Run CHIPSEC immediately upon receipt of any new hardware. If it fails, the unit is defective, return it to the vendor for a refund, or an improved model. Individual citizens may not be able to do this (but they should try!), but large enterprises can do this. If the unit fails, post the CHIPSEC logs and OEM model specifics online, for other consumers to find. If you don’t have a blog, send the report here and I’ll port them here. See top right of blog for email address, or click on some of the top center graphics, for email address.
Please help consumers of Intel-based computers by posting the results of the Intel CHIPSEC tool (chipsec_main.py’s output). Or work with LegbaCore and/or MITRE to get the data from their Copernicus tool, and post those similar results. Without the results of Intel CHIPSEC or LegbaCore/MITRE Copernicus, consumers have no idea if the OEMs built a system with insecure firmware or not. CHIPSEC tests for all known public vulnerabilities. Right now, your reviews are WORTHLESS for firmware security. Spending 5min to boot LUV-live, run CHIPSEC, and include the final result summary of the output would be an EXPONENTIAL improvement to the content you provide. PLEASE help consumers. Only by shaming OEMs when they ship known-bad products will we get the OEMs’ QA teams to also start running CHIPSEC, and then we’re helping ALL consumers, not just the ones that know about CHIPSEC or that read your reviews. A while ago, LegbaCore hinted that they’d start releasing information about some OEM systems, this’ll trump any hardware reviews as the primary source for pre-sales hardware information. You can make your content useful by adding firmware tests today.
You can test systems easily using Intel’s LUV-live boot image, which contains CHIPSEC. LUV-live is based on LUVos, Linux UEFI Validation, a diagnostic-centric distribution. LUV-live also includes FWTS (FirmWare TestSuite, and if you run that and find any failures, that’ll also help give potential consumers proper security information. CHIPSEC tests both BIOS- and UEFI-based systems. Right now, CHIPSEC only works on Intel x86 and 64 systems. But Linaro is looking at porting it to ARM (AArch64), and AMD is now aware of this tool, hopefully we’ll soon see new CHIPSEC ports that’ll enable even more comprehensive reviews. Watch for new CHIPSEC releases, new releases usually include new security test modules, which you need to re-run against all modern hardware. If you have user questions with CHIPSEC, use the newly-created mailing lists.
Better still, someone create a site where consumers can upload CHIPSEC results, and the site will be the aggregate of all results. That’d be a great new database of invaluable pre-sales information that’d help bring eyeballs to your review site! 🙂
OEMs: Please post CHIPSEC log results in your pre-sales techincal information. Include specific information about what kind of firmware your systems have, if coreboot what payload, if UEFI what UEFI version, if outsourced what IBV, and what features (eg, Absolute’s ComputeTrace, etc.) are included in your firmware. And, like Phoenix said at the last UEFI Forum plugfest, make sure your QA teams are running the latest CHIPSEC before they ship units. Right now, HP appears to be the best OEM when it comes to documenting the pre-OS software they install, at least for enterprise-class systems. I wish other OEMs could match or beat HP’s level of firmware documentation.
Please help forward this to any hardware reviewers — and large-quantity hardware purchasers — that you know of. I don’t have any contacts at any of them, and I doubt they are reading this blog, so your forwarding this information to the right person is probably the only way they’ll get a clue. Please help!!