CHIPSEC already has a Blacklist command. Now there is a UEFI whitelist command.
I've added blacklisting module in chipsec long before, whitelisting module was logical next step in the works, so not just now
— Yuriy Bulygin (@c7zero) March 12, 2017
Added module to generate a white-list of firmware execs and check it against BIOS image to @chipsec run: chipsec_main -m tools.uefi.whitelist
— Alex Bazhaniuk (@ABazhaniuk) March 9, 2017
DerStarke/Darkmatter EFI firmware implant injects/patches PEI/DXE binaries in the firmware. With tools.uefi.whitelist you can find the mods
— Yuriy Bulygin (@c7zero) March 9, 2017
This is what it would look like on the original "clean" firmware image without rootkit's mods. 276 executables instead of 279 pic.twitter.com/DWDFV7bPEM
— Yuriy Bulygin (@c7zero) March 9, 2017
Run chipsec_main -m tools.uefi.whitelist on a clean system. It extracts firmware from flash & creates baseline list of EFI executables in it
— CHIPSEC (@CHIPSEC) March 9, 2017
The example below is detecting modifications to UEFI firmware done by HackingTeam's UEFI rootkit. original.json was generated from clean image pic.twitter.com/mBJXYanvLN
— Yuriy Bulygin (@c7zero) March 9, 2017
New module added to generate & check the "whitelist" of EFI executables: chipsec_main -m tools.uefi.whitelist https://t.co/OBagBMtyL4
— CHIPSEC (@CHIPSEC) March 9, 2017
