What’s the next built-in ACPI attack?

[UPDATE: just confirmed that ACPI.info’s links page had the WPBT link since 2011. After posting below article, I wondered if the ACPI.info webmaster updated their links page in the last few days…)

While the media is currently blaming Lenovo for sloppy Windows QA, they’re also waking up to the reality that Windows has been using for the last few years. Initial Ars Technica and YCombinator posts on the topic quoted the abstract to the spec on a web page that was no longer available, so it sounds conspiratorial.  But the doc has been online since 2011. Besides microsoft.com-based links, the ACPI.info web site maintains a good set of links, including a pointer to the WPBT spec, and other ACPI-related table specs.


The ACPI specs — at least some of them? — are maintained by the UEFI Forum. The UEFI Forum’s web site does NOT have a link to the WPBT spec.


I’ll bet there’re a few other existing ‘unknown’ ACPI features hidden on the ACPI.info links page that’ll be ‘discovered’ in the next few months, due to another sloppy OEM or sharp security researcher… From above links URL, here’ s a partial list (I omitted multiple entries which’re specs for other hardware, and some of those might also include ACPI tables) of ACPI tables to attack:

Core System Resources Table, CSRT
Debug Port Table, DBGP
Debug Port Table 2, DBG2
DMA Remapping Table, DMAR
IA-PC High Precision Event Timer Table, HPET
I/O Virtualization Reporting Structure, IVRS
iSCSI Boot Firmware Table, IBFT
Management Controller Host Interface Table, MCHI
Microsoft Software Licensing Tables, MSDM, SLIC
Multiprocessor Startup for ARM Platforms
Serial Port Console Redirection Table, SPCR
Server Platform Management Interface Table, SPMI
Simple Boot Flag Table, BOOT
Smart Battery System Components and SMBus Spec
Trusted Platform Module 2 Table, TPM2
Trusted Computing Platform Alliance Capabilities Table, TCPA
Watchdog Action Table, WDAT
Watchdog Timer Resource Table, WDRT
Windows ACPI Emulated Devices Table, WAET
Windows Platform Binary Table, WPBT

Quoting Wikipedia on ACPI security risks:

“Ubuntu Linux founder Mark Shuttleworth has likened ACPI to Trojan horses. He has described proprietary firmware (ACPI-related or any other firmware) as a security risk, saying that “firmware on your device is the NSA’s best friend” and calling firmware (ACPI or non-ACPI) “a Trojan horse of monumental proportions”. He has pointed out that low quality, closed source firmware is a major threat to system security: “Your biggest mistake is to assume that the NSA is the only institution abusing this position of trust — in fact, it’s reasonable to assume that all firmware is a cesspool of insecurity, courtesy of incompetence of the highest degree from manufacturers, and competence of the highest degree from a very wide range of such agencies”. As a solution to this problem, he has called for declarative firmware (ACPI or non-ACPI). Firmware should be open-source so that the code can be checked and verified. Firmware should be declarative, meaning that it should describe “hardware linkage and dependencies” and should not include executable code.”

Vendors need to be disclosing a LOT MORE information about what they’ve included in their firmware, now that people are aware of this, thanks to Lenovo. It is easy to fix OEM’s mistakes at OS level, by reinstalling an open source OS, or installing vanilla Windows and then getting the drivers from the OEM/IHVs. But you can’t update your system’s firmware, and ACPI is the new dumping ground for OEM bloat. Well, not new, just newly-realized by some of us. I want a system with absolute minimail ACPI table bloat, and I want to KNOW what tables are shipped on the firmware. Linux OEMs: don’t ship COTS firmware that has Windows-centric ACPI blobs in them. If you look on #UEFI on G+ and Twitter, you’ll find more and more people demanding Open Hardware and fully-open source firmware, which is refreshing. 🙂

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s