SmmPack: Obfuscation for SMM Modules with TPM Sealed Key

TL;DR

SmmPack is a security enhancement that encrypts SMM modules with TPM-stored keys to hinder attackers from analyzing firmware vulnerabilities, without impacting system performance.

Contribution

It introduces a practical encryption method for SMM modules using TPM, significantly increasing attack costs and aiding firmware security.

Findings

SmmPack effectively prevents unauthorized SMM module analysis.

It operates without degrading system performance.

The implementation process is feasible and straightforward.

Abstract

System Management Mode (SMM) is the highest-privileged operating mode of x86 and x86-64 processors. Through SMM exploitation, attackers can tamper with the Unified Extensible Firmware Interface (UEFI) firmware, disabling the security mechanisms implemented by the operating system and hypervisor. Vulnerabilities enabling SMM code execution are often reported as Common Vulnerabilities and Exposures (CVEs); however, no security mechanisms currently exist to prevent attackers from analyzing those vulnerabilities. To increase the cost of vulnerability analysis of SMM modules, we introduced SmmPack. The core concept of SmmPack involves encrypting an SMM module with the key securely stored in a Trusted Platform Module (TPM). We assessed the effectiveness of SmmPack in preventing attackers from obtaining and analyzing SMM modules using various acquisition methods. Our results show that SmmPack significantly increases the cost by narrowing down the means of module acquisition. Furthermore, we demonstrated that SmmPack operates without compromising the performance of the original SMM modules. We also clarified the management and adoption methods of SmmPack, as well as the procedure for applying BIOS updates, and demonstrated that the implementation of SmmPack is realistic.