
Microsoft reveals why no Surface device has Thunderbolt and why you can’t upgrade your RAM

SansVarnic
42 minutes ago, StDragon said:

Yup, ditto. It's a giant game of Whac-A-Mole because the entire concept of speculative execution was fundamentally flawed from a computer science perspective. It didn't affect just Intel (although they deserve fair criticism), but AMD and yes, some ARM CPUs, namely the Apple A series.

Speculative execution is fine so long as there are protections in place for it; it's done because it actually is a big performance improvement.

 

43 minutes ago, StDragon said:

The TLDR version of mitigating against side-channel attacks is to disable HT. Just ask Theo de Raadt.

Disabling HT doesn't disable speculative execution; it just removes the attack vector on caches. SMT itself can be secured, but not through microcode updates.


45 minutes ago, StDragon said:

Yup, ditto. It's a giant game of Whac-A-Mole because the entire concept of speculative execution was fundamentally flawed from a computer science perspective. It didn't affect just Intel (although they deserve fair criticism), but AMD and yes, some ARM CPUs, namely the Apple A series.

 

All mitigations at this point are bolt-ons. It will take an entirely new architecture that's fundamentally based on security to get this right.

 

The TLDR version of mitigating against side-channel attacks is to disable HT. Just ask Theo de Raadt.

To be blunt, I don't think "flawed" is the right term.

 

I would say that it was a pure win for comp sci theory everywhere that it was once again demonstrated that pseudorandom behavior is in fact deterministic with sufficient contextual information. The honest truth is that speculative execution is almost certainly worth the theoretical attack vectors for so long as the practical ones (or plausibly practical with hypothetically 100x+ current compute power) are hardened against. Particularly for high-power computing, there is just so much to be gained with Intel's (and AMD's and Apple's) incredibly accurate branch predictors.

LINK-> Kurald Galain:  The Night Eternal 

Top 5820k, 980ti SLI Build in the World*

CPU: i7-5820k // GPU: SLI MSI 980ti Gaming 6G // Cooling: Full Custom WC //  Mobo: ASUS X99 Sabertooth // Ram: 32GB Crucial Ballistic Sport // Boot SSD: Samsung 850 EVO 500GB

Mass SSD: Crucial M500 960GB  // PSU: EVGA Supernova 850G2 // Case: Fractal Design Define S Windowed // OS: Windows 10 // Mouse: Razer Naga Chroma // Keyboard: Corsair k70 Cherry MX Reds

Headset: Senn RS185 // Monitor: ASUS PG348Q // Devices: Note 10+ - Surface Book 2 15"

LINK-> Ainulindale: Music of the Ainur 

Prosumer DYI FreeNAS

CPU: Xeon E3-1231v3  // Cooling: Noctua L9x65 //  Mobo: AsRock E3C224D2I // Ram: 16GB Kingston ECC DDR3-1333

HDDs: 4x HGST Deskstar NAS 3TB  // PSU: EVGA 650GQ // Case: Fractal Design Node 304 // OS: FreeNAS

 

 

 


15 hours ago, Twilight said:

What the hell? If it's insecure they should fix it! DMA has been a thing since the '90s, Microsoft, fix your broken OS!

The OS can't even control something like that if it wanted to. That's implemented on the hardware side. It's also highly necessary for a lot of high-bandwidth or timing-sensitive hardware, so you can't exactly get rid of it either. DMA is here to stay, and it's here to stay exactly how it's currently implemented.

CPU: Intel i7 - 5820k @ 4.5GHz, Cooler: Corsair H80i, Motherboard: MSI X99S Gaming 7, RAM: Corsair Vengeance LPX 32GB DDR4 2666MHz CL16,

GPU: ASUS GTX 980 Strix, Case: Corsair 900D, PSU: Corsair AX860i 860W, Keyboard: Logitech G19, Mouse: Corsair M95, Storage: Intel 730 Series 480GB SSD, WD 1.5TB Black

Display: BenQ XL2730Z 2560x1440 144Hz


29 minutes ago, trag1c said:

The OS can't even control something like that if it wanted to. That's implemented on the hardware side. It's also highly necessary for a lot of high-bandwidth or timing-sensitive hardware, so you can't exactly get rid of it either. DMA is here to stay, and it's here to stay exactly how it's currently implemented.

There are lower-level systems supposed to help protect against this: VT-d (AMD has an equivalent). However, you need to init these before the PCIe device starts up, and that is an issue, since some PCIe devices start before system RAM is created, and traditionally VT-d systems depend on RAM.


1 hour ago, leadeater said:

Not on ours, no; HPE iLO security prevents that. Nothing boots until that does and provides platform security; bad devices get rejected.

Interesting, sounds like a server version of Apple's T2 chip. Does it validate the firmware on the devices as well then?


4 minutes ago, hishnash said:

Interesting, sounds like a server version of Apple's T2 chip. Does it validate the firmware on the devices as well then?

Yes, have a read of the quotes again. It doesn't just validate them but stores a secure copy so you can revert compromised firmware. It's actually some really cool tech, greater security than T2 offers, but it's expensive, and if the iLO chip breaks the entire system is useless.

 

I've had the flash media for iLO 4 fail before; the server can power on etc., but you cannot change anything like RAID settings (HPE use a custom hook), and you cannot change boot devices, so you better hope that's all set before the flash goes bad lol. Higher-end systems like the DL580 Gen9 have the iLO chip and flash media on a replaceable board, but for systems like the DL360 and DL380 it's on the motherboard and non-replaceable, so it's a motherboard swap when it goes bad. So it's not all positives.


26 minutes ago, leadeater said:

Yes, have a read of the quotes again. It doesn't just validate them but stores a secure copy so you can revert compromised firmware. It's actually some really cool tech, greater security than T2 offers, but it's expensive, and if the iLO chip breaks the entire system is useless.

The secure boot side of it sounds similar to the T2, right:

* powers on before anything else on the board.
* loads the system firmware from its storage, checks its signature and then flashes that onto the chipset
* hand-holds the boot process so that the system firmware cannot be overwritten during init

What I'm not sure about is how it validates the PCIe device firmware. Most PCIe devices don't report much firmware info on init (and they all have custom flashing methods). Does using the iLO chip limit you to `supported` PCIe devices that the iLO chip `trusts`?

Apple's approach to this is to run each `PCIe` `OROM` in a VM at ring 3 rather than the default Intel solution of running it in ring 0. Does the iLO solve this by just validating a signature on the OROM (which should be enough) before running it, or is it also restricting what the OROM can do?


14 hours ago, orbitalbuzzsaw said:

That's bullshit, they could fix it they just don't want to for some reason

So... a hardware port that bypasses all security options MS has... is somehow fixable by MS?

Care to elaborate?

 

If you order a new house being built, with the front door being open, without an actual door and without a lock... how is the builder supposed to make it secure?

Remember: people can just freely walk into your living room, without ever opening a door and without needing electricity... so security cams won't do you any good. And you won't even be able to fire lasers at random people coming through that open door, since you can't check who is coming in.

 

If you fire lasers at all people coming in, it no longer serves the purpose of an open door to your living room.

 

So basically:

Make up your mind.

Do you want all people getting free access to your living room, or not? Do you want that security hole in your hardware, or not?


17 minutes ago, hishnash said:

What I'm not sure about is how it validates the PCIe device firmware. Most PCIe devices don't report much firmware info on init (and they all have custom flashing methods). Does using the iLO chip limit you to `supported` PCIe devices that the iLO chip `trusts`?

Optionally, yes: if it's not an official HPE part with HPE-signed firmware it'll get rejected and disabled. You can also schedule firmware scans so the server is constantly checking device firmware over time (servers don't really boot often, so this is nice), and it will warn if the firmware has changed on a device that hasn't gone through the proper method or is no longer signed.

 

There's only so much you can do as you're limited to what's supported by Intel/AMD on their CPUs and Chipsets.

 

The main thing about iLO security-wise is the wraparound features of a normal TPM with much better audit logging, control of firmware updates of every component and predefined system hardening states that are compliant with FIPS or CNSA.

 

The main usage of iLO is the hardware monitoring and alerting along with remote KVM; security-related features are a more recent thing as it's grown more important. iLO was management-focused and is now management and security.

 

Edit:

The biggest thing about security is really the auditing and alerting; it doesn't do you much good if you don't know about it, which is mainly where the consumer/desktop products are lacking.

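The two iLO posts above (validate device firmware at boot, keep a protected copy to revert to, and scan on a schedule so an out-of-band or unsigned change raises a warning) describe a measured-firmware loop. The following is an added example modelled on that description; it is not HPE code and makes no claim about how iLO is implemented. An HMAC over a constructed vendor key stands in for the real asymmetric signature scheme, and every device, image and audit string is invented for illustration.

```python
"""Toy model of a firmware root of trust: verify at boot, measure, keep a golden
copy, rescan on a schedule. Added example for this thread, not vendor code."""
import hashlib
import hmac

VENDOR_KEY = b"constructed vendor signing key"  # stand-in for the vendor's private key


def sign(image: bytes) -> bytes:
    """Stand-in for the vendor signing a firmware image (HMAC, not a real signature)."""
    return hmac.new(VENDOR_KEY, image, hashlib.sha256).digest()


def signature_valid(image: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(image), sig)


class Device:
    """A PCIe card whose firmware flash the root of trust can read and rewrite."""

    def __init__(self, name, image, sig):
        self.name, self.image, self.sig, self.enabled = name, image, sig, True


class RootOfTrust:
    def __init__(self):
        self.golden = {}   # name -> (image, sig) held in protected storage
        self.measure = {}  # name -> sha256 of the image last accepted
        self.audit = []    # (device, event, detail) log entries

    def provision(self, dev):
        """Boot-time check: unsigned firmware is rejected and the device disabled."""
        if not signature_valid(dev.image, dev.sig):
            dev.enabled = False
            self.audit.append((dev.name, "rejected", "bad signature at boot"))
            return "rejected"
        self.golden[dev.name] = (dev.image, dev.sig)
        self.measure[dev.name] = hashlib.sha256(dev.image).hexdigest()
        self.audit.append((dev.name, "accepted", self.measure[dev.name][:16]))
        return "accepted"

    def approved_update(self, dev, image, sig):
        """The sanctioned path: golden copy and measurement move with the new image."""
        if not signature_valid(image, sig):
            self.audit.append((dev.name, "update-refused", "bad signature"))
            return False
        dev.image, dev.sig = image, sig
        self.golden[dev.name] = (image, sig)
        self.measure[dev.name] = hashlib.sha256(image).hexdigest()
        self.audit.append((dev.name, "updated", self.measure[dev.name][:16]))
        return True

    def scan(self, dev):
        """Scheduled runtime check. Outcomes:
        'ok'          image matches the accepted measurement
        'out-of-band' image changed and is validly signed but bypassed approved_update: warn
        'restored'    image changed and fails verification: roll back to the golden copy"""
        if dev.name not in self.measure:
            return "unknown"
        current = hashlib.sha256(dev.image).hexdigest()
        if current == self.measure[dev.name]:
            return "ok"
        if signature_valid(dev.image, dev.sig):
            self.audit.append((dev.name, "warning", "signed image changed outside approved update"))
            return "out-of-band"
        dev.image, dev.sig = self.golden[dev.name]
        self.audit.append((dev.name, "restored", "unsigned image replaced from golden copy"))
        return "restored"


def demo():
    """Constructed walk-through; returns the verdicts in order plus the bogus card's state."""
    rot = RootOfTrust()
    good = b"NIC firmware v1.0 (constructed)"
    nic = Device("nic0", good, sign(good))
    rot.provision(nic)
    verdicts = [rot.scan(nic)]                    # ok
    nic.image = b"NIC firmware v1.0 + implant"    # attacker reflashes in place, cannot sign
    verdicts.append(rot.scan(nic))                # restored
    verdicts.append(nic.image == good)            # True: golden copy is back
    v2 = b"NIC firmware v1.1 (constructed)"
    nic.image, nic.sig = v2, sign(v2)             # signed, but not via approved_update
    verdicts.append(rot.scan(nic))                # out-of-band
    bogus = Device("raid0", b"third-party raid firmware", b"\x00" * 32)
    verdicts.append(rot.provision(bogus))         # rejected
    return verdicts, bogus.enabled


if __name__ == "__main__":
    print(demo())
```

The point of the third scan result is the one leadeater makes about auditing: a correctly signed image that did not arrive through the approved channel is not silently accepted, it is logged as a warning, because "signed" and "authorised on this box" are different questions.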

4 hours ago, hishnash said:

* moving the UEFI to the T2 chip means that (like @LinusSebastian noted in the Mac Pro review

I think you got the wrong Linus 😛

 

4 hours ago, hishnash said:

* if you forget your passphrase for encryption, the T2 chip is stateful and remembers how many failed attempts; after a given number it will wipe all of its internal keys and you will not be able to recover any of your data... this is good when you think of people brute-forcing into your device but painful for many users.

Are you saying that one could permanently deprive other people of their data by hammering their Macs with wrong passwords?


2 minutes ago, Tech Enthusiast said:

is somehow fixable by MS? Care to elaborate?

So there are low-level CPU APIs that are designed to limit PCIe devices to reading only the memory they are permitted to.

This was designed mainly for the VM situation where you do not want one PCIe device to read the memory of another VM running on the host (think cloud provider).

Most important of these is VT-d (and the AMD equivalent, AMD-Vi); however, you need to set these up before any untrusted devices have access to the system memory. This is the difficult part; Apple uses the T2 chip to let them set up VT-d tables before the system memory starts, thus before any DMA attack can happen.

 

But there are downsides to this brutal approach:

2 minutes ago, SpaceGhostC2C said:

Are you saying that one could permanently deprive other people of their data by hammering their Macs with wrong passwords?

Yes, if you turn on the optional `FileVault` (and turn on another option that kills data after a given number of attempts, normally only turned on by companies who issue laptops to their workers through MDM). If you don't turn on the second one of these, the chip instead just forces a delay timeout on you, so you might need to wait 1 week before trying again if you enter your PW wrong 20 times.

 

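The posts above from leadeater and hishnash both turn on the same mechanism: with the IOMMU (VT-d / AMD-Vi) unprogrammed, a device's DMA addresses are simply physical addresses, so a hostile Thunderbolt device can walk all of RAM; once the OS or firmware has given the device its own I/O page table, it can only touch the pages it was granted. The following is an added example, not code from the thread or from any vendor, that models exactly that difference: a 16-page "machine" with a constructed key in memory, an IOMMU object that is either in passthrough or enforcing per-device mappings, and a `scan_for_key` routine doing what a DMA-attack tool does. All addresses, the page size and the key are invented.

```python
"""Toy model of device DMA with and without an IOMMU. Added example for this
thread; the Host/Iommu classes, addresses and key are all constructed."""

PAGE = 4096
KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed 16-byte key


class DmaFault(Exception):
    """The IOMMU refused a device access: no mapping, or wrong permission."""


class Iommu:
    """Per-device I/O page tables: device name -> {iova_page: (phys_page, perms)}.

    While `enabled` is False the unit is in passthrough, which is the state a
    machine is in before firmware/OS has programmed it: device addresses are
    system physical addresses and every byte of RAM is reachable.
    """

    def __init__(self):
        self.enabled = False
        self.tables = {}

    def map_page(self, dev, iova, phys, perms):
        self.tables.setdefault(dev, {})[iova // PAGE] = (phys // PAGE, perms)

    def translate(self, dev, iova, access):
        if not self.enabled:
            return iova  # passthrough
        entry = self.tables.get(dev, {}).get(iova // PAGE)
        if entry is None or access not in entry[1]:
            raise DmaFault(f"{dev}: {access} at {iova:#x} has no mapping/permission")
        phys_page, _ = entry
        return phys_page * PAGE + iova % PAGE


class Host:
    """16 pages of RAM with a key sitting in page 3, as a booted kernel would have."""

    def __init__(self):
        self.ram = bytearray(16 * PAGE)
        self.iommu = Iommu()
        self.key_addr = 3 * PAGE + 0x100
        self.ram[self.key_addr:self.key_addr + len(KEY)] = KEY
        self.dma_buf = 9 * PAGE  # the single page a NIC/dock is supposed to use

    def dma_read(self, dev, addr, n):
        phys = self.iommu.translate(dev, addr, "r")
        return bytes(self.ram[phys:phys + n])

    def dma_write(self, dev, addr, data):
        phys = self.iommu.translate(dev, addr, "w")
        self.ram[phys:phys + len(data)] = data

    def enable_kernel_dma_protection(self, dev):
        """What the OS/firmware does once it owns the IOMMU: grant the device
        exactly one read/write page (at IOVA 0) and turn translation on."""
        self.iommu.map_page(dev, 0, self.dma_buf, "rw")
        self.iommu.enabled = True


def scan_for_key(host, dev="evil-dock"):
    """What a DMA-attack tool does: walk memory looking for the key. Pages that
    fault are skipped, as a real tool would. Returns the key's address or None."""
    for page in range(len(host.ram) // PAGE):
        try:
            chunk = host.dma_read(dev, page * PAGE, PAGE)
        except DmaFault:
            continue
        i = chunk.find(KEY)
        if i != -1:
            return page * PAGE + i
    return None


def before_protection():
    """Device plugged in before the IOMMU is programmed: the key is found."""
    return scan_for_key(Host())


def after_protection():
    """IOMMU enforcing: scan finds nothing, but the device's own window still works."""
    host = Host()
    host.enable_kernel_dma_protection("evil-dock")
    found = scan_for_key(host)
    host.dma_write("evil-dock", 0, b"packet")  # legitimate transfer through IOVA 0
    legit = bytes(host.ram[host.dma_buf:host.dma_buf + 6])
    return found, legit


if __name__ == "__main__":
    print("no IOMMU, key at:", hex(before_protection()))
    print("IOMMU enforcing:", after_protection())
```

The model also shows why the ordering problem in the thread matters: nothing in `Host.__init__` stops a device from reading, so any device that can issue DMA between power-on and `enable_kernel_dma_protection` gets the passthrough behaviour. Closing that window is the whole job of pre-boot DMA protection, whatever chip does it.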

So the fix to the open door feature is to shut the door and only let people look through the window?

Doesn't that kind of defeat the purpose? 

 

Why use a port that gets huge speed in both directions without a limitation, if you don't actually want to use a port like that?

Changing how it works, just changes what the port can do.

 

Obviously you can make this secure, but it won't be the same after that. You can just as well use USB if you limit thunderbolt enough to be secure.


19 minutes ago, Tech Enthusiast said:

Obviously you can make this secure, but it won't be the same after that. You can just as well use USB if you limit thunderbolt enough to be secure.

That has been one of the big arguments around TB, why it exists at all. You can pose the argument of why not just have updated the USB spec to add the extra features or bandwidth improvements etc. But I think changes to USB are quite a bit harder and also much more dire if you end up making it weaker security-wise; everything has USB now, so messing that up is a bad idea.


2 minutes ago, leadeater said:

That has been one of the big arguments around TB, why it exists at all. You can pose the argument of why not just have updated the USB spec to add the extra features or bandwidth improvements etc. But I think changes to USB are quite a bit harder and also much more dire if you end up making it weaker security-wise; everything has USB now, so messing that up is a bad idea.

To make USB much faster you will soon need DMA, or your kernel will be flat out at 100% CPU usage validating every packet. USB4 has DMA, so it will need the same VM-style protections as TB and FireWire.


Sure enough.

Yet I fail to see a reason to make TB more like USB, if USB is already there.

 

Right now TB has "something" over USB, but that is exactly the part you need to remove to make it secure.

Apple's way of doing this is just as dumb as most things Apple does. Or let me rephrase that: it is not dumb, it is just a shiny distraction so people that don't look into it can feel better.

 

Basically they shove their chip in between, and THEY decide which devices can pass and which cannot.

If they automate this according to some form of metric... bad actors would just copy that metric to look legit. So they have to work with white/blacklists and call it "advanced AI-based super chip that deflects potential attacks. The most advanced security ever made!" - we all know their marketing...

 

To get back to the open door example: Apple is putting a security guy next to the door. You have to pay him (resources, power, latency) and he has a big list of people that are allowed to enter your living room. People looking like pirates are just blocked. Pirates that dress up like a nice person, may pass.

 

Don't get me wrong: I am all in for securing TB, if it remains TB after that.

But there is no magic way to do this, without going (much) closer to the USB spec and working like USB. The moment TB is as secure as USB, it actually IS USB. 

Both ways of data transfer are valid in their own scenarios. You don't always need security and you don't always need speed.

 

Pick the right tool for the job and don't change a perfectly working tool, because you actually want another tool but insist on not using it.

Edit: The same thing, 180 degrees the other way, applies to USB(4) using the same vulnerabilities. Making USB more like TB is just as silly. Just have both for the correct job and make people understand what each is for.


18 hours ago, SansVarnic said:

Microsoft reveals why no Surface device has Thunderbolt and why you can’t upgrade your RAM

by Surur @mspoweruser, Apr 25, 2020 at 10:50 GMT

 

Source: https://mspoweruser.com/microsoft-reveals-why-no-surface-device-has-thunderbolt-and-you-cant-upgrade-your-ram/

 

Simply put, because it is not secure.

Well this sucks, I was hoping that the Surface 7 and the Surface X would have Type-C (Surface X has Type-C) and Thunderbolt, but I have to admit I did not take this into consideration.

The article is not very long but there is a snippet from the presentation that explains this.

 

 

Thoughts?

Except you can buy desktop motherboards with TB on them, so why aren't these also affected, and if they are, why are MS telling everyone about it?

Main Rig:-

Ryzen 7 3800X | Asus ROG Strix X570-F Gaming | 16GB Team Group Dark Pro 3600Mhz | Corsair MP600 1TB PCIe Gen 4 | Sapphire 5700 XT Pulse | Corsair H115i Platinum | WD Black 1TB | WD Green 4TB | EVGA SuperNOVA G3 650W | Asus TUF GT501 | Samsung C27HG70 1440p 144hz HDR FreeSync 2 | Ubuntu 20.04.2 LTS |

 

Server:-

Intel NUC running Server 2019 + Synology DSM218+ with 2 x 4TB Toshiba NAS Ready HDDs (RAID0)


3 minutes ago, Master Disaster said:

Except you can buy desktop motherboards with TB on them, so why aren't these also affected, and if they are, why are MS telling everyone about it?

Their reasoning for the RAM is suuuuper flimsy.

 

As for the Thunderbolt part, desktops have the same vulnerability. The lack of Thunderbolt and soldered RAM are separate points.

🌲🌲🌲

 

 

 

◒ ◒ 


Desktops are usually sitting in your house, or workplaces that are usually locked.

The risk of someone putting a TB device in there to manipulate whatever is pretty slim.

 

Laptops on the other hand are carried everywhere. Hell, I see people leaving those on the desk in a restaurant, if they go to the rest rooms.

Everyone could go to the table, insert a stick and go ham with the open doors.

 

There are always tradeoffs and situations that make those tradeoffs worse or less bad. Desktops with TB certainly are at a slimmer risk, even though it is indeed the same vulnerability.


19 hours ago, SansVarnic said:

Thunderbolt uses DMA (Direct Memory Access) which means the port can read and write directly to your device’s RAM without the OS or processor being involved.

We've known about this since TB was first introduced; it's the same problem FireWire and ExpressCard had. It's true, but ultimately it's the price to pay for the features TB offers. Besides, I would argue that if a malicious actor has physical access to your device it's no longer your device anyway.

 

For instance one could open the device and access a PCIe connector - for example the NVMe or GPU slot - and have the same level of access.

 

Still, one could just walk up to your device and insert a malicious pendrive if you leave it unattended for more than a minute or two.

16 hours ago, Ryan_Vickers said:

With this in mind, does the same fact (implications of DMA + thunderbolt) exist in macs as well?

Yes, absolutely. Again, this is a known fact though it doesn't get much press nowadays.

16 hours ago, Morgan MLGman said:

who realistically needs Thunderbolt's bandwidth with a consumer-grade device?

It's not so much about the bandwidth but rather the flexibility of a general purpose port. Docks are useful, especially for something like a surface tablet which doesn't have a lot of ports due to size and design constraints.

Quote

It is for the same reason, according to a Microsoft presenter, that all Surface products have soldered RAM, as attackers could use liquid nitrogen to preserve the state of a RAM chip without power, move the chip to an external RAM reader, and then get full unprotected access to your RAM, including encryption keys.

Now, this? This is bullshit. If an attacker has the means to do this they also have the means to desolder the RAM. TB I can understand, because it's within reach of anyone who can get access to your device for a few minutes and leaves no trace; this, on the other hand, is well beyond any reasonable concern.

17 hours ago, schwellmo92 said:

LPDDR is solder only, and also they use soldered RAM to reduce chassis height.

Then they could just have said that instead of providing an excuse that makes no sense. Also I would argue that upgradable RAM is worth a slightly thicker device (which in turn would allow for a slightly bigger battery to account for the slightly higher power draw).

Don't ask to ask, just ask... please 🤨

sudo chmod -R 000 /*


This is just stupid.

 

Thunderbolt is quite common these days on high-end laptops, but still we haven't found a single reported case of this vulnerability. Second, Microsoft makes it sound like there's some direct and easy security risk, but I doubt Intel would've been this carefree, especially when they're hot on the heels of CPU vulnerabilities. Third, as an extension to the first point, how do Apple and other manufacturers have no issues with this standard? They all seem to implement it quite well and it works as expected.


14 hours ago, GoodBytes said:

So, security of the Surface Pro has been pushed by Microsoft since the first model. It was one of the early systems with TPM chips. It wasn't common back then to have that chip (well, it still isn't in the consumer space, but it is commonly found on the business models of systems today).

Sure, it's apparently a security risk for Microsoft when we have no reports of this vulnerability or exploit for the past 4 years TB3 has existed on the market, both on Mac and Windows.

14 hours ago, GoodBytes said:

 

If it were my guess, it is that they evaluated TB3. Now, TB3 has a cost to implement. A high cost. I mean you need to implement everything needed for firmware update, you need to find room on the PCB to add it (hopefully it doesn't require an entire redesign), support, licensing costs to Intel (at the time), chip cost from Intel, QA, and of course time.

Surface devices are straight up overpriced. It's even more so than Apple laptops. Cost isn't an excuse, nor is engineering to fit TB3 on the PCB when other companies can easily do it. C'mon, stop making lousy excuses for an incompetent company like MS. They're neither good at making software nor hardware, with all of their devices and software constantly plagued with issues; that's pretty much normalised at this point.

14 hours ago, GoodBytes said:

So, what is the point of TB3? The only ones really complaining are mostly YouTubers.

TB3 offers massive flexibility and versatility. It's going to be compatible with the upcoming USB4 spec and you can connect anything from docks to eGPUs, all of which are useful for mass consumers once they're actually aware of it. Microsoft is supposed to be making the ideal futuristic Windows PCs, and yet that they lack this significant feature is embarrassing. There's a reason why laptops like the Dell XPS are the de facto standard Windows laptop.

 


5 minutes ago, Sauron said:

Also I would argue that upgradable RAM is worth a slightly thicker device (which in turn would allow for a slightly bigger battery to account for the slightly higher power draw).

To you and me, sure, but to 95% of the people that actually buy the devices, no. Most people don't upgrade their laptops, and most people would look at two similar laptops and pick the sleeker/thinner one. We saw this recently in AMD and Intel marketing.


3 minutes ago, schwellmo92 said:

To you and me, sure, but to 95% of the people that actually buy the devices, no. Most people don't upgrade their laptops, and most people would look at two similar laptops and pick the sleeker/thinner one. We saw this recently in AMD and Intel marketing.

I feel like some of that is just a self-fulfilling prophecy pushed by the industry. If they only make high-end devices with soldered RAM then people are going to buy them, if only because they don't have much of a choice. I doubt anyone shows up with a ruler to check which device is 1mm thinner than the other.

 

Also these devices often have very little RAM so more people may be inclined to expand them rather than just buy a new one 1-2 years later.



5 minutes ago, RedRound2 said:

TB3 offers massive flexibility and versatility. It's going to be compatible with the upcoming USB4 spec and you can connect anything from docks to eGPUs, all of which are useful for mass consumers once they're actually aware of it. Microsoft is supposed to be making the ideal futuristic Windows PCs, and yet that they lack this significant feature is embarrassing. There's a reason why laptops like the Dell XPS are the de facto standard Windows laptop.

 

TB3 is not a massive feature, my man. I have had it on my last 3 laptops spanning almost 4 years; I used it once when I bought an eGPU and determined the eGPU experience was trash, then promptly sold the eGPU, and I have not used it since. At work we have docks and they use USB 3.0, which drives the mouse, keyboard and two 24" 1080p monitors.


3 minutes ago, Sauron said:

I feel like some of that is just a self-fulfilling prophecy pushed by the industry. If they only make high-end devices with soldered RAM then people are going to buy them, if only because they don't have much of a choice. I doubt anyone shows up with a ruler to check which device is 1mm thinner than the other.

 

Also these devices often have very little RAM so more people may be inclined to expand them rather than just buy a new one 1-2 years later.

The industry is moving to LPDDR anyway with Zen 2 U-series CPUs and Intel Ice Lake CPUs, which is solder-only, so I doubt anything is going to change.
