The NSA has started assigning developers to the Coreboot project, which is an open source alternative to Windows BIOS/UEFI firmware. The NSA's Eugene Myers has begun contributing SMI Transfer Monitor (STM) implementation code for the x86 processor. Myers works for NSA’s Trusted Systems Research Group, which according to the agency’s website, is meant to “conduct and sponsor research in the technologies and techniques which will secure America's information systems of tomorrow.”
Can The NSA Be Trusted With Such Low-Level Code?
NSA has worked on security projects embraced by the public before, including Security-Enhanced Linux, a security module for Linux. More recently, the NSA released the Ghidra reverse engineering tool as open source, which has also been adopted by Coreboot developers so that they can more easily reverse-engineer hardware firmware.
Myers published a paper about STM last year on how NSA’s STM implementation could work. All Coreboot code, including all the STM contributions from the NSA, are open source, so anyone could verify that there is no backdoor in there -- in theory.
In practice, the NSA could have also written the code in a less-than-secure way with vulnerabilities that are hard to detect without more experienced security researchers. Alternatively, the NSA could also update this implementation years later, when there are less eyes on the STM implementation and the update would no longer make headlines.
This wouldn’t be completely out of the question for an agency like the NSA. After all, the NSA succeeded in pushing a backdoor through the NIST standardization process years ago. The agency was also accused by EFF co-founder John Gilmore of sabotaging the IPsec protocol by making it too complex to ever be secure (something that would benefit an espionage agency).
More recently, it also tried to push two encryption algorithms through the ISO standardization process, but the reviewers overwhelmingly rejected the algorithms based on trust concerns and NSA’s failure to answer some technical questions.
NSA Low-Level Code In Coreboot
Intel released the STM specification and documentation of the SMT firmware security feature in 2015, six years after the discovery of bypasses against the company’s Trusted Execution Technology, which can be used to ensure that an operating system starts in a trusted environment.
The STM is a hypervisor that launches inside the System Management Mode, which is a “ring -2” isolated environment that offers protected execution against tampering of low-level services, such as power management, security functions, calls to the Trusted Platform Module and so on. STM was initially supposed to work with an Intel TXT launch, but the latest specification allows the STM to work with Intel Virtualization Technology (VT) only. The TXT was not enough to protect these services against attacks, and STM is meant to do that.
