HPE iLO5 Firmware Security - Go Home Cryptoprocessor, You're Drunk!

The presentation discusses vulnerabilities found in HPE iLO 5 systems and the process of extracting encryption keys from the key manager.

• The implementation of HPE iLO 5 systems is complex and contains vulnerabilities
• The key manager is responsible for loading and decrypting the secure main image
• The key manager uses a hardware crypto processor with no documentation
• The private key is reconstructed using a derivation seed and key scheduling function
• Deterministic keys are generated using OpenSSL primitives

The presentation describes the process of extracting encryption keys from the key manager of HPE iLO 5 systems. The key manager uses a hardware crypto processor with no documentation, making it a challenge to reverse engineer. The private key is reconstructed using a derivation seed and key scheduling function, with deterministic keys generated using OpenSSL primitives. This information is important for cybersecurity experts to understand the vulnerabilities present in HPE iLO 5 systems and the process of extracting encryption keys from the key manager.

At the core of HPE Gen10 servers lies the Integrated Lights Out 5 (iLO 5) out-of-band management technology. Coming with new hardware and software, it introduced a cornerstone feature described as a "silicon root of trust". When you are not designing your own hardware and security (as Google with its Titan security module for example) you have to rely on the manufacturer of your equipment to provide you with best-in-class security. In such a situation, the iLO5 chipset is both your first and last line of defense.At the start of 2020, we observed that the new HPE iLO5 firmware (versions greater or equal to 2.x) would come as an encrypted binary blob; now deterring any efforts of public scrutiny by the cyber-security community. That is why we decided to perform a complete review of the encryption mechanism and to analyze the security implications of the new firmware packaging.This research led us to completely reverse-engineer the new encryption mechanism, the new boot chain, as well as the cryptographic co-processor this feature relies upon. To extract the encryption keys from the system-on-chip (SOC) we exploited software vulnerabilities, both old ones and a new one we discovered and reported during this study; we also discovered and investigated the presence of an unknown debug port (presumably JTAG) on the motherboards of one of our servers (MicroServer family).Finally, we will demonstrate the impact of these new findings in operational environments. Based on new knowledge, we developed an exploitation script to recover the clear text credentials of all the accounts on the iLO5 system, directly from the host operation system. Placed in the context of a motivated attacker this would allow a very fast and efficient lateralization, possibly crossing production and administration networks segmentation.What are the lessons learned of this new feature and analysis and how much trust can we put in the HPE iLO 5 secure element technology? Is it still possible for a motivated attacker to intercept the delivery of a server and implant a backdoored firmware in it?