Re: https://firmwaresecurity.com/2017/10/27/google-wants-servers-without-intel-me-and-uefi/
Video of presentation is available:
https://twitter.com/qrs/status/924704712896712704
Intel has submitted a V3 patch to the tianocore EDK2 project, with additional DMA protection for UEFI on Intel systems.
[PATCH V3 0/2] IntelSiliconPkg: Add Pre-Memory DMA protection in PEI
V3:
1) update the function comments of InitDmar()
2) update the function comments of SiliconInitializedPpiNotifyCallback()
3) remove duplicated BAR debug message.
4) fix the size field in the mPlatformVTdNoIgdSample structure.
V2:
Minor enhancement: Replace IsDmaProtectionEnabled() by GetDmaProtectionEnabledEngineMask(), for better code management.
V1:
This patch series adds Pre-Memory DMA protection in PEI. The purpose is to make sure that when the system memory is initialized, the DMA protection takes effect immediately. The IntelVTdPmrPei driver is updated to remove the global variable and add VTD_INFO_PPI notification. The VTdInfoSample driver is updated to install the initial VTD_INFO_PPI before memory init, and add more content after memory init by reinstalling VTD_INFO_PPI. This patch is validated on one Intel Client kabylake platform.
For more info, see full patch:
https://lists.01.org/mailman/listinfo/edk2-devel
https://www.rsa.com/en-us/blog/2017-10/roca-blaming-infineon-is-the-easy-way-out
https://www.ncsc.gov.uk/guidance/roca-infineon-tpm-and-secure-element-rsa-vulnerability-guidance
https://lwn.net/Articles/736736/
https://lkml.org/lkml/2017/10/25/382
https://blog.rapid7.com/2017/10/25/roca-vulnerable-rsa-key-generation/
https://en.wikipedia.org/wiki/ROCA_vulnerability
http://www.cvedetails.com/cve/CVE-2017-15361/
http://www.securityfocus.com/bid/101484
https://www.cvedetails.com/bugtraq-bid/101484/Infineon-RSA-Library-CVE-2017-15361-Cryptographic-Security-B.html
Golem has a story about the recent Google presentation at OSSEU2017:
From Google Translation of German text:
Google wants servers without Intel ME and UEFI
by Sebastian Grüner
According to the motto “Are you afraid?” a team of Google’s coreboot developers is working with colleagues to make Intel’s ME and the proprietary UEFI harmless in servers. And probably with success.[…]
Slides (PDF): Replace UEFI with Linux.pdf

Maybe I missed it, but I didn’t see the video of this presentation archived.
AMI has a new blog post with a nice collection of firmware splash screens seen in the wild.
https://ami.com/en/tech-blog/aptio-and-amibios-in-interesting-places/

See-also: https://twitter.com/samkottler/status/757571758606147584
Set of scripts I wrote to simplify UEFI Secure Boot Machine Owner Key generation, and signing of Nvidia, VMware, and VirtualBox kernel modules. These MOKs can be used to sign other kernel modules as well.
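As an added example (not the author's scripts, which are not reproduced here), a POSIX shell sketch of the same MOK workflow: generate a code-signing-only key pair, sign a module, check the signature trailer, and queue the public key for enrollment. It assumes openssl, mokutil and the kernel's scripts/sign-file helper at a Debian-style header path; the key directory and certificate subject are placeholders.

```shell
set -eu
# Added example, not the author's scripts. Assumes openssl, mokutil and the
# kernel's scripts/sign-file (Debian-style header path) are installed; the key
# directory and subject name are placeholders.
# Minimal OpenSSL config: self-signed, non-CA, code-signing only, so an
# enrolled MOK cannot be used to issue further certificates the kernel trusts.
mok_openssl_config() {
    cat <<'EOF'
[ req ]
distinguished_name = req_dn
x509_extensions = v3_mok
prompt = no
[ req_dn ]
CN = Example Machine Owner Key
[ v3_mok ]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = codeSigning
subjectKeyIdentifier = hash
EOF
}

# Create MOK.priv (PEM) and MOK.der (DER) under $1. The private key signs
# everything the firmware will later trust, so it is written with umask 077.
mok_generate() {
    mkdir -p "$1"
    (umask 077
     mok_openssl_config > "$1/mok.cnf"
     openssl req -new -x509 -newkey rsa:2048 -nodes -days 3650 \
         -config "$1/mok.cnf" -keyout "$1/MOK.priv" \
         -outform DER -out "$1/MOK.der" 2>/dev/null)
}

# Sign one module in place (works for nvidia, vmmon/vmnet, vboxdrv alike).
mok_sign_module() {
    "/usr/src/linux-headers-$(uname -r)/scripts/sign-file" \
        sha256 "$1/MOK.priv" "$1/MOK.der" "$2"
}

# A signed module ends with the 28-byte kernel magic trailer; check for it
# before rebooting instead of discovering a "Required key not available".
mok_check_signed() {
    tail -c 28 "$1" | grep -q '~Module signature appended~'
}

# Queue the public half for enrollment; MokManager asks for the one-time
# password on the next boot before adding the key to the MOK list.
mok_enroll() {
    mokutil --import "$1/MOK.der"
}
```

Once enrolled, the same MOK.priv/MOK.der pair signs any later out-of-tree module, so the private key needs the same protection as any other trust anchor on the machine.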
Jarvis Wenger has an interesting article in Electronic Design, listing misconceptions about hw/fw security, list below, read the article for all the details!
11 Myths About Platform Security: Greater system complexity means more areas are vulnerable to security breaches. This article examines the role hardware and software play in ensuring a secure computing platform.
1. When buying a product, such as a hypervisor, the software takes care of all additional security concerns in virtualization.
2. Security is only a concern for the OS/hypervisor/application.
3. I have taken care of my hypervisor, OS, application, and boot process, so my system is as secure as it can be.
4. A secure system is also a safe system.
5. My system isn’t connected to the outside world, so it’s secure.
6. My computer is isolated from the outside world, so I don’t need to run updates for the OS/Hypervisor/Application.
7. Only my most trusted employees have physical access, which means my system is secure.
8. My system is relatively secure and physically inaccessible, so it should be safe.
9. I’m using the latest up-to-date containers, therefore my application is safe.
10. The data on my device is encrypted, making it inaccessible.
11. Security is only a concern externally to a device.
http://www.electronicdesign.com/embedded-revolution/11-myths-about-platform-security
I noticed this on an AV vendor’s site, about some Linux-centric (?) ACPI malware. Wish there was more info on it. If you have more details, please leave a Comment on this blog, thanks!
Linux/Acpi.A!tr
ID 7546097
Released Oct 26, 2017
Linux/Acpi.A!tr is classified as a trojan.
A trojan is a type of malware that performs activities without the user’s knowledge. These activities commonly include establishing remote access connections, capturing keyboard input, collecting system information, downloading/uploading files, dropping other malware into the infected system, performing denial-of-service (DoS) attacks, and running/terminating processes. The Fortinet Antivirus Analyst Team is constantly updating our descriptions. Please check the FortiGuard Encyclopedia regularly for updates.
v1.32.0 includes:
Added support for CSME 11.8, 11.11 & 11.21 firmware
Added support for CSME 12 SPI FD Region structures
Added CSE Extension 22 for proper CSME 12 parsing
Added CSE Extension 14 Mod for proper DNX parsing
Added CSE Extension 5 Mod for proper Process parsing
Added CSE Extension data overflow error detection
Added CSE Extension data division error detection
Added CSE Extension data total size error detection
Improved CSE Extensions 1, 13 with CSME 12 support
Improved CSE Extension structure Revision detection
Fixed CSE unpacking crash at Key modules/regions
Fixed issues at unknown CSE Extension detection
Fixed wrong CSME 11 FIT PCH-H Z370 SKU detection
https://github.com/platomav/MEAnalyzer
Reptile is an LKM rootkit for evil purposes. If you are searching stuff only for study purposes, see the demonstration codes. Features:
Give root to unprivileged users
Hide files and directories
Hide files contents
Hide processes
Hide itself
Boot persistence
Heaven’s door – An ICMP/UDP port-knocking backdoor
Client to knock on heaven’s door 😀
http://www.kitploit.com/2017/10/reptile-lkm-linux-rootkit.html
https://github.com/f0rb1dd3n/Reptile
gdb-symbolic – symbolic execution extension for gdb
Commands:
* symbolize argv: Make symbolic
* memory [address] [size]
* target address: Set target address
* triton: Run symbolic execution
* answer: Print symbolic variables
* debug symbolic gdb: Show debug message
https://github.com/SQLab/symgdb
https://bananaappletw.github.io/2016/02/23/symbolic-exection-introduction.html
New or Updated Functionality:
* Updated support for 7th/8th generation Intel processors
* Added ability to undefine a configuration entry
* Added HAL and utilcmd for TPM Event Log
* Added utilcmd for TPM commands
* Added support for Apollo Lake
* added utilcmd to inspect PCI command/control registers
https://github.com/chipsec/chipsec/commits/master
https://github.com/chipsec/chipsec/releases/tag/v1.3.4
ESET’s internet security just keeps getting better thanks to new IoT protection and UEFI Scanner
October 24, 2017
ESET, a global leader in cybersecurity celebrating 30 years of continuous IT innovation, today launched its latest consumer security product portfolio for Windows. The enhanced solutions are designed to protect people from an expanding array of cyberthreats, data theft, malware and viruses. The features released today enhance the security capabilities of ESET NOD32 Antivirus, ESET Internet Security and ESET Smart Security Premium. The Unified Extensible Firmware Interface (UEFI) Scanner, included in all three products, adds elevated levels of malware protection by detecting and removing threats that potentially launch before the operating system boots up. Threats, including rootkits and ransomware, target vulnerabilities in the UEFI and are highly persistent, even surviving after an operating system is reinstalled. ESET’s UEFI Scanner prevents these types of attacks.[…]
24 October, 2017
UEFI BIOS holes. So Much Magic. Don’t Come Inside.
In recent years, embedded software security has become a red-hot topic, attracting the attention of high profile security researchers from all around the globe. However, the quality of code is still far from perfect as far as its security is concerned. For instance, the CVE-2017-5721 SMM Privilege Elevation vulnerability in the firmware could affect a range of vendors such as Acer, ASRock, ASUS, Dell, HP, GIGABYTE, Lenovo, MSI, Intel, and Fujitsu. This white paper is intended to describe how to detect a vulnerability in a motherboard firmware with the help of the following tools: Intel DAL, UEFITool, CHIPSEC, RWEverything, and how to bypass the patch that fixes this vulnerability.[…]
https://embedi.com/blog/uefi-bios-holes-so-much-magic-dont-come-inside
Arm is pleased to announce the launch of the Arm Innovator Program in collaboration with Hackster.io, the leading community dedicated to learning hardware. The Arm Innovator Program is a new initiative to help support the global ecosystem of Arm developers, highlight the impressive work happening around the world based on Arm technology and share key domain knowledge from top technical experts building solutions on Arm with a wider audience. Without further ado, we’re excited to announce the first group of Arm Innovators below; you’ll learn more about them later in the blog:
John Teel, President of Predictable Designs
Laura Kassovic, President and Co-founder of MbientLab
Forrest Iandola, CEO and Founder of DeepScale
Amit Moran, VP of Innovation at temi – the personal robot
Laurent Itti, Computational Neuroscientist, creator of the JeVois
Orlando Hoilett, PhD student and founder of Calvary Engineering
Renee Love, Open-source roboticist
Azeria – Independent Security Researcher, Founder of Azeria Labs
Andrew Dresner, Open-source roboticist
Honggang Li, Co-founder of Maker Collider
https://community.arm.com/company/b/blog/posts/introducing-the-arm-innovator-program-in-collaboration-with-hackster-io
https://www.arm.com/innovation/meet-innovators
MSI-GT7x-VGA-SWITCH: Selects VGA from LINUX or EFI!
These programs or batch scripts will let you switch the VGA from INTEL to NVIDIA (or the opposite). This is possible at the moment only from Windows (bad choice MSI!). Now it will also be possible from Linux or directly from an EFI SHELL! Intel.nsh and nvidia.nsh are two EFI Shell scripts that can be run directly from EFI shell. Just “make intel” and “make nvidia” to compile the 2 C sources. A reboot is needed afterwards because the VGA is switched by BIOS at boot time.[…]
https://github.com/rcpao-enmotus/ShellQ
“ShellQ – UDK2017 UEFI Shell with a more quiet transition to startup.nsh”
I wish this was a feature in the main shell, not a new wrapper to the shell.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.