Header bannerHeader banner
September 19, 2024

Repeatable Failures: Test Keys Used to Sign Production Software…Again?

Binarly REsearch

After the PKFail discovery and disclosure, the Binarly REsearch team went on the hunt for other instances of non-production test keys being used in firmware binaries. As demonstrated in the PKfail research, this type of supply chain issue can completely undermine security mechanisms like Secure Boot. [See related Ars Technica coverage “Secure Boot-neutering PKfail debacle is more prevalent than anyone knew”] In this case, non-production test keys were originally generated by reference implementation vendors sitting at the top of the supply chain and then propagated to downstream vendors that often failed to replace them.

We then turned our attention to Baseboard Management Controller (BMC) firmware, as it has been recently at the center of various security-relevant findings. During this investigation, our team quickly noticed an interesting string in some Supermicro BMC firmware images:

String found in some Supermicro BMC firmware images

While a string is certainly an interesting clue, it does not immediately indicate that a test key is present, let alone that it is being actively used by BMC firmware for any type of verification. As a result, we decided to investigate further to find out whether this key is actually being used and what are the risks associated with it.

Diving Deeper Into Technical Details

The device for which this BMC firmware was intended is the Supermicro R12SPD-R. From the motherboard specification we noticed that the Aspeed 2600 chip is present on this device. This chip allows the implementation of root of trust measurement in order to run only the verified firmware. After examining the boot chain code, we created the following diagram to summarize the main steps implemented to verify firmware:

We see that there are three signatures within the firmware image that are verified at different stages of execution. First, the ROM code should verify the signature of the U-Boot SPL (Secondary Program Loader) bootloader (step 1). Then, the U-Boot SPL checks the signature of the next code in the boot chain, which is a U-Boot regular bootloader (step 2). Finally, the U-Boot regular performs the last check (step 3), verifying  the signature of all critical firmware components, including the Linux kernel, DTB, initramfs and the squashfs filesystems. This chain of trust ensures that only trusted code signed by the vendor runs on the BMC.

An important detail of this process is that the signatures stored in the firmware can be validated using multiple RSA public keys, where the validation succeeds if at least one of the keys works. We found that one of the keys used during validation for steps 2 and 3 is the “DO NOT TRUST” test key we identified earlier. We were able to confirm this by running the firmware in QEMU.

The following screenshot shows the state during the execution of U-Boot SPL, just before the `rsa_alg` function is called, which is used to check the signature of the U-Boot regular bootloader. Its signature is located at offset 0x810EFA00 and it is checked with an RSA public key module located at 0x0000B9C0 and public exponent 0x10001 (65537). This RSA public key modulus and exponent matches the certificate of the test key, which can be found in the Appendix section:

While without an actual device it’s not possible to verify that the code loaded from the ROM uses the test key to validate the U-Boot SPL signature, we noticed that this logic is repeated in the regular U-Boot bootloader, so we assume that the OTP (one time programmable) memory also contains the test key.

It should be noted that none of the three components of this firmware described above were signed with the test key. However, after scanning the internal dataset of Supermicro images, we found several cases where the U-Boot SPL bootloader was signed with the test key. This leads us to the conclusion that, at least for some devices, there’s a good chance that the public part of the untrusted RSA key is stored in the BMC OTP memory.

Supermicro Response

After concluding our investigation, we reported our findings to the vendor with the BRLY-2024-023 advisory. After some back and forth, Supermicro concluded that this doesn’t represent  a security issue, as they clarified with the following statement:

Supermicro products are not affected by issue BRLY-2024-023 for the following reasons:
  • Supermicro uses multiple signatures to protect the integrity of a firmware image. In the production system, only the production key is valid for the whole firmware image signature.  
  • The entire firmware image that consists of multiple data blocks needs to be verified using the production key before the test key can be used to verify a specific block; therefore, the verification using the “test key” to examine any specific data block cannot bypass the verification using the production key.
  • Also, all keys, including private keys, have strict access control within Supermicro. Despite the key being named a “Test Key”, it is still a secure key based on its strength and access control over this key.  The Test Key is also compliant with the NIST standard. Without the access mentioned above, the Test Key cannot be used to bypass any verification.

While it may be true that additional checks exist in the ROM that verify the signature of the whole image only with the production keys before checking any other parts (U-Boot SPL, U-Boot Regular, ...), we do not have any evidence of this at the moment, as it can only be confirmed by obtaining the contents of the ROM and OTP memory of the BMC chip. In general, the default implementation of the BMC ROM code only checks U-Boot SPL.

We instead agree with the second part of the statement: the test key is indeed compliant with the NIST standard (RSA4096). However we noticed some differences between the test key and the other production key used in the same image:

We see that the production key was probably generated using a HSM (Hardware Security Module), which follows best practices in cryptographic key management as it minimizes the risk of private key leakage, but this is unlikely to be the case for the test key. We also observed that the test key has a much longer lifetime – almost 50 years compared to 15 years for the production key. The PKfail example shows how significant the impact could be for the leakage of just one non-production cryptographic key, and all these best practices aren’t enough if the key does not rotate per product line and persist for many years.

While we agree that the private part of the test key has not been leaked and therefore this issue cannot be exploited at the moment, given the facts above, we believe that there is a non-zero risk that this will happen at some point in the future, as in the case of Intel Boot Guard keys or AMI test keys.

Conclusions

While it's encouraging that more devices now implement Root of Trust (RoT) chains, managing firmware keys remains complex. To address potential risks, we’ve added a feature to the Binarly Transparency Platform that scans firmware images and reports the presence of test keys:

Binarly Transparency Platform Detects Untrusted Keys

Appendix

List of affected Supermicro devices

B13DEE
B13DET
B13SEE-CPU-25G
B13SEG
B4SA1-CPU
B4SC1-CPU
G1SMH
G1SMH-G
H12SSG
H13SRH
R12SPD-R
X12DGU
X12DGQ-R
X12DPG-QR
X13DEG-QT
X13DEM
X13DSF-A
X13OEI-CPU
X13QEH+
X13SEDW-F
X13SEED-F
X13SEED-SF
X13SEFR-A
X13SEM-F
X13SEM-TF
X13SET-G
X13SET-GC
X13SET-PT

Test Key Certificate

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            1a:da:e6:cf:23:66:6a:36:d9:dd:69:4c:2f:ba:30:14:90:f7:3d:5e
        Signature Algorithm: sha512WithRSAEncryption
        Issuer: C = US, ST = CA, L = SanJose, O = Super Micro Computer Inc., CN = RD1 BMC Test Key - DO NOT TRUST
        Validity
            Not Before: Feb 14 03:14:28 2020 GMT
            Not After : Feb  1 03:14:28 2070 GMT
        Subject: C = US, ST = CA, L = SanJose, O = Super Micro Computer Inc., CN = RD1 BMC Test Key - DO NOT TRUST
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:c6:b3:42:c9:36:c3:a1:24:0c:ec:e5:1a:31:96:
                    5b:1d:a6:c7:85:66:50:bf:59:78:9c:2d:8d:07:5e:
                    6f:9b:f0:a0:70:7a:42:f0:0a:68:bd:e1:aa:80:ef:
                    2c:70:bd:7a:36:59:6a:ca:2a:1d:21:f1:1c:a1:31:
                    f3:d6:3d:2c:ea:32:0f:d6:62:99:01:57:99:e1:13:
                    fd:82:1a:78:c7:29:2b:4c:2d:70:43:b0:c5:28:94:
                    78:33:d5:c2:0b:d3:84:6c:86:08:18:e5:2e:6a:40:
                    d6:f4:fe:41:02:7f:ad:7a:96:16:af:86:9d:01:d7:
                    71:74:bb:0b:7b:24:3d:26:31:23:2b:91:05:2f:f9:
                    c5:6a:bb:b8:c1:85:bc:be:e7:6b:2f:bf:f9:5b:fa:
                    e9:c8:ce:f0:b7:af:4c:c7:eb:5c:f0:32:9f:f0:a3:
                    7a:a9:b3:eb:27:cd:a5:f3:3a:24:81:5d:01:e4:ac:
                    44:9a:59:fc:ee:04:86:03:9c:89:ce:65:ec:4d:34:
                    b5:9a:d8:86:71:97:8e:a7:b6:ec:91:61:89:b3:6c:
                    b1:7c:d8:8d:6b:fa:0d:51:0e:2a:cb:89:d6:06:f1:
                    c4:6b:27:25:66:92:d2:37:0f:5b:dc:fb:22:8f:18:
                    32:a4:42:52:68:55:5f:bd:8f:f5:20:c1:1e:1a:9a:
                    e4:32:ca:a4:e0:93:1d:f4:7f:41:8f:b7:78:9a:f4:
                    b0:b4:89:3f:93:d7:96:d7:cf:61:77:96:65:6f:03:
                    cf:82:e4:3d:c1:20:2e:1d:60:10:41:7d:2d:7f:5a:
                    0f:c3:52:0b:96:0b:a1:56:3b:47:6e:67:db:54:b1:
                    76:10:61:e7:34:1e:5f:63:b3:6c:27:9d:76:6f:d3:
                    39:11:e9:34:07:66:55:1d:fc:32:53:b6:91:54:d5:
                    5c:44:73:01:98:75:cc:71:04:8d:9d:a5:ca:f8:68:
                    26:a6:52:ab:bc:53:ac:65:08:56:ba:ad:f8:e9:51:
                    59:d5:24:d4:34:1b:c1:b4:f3:43:c7:69:ee:36:2d:
                    75:26:6c:7e:20:12:83:6b:1f:6f:fc:05:f7:7c:ae:
                    c8:3f:ca:49:7c:e6:a1:91:44:b5:db:55:5a:5c:ea:
                    f1:b1:46:71:1b:2a:fe:4e:9f:db:c1:e7:10:91:fb:
                    80:c2:8f:04:74:c6:31:aa:ed:71:0f:a4:b3:03:2d:
                    57:70:0c:ff:d0:aa:ed:f5:d7:1f:02:d5:75:8a:11:
                    d9:ca:07:9c:e7:02:39:2d:8b:1a:78:62:98:e4:d9:
                    1d:f2:2a:30:a4:29:ce:03:c9:56:08:d8:79:12:2e:
                    53:0d:b0:3f:0e:be:b4:51:06:a2:77:c2:dc:04:0b:
                    4a:a8:c5
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                2A:F0:A8:8C:87:67:4E:0A:D2:AD:20:B6:26:40:CA:A2:C4:01:1D:7F
            X509v3 Authority Key Identifier: 
                2A:F0:A8:8C:87:67:4E:0A:D2:AD:20:B6:26:40:CA:A2:C4:01:1D:7F
            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: sha512WithRSAEncryption
    Signature Value:
        bc:05:cd:3b:e8:62:06:e6:ff:b0:80:5b:a8:02:2a:0c:20:9d:
        0b:eb:c6:fd:19:74:62:5c:34:aa:37:8d:46:84:2c:39:97:0d:
        08:ea:1a:8f:ae:cb:ff:dd:2e:1d:1d:85:3c:29:a5:fc:ed:99:
        d6:1b:17:2e:c6:d2:e0:28:b1:aa:62:58:06:11:fc:17:45:1b:
        a4:fd:4f:14:79:fb:42:5d:4c:35:72:73:3f:09:32:c6:c7:dc:
        b0:d2:63:4e:41:54:39:47:0e:a8:46:50:c3:43:7a:15:d9:a0:
        1e:ba:95:20:34:db:97:9f:7c:6e:c6:07:7a:76:2a:a2:b2:f2:
        06:c7:00:f3:a8:ef:5e:63:86:5e:e8:aa:de:07:f5:83:92:93:
        92:1a:86:04:85:bd:0b:c6:9a:04:3f:1e:10:8e:8f:8a:04:61:
        e7:b3:b2:af:5a:40:b2:ac:28:56:2e:b5:13:98:22:b3:71:df:
        5f:f0:8d:aa:c8:3e:20:66:bc:44:8a:cc:f5:e2:0e:aa:aa:9e:
        2b:43:46:cf:97:dc:b0:7b:b4:24:40:11:e0:bb:87:de:00:76:
        b1:2e:2d:c8:9a:e0:4b:b6:7c:33:ee:8c:0d:f8:72:15:ad:d4:
        35:9d:8f:79:ad:7f:f2:a1:da:a3:51:b0:55:5e:13:eb:72:bf:
        d8:91:7e:9f:65:83:ec:8a:70:23:4e:f2:e5:14:ef:b7:c5:67:
        67:50:76:71:1c:b1:e0:73:1c:ff:07:a7:2e:92:7d:e4:d3:4c:
        f9:2e:39:3a:e1:34:e0:35:55:19:91:62:54:5b:ac:04:13:3b:
        29:4a:cc:d2:18:59:65:60:0f:c2:c5:77:f3:a3:17:f2:68:1c:
        94:61:ef:70:48:90:c9:25:17:ad:e5:51:6e:90:12:97:45:67:
        ce:cc:16:e4:f7:67:e8:89:e4:39:40:c5:7f:84:5a:70:db:0c:
        1d:99:ea:32:58:43:39:2c:f4:6a:5a:5e:a9:a3:f1:f8:20:9e:
        42:f3:6f:35:60:6f:80:1d:ac:98:96:b3:45:51:fb:e7:6f:7e:
        3d:91:d7:96:1d:cf:5b:cd:89:56:f8:94:d0:b9:d0:92:b7:d0:
        51:01:11:54:57:7c:2a:21:91:91:42:37:35:63:52:d2:67:d3:
        47:6f:9e:27:3f:26:07:f0:d5:65:d4:a7:cf:3e:1c:88:ac:35:
        69:47:f4:1f:fd:2b:a2:c7:26:fd:b0:96:53:0e:5c:98:18:e3:
        16:c1:ae:d3:c8:61:34:92:17:3a:10:86:ea:46:1e:ad:16:98:
        0d:8c:fa:16:3a:3f:af:49:60:ee:76:a8:3a:61:a9:fe:03:c7:
        28:25:a3:be:3f:03:92:35
-----BEGIN CERTIFICATE-----
MIIF1zCCA7+gAwIBAgIUGtrmzyNmajbZ3WlML7owFJD3PV4wDQYJKoZIhvcNAQEN
BQAwejELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMRAwDgYDVQQHDAdTYW5Kb3Nl
MSIwIAYDVQQKDBlTdXBlciBNaWNybyBDb21wdXRlciBJbmMuMSgwJgYDVQQDDB9S
RDEgQk1DIFRlc3QgS2V5IC0gRE8gTk9UIFRSVVNUMCAXDTIwMDIxNDAzMTQyOFoY
DzIwNzAwMjAxMDMxNDI4WjB6MQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExEDAO
BgNVBAcMB1Nhbkpvc2UxIjAgBgNVBAoMGVN1cGVyIE1pY3JvIENvbXB1dGVyIElu
Yy4xKDAmBgNVBAMMH1JEMSBCTUMgVGVzdCBLZXkgLSBETyBOT1QgVFJVU1QwggIi
MA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDGs0LJNsOhJAzs5RoxllsdpseF
ZlC/WXicLY0HXm+b8KBwekLwCmi94aqA7yxwvXo2WWrKKh0h8RyhMfPWPSzqMg/W
YpkBV5nhE/2CGnjHKStMLXBDsMUolHgz1cIL04RshggY5S5qQNb0/kECf616lhav
hp0B13F0uwt7JD0mMSMrkQUv+cVqu7jBhby+52svv/lb+unIzvC3r0zH61zwMp/w
o3qps+snzaXzOiSBXQHkrESaWfzuBIYDnInOZexNNLWa2IZxl46ntuyRYYmzbLF8
2I1r+g1RDirLidYG8cRrJyVmktI3D1vc+yKPGDKkQlJoVV+9j/UgwR4amuQyyqTg
kx30f0GPt3ia9LC0iT+T15bXz2F3lmVvA8+C5D3BIC4dYBBBfS1/Wg/DUguWC6FW
O0duZ9tUsXYQYec0Hl9js2wnnXZv0zkR6TQHZlUd/DJTtpFU1VxEcwGYdcxxBI2d
pcr4aCamUqu8U6xlCFa6rfjpUVnVJNQ0G8G080PHae42LXUmbH4gEoNrH2/8Bfd8
rsg/ykl85qGRRLXbVVpc6vGxRnEbKv5On9vB5xCR+4DCjwR0xjGq7XEPpLMDLVdw
DP/Qqu311x8C1XWKEdnKB5znAjktixp4Ypjk2R3yKjCkKc4DyVYI2HkSLlMNsD8O
vrRRBqJ3wtwEC0qoxQIDAQABo1MwUTAdBgNVHQ4EFgQUKvCojIdnTgrSrSC2JkDK
osQBHX8wHwYDVR0jBBgwFoAUKvCojIdnTgrSrSC2JkDKosQBHX8wDwYDVR0TAQH/
BAUwAwEB/zANBgkqhkiG9w0BAQ0FAAOCAgEAvAXNO+hiBub/sIBbqAIqDCCdC+vG
/Rl0Ylw0qjeNRoQsOZcNCOoaj67L/90uHR2FPCml/O2Z1hsXLsbS4CixqmJYBhH8
F0UbpP1PFHn7Ql1MNXJzPwkyxsfcsNJjTkFUOUcOqEZQw0N6FdmgHrqVIDTbl598
bsYHenYqorLyBscA86jvXmOGXuiq3gf1g5KTkhqGBIW9C8aaBD8eEI6PigRh57Oy
r1pAsqwoVi61E5gis3HfX/CNqsg+IGa8RIrM9eIOqqqeK0NGz5fcsHu0JEAR4LuH
3gB2sS4tyJrgS7Z8M+6MDfhyFa3UNZ2Pea1/8qHao1GwVV4T63K/2JF+n2WD7Ipw
I07y5RTvt8VnZ1B2cRyx4HMc/wenLpJ95NNM+S45OuE04DVVGZFiVFusBBM7KUrM
0hhZZWAPwsV386MX8mgclGHvcEiQySUXreVRbpASl0VnzswW5Pdn6InkOUDFf4Ra
cNsMHZnqMlhDOSz0alpeqaPx+CCeQvNvNWBvgB2smJazRVH7529+PZHXlh3PW82J
VviU0LnQkrfQUQERVFd8KiGRkUI3NWNS0mfTR2+eJz8mB/DVZdSnzz4ciKw1aUf0
H/0roscm/bCWUw5cmBjjFsGu08hhNJIXOhCG6kYerRaYDYz6Fjo/r0lg7naoOmGp
/gPHKCWjvj8DkjU=
-----END CERTIFICATE-----

What's lurking in your firmware?