On Twitter, there are threads starting on the recent MSI data breach. Security researchers are probing the leaked materials and seem to be uncovering something interesting: Intel BootGuard private keys may have been leaked.
Here is the start of the thread from Alex Matrosov on Twitter (we are going to embed the tweets so you can follow these easily):
https://twitter.com/matrosov/status/1653923749723512832
Apparently, the Intel BootGuard OEM private keys are compromised.
https://twitter.com/binarly_io/status/1654287041339998208
Here is the OEM key manifest screenshot:
⛓️Confirmed, Intel OEM private key leaked, causing an impact on the entire ecosystem. It appears that Intel BootGuard may not be effective on certain devices based on the 11th Tiger Lake, 12th Adler Lake, and 13th Raptor Lake. Our investigation is ongoing, stay tuned for updates. https://t.co/rkxZIpReE8 pic.twitter.com/fLopw1qeSD
— Alex Matrosov (@matrosov) May 5, 2023
Intel BootGuard is a form of platform protection, similar in purpose to Secure Boot, but with a key difference: BootGuard requires an Authenticated Code Module that is cryptographically signed.
The impact of an OEM key leak is enormous for the industry. It could mean that attackers can sign tampered firmware and thereby gain access to what would otherwise be considered a secure system.
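To make that point concrete, here is an added Go model of a BootGuard-style boot verifier. It is example code written for this article, not Intel's, MSI's or any OEM's code. It pins a SHA-256 hash of the OEM public key in the "platform" (modelled after the fused key hash BootGuard uses; that detail is an assumption of the model, not something stated above), uses Ed25519 in place of the real signature scheme, and walks four cases: genuine firmware, tampered firmware carrying the original signature, tampered firmware re-signed with the OEM private key, and tampered firmware signed with some other key. The firmware image bytes are constructed sample data.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// KeyManifest is a simplified stand-in for an OEM key manifest:
// the OEM public key plus a signature over the firmware image digest.
type KeyManifest struct {
	OEMPublicKey ed25519.PublicKey
	Signature    []byte
}

// Platform models the immutable part of the root of trust: the hash of the
// OEM public key pinned in the platform (toy model of a fused key hash).
type Platform struct {
	FusedKeyHash [32]byte
}

// NewPlatform "fuses" the hash of the OEM public key into the platform.
func NewPlatform(oemPub ed25519.PublicKey) Platform {
	return Platform{FusedKeyHash: sha256.Sum256(oemPub)}
}

// SignFirmware produces a key manifest for an image using the signer's private key.
func SignFirmware(priv ed25519.PrivateKey, image []byte) KeyManifest {
	digest := sha256.Sum256(image)
	return KeyManifest{
		OEMPublicKey: priv.Public().(ed25519.PublicKey),
		Signature:    ed25519.Sign(priv, digest[:]),
	}
}

// VerifyBoot is what the platform checks before running the image:
// (1) the manifest's public key must match the pinned hash, and
// (2) the signature must verify over the image digest.
func (p Platform) VerifyBoot(km KeyManifest, image []byte) error {
	if sha256.Sum256(km.OEMPublicKey) != p.FusedKeyHash {
		return fmt.Errorf("manifest public key does not match pinned OEM key hash")
	}
	digest := sha256.Sum256(image)
	if !ed25519.Verify(km.OEMPublicKey, digest[:], km.Signature) {
		return fmt.Errorf("firmware signature invalid")
	}
	return nil
}

// BootOutcomes runs the four cases and reports, per case, whether the platform
// would accept the image. Keys: "genuine", "tampered-unsigned",
// "tampered-leaked-key", "tampered-other-key".
func BootOutcomes() (map[string]bool, error) {
	oemPub, oemPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	_, otherPriv, err := ed25519.GenerateKey(rand.Reader) // an unrelated key
	if err != nil {
		return nil, err
	}
	platform := NewPlatform(oemPub)

	genuine := []byte("constructed sample firmware image v1.0") // constructed data
	tampered := bytes.Replace(genuine, []byte("v1.0"), []byte("v1.0-modified"), 1)
	oemManifest := SignFirmware(oemPriv, genuine)

	out := map[string]bool{}
	out["genuine"] = platform.VerifyBoot(oemManifest, genuine) == nil
	out["tampered-unsigned"] = platform.VerifyBoot(oemManifest, tampered) == nil
	out["tampered-leaked-key"] = platform.VerifyBoot(SignFirmware(oemPriv, tampered), tampered) == nil
	out["tampered-other-key"] = platform.VerifyBoot(SignFirmware(otherPriv, tampered), tampered) == nil
	return out, nil
}

func main() {
	out, err := BootOutcomes()
	if err != nil {
		panic(err)
	}
	for _, k := range []string{"genuine", "tampered-unsigned", "tampered-leaked-key", "tampered-other-key"} {
		fmt.Printf("%-22s accepted=%v\n", k, out[k])
	}
}
```

Only the genuine image and the tampered image re-signed with the OEM private key are accepted; the verifier has no way to tell those two apart, which is exactly why a leaked OEM key is so serious. The fourth case also shows why recovery is hard: a manifest signed with a fresh key is rejected because the key hash is pinned in the platform, so moving to a new key is not a simple software update.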
Final Words
If the keys were indeed leaked during the MSI breach, this would be a huge deal. Cryptographically signing firmware in order to ensure platform security makes sense, but it also exposes a major systemic risk: if a large vendor like Intel, Microsoft, AMD, NVIDIA, Apple, or others has its keys leaked, the downstream impact can be enormous.
Overall, the industry is moving more towards these types of secure boot and cryptographic signing schemes. If this leak is indeed true, then it highlights the need to protect things like these private keys.
Our hope is that it is not true. If it is, then Intel and its OEMs will need to come up with a solution soon, not only because of the potential for attacks but also because trust in the industry will need to be restored.
Now we are waiting to hear confirmation from others, and perhaps Intel itself, that the BootGuard key was leaked. Stay tuned for more.
Update 2023-05-08 from Intel: “Intel sent STH a statement: Intel is aware of these reports and actively investigating. There have been researcher claims that private signing keys are included in the data including MSI OEM Signing Keys for Intel® BootGuard. It should be noted that Intel BootGuard OEM keys are generated by the system manufacturer, and these are not Intel signing keys.”
Update 2023-05-09 from Supermicro: “Based on our current review, Supermicro products are not affected. Please go to our security portal for further updates.”
