Does UEFI potentially leak encryption keys?

I just built my first computer in years and for the first time I now have a UEFI mainboard. I installed Windows 7 in legacy mode and encrypted my system partition with TrueCrypt.

Recently there was an article about the Lighteater proof of concept which said that Lighteater was able to extract encryption keys from memory. In order to do that UEFI would need access to the system's memory and to store data somewhere in unencrypted space. For every user of encryption this should be alarming.

From what I know UEFI is an operating system in itself which then runs Windows. My problem is that I don't know to what degree UEFI can access the running Windows system and its memory and if portions of the memory are progressed in the UEFI flash memory which could leak my encryption keys to someone who gains access to my computer. My main concern is that someone could be able to extract those keys from the UEFI memory on the mainboard even if the computer is shut down and disconnected from power. Can anyone clear this up?


From what I know UEFI is an operating system in itself which then runs Windows

UEFI is as complex as an operating system, but it is incorrect to say that UEFI runs the operating system after it's loaded - even though there are many online texts that would create that impression.

Simplifying a bit, the right way to express how UEFI and Windows coexist is "side by side" - UEFI is not running in the background once Windows is booted, but there is UEFI code that can do things, and will do things once called. Windows initiates any calls to the UEFI firmware.

UEFI does have the same privilege level as an OS kernel, and can access all memory and devices. It is not normally taking any action without OS direction.

So UEFI is not going to leak any keys on its own - but one of the runtime services UEFI provides is reading and writing to UEFI NVRAM - and a malicious process in the OS could ask the UEFI to write keys to the UEFI NVRAM.


However (put your tin foil hat on) ...

Since around the 80486 series of Intel processors (generation before the Pentium) a feature called the System Management Interrupt was introduced. SMIs are designed to be undetectable to an underlying OS by design. Modern platforms use them for:

  • fan control.
  • emulating hardware - for example, through SMIs USB keyboards/mice are made to look like PS/2 keyboards/mice for DOS compatibility.
  • emulating other hardware (you may find this interesting).

So it's completely possible for a malicious UEFI firmware to have something running in the background without the operating system's knowledge. (It is also possible for something running before an OS boots to modify the SMI handler before an OS boots, on at least certain platforms.)

So just like any software, the UEFI is something you are choosing to trust, and since it is closed-source and not something you compiled/installed yourself, you are also choosing to blindly trust it to some degree like most shrink-wrapped and/or preinstalled software.

If you haven't taken your tin foil hat off yet, realize that things like Intel vPro and Intel AMT have much more access to your system and expose much more remotely than UEFI.
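
An added example, not part of the original answer: one way to audit the NVRAM path described above is to inventory the firmware variables that are both non-volatile and reachable through runtime services, and compare them with a baseline recorded while the machine was in a known-good state. It assumes a Linux system booted in UEFI mode with efivarfs mounted; the function names, the sample variables, the vendor GUID and the entropy threshold are constructed for illustration.

```python
import math
import os
import struct
from collections import Counter

NON_VOLATILE, RUNTIME_ACCESS = 0x1, 0x4          # UEFI variable attribute bits
GLOBAL = "8be4df61-93ca-11d2-aa0d-00e098032b8c"  # EFI global variable GUID
OTHER = "11111111-2222-3333-4444-555555555555"   # constructed vendor GUID

def entropy(data):
    """Shannon entropy in bits per byte."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def review(entries, baseline):
    """Flag variables that survive power-off and are reachable via runtime services."""
    findings = {}
    for fname, raw in sorted(entries.items()):
        if len(raw) < 4:
            continue
        attrs, data = struct.unpack_from("<I", raw)[0], raw[4:]  # efivarfs: attrs, payload
        if not (attrs & NON_VOLATILE and attrs & RUNTIME_ACCESS):
            continue  # volatile or boot-only: nothing the OS can persist into
        reasons = []
        if fname not in baseline:
            reasons.append("new since baseline")
        if len(data) >= 16 and entropy(data) >= 4.0:  # threshold is an assumption
            reasons.append("high-entropy payload")
        if reasons:
            findings[fname] = reasons
    return findings

def load_efivarfs(path="/sys/firmware/efi/efivars"):
    """Read a live Linux efivarfs mount; unreadable entries are skipped."""
    out = {}
    for fname in os.listdir(path):
        try:
            with open(os.path.join(path, fname), "rb") as fh:
                out[fname] = fh.read()
        except OSError:
            pass
    return out

# Constructed sample data, not taken from a real machine.
SAMPLE = {
    f"Boot0000-{GLOBAL}": struct.pack("<I", 7) + "Windows Boot Manager".encode("utf-16-le"),
    f"Scratch-{OTHER}": struct.pack("<I", 6) + bytes(range(0x40, 0x60)),
    f"Cache-{OTHER}": struct.pack("<I", 7) + bytes(range(0x40, 0x60)),
}
BASELINE = {f"Boot0000-{GLOBAL}"}
```

On a live system, `review(load_efivarfs(), baseline)` produces the same report; a finding is a prompt to inspect the variable, not proof that it holds key material.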