Just about every Windows and Linux device vulnerable to new LogoFAIL firmware attack (Ars Technica)

Posted Dec 7, 2023 17:48 UTC (Thu) by simon.d (guest, #168021)
Parent article: Just about every Windows and Linux device vulnerable to new LogoFAIL firmware attack (Ars Technica)

Would this attack alter a PCR (Platform Configuration Register)? Probably vendor specific?

Posted Dec 7, 2023 19:33 UTC (Thu) by geofft (subscriber, #59789)

I think no, because you're not triggering loading anything that wouldn't already be loaded. The PCR scheme relies on the cooperation of each thing in the boot chain to hash in the next thing before passing control. The logo code is already called, and so the attacker gets code execution partway through this chain while the PCR is in a state it would have, at least briefly, legitimately been in. So the attacker can just extend the hashes and reach the same value.

Posted Dec 7, 2023 20:19 UTC (Thu) by mjg59 (subscriber, #23239)

In theory the logo /could/ be measured (and arguably should be, probably into PCR 1), but I'm not aware of any systems that do that.

Posted Dec 7, 2023 20:39 UTC (Thu) by klossner (subscriber, #30046)

If the logo is part of the BIOS image (as it is on my system), it is part of the measurement into PCR 0.

Posted Dec 8, 2023 20:22 UTC (Fri) by simon.d (guest, #168021)

Thank you, good thought. Though this should protect against a changed image in the BIOS, if it is not protected by Intel Boot Guard/anything else. A changed image via the ESP would still be a successful attack, if not measured in anything else.
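
An added illustration, not part of any comment in this thread: a simplified Python model of the TPM extend operation that shows which PCRs move in the cases discussed above (logo inside the measured BIOS image versus a logo read from the ESP, with and without a logo measurement into PCR 1). The boot flow, the sample byte strings and the bootloader measurement into PCR 4 are assumptions of the model, and `measure_logo` is hypothetical firmware behaviour.

```python
import hashlib

ZERO = bytes(32)  # PCRs in the SHA-256 bank start at all zeros

def extend(pcr: bytes, data: bytes) -> bytes:
    """TPM extend: new PCR = SHA-256(old PCR || SHA-256(data))."""
    return hashlib.sha256(pcr + hashlib.sha256(data).digest()).digest()

def boot(fw_code, flash_logo, esp_logo, bootloader, measure_logo=False):
    """Return {pcr index: value} after a simplified measured boot.

    esp_logo=None means the firmware displays the logo stored in flash.
    measure_logo=True models hypothetical firmware that hashes the logo
    it is about to parse into PCR 1.
    """
    pcrs = {0: ZERO, 1: ZERO, 4: ZERO}
    # The flash image, embedded logo included, is measured into PCR 0.
    pcrs[0] = extend(pcrs[0], fw_code + flash_logo)
    logo = flash_logo if esp_logo is None else esp_logo
    if measure_logo:
        pcrs[1] = extend(pcrs[1], logo)
    # (the firmware's image parser would run on `logo` at this point)
    pcrs[4] = extend(pcrs[4], bootloader)
    return pcrs

def changed_pcrs(reference, observed):
    """Indices of PCRs whose final value differs from the reference boot."""
    return sorted(i for i in reference if reference[i] != observed[i])

# Constructed sample inputs, not real firmware or image data.
FW, BL = b"firmware-code", b"bootloader"
STOCK, CHANGED = b"stock-logo", b"changed-logo"

def scenarios(measure_logo):
    """Compare each changed-logo boot against an unmodified boot."""
    ref = boot(FW, STOCK, None, BL, measure_logo)
    flash = boot(FW, CHANGED, None, BL, measure_logo)
    esp = boot(FW, STOCK, CHANGED, BL, measure_logo)
    return {
        "logo changed in flash": changed_pcrs(ref, flash),
        "logo changed on ESP": changed_pcrs(ref, esp),
    }

if __name__ == "__main__":
    for measured in (False, True):
        print("logo measured into PCR 1:", measured, scenarios(measured))
```

An empty list means a verifier comparing PCR values against the reference boot sees no difference.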

