Intel has lost around 6 GB of BIOS data for the CPU generation Core i-12000. This includes code for security mechanisms such as Boot Guard.
Intel confirms the authenticity of a Github upload that contained 6 GB of internal data on the UEFI BIOS structure of the Alder Lake processor series aka Core i-12000. The company downplays the potential security risks, but it cannot be ruled out that attackers and development teams for free BIOS firmware such as Coreboot will benefit from the leak.
Originally the account “LCFCASD” uploaded the repository to GitHub. The name points to the Chinese notebook manufacturer LC Future Center, which produces devices for Lenovo, among others. There were corresponding references to Lenovo in the code packages. The original GitHub repository and associated account have since been deleted. Archived website versions show the overview, and there are also re-uploads.
Meanwhile, Intel issued a statement to Tom’s Hardware: “Our copyrighted UEFI code appears to have been shared by a third party. We do not believe this exposes any new security vulnerabilities as we do not rely on information obfuscation as a security measure. This code falls under our Project Circuit Breaker campaign bug bounty program and we encourage all researchers who identify potential vulnerabilities to bring them to our attention through this program. We are reaching out to both customers and the security research community to let them know updated on this situation.”
Useful bits of code
Among other things, the leak contains so-called Model Specific Registers (MSRs), which can use CPU IDs to switch certain functions in processors on or off. Attackers could possibly open security gaps by reactivating functions that were actually switched off. In addition, keys and code modules for Intel’s Boot Guard and Trusted Execution Technology (TXT) are included – a fundamental construction site for the trust chain (the root of trust) of the installed hardware. Boot Guard, for example, can prevent the installation of free firmware such as Coreboot.
Intel’s Project Circuit Breaker bug bounty program covers the leak. Anyone who finds a vulnerability based on the BIOS data and reports it to Intel can receive a reward of between 500 and 100,000 US dollars.