CppCon 2019: Rian Quinn: Using Freestanding C++ for C++17 in Shellcode, UEFI, Embedded & Unikernels

[[ UPDATE: project URL: https://github.com/Bareflank/standalone_cxx ]]

Re: https://firmwaresecurity.com/2019/01/14/bareflanks-hypervisor-lightweight-hypervisor-sdk-written-in-c-with-support-for-windows-linux-and-uefi/

Last year at CppCon there was a UEFI security talk by Dr. Rian Quinn, “[…] a lead developer and co-founder of the Bareflank Hypervisor, and is an active member of several open source projects including OpenXT.[…]”

[…]In this presentation, we will examine how C++ works behind the scenes as well as how to include C++ and the Standard Library in freestanding environments. Such environments include shellcode, UEFI, embedded systems (with no OS available), and unikernels. […]Finally, this presentation will conclude with a demonstration of a UEFI application written in C++ as well as a demonstration of leveraging C++ in shellcode.

https://cppcon2019.sched.com/event/Sfcv/using-freestanding-c-to-add-c17-to-your-shellcode-uefi-embedded-systems-and-unikernels

Maybe I missed it, but I didn’t find the slides for this talk along with the other slides on: https://github.com/CppCon/CppCon2019

See-also:

http://www.open-std.org/jtc1/sc22/wg21/docs/papers/2011/n3256.html

http://www7.open-std.org/JTC1/SC22/WG21/docs/papers/2018/p1105r0.html

https://en.cppreference.com/w/cpp/freestanding

Carbon Black + Dell Trusted Device SafeBIOS verification integration script


Dell BiosVerification.py Live Response API Script: This set of tools uses the VMware Carbon Black Security Cloud Live Response APIs to retrieve artifacts generated by the Dell Trusted Device SafeBIOS verification service. The Dell Trusted Device agent saves BIOS image files to the filesystem when a verification failure event is detected. Incident responders can use this set of scripts to retrieve the BIOS image files for forensic analysis.[…]

https://github.com/carbonblack/cbapi-python/tree/master/examples/defense/cblr/DellBiosVerification

cve-2019-6260: A Test and Debug Tool for ASPEED BMC AHB Interfaces (PantsDown)

Re: https://firmwaresecurity.com/2019/01/31/openbmc-on-pantsdown/ and https://firmwaresecurity.com/2019/01/22/cve-2019-6260-pantsdown-gaining-control-of-bmc-from-the-host-processor/

The PantsDown tool is now available:

https://github.com/amboar/cve-2019-6260

Microsoft adds UEFI scanner to Microsoft Defender

https://www.microsoft.com/security/blog/2020/06/17/uefi-scanner-brings-microsoft-defender-atp-protection-to-a-new-level/

Screenshot of Microsoft Defender ATP alert for detection of malicious code in firmware

Great news for Windows users!
(Great news for Windows-based AMD users, who can’t use CHIPSEC.)
I am guessing this new UEFI feature works on Intel and AMD, but not ARM…

Open Source Community: someone needs to add a CHIPSEC patch to ClamAV. 🙂

utokyo_syspro_baremetal: Baremetal environment for University of Tokyo’s “System Programming Lab” class

Baremetal environment for “System programming lab” class in Dept. of Information Science, The University of Tokyo. […]The bootloader is implemented referencing UEFI Specification Version 2.8 (PDF). To support UEFI boot in qemu emulation, OVMF is automatically installed by make command. The following tools need to be installed by users to build the bootloader, the kernel and the apps.[…]

https://github.com/sykwer/utokyo_syspro_baremetal

ACPI exploit POC for Ubuntu: the Sequel

Re: https://firmwaresecurity.com/2020/06/14/acpi-exploit-poc-for-ubuntu/

There is another exploit from the original researcher.

This sequel is an improvement on American Unsigned Language, in that it works on mainline kernels and does not require any reboots.[…]

https://git.zx2c4.com/american-unsigned-language/tree/american-unsigned-language-2.sh

CVE-2020–14032: AMD MiniPC UEFI SMM attack


PS: It is a shame that AMD has not ported CHIPSEC to their CPU, as CHIPSEC currently does not support AMD and only works on Intel processors. Alternately, AMD could have bypassed contributing to an Intel-led CHIPSEC project and created their own security diagnostic tool. If this were an Intel CVE, I’d expect the Intel CHIPSEC team to add a new security test for this CVE, and would look forward to an upcoming CHIPSEC release to help with detecting this. But given it is AMD, which has zero interest in CHIPSEC, will they release any tool? AMD: you have money now with the Ryzen, spend a bit on security, ok?

CVE-2020-14156: OpenBMC Security Advisory: Network IPMI file permissions world-readable

Network IPMI before 2020-04-03 does not ensure the /etc/ipmi_pass file has strong file permissions. The /etc/ipmi_pass file was created with world-readable permission. Any user with SSH or SCP access to the BMC can read and decode the credentials and escalate to any IPMI user.[…]

https://github.com/openbmc/openbmc/issues/3670

https://lists.ozlabs.org/pipermail/openbmc/2020-June/022020.html

(AFAICT, there is no security page that shows the various CVEs for OpenBMC. Maybe I missed it.)

ACPI exploit POC for Ubuntu

[Update: added Dmytro tweet URL.]

From the OSS-Security mailing list. I wonder what other Linux distros have this issue, besides Ubuntu?

[…]I noticed that Ubuntu 18.04’s 4.15 kernels forgot to protect efivar_ssdt with lockdown, making that a vector for disabling lockdown on an efi secure boot machine. I wrote a little PoC exploit to demonstrate these types of ACPI shenanigans:[…]

This exploit takes advantage of the efivar_ssdt entry point for injecting acpi tables into Ubuntu Bionic 18.04 kernels, where efivar_ssdt is not protected by kernel lockdown. The result is that one can subsequently load unsigned kernel drivers into systems with Secure Boot enabled, without needing to sign the modules.[…]

https://www.openwall.com/lists/oss-security/2020/06/14/1

https://git.zx2c4.com/american-unsigned-language/tree/american-unsigned-language.sh

Another new UEFI Tetris application

Q: What game has been reimplemented on UEFI more than any other?
A: Tetris. There were 3-4 others, now there is one more:

https://github.com/eternalinsomnia/uefi_tetris

See-also:

https://www.basicinputoutput.com/2018/11/the-great-tetris-renaissance-in-bios.html
https://github.com/swmicro/Tetris
https://github.com/manusov/UEFImarkAndTetris64/
https://github.com/a1ive/uefi-tetris
https://twitter.com/NikolajSchlej/status/809498360721920001 (no longer available?)

LVFS 1.2 released

https://twitter.com/hughsient/status/1270389639334055937


LVFS is the firmware update service for Linux.

It is great to see LVFS getting new support from vendors!

New features:
* Add a filter view for user uploaded firmware
* Add a plugin to identify old microcode versions
* Add cached public stats of useful metrics
* Add support for LVFS::UpdateMessage
* Allow clients to upload anonymous HSI attrs
* Allow re-signing binaries
* Create Jcat files in archives and for metadata
* Delete firmware in embargo with newer public versions
* Disable unused user accounts for GDPR compliance
* Export the success confidence to the mdsync vendor
* Include LVFS::UpdateProtocol in the metadata
* Rewrite the AppStream screenshot URL to use the server CDN
* Rewrite the metainfo when signing the firmware
* Save metadata about Intel microcode blobs
* Support Lenovo, Dell and Intel specific security tags
* Use celery to process async operations

https://lvfs.readthedocs.io/en/latest/news.html
https://lists.linuxfoundation.org/pipermail/lvfs-announce/2020-June/000046.html

https://fwupd.org/

Intel releases 5 security advisories

INTEL-SA-00295 is worth reading…

https://blogs.intel.com/technology/2020/06/ipas-security-advisories-for-june-2020/

Whitepapers (PDF):
cve-2019-0090-whitepaper.pdf
the-intel-csme-dam-vulnerability-cve-2018-3659-and-cve-2018-3643-whitepaper.pdf

INTEL-SA-00366
Intel Innovation Engine Advisory
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00366.html

INTEL-SA-00322
2020.1 IPU – BIOS Advisory
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00322.html

INTEL-SA-00320
Special Register Buffer Data Sampling Advisory
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00320.html

INTEL-SA-00295
2020.1 IPU – Intel CSME, SPS, TXE, AMT, ISM and DAL Advisory
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00295.html

INTEL-SA-00266
2020.1 IPU – Intel SSD Advisory
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00266.html

BinBloom: Raw binary firmware analysis software

The purpose of this project is to analyse a raw binary firmware and determine automatically some of its features. This tool is compatible with all architectures as, basically, it just does simple statistics on it.

https://github.com/quarkslab/binbloom

see-also: https://hardwear.io/webinar/Reverse-engineering.php

Intel: A Hardware Foundation for Government Cybersecurity

The Intel web site has what I think is a new web page, maybe it has existed for a while and I just noticed it. It is a one-page high-level summary of all the current security technologies that Intel is emphasizing for government pre-sales marketing use. There are a few product acronyms that I’ve never heard of:

Page sections: Hardware-Enabled Security Technologies, Edge Security, Network Security, Data Center and Cloud Security

Defending against growing threats to government cybersecurity requires a proactive, end-to-end approach rooted in hardware. This trusted infrastructure lays the foundation to help protect every digital point, from edge to network to cloud. Intel® hardware-enabled security technologies support solutions for data security and privacy.[…]

https://www.intel.com/content/www/us/en/government/cybersecurity.html

NYIT Vancouver to build Secure Boot for GoWin Semiconductor SecureFPGA

[Interesting, a semiconductor vendor teaming with academia to add security features to their product line. And, the list of “Secure Boot” flavors is about to get one entry larger.]

CyberSecurity Students Partner with Gowin Semiconductor to Solve Security Challenge

[…]Cybersecurity students in INCS 870 at New York Tech’s Vancouver campus recently had the unique opportunity to contribute to combatting that threat by working with China-based Gowin Semiconductor, the world’s fastest growing programmable logic company, to solve some security problems on Gowin’s SecureFPGA devices.[…]As part of their graduate capstone project, the students worked with Gowin to develop a Secure Boot for the SecureFPGA system using Gowin’s Broadkey security library. Secure Boot is an industry security standard that ensures that any device boots using only software that is digitally signed and verified by the Original Equipment Manufacturer (OEM), a process designed to protect against malicious software being executed in the boot process.[…]According to Grant Jennings, director of international marketing for Gowin Semiconductor, Secure Boot is one of the most common requests the company receives from customers wanting to add security capabilities to their embedded products. […]

https://www.gowinsemi.com/en/
https://www.nyit.edu/vancouver

https://www.nyit.edu/box/features/cybersecurity_students_partner_with_gowin_semiconductor_to_solve_security_c
https://www.gowinsemi.com/en/about/detail/latest_news/58/