Blog 8 in series: Digital Certificates – Models for Trust and Targets for Misuse

Issue #2: Validation of signed UEFI drivers and applications

https://blog.reversinglabs.com/blog/rocking-the-foundations-of-a-trust-based-digital-code-signing-system

https://blog.reversinglabs.com/blog/breaking-uefi-firmware-authenticode-security-model

System76, one of the few Linux-centric OEMs, has started to offer coreboot on some of their systems.

Apparently, the new System76 firmware includes a new ACPI table, though I can’t seem to find that table documented on the ACPI spec list (which appears to have been last updated Summer of 2019).

Add System76 ACPI driver, which adds support for Fn-Fx key combinations, keyboard backlight, and airplane mode LEDs on System76 laptops running open source firmware.

https://github.com/pop-os/system76-acpi-dkms

https://patchwork.kernel.org/patch/11180033/

http://git.infradead.org/linux-platform-drivers-x86.git/commitdiff/fd13c8622a5ad4f7317b64de4f6aa2de1962220e

https://lkml.org/lkml/2019/10/8/851

https://www.phoronix.com/scan.php?page=news_item&px=System76-ACPI-Driver-Linux-5.5

https://uefi.org/acpi_id_list

We started new OSHW IP Camera design and put our preliminary sources on GitHub because we want to hear from you! Did we forgot something? Can we do something better? It's always good more eyes to see 🙂 https://t.co/UvkH1FIfSB pic.twitter.com/sZeULCBXT5

— OLIMEX Ltd (@Olimex) October 25, 2019

https://github.com/OLIMEX/S3-OLinuXino

New IP Camera OSHW board in design RFC

The DMTF has created a new Redfish Ansibile project:

https://github.com/DMTF/Redfish-Ansible-Playbooks

I think this is the first time I’ve seen Rust code interacting with SMM:

https://github.com/system76/firmware-smmstore

Here’s some new text from the Intel Firmware Engine download page:

Intel® Firmware Engine Versions 5.00- 4.00 and corresponding Platform Installer Packages, which include Leaf Hill version 1.0 -1.1, MinnowBoard Turbot B21 Version 1.0 and Intel® Firmware Engine SDK Release 4.0, will no longer be available after August 31, 2019 and will not be supported with any additional functional, security, or other updates. All versions are provided as is. Intel recommends that users of Intel® Firmware Engine uninstall and discontinue use as soon as possible.

https://firmware.intel.com/learn/intel-firmware-engine/downloads

The #UEFIforum's next webinar premiers tomorrow, Oct. 23 from 9:00 – 10:00am PT. Join our experts from @AMI_PR, @insydesw, @PhoenixTechNews and @intel to learn how to create a Secure Development Lifecycle for #Firmware. Register today to watch live: https://t.co/NjEg1Sdigr pic.twitter.com/YzFLN3bqH0

— UEFI Forum (@UEFIForum) October 22, 2019

The slides and the video of this webinar are now available on-demand:

Click to access UEFI%20SDL%20Webinar_Final%20Slides%20-%20PDF.pdf

Apple users: be careful when doing Catalina updates, backup your data first: Ben of 9to5mac has reported some problems of Apple EFI firmware bricking some Apple systems running the latest macOS software:

Limited reports of Catalina installation bricking some Macs via EFI firmware

Added script to check basic security configuration of Android system appshttps://t.co/QC8I0l2aA0

— Nikolay Elenkov (@kapitanpetko) October 25, 2019

Major checks:
build type (userdebug, user, eng)
signing keys
SELinux availability and mode
debugging-related properties
Bluetooth configuration
USB/ADB configuration
3G/telephony availability
enabled network interfaces
listening TCP services
ADB authentication
SUID binaries
AIDL services
disk encryption (FDE/FBE) availability
dm-verity availability and mode

https://github.com/nelenkov/android-device-check

Analysis of Qualcomm Secure Boot Chains

[BLOG] Analysis of Qualcomm Secure Boot Chains https://t.co/ESuDN0GFiV Nice work by Elouan during his internship: congrats 🙂

— quarkslab (@quarkslab) October 24, 2019

https://blog.quarkslab.com/analysis-of-qualcomm-secure-boot-chains.html

From March to September 2019, I had the pleasure to do a six-month internship at Quarkslab to study the boot chains produced by Qualcomm […]

Just tagged the 1.1.0 release for FwAnalyzer https://t.co/BneRt83rGj (bug fixes and tiny new features) #security #firmware

— Collin Mulliner (@collinrm) October 15, 2019

https://www.fwanalyzer.io/

https://github.com/cruise-automation/fwanalyzer

📣ARM-X Firmware Emulation Framework launched 🚀 https://t.co/aruoBQKT1r

📣New ARM IoT Firmware Laboratory training featuring ARM-X at @44CON https://t.co/7hvsqCBgE9 and @offensive_con https://t.co/C9av4dTglC

📣Preview VM has an emulated IP Camera full of vulns!#HappyDiwali🎆 pic.twitter.com/uLDZ7hipfw

— 🐘 @therealsaumil@infosec.exchange (@therealsaumil) October 23, 2019

https://github.com/therealsaumil/armx/

https://armx.exploitlab.net/

Platform Security Summit conference has started uploading videos from their recent event. A few are up now, such as the XBox talk:

https://twitter.com/platformsec/status/1186418296276561925

Very worth a watch https://t.co/GXPhKXw9IK

— Xeno Kovah (@XenoKovah) October 23, 2019

https://www.platformsecuritysummit.com/2019/speaker/chen/

More details on the range of Dell Trusted Devices that meet the Microsoft Secured-core requirements. https://t.co/89COi1jan6 #iwork4dell

— Rick Martinez (@rickmartinez06) October 23, 2019

AMD is proud to partner with @Microsoft in the Secured-core PC initiative to improve security within software and hardware, offering a more comprehensive security solution to all customers. https://t.co/cRr8SpQwnn

— AMD (@AMD) October 22, 2019

https://www.dell.com/en-us/shop/secured-core-pc/cp/secured-core-pc

https://www.microsoft.com/security/blog/2019/10/21/microsoft-and-partners-design-new-device-security-requirements-to-protect-against-targeted-firmware-attacks/

https://community.amd.com/community/amd-business/blog/2019/10/21/amd-and-microsoft-secured-core-pc

Chrome OS’s Verified Boot is being updated from SHA1 to SHA256.
(Hopefully Android’s Verified Boot is also being updated…)

Chromium Blog Chromium Blog: DM Verity Algorithm Change
One of the foundational security features of Chromebooks is Verified Boot, which protects our users from potentially malicious software being run on their devices. The last chain of verification in this process is to validate the integrity of the root file system (rootfs). This blog post describes a recent enhancement to this rootfs validation to increase the cryptographic strength against attackers. […]

https://blog.chromium.org/2019/10/dm-verity-algorithm-change.html

I just noticed a two-part blog series from 3 authors on OpenPOWER security and Trusted Boot. Including a bit of comparision of Trusted Boot -vs- Secure Boot.

OpenPOWER secure and trusted boot,
Part 1: Using trusted boot on IBM OpenPOWER servers
By Dave Heller, Tim Block
Updated April 26, 2019 | Published February 17, 2017
https://developer.ibm.com/technologies/linux/articles/trusted-boot-openpower

OpenPower secure and trusted boot,
Part 2: Protecting system firmware with OpenPOWER secure boot
By Dave Heller, Nageswara Sastry
Updated April 29, 2019 | Published February 23, 2019
https://developer.ibm.com/technologies/linux/articles/protect-system-firmware-openpower

Currently contains 2 UEFI shell applications. Code only, no documentation yet:

1) imgwrite, a C program that writes a rom.bin in some manner.

2) pciextr, a Pascal program that appears to extract PCI expansion ROMs.

https://github.com/phamsodiep/pc_firmware

Boot from floppy, boot from HD,
Boot from network, boot from CD,
Boot from SD, even boot from USB.

Boot from HDMI… wait, come again? https://t.co/sRQSI72KLc
(courtesy of @Superna9999 )

— Kieran Bingham (@kieranbingham) October 5, 2019

It’s not really « boot from HDMI » the bootROM will fetch 8bytes from the HDMI ddc link from a non-standard i2c address and offset to force a specific boot mode (Usb, sdcard, eMMC, nand, SPI) for debug purposes

— Neil Armstrong @superna9999@social.linux.pizza (@Superna9999) October 5, 2019

https://github.com/superna9999/linux/wiki/Amlogic-HDMI-Boot-Dongle

System76, one of the few Linux OEMs, is now offering coreboot as a firmware option:

"Will you be putting Coreboot on your laptops?” We have put Coreboot on our laptops. 😍 Pre-order your Galago Pro or Darter Pro laptop today–now with System76 Open Firmware! Shipping begins the last week of October. https://t.co/27joN7d9Gx pic.twitter.com/d6DWNCCDiQ

— System76 (@system76) October 10, 2019

I’m hoping System76 replies to this question:

Will there be a firmware update for current machines?

— ♡♡ J-Kitty 🇺🇸 ♡♡ (@LadySerenaKitty) October 10, 2019

https://twitter.com/W00Tock/status/1178634868529537026

View at Medium.com