Hunting down the HVCI bug in UEFI

We discussed this vulnerability during Episode 238 on 29 January 2024

A logical issue that allows bypassing Hypervisor Code Integrity (HVCI) on certain Intel-based machines. HVCI is a Virtualization-Based Security (VBS) mitigation that protects kernel code pages from being made writable, as well as preventing new read/write/execute (RWX) mappings from being created by a compromised guest kernel. When VBS is enabled and the machine boots, the hypervisor will change permissions on certain ranges and setup Extended Page Tables (EPT) to enforce this. On certain Intel 6th - 10th gen based machines though, they found EPT entries that were RWX to the guest. Moreover, these guest physical addresses were constant across reboot, making exploitation trivial. An attacker could simply use one of these addresses, place shellcode there, and jump to it with a compromised kernel.

The reason this happens gets into the weeds of the IOMMU and the DMA Remapping (DMAR) Advanced Configuration and Power Interface (ACPI) table. Ultimately what it comes down to is the BIOS on some of these platforms would have reserved memory regions, which is where those RWX guest ranges come from. The BIOS should be reporting any physical memory described in the Reserved Memory Region Reporting (RMRR) structure as reserved memory in the UEFI map, but on certain machines it doesn’t. Since the secure kernel can’t account for it, when it’s determined that HVCI is enabled, it’s not aware of those regions and as such can’t change the permissions on them.