-only one (including boot block, verstage, and a recovery image) and read-write one (including romstage + ramstage + payload). The read-only partition is the RTD and RTRec. After the boot block sets up the temporary RAM, the verstage tries to verify and load read/write firmware A. If it fails, the firmware tries to verify and load firmware B. If it fails again, it tries to verify and load the recovery firmware. The recovery image is included in the read-only portion; and it has a full copy of romstage, ramstage, and payload for the recovery mode. See Figure 5-6 for the coreboot recovery flash image layout.

EDK II Signed Recovery

In the EDK II signed recovery solution, the Pre-EFI Initialization (PEI) firmware volume (FV) works as the RTRec. The PEI components check the Driver Execution Environment (DXE) main FV and decide the boot mode. The PEI FV may load a recovery version of the DXE main FV in the recovery boot mode. The recovery DXE main FV can be loaded from external storage, such as HDD, USB key, CDROM, and so on. See Figure 5-7 for EDK II signed recovery flow.

Step 0: During system boot, a platform PEI module detects the boot mode and sets BOOT_IN_RECOVERY_MODE if recovery is required. It also installs the EFI_PEI_BOOT_IN_RECOVERY_MODE_PPI so that modules with the recovery dependency are dispatched in recovery mode.

Step 1: As the final step of the PEI phase, the DxeIpl tries to load the recovery image via EFI_PEI_RECOVERY_MODULE_PPI.LoadRecoveryCapsule if the system boot mode is in BOOT_IN_RECOVERY_MODE.

Step 2: A RecoveryModule is the producer of EFI_PEI_RECOVERY_MODULE_PPI. It consumes EFI_PEI_DEVICE_RECOVERY_MODULE_PPI.

Step 3: The PEI file system driver is the producer of the EFI_PEI_DEVICE_RECOVERY_MODULE_PPI. In EDK II, these modules include CDROM/DVDROM (CdExpressPei) and FAT file system (FatPei). They consume the EFI_PEI_RECOVERY_BLOCK_IO2_PPI.

Step 4: The PEI block I/O storage driver is the producer of EFI_PEI_RECOVERY_BLOCK_IO2_PPI. In EDK II, these modules are USB (UsbBotPei), HDD (IdeBusPei), eMMC (EmmcBlockIoPei), and UFS (UfsBlockIoPei). These PEIMs are the modules to load the recovery capsule image from a storage device into memory.

Step 5: Once the RecoveryModule retrieves the recovery image, it will parse and verify the recovery image to check the integrity and extract the firmware volume for the DXE phase.

Step 6: Finally, the RecoveryModule installs the extracted firmware volume (FV) for DXE. It builds EFI_HOB_FIRMWARE_VOLUME and installs EFI_PEI_FIRMWARE_VOLUME_INFO2_PPI.

Then DxeIpl can find the DXE core and DXE main FV and transfer control to DXE. Later, the DXE phase flash update driver updates the DXE FV in the flash region to finish the recovery.

HP Sure Start

The coreboot recovery and EDK II signed recovery solution assume that the RTD/RTRec and other mutable images are in one single device. It simplifies the board design and lowers the cost. However, in some cases, there is no guarantee that the boot block is really read-only. It can still be updatable. As such, the previous solution does not work.

HP Sure Start technology includes a standalone chip as the root-of-trust for protection, detection, and recovery. This chip has the self-healing capability, which provides automatic recovery from the corruption of the whole BIOS as well as firmware protection against permanent denial of service (PDoS) attacks. After power-on, the HP Sure Start chip checks the boot block. If the boot block is corrupted, the HP Sure Start chip recovers it from a known good image. The boot block then checks the rest of the system BIOS image. See Figure 5-8 for the flow.

Project Cerberus

Cerberus Security Architecture is a server platform solution for protection, detection, and recovery defined by Open Compute Project (OCP). Its scope extends from the host firmware to the baseboard management controller (BMC) firmware. As discussed in Chapter 4, the Cerberus chip connects to the BIOS flash chip and the BMC flash chip. Each flash chip includes three areas: active image, recovery image, and staging image (see Figure 5-9). If the active firmware cannot boot, the Cerberus chip can trigger the recovery process to load the image from the recovery image to overwrite the corrupted active firmware. The recovery can be triggered via the “Recover Image” command as well. See Table 5-4. Of course, the Cerberus chip needs to protect the recovery image from tampering by the active image.

Table 5-4

Cerberus RoT Command List

Register Name	RoT	Description
Recovery firmware	Platform Active (PA) RoT/Active Component (CA) RoT	Restore Firmware Index using backup.
Prepare Recovery Firmware	Platform Active (PA) RoT/Active Component (CA) RoT	Prepare storage for recovery image.
Update Recovery Firmware	Platform Active (PA) RoT	Updates the recovery image.
Activate Recovery Firmware	Platform Active (PA) RoT	Activates the received recovery image.

Table 5-5

Recovery Configuration Selection

Mechanism	Pros	Cons
Manufacture default	There is no way to break the manufacturer default value, which should be stored in the immutable region or within the recovery image region.	If the manufacturer default value is not a secure configuration, it has to be updated together with the whole recovery image update.
Last known good configuration	The platform keeps the last configuration data automatically.	Similar to the last known good image, it is hard to define what the “good” means.
End user saved configuration	End user has freedom to decide which configuration to recover.	End user may save a non-bootable configuration by mistake.

Besides the BIOS and BMC firmware, the Cerberus root-of-trust (RoT) commands can be used to support device firmware update and recovery image update, once the Cerberus finds the device component firmware has been corrupted.

ARM Trusted Boot Firmware

The recovery implementation in ARM Trusted-Firmware-A is platform specific. A platform may choose to boot to a valid flash image saved in the other position of the flash image, if a recovery boot is required. This action may be combined with a firmware update flow to use the recovery image to overwrite the active image region.

ARM Trusted-Firmware-M uses the swap mechanism for update, as we discussed in Chapter 3. This swap mechanism is also used for recovery. If the new image boots fail, the system does a reboot, reverts to an old stable image, and sets the rollback flag. See Figure 5-10.

Recovery Image Attack

Since the recovery image is another BIOS image, all hardware attack for the working image may also be applied to the recovery image. If the recovery image is in flash, the flash region must be protected. If the recovery image is on the system partition of the non-removable disk, it is more challenging. This partition must be a protected partition or a hidden partition.

Updating the recovery image is another attack surface. All the rules applied to active image update must be applied to recovery image update too, such as authentication check, version check, non-bypassability, and so on.

Image Downgrade Attack

The recovery image must not have any known security vulnerability. It might be different from the active image and not have the same full functionality as the active image since the major function of the recovery image is to recover the system to a state that can update to a new active image.

When an active image is updated, the platform owner must decide if the vulnerability exists in the recovery image too. If the recovery image has a similar security issue, the recovery image must also be updated along with the active image. Without that, the attack may just trigger the recovery process and activate a vulnerable environment.

Hardware Configuration Attack

The hardware configuration, such as Top Swap (TS) or Boot BIOS Strap (BBS), may help the recovery process. However, the improper usage of this advanced setting may become an attack surface. If those registers are not locked, the attacker can switch the TS or BBS to let the system boot from the other source controlled by the malware. All hardware settings related to security must be locked before the system exits the platform manufacturer authentication phase.

Configuration Data Attack

Most of the attacks to the recovery configuration are similar to the attacks to the recovery image. The configuration data itself shall be protected.

Configuration Rollback Attack

If the default configuration is not secure enough and the current configuration updates that, the attacker may choose to trigger a recovery to load the default insecure configuration. For example, the default image may include a secure boot forbidden database – dbx1. If the platform appends the new secure boot forbidden database into dbx1, then the current forbidden database – dbx2 – includes more entries than the default forbidden database, dbx1. In order to allow the vulnerable signed image to run, the attacker needs to figure out a way to remove the new entry from the secure boot forbidden database. With recovery enabled, they may trigger a platform recovery to load the manufacturer’s default configuration – dbx1. Figure 5-12 shows the concept.

In order to mitigate such an attack, if a platform needs any configuration update to a secure state, the platform must update the current configuration, the saved configuration, and the default configuration.