ChromeOS Verified Boot: DM Verity moving from SHA1 to SHA256

Chrome OS’s Verified Boot is being updated from SHA1 to SHA256.
(Hopefully Android’s Verified Boot is also being updated…)

Chromium Blog Chromium Blog: DM Verity Algorithm Change
One of the foundational security features of Chromebooks is Verified Boot, which protects our users from potentially malicious software being run on their devices. The last chain of verification in this process is to validate the integrity of the root file system (rootfs). This blog post describes a recent enhancement to this rootfs validation to increase the cryptographic strength against attackers. […]

https://blog.chromium.org/2019/10/dm-verity-algorithm-change.html

OpenPOWER boot security

I just noticed a two-part blog series from 3 authors on OpenPOWER security and Trusted Boot. Including a bit of comparision of Trusted Boot -vs- Secure Boot.

OpenPOWER secure and trusted boot,
Part 1: Using trusted boot on IBM OpenPOWER servers
By Dave Heller, Tim Block
Updated April 26, 2019 | Published February 17, 2017

https://developer.ibm.com/technologies/linux/articles/trusted-boot-openpower

OpenPower secure and trusted boot,
Part 2: Protecting system firmware with OpenPOWER secure boot
By Dave Heller, Nageswara Sastry
Updated April 29, 2019 | Published February 23, 2019

https://developer.ibm.com/technologies/linux/articles/protect-system-firmware-openpower

Amlogic HDMI Boot Dongle: “Boot from HDMI”?

https://github.com/superna9999/linux/wiki/Amlogic-HDMI-Boot-Dongle

System76 supporting coreboot

System76, one of the few Linux OEMs, is now offering coreboot as a firmware option:

I’m hoping System76 replies to this question:

Jessie Frazelle: Open Source Firmware

Jessie Frazelle has an article on Open Source Firmware in the Commucations of the ACM magazine:

https://cacm.acm.org/magazines/2019/10/239673-open-source-firmware/fulltext

macOS Catalina’sMac Firmware Password

Nikolaj mentions that the latest macOS firmwarepasswd command has a new feature:

And Xeno replied later in that Twitter thread about enterprise ability to block the use of this feature:

See-also:

https://support.apple.com/en-us/HT204455

3 new security advisories from Intel

Three new security advisories from Intel today:

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00261.html
INTEL-SA-00261: Intel® Active System Console Advisory

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00286.html
INTEL-SA-00286: Intel® Smart Connect Technology for Intel® NUC Advisory

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00296.html
INTEL-SA-00296: Intel® NUC Advisor

amdfw: golang library to parse AMD Firmware Structures (and: amddump tool)

amdfw: Golang library for reading and writing AMD firmware components

Credit goes to @cwerling for his psptool

amddump: is a small tool, that dumps all informations known to this library on a specfic image.

https://github.com/Mimoja/amdfw

Insecure Until Proven Updated: Analyzing AMD SEV’s Remote Attestation protocol: source code available

Re: https://firmwaresecurity.com/2019/10/01/insecure-until-proven-updated-analyzing-amd-sevs-remote-attestation/

there’s now some code to go along with the above document:

https://github.com/RobertBuhren/Insecure-Until-Proven-Updated-Analyzing-AMD-SEV-s-Remote-Attestation

BSides PDX 2019

BSidesPDX is in Portland later this month, and the schedule has been announced. A very quick look shows a few interesting HW/FW-centric workshops and talks, such as the ones below (and I may’ve missed some, look at the full schedule). Tickets are still available.

Reversing Corruption in Seagate HDD Translators, the Naked Trill Data Recovery Project
Allison Marie Naaktgeboren & MrDe4d

Translation tables are a dynamic component of HDD firmware that translate logical addresses to physical locations on the disk. Corrupted translators can be the cause of drive failures in drives that appear undamaged and are without physical trauma. That failure can be reversed in many cases. We will present ways to identify if a drive’s translator has been corrupted for the Moose & Pharaoh drive families specifically, how to force a translator rebuild, and open source tool(s) to help you repair the translator. Data recovery is a notoriously secretive field. Very little information about firmware and its internal data structures is public. By sharing what we’ve learned we hope to open this field up to more people, encourage repair, encourage re-use rather than disposal of hard drives, and encourage further publicly shared research. After the talk, attendees should be able to fix this type of error themselves in HDDs of the appropriate families using a TTL converter and the supplied code. Familiarity with the basic components of hard drive firmware is helpful, but not required.

How Not to be Seen: Creating Non-Speculative Side-Channel Resistant Code
Matt Wood

Software side-channels have been a hot topic recently, and with good reason. Many of the techniques are used to liberate secret information from other processes or trusted execution environments (TEEs) such as Intel’s SGX, ARM’s TrustZone, and the like. Some of the techniques making headlines are related to speculative execution properties of modern processors, but there is an entire class of non-speculative techniques also receiving a lot of attention in recent research. Luckily there are a few techniques available for implementing algorithms that use secrets—like cryptography—so they present as few opportunities for leaking information as possible. In this talk you will learn the anatomy of a few classic non-speculative side-channels on mathematical algorithms used in just about every system in modern computing, followed by industry best practices for mitigating them, and finally what you can do to help minimize the risks for your applications.

Hacking USB on the Cheap with USB-Tools
Kate Temkin & Mikaela Szekely

Until recently, fully exploring the world of USB has been challenging – as tools for working with USB have historically been expensive and difficult to obtain, and knowledge regarding USB has been cloistered away in lengthy and somewhat-obtuse specifications – but recent developments in USB tooling have made working with USB significantly more accessible. This workshop provides an overview of USB security and USB-hacking techniques using inexpensive open-source software and hardware tools – including several tools developed by the presenters in order to make USB hacking more accessible. The workshop includes a variety of demonstrations, and is accompanied by a set of short exercises that allow attendees to get some USB-hacking experience.This workshop is best experienced when attendees bring a laptop with a working Python3 installation to follow along with.

Writing CHIPSEC Modules & Tools
Brent Holtsclaw; Erik Bjorge; Nick Armour; Stephano Cetola

CHIPSEC is a security research and validation tool implemented in Python that allows for low-level access to hardware. The powerful scripting capabilities can be used for tasks including verification of security mitigations and security research. This hands-on workshop will provide an overview of the existing tool architecture and how to write modules and tools. CHIPSEC modules focus on verification of firmware mitigations. CHIPSEC tools are designed to stress the system and perform tasks such as fuzzing interfaces.

ABC to XYZ of Writing System Management Mode (SMM) Drivers
Brian Delgado & Tejaswini Vibhute

System Management Mode (SMM) has gotten a lot of attention for being the most privileged processor mode, which raises concerns over how software and firmware manage hardware. This session demystifies designing and writing System Management Interrupt (SMI) handlers, and covers challenges that developers face in the process. Content covers different types of SMI handlers and various methods of invoking them. The session also describes common vulnerabilities that can result from incorrect coding practices or oversights. Debugging is critical to developing quality SMM drivers, so this session also demonstrates debugging using virtual environments (OVMF) and physical platforms.

https://bsidespdx.org/events/2019/schedule.html

Security Boulevard: 32 hardware and firmware vulnerabilities

by Dan Virgillito on October 1, 2019

Hardware and firmware vulnerabilities can put your business and your customers’ sensitive data at risk, costing you in diminished sales, reputation loss and penalties. Most of them arise from continued use of legacy systems and out-of-date software that are no longer maintained by their respective vendors. The fact that the majority of these loopholes don’t necessarily raise a red flag may allow hackers to steal information, inject malware or completely hijack your applications or corporate systems. Below, we give a breakdown of the 32 most commonly exploited hardware and firmware vulnerabilities. If any of these relate to systems or devices that are under your jurisdiction, it’s extremely important that you take steps to plug these holes before disaster strikes.[…]

Linux Kernel Lockdown Patches added to Linux 5.4

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=aefcf2f4b58155d27340ba5f9ddbe9513da8286d

https://lore.kernel.org/lkml/CAHk-=wg=7y82dJYeLzQeup70CHBT7MpCC155d85cPFctNsxUYA@mail.gmail.com/T/#u

I’m not sure of the list of all who have contributed to this patchset; thanks to all of you!! Now let’s see how downstream distros will use it…

Insecure Until Proven Updated: Analyzing AMD SEV’s Remote Attestation

[…]This paper analyzes the firmware components that implement the SEV remote attestation protocol on the current AMD Epyc Naples CPU series. We demonstrate that it is possible to extract critical CPU-specific keys that are fundamental for the security of the remote attestation protocol. Building on the extracted keys, we propose attacks that allow a malicious cloud provider a complete circumvention of the SEV protection mechanisms. Although the underlying firmware issues were already fixed by AMD, we show that the current series of AMD Epyc CPUs, i.e., the Naples series, does not prevent the installation of previous firmware versions. We show that the severity of our proposed attacks is very high as no purely software-based mitigations are possible. This effectively renders the SEV technology on current AMD Epyc CPUs useless when confronted with an untrusted cloud provider. To overcome these issues, we also propose robust changes to the SEV design that allow future generations of the SEV technology to mitigate the proposed attacks.

https://arxiv.org/pdf/1908.11680.pdf

https://www.dcl.hpi.uni-potsdam.de/meetings/ss19/Christian%20Werling%20-%20Security%20Analysis%20of%20the%20AMD%20Secure%20Processor.pdf