The Alder Lake BIOS source code recently leaked to 4chan and GitHub has been confirmed by Intel, and it is known that the 6GB file contains tools and code for building and optimizing BIOS/UEFI images. In a statement to Tom’s Hardware, the company said: “Our company’s proprietary UEFI code appears to have been leaked by a third party. Intel does not believe this will expose any new security vulnerabilities, as we do not rely on obfuscated information as a security measure.”
In addition, an Intel spokesperson said that vulnerability research related to this code is still covered by the “Project Circuit Breaker” bounty program. At the same time, the company is reaching out to customers and the security research community to keep everyone informed.
Tom’s Hardware points out that the computer’s Basic Input Output (BIOS)/Unified Extensible Host Interface (UEFI) is used to initialize the hardware before the operating system loads.
Among its many responsibilities is establishing connections to certain security mechanisms – such as the Trusted Platform Module (TPM).
In the wake of this code leak, both malicious actors and the security industry will clearly be actively investing in deep research to find potential backdoors or security vulnerabilities
Well-known security researcher Mark Ermolov noted in an early report that he had discovered secret MSRs (Model Specific Registers) normally reserved for privileged code and signing private keys for Intel Boot Guard.
The former means that the Alder Lake platform may encounter potential security issues, while the latter may cause the Intel Boot Guard function to fail.
There are also signs of ACM authentication code modules for BootGuard and TXT Trusted Execution Technology, indicating a possible root of trust problems in the future.
However, the impact and breadth of the exposure may be relatively limited, as most motherboards and OEMs have similar tools and information for building firmware for Intel platforms.
What’s more, Intel’s claim that it doesn’t rely on obfuscation-based security measures means the company has cleaned up the highly sensitive material before making it available to outside suppliers.
As for Intel’s Project Circuit Breaker bug bounty program, which encourages researchers to submit bugs, the company will give out rewards ranging from $5 million to $100,000 per bug, depending on the severity of the problem.
Finally, Intel has not yet found the source of the leak, and it is unclear whether the relevant code can indirectly benefit open source organizations such as Coreboot.
However, judging from the currently removed GitHub repository (which still has extensive copies remaining), it appears to have been created by an Original Design Manufacturer (ODM) employee from the LC Future Center.
