Using 2018-9062 to bypass BootGuard and possibly coreboot?

I own a ThinkPad T470 on a 2017 BIOS, which is about a year before the vulnerability was found. Now the question is: knowing that we have a partition where PeiCore searches for executables and that isn't signed, can we possibly build a module to get rid of that junk or coreboot the machine?

Boot Guard, if set up properly, is burned into the PCH, so you can only disable it by replacing the PCH with a clean, non-burned-in PCH (no key).
If you want to confirm whether Boot Guard is properly set up, dump the BIOS region with FPT and send it to me (how-to below).

Check the BIOS main page and see if the ME FW version is shown; if not, download HWINFO64.
Then in the large window on the left side, expand Motherboard and find the ME area; inside that, get the ME Firmware version.
Once you have that, go to this thread and in section "C.2" download the matching ME System Tools Package
(i.e. if ME FW version = 10.x get the V10 package, if 9.0-9.1 get the V9.1 package, if 9.5 or above get the V9.5 package, etc.)
Intel Management Engine: Drivers, Firmware & System Tools

Once downloaded, inside you will find a Flash Programming Tool folder, and inside that a Windows or Win/Win32 folder.
Select that Win folder, hold Shift and right-click, and choose "Open command window here" (not PowerShell).
At the command prompt type the following command and send me the created file >> FPTw.exe -bios -d biosreg.bin

If you are stuck on Win10 and cannot easily get a command prompt, and the method I mentioned above does not work for you, here are some links that should help.
Or, copy all contents from the Flash Programming Tool \ DOS folder to the root of a bootable USB disk and do the dump from DOS (FPT.exe -bios -d biosreg.bin)
https://www.windowscentral.com/how-add-c…creators-update
https://www.windowscentral.com/add-open-…menu-windows-10
https://www.laptopmag.com/articles/open-…ator-privileges

Or here is simply a registry edit that adds "Open command window here as Administrator" to the right-click menu.
Double-click to install; a reboot after install may be required.
http://s000.tinyupload.com/index.php?fil…134606820377175


And run the following CMD from the above ME System Tools package >> MEINFOWIN.exe -verbose
Then show me the very bottom of the report as an image (not text/copy). We're looking at the left side/FPF for Measured or Verified Boot enabled.

As expected there is an OEM FPF key, but that's beside the point, since for some unknown reason Lenovo screwed up the implementation, leaving 64k unsigned, and that portion of the BIOS happens to contain 7934156d-cfce-460e-92f5-a07909a59eca BIOSGuard, which as you can tell sounds very promising. Alternatively there's the hardware approach: muxing 2 BIOS chips and swapping them when the check is in place.

A key in the BIOS means nothing; you have to do as I mentioned above so I can check (do both things). It is common for a lot of the BIOS to not be covered by Boot Guard; only certain volumes are usually protected, sometimes 1 or 2 volumes, sometimes 2-3, etc.
The BIOS means nothing in regards to this really, unless it is properly set up and MB or VB is burned in at the PCH. It's all about what's burned into the PCH, or not; if nothing, then what's set in the BIOS or ME FW doesn't matter at all.
If Measured or Verified Boot is enabled at the FPF side (burned into the PCH), then you can only edit areas of the BIOS not covered by Boot Guard (see UEFITool NE for what's covered or not, if you didn't already know).
If you don't want to send me a BIOS region dump, at least show me an image of the end of the MEINFOWIN -verbose report; then I can answer you better.

What is your goal here, if Boot Guard is not properly enabled?

Here is the report. My end goal would be coreboot running on the machine, or at the very least a modded BIOS.

Sorry, I was half-asleep and should have asked you for the ME FW region dump above as well, in addition to the BIOS region dump.
Please send me the ME region dump and the BIOS region dump too (so I can check what you can mod) >> FPTw.exe -me -d me.bin
You are right: Verified Boot and a key are burned into the PCH, so even if disabled at the ME FW side, it's still enabled and there's nothing you can do to disable it unless you replace the PCH (or know their private signing key).

A mod BIOS may be possible, but I don't know anything about coreboot so can't comment on that. BIOS mods will all depend on what you want to modify, and what's covered by Boot Guard in the BIOS region (I will have to check, if you are unsure).
In general, for when I check your BIOS region, what do you want to modify in a mod BIOS?

Here is a full BIOS dump. I wanted to at least enable the advanced menu, but AFAIK that's impossible without bypassing BootGuard.

-------------

I don't think the file uploaded; here is a copy anyway.

Yes, nothing was attached to your post; you have to upload, then attach or insert (not sure, I rarely attach files here).
Anyway, I'll use the link and check it out, thanks.

* Edit - @paranoidbashthot - BIOS is protected by Boot Guard at PCH + ME FW (Profile 4 FVE - VB, Immediate Shutdown).
And the areas which you'd edit to change menus in a mod BIOS are protected. However, if needed, you can change current settings values (hidden or visible settings) in the NVRAM area; this is not protected by Boot Guard (nor is the microcode area, if you wanted to update those).

I was able to get into MFG mode, therefore bypassing BootGuard. Could you help me with the patches for the advanced menu?

721C8B66-426C-4E86-8E99-3457C46AB0B9 10 P:04320b483cc2e14abb16a73fadda475f:778b1d826d24964e8e103467d56ab1ba
32442D09-1D11-4E27-8AAB-90FE6ACB0489 10 P:04320b483cc2e14abb16a73fadda475f:778b1d826d24964e8e103467d56ab1ba
8218965D-20C0-4DD6-81A0-845C52270743 10 P:04320b483cc2e14abb16a73fadda475f:778b1d826d24964e8e103467d56ab1ba

Doesn't seem to be enough.

Good job. 🙂

32442D09-1D11-4E27-8AAB-90FE6ACB0489 10 P:04320B483CC2E14ABB16A73FADDA475F:778B1D826D24964E8E103467D56AB1BA

721C8B66-426C-4E86-8E99-3457C46AB0B9 10 P:04320B483CC2E14ABB16A73FADDA475F:778B1D826D24964E8E103467D56AB1BA
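The patch lines posted above (both the three-line first attempt and the two-line reply) follow the UEFIPatch-style layout "section GUID, section type in hex, P:find-bytes:replace-bytes". The following Python is an added example, not code from this thread, from UEFITool or from UEFIPatch: it parses lines of that shape, validates them (well-formed GUID, even-length hex, find and replace of equal length so the section size is unchanged), shows that the lowercase and uppercase lists carry identical find/replace bytes and differ only in which section GUIDs they target, and applies one patch to a constructed stand-in for a section body. It assumes that a '#' line is a comment and that a pattern patch replaces every occurrence of the find bytes; neither detail comes from the thread, and only literal P: patterns are modelled.

```python
"""Parse, validate and apply UEFIPatch-style "P:" pattern patch lines.

Added example, not code from the thread, UEFITool or UEFIPatch.  It models
only what the posted lines show:

    <section GUID> <section type, hex> P:<find bytes, hex>:<replace bytes, hex>

Assumptions (not taken from the thread): '#' starts a comment line, and a
pattern patch replaces every occurrence of the find bytes inside the target
section's body.  The section body patched in demo() is constructed.
"""
import re
import uuid
from dataclasses import dataclass


# One patch line.  Section type 0x10 is EFI_SECTION_PE32, the type named in
# every line the thread shows.
@dataclass(frozen=True)
class PatternPatch:
    section_guid: uuid.UUID
    section_type: int
    find: bytes
    replace: bytes


_LINE_RE = re.compile(
    r"^([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})"  # section GUID
    r"\s+([0-9A-Fa-f]{1,2})"                                   # section type
    r"\s+P:([0-9A-Fa-f]*):([0-9A-Fa-f]*)$"                     # find:replace
)


def parse_patch_line(line: str) -> PatternPatch:
    """Parse one 'GUID type P:find:replace' line; reject malformed ones."""
    m = _LINE_RE.match(line.strip())
    if m is None:
        raise ValueError(f"not a P: pattern patch line: {line!r}")
    find = bytes.fromhex(m.group(3))      # fromhex rejects odd-length hex
    replace = bytes.fromhex(m.group(4))
    if not find:
        raise ValueError("empty find pattern would match everywhere")
    if len(find) != len(replace):
        raise ValueError(
            f"find is {len(find)} bytes but replace is {len(replace)}; "
            "an in-place pattern patch must not change the section size")
    # uuid.UUID accepts either letter case, so upper/lower lines compare equal.
    return PatternPatch(uuid.UUID(m.group(1)), int(m.group(2), 16), find, replace)


def parse_patch_file(text: str) -> list[PatternPatch]:
    """Parse a whole patch list, skipping blank lines and '#' comments (assumed)."""
    patches = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            patches.append(parse_patch_line(line))
    return patches


def apply_pattern_patch(section_body: bytes, patch: PatternPatch) -> tuple[bytes, int]:
    """Replace every occurrence of patch.find in a section body.

    Returns the patched body and the number of replacements; raises if the
    pattern is absent so a stale patch is not silently reported as applied.
    """
    hits = section_body.count(patch.find)
    if hits == 0:
        raise LookupError("find pattern not present in section body")
    return section_body.replace(patch.find, patch.replace), hits


# The two patch lists posted in the thread: the first attempt (three
# sections, lowercase hex) and the reply (two sections, uppercase hex).
FIRST_ATTEMPT = """
721C8B66-426C-4E86-8E99-3457C46AB0B9 10 P:04320b483cc2e14abb16a73fadda475f:778b1d826d24964e8e103467d56ab1ba
32442D09-1D11-4E27-8AAB-90FE6ACB0489 10 P:04320b483cc2e14abb16a73fadda475f:778b1d826d24964e8e103467d56ab1ba
8218965D-20C0-4DD6-81A0-845C52270743 10 P:04320b483cc2e14abb16a73fadda475f:778b1d826d24964e8e103467d56ab1ba
"""
REPLY = """
32442D09-1D11-4E27-8AAB-90FE6ACB0489 10 P:04320B483CC2E14ABB16A73FADDA475F:778B1D826D24964E8E103467D56AB1BA
721C8B66-426C-4E86-8E99-3457C46AB0B9 10 P:04320B483CC2E14ABB16A73FADDA475F:778B1D826D24964E8E103467D56AB1BA
"""


def compare_lists(a: str, b: str) -> tuple[set[uuid.UUID], set[uuid.UUID]]:
    """Section GUIDs present only in list a, and only in list b."""
    ga = {p.section_guid for p in parse_patch_file(a)}
    gb = {p.section_guid for p in parse_patch_file(b)}
    return ga - gb, gb - ga


def demo() -> tuple[int, int]:
    """Patch a constructed section body with the reply's first line."""
    patch = parse_patch_file(REPLY)[0]
    # Constructed stand-in for a PE32 section body: filler, the find bytes
    # once, more filler.  Not real firmware.
    body = b"\x90" * 32 + patch.find + b"\xcc" * 32
    patched, hits = apply_pattern_patch(body, patch)
    return hits, patched.index(patch.replace)


if __name__ == "__main__":
    only_first, only_reply = compare_lists(FIRST_ATTEMPT, REPLY)
    print("sections only in first attempt:", [str(g).upper() for g in only_first])
    print("sections only in reply:", [str(g).upper() for g in only_reply])
    print("replacements, offset of replace bytes:", demo())
```

Run it directly and it reports that the reply drops the 8218965D-20C0-4DD6-81A0-845C52270743 section from the first attempt while keeping the same find/replace bytes for the other two, and that the constructed body is patched exactly once. Refusing to apply a patch whose find bytes are absent, and rejecting find/replace pairs of unequal length, are the two checks worth keeping in any tool of this kind: the first catches a patch written for a different BIOS build, the second a patch that would corrupt the section layout.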