Apparent source code for Alder Lake BIOS has been shared online. It seems to have been leaked in its entirety at 5.9 GB uncompressed, possibly by someone working at a motherboard vendor, or accidentally by a Lenovo manufacturing partner.
Some Twitter users seem to think that the code originated from 4chan. It made its way onto GitHub yesterday, and before it was taken down earlier this morning, someone peered into its source logs and found that the initial commit was dated September 30 and authored by an employee of LC Future Center, a Chinese company that possibly manufactures Lenovo laptops. The code is now available from several mirrors and is being shared and talked about all over the Internet.
It could take days before someone analyzes all 5.9 GB, but some interesting sections have already been discovered. There are apparently multiple references to a “Lenovo Feature Tag Test” that further link the leak to the OEM. Other sections allegedly name AMD CPUs, suggesting the code has been altered since leaving Intel. Most alarmingly, a researcher has found explicit references to undocumented MSRs, which could pose a significant security risk.
MSRs (model-specific registers) are special registers that only privileged code like the BIOS or operating system can access. Vendors use them for toggling options within the CPU, like enabling special modes for debugging or performance monitoring, or features such as certain types of instructions.
CPUs can have hundreds of MSRs, and Intel and AMD only publish the documentation for half to two-thirds of them. The undocumented MSRs are often linked to options that the CPU manufacturer wants to keep secret. For example, an undocumented MSR inside the AMD K8 CPU was discovered by researchers to enable a privileged debugging mode. MSRs also play an important part in security. Intel and AMD both used MSR options to patch the Spectre vulnerabilities in their CPUs that predated hardware mitigation.
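As an added illustration (not code from this article or from the leaked source), the C program below reads one documented, security-relevant MSR, IA32_SPEC_CTRL at address 0x48, on Linux and decodes its Spectre mitigation bits. It assumes an x86 Linux host with the `msr` kernel module loaded and root privileges; the function names are chosen for this example.

```c
#define _XOPEN_SOURCE 700            /* exposes pread() */
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define IA32_SPEC_CTRL  0x48u        /* documented MSR address */
#define SPEC_CTRL_IBRS  (1ull << 0)  /* Indirect Branch Restricted Speculation */
#define SPEC_CTRL_STIBP (1ull << 1)  /* Single Thread Indirect Branch Predictors */
#define SPEC_CTRL_SSBD  (1ull << 2)  /* Speculative Store Bypass Disable */

/* Read one MSR through the Linux msr driver: the file offset is the MSR
 * address and a read returns 8 bytes. Returns 0 on success, -1 on failure. */
int read_msr(int cpu, uint32_t msr, uint64_t *out)
{
    char path[64];
    snprintf(path, sizeof path, "/dev/cpu/%d/msr", cpu);
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;               /* no msr module, no such CPU, or not root */
    ssize_t n = pread(fd, out, sizeof *out, (off_t)msr);
    close(fd);
    return n == (ssize_t)sizeof *out ? 0 : -1;  /* short read or fault */
}

/* Format the three mitigation bits of an IA32_SPEC_CTRL value into buf. */
const char *decode_spec_ctrl(uint64_t v, char *buf, size_t len)
{
    snprintf(buf, len, "IBRS=%d STIBP=%d SSBD=%d", !!(v & SPEC_CTRL_IBRS),
             !!(v & SPEC_CTRL_STIBP), !!(v & SPEC_CTRL_SSBD));
    return buf;
}

int main(void)
{
    char buf[64];
    uint64_t v;
    long ncpu = sysconf(_SC_NPROCESSORS_ONLN);
    for (int cpu = 0; cpu < ncpu; cpu++) {
        if (read_msr(cpu, IA32_SPEC_CTRL, &v) != 0) {
            fprintf(stderr, "cpu%d: cannot read MSR 0x%x\n", cpu, IA32_SPEC_CTRL);
            return 1;
        }
        printf("cpu%d: 0x%llx %s\n", cpu, (unsigned long long)v,
               decode_spec_ctrl(v, buf, sizeof buf));
    }
    return 0;
}
```

The read executes in kernel context on the target CPU, so the bits reflect the kernel-mode setting at that moment.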
Security researchers have shown that it’s possible to create new attack vectors in modern CPUs by manipulating undocumented MSRs. The scenario in which that would be possible is very complex and not necessarily what is unfolding right now, but it remains a possibility. It’s up to Intel to clarify the situation and the risks posed to their customers.