A new Python library, Windows-centric, for UEFI variables manipulation.

https://github.com/netaneld122/firmware-variables

The OpenBMC project has a new security tool!

Purpose: Provide shell scripts to expose security aspects of an operational OpenBMC system from the point of view of an agent on the BMC’s management network trying to get access. The intended use is to provide information needed to audit the BMC’s interfaces, not to perform a security test. For example, the script detects if the BMC rejects TLS 1.1 and accepts TLS 1.2. The primary value the scripts provide is a starting point for what to look at, how to get the information, and where to learn more.

See the last 2 lines of current script, they are looking for some help.

Script: https://lists.ozlabs.org/pipermail/openbmc/2020-April/021186.html

More info: https://github.com/openbmc/openbmc

This small utility when run will set the OsIndications UEFI variable for booting into firmware setup.

RTFM (it has a manpage!):
https://gitlab.com/JohnoKing/os-indications/-/blob/master/os-indications.8

https://gitlab.com/JohnoKing/os-indications

see-also:
https://blog.fpmurphy.com/2016/04/uefi-os-indication-variables.html

Intel blogged on OsIndications, but they changed their site and the post is apparently is no longer available:
https://software.intel.com/en-us/firmware/library/using-os-indications-uefi

Another UEFI dev environment.

This is my header library for C++17 trying to be UEFI 2.8 compliant. Can’t guarantee anything. You’re probably better off using any other header set. Also you need LLVM to build the example/test. This thing is just straight copying information from the UEFI specification, so you’re free to do anything you want to do with the header file. Just don’t take credit for creating it or something.

https://github.com/Mcpg/natefi

Re: https://firmwaresecurity.com/2016/12/30/owasp-iot-firmware-guidance/ and
https://firmwaresecurity.com/2019/11/06/owasp-firmware-security-testing-methodology/

Happy to announce the official release of @owasp IoTGoat; a deliberately insecure firmware created to educate software developers & security professionals with testing commonly found vulnerabilities in IoT devices. https://t.co/PVhj00JbAy.
cc: @DanielMiessler

— A-a-ron Guzman (@scriptingxss) March 30, 2020

IoTGoat has been released:

https://github.com/OWASP/IoTGoat

Hardware Debugging for Reverse Engineers Part 2: JTAG, SSDs and Firmware Extractionhttps://t.co/BfNSHBlFVX

Happy Friday! As always, ping me with any questions/comments

— wrongbaud (@wrongbaud) April 3, 2020

https://wrongbaud.github.io/jtag-hdd/

see-also:

Hardware Debugging for Reverse Engineers Part 1: SWD, OpenOCD and Xbox One Controllershttps://t.co/7kMpnZGa65

Hope you enjoy! As always ping me with any questions

— wrongbaud (@wrongbaud) January 31, 2020

https://wrongbaud.github.io/stm-xbox-jtag/

The world's most complete documentation regarding recent Android boot methods. Comparison and explanation between legacy ramdisk, legacy SAR, 2SI legacy SAR, 2SI ramdisk SAR…

Googlers might want to check this too to understand the mess they created 😜https://t.co/2fzTMDiaPc

— John Wu (@topjohnwu) April 4, 2020

If you are interested in the Android boot process, this is helpful:

https://topjohnwu.github.io/Magisk/boot.html

Canada has published security guidance, which includes a bit of firmware security.

https://cyber.gc.ca/en/guidance/cyber-centre-data-centre-virtualization-report-best-practices-data-centre-virtualization

This is a new UEFI build environment, different than GNU-EFI or EDK2’s Build or efi-clang. Based on GNU-EFI but uses Clang instead of GCC. This is about the dozenth new non-Tianocore UEFI dev environment, some of which have separate UEFI header projects: I really need to create a list. 🙂

An extremely lightweight UEFI SDK that uses a standard clang instalation to compile C directly into UEFI applications. It uses the data structures and header files from gnu-efi, but does not use any of the toolchain of gnu-efi. I’ve also included a build of edk2 to make it easy to run the UEFI applications in qemu.[…]

https://github.com/badcf00d/bare-bones-uefi

By I. D. Pankov, A. S. Konoplev & A. Yu. Chernov

The paper presents an overview of current attacks on BIOS and Intel ME embedded software of modern Intel-based computers. We describe the results of the analysis of its security for system boards of basic manufacturers. We also allocate classes of attacks that make it possible to create implants whose discovery by traditional methods of searching for undeclared features becomes impossible or extremely difficult.[…]

It costs US$40, I don’t know of a freely-available version of this paper. I wish Aaron Swartz was still alive. 😦

https://link.springer.com/article/10.3103%2FS0146411619080224

It has been a long time coming but we have now released the Secure Launch patch set to LKML.https://t.co/HyrIcMH9lh

— TrenchBoot (@TrenchBoot) March 25, 2020

The Trenchboot project focus on boot security has led to the enabling of the Linux kernel to be directly invocable by the x86 Dynamic Launch instruction(s) for establishing a Dynamic Root of Trust for Measurement (DRTM). The dynamic launch will be initiated by a boot loader with associated support added to it, for example the first targeted boot loader will be GRUB2. An integral part of establishing the DRTM involves measuring everything that is intended to be run (kernel image, initrd, etc) and everything that will configure that kernel to run (command line, boot params, etc) into specific PCRs, the DRTM PCRs (17-22), in the TPM. Another key aspect is the dynamic launch is rooted in hardware. On Intel this is done using the GETSEC instruction set provided by Intel’s TXT and the SKINIT instruction provided by AMD’s AMD-V. Information on these technologies can be readily found online.[…]

https://lkml.org/lkml/2020/3/25/982

https://github.com/trenchboot

The NSFCAC (National Science Foundation Cloud and Autonomic Computing Center) has released a Python script that gathers IPMI/Redfish BMC data:

This project collects metrics from different sources including in-band (via node OS, workload manager, drivers) and out-of-band (OOB) i.e. from baseboard management controller (BMC) via Redfish API and IPMI protocols.

https://github.com/nsfcac/DistributedMetricCollector

Wow, I didn’t expect Intel to drop SGX support this fast…

Is it the beginning of the end? pic.twitter.com/me2Wy3XjT6

— Mark Ermolov (@_markel___) March 23, 2020

Master Boot Record (MBR) means one thing, in the context of a PC system firmware. MBR is also the name of a heavy metal band. And they have a new album out, “Floppy Disk Overdrive”. The band uses many terms from BIOS and DOS. Song names include “ANSI.SYS”, “FDISK.EXE”, etc. 🙂

https://masterbootrecord.bandcamp.com/album/floppy-disk-overdrive

https://masterbootrecord.bandcamp.com/

Re: https://firmwaresecurity.com/2019/07/31/new-bios-book-programming-boot-sector-games/

there is a second book on BIOS boot loader games in Intel assembler:

What will look better on your bookshelf? Hardcover, paperback or both? My two books of Boot Sector games now available! A treasure of 8086/8088 programming. #gamedev #retro #retrogaming #programming #developers #StayAtHome #Covid_19 https://t.co/v4Au2cAbJ8 pic.twitter.com/NzmKbmjW3h

— Óscar Toledo G. (@nanochess) March 21, 2020

Paperback:
http://www.lulu.com/shop/oscar-toledo-gutierrez/more-boot-sector-games/paperback/product-24462035.html

Hardcover:
http://www.lulu.com/shop/oscar-toledo-gutierrez/more-boot-sector-games/hardcover/product-24462029.html

FirmWare Test Suite (FWTS) has added awareness tests for the Linux Kernel Lockdown patchset. Eg:

Kernel is lockdown. Aborted.
Please unlock the kernel before you test the UEFI tests.
Make sure you disable secureboot and disable the kernel lockdown,
(by kernel parameter lockdown=None).

https://lists.ubuntu.com/archives/fwts-devel/2020-March/011725.html

https://launchpad.net/fwts

[NOTE: This blog post unrelated to firmware or security.]

Please consider using any spare computing resources to help fight the COVID-19. I know of two resources, below. If you know of other resources, please leave a Comment on this blog.

https://boinc.bakerlab.org/rosetta/forum_thread.php?id=13533
https://www.worldcommunitygrid.org/forums/wcg/viewthread_thread,42191

https://foldingathome.org/start-folding/
https://foldingathome.org/2020/03/10/covid19-update/

The Forth programming language is not mainstream these days. But from firmware perspective: OpenFirmware was written in the Forth programming language. And now there’s a Forth compiler that targets UEFI applications. Jonas Hvid has written Jonasforth, a Forth interpreter that is a UEFI application, written in Flat Assembler (FASM). So it works on x64-based Intel UEFI/AMD (but not ARM or RISC-V or non-x64) systems.

Forth aside, this is a FASM-based UEFI application, most FASM-based UEFI apps are ‘hello world’ level, so this gives a more substantial application to study.

https://github.com/c2d7fa/jonasforth

See-also:
https://johv.dk/

https://en.wikipedia.org/wiki/Forth_(programming_language)