Introducing the Windows Internals Series: One Windows Kernel

OpenBSD 4.6 released

Some highlights that ‘caught my eye’:

* On sparc64 ldomctl(8) now supports more modern firmware found on SPARC T2+ and T3 machines in particular such as T1000, T5120 and T5240. NVRAM variables can now be set per logical domain.
* ACPI support on OpenBSD/arm64 platforms.
* New acpisurface(4) driver providing ACPI support for Microsoft Surface Book laptops.
* New acpipci(4/arm64) driver providing support for PCI host bridges based on information provided by ACPI.
* Added a sensor for port replicator status to acpithinkpad(4).
* Implemented MAP_STACK option for mmap(2). At pagefaults and syscalls the kernel will check that the stack pointer points to MAP_STACK memory, which mitigates against attacks using stack pivots.
* New RETGUARD security mechanism on amd64 and arm64: use per-function random cookies to protect access to function return instructions, making them harder to use in ROP gadgets.
* clang(1) includes a pass that identifies common instructions which may be useful in ROP gadgets and replaces them with safe alternatives on amd64 and i386.
* The Retpoline mitigation against Spectre Variant 2 has been enabled in clang(1) and in assembly files on amd64 and i386.
* Added SpectreRSB mitigation on amd64.
* Added Intel L1 Terminal Fault mitigation on amd64.
* Meltdown mitigation was added to i386.
* amd64 now uses eager-FPU switching to prevent FPU state information speculatively leaking across protection boundaries.
* Because Simultaneous MultiThreading (SMT) uses core resources in a shared and unsafe manner, it is now disabled by default. It can be enabled with the new hw.smt sysctl(2) variable.


ARM announces ServerReady – a compliance program for Arm-based servers

Server partners expect to be able to deploy new systems directly from the shipping box, with straightforward integration of the operating systems and applications of their choosing. To achieve this, it is necessary for the Arm server ecosystem to define and comply with a minimal set of standards. This is of particular importance for the server and infrastructure market, as unlike the mobile sector, it is not acceptable to have to modify the operating system for every platform. Standards allow compatibility across different products, while enabling the individual partners to innovate and differentiate within these boundaries.[…]

ARM Root of Trust APIs announced

Accelerating development with PSA APIs

Microsoft: Component Firmware Update (CFU)

October 17, 2018 4:02 pm
Introducing Component Firmware Update
By Microsoft Devices Team

The Microsoft Devices Team is excited to announce the release of an open-source model for Component Firmware Update for Windows system developers – Component Firmware Update (CFU). With CFU, you can easily deliver firmware updates through Windows Update by using CFU drivers.[…]

New Details on Google’s Titan M (2nd generation) Security Module

Much more detail than in the past, and a promise of open-source software release soon:

Titan M performs several security sensitive functions, including:

  • Storing and enforcing the locks and rollback counters used by Android Verified Boot.
  • Securely storing secrets and rate-limiting invalid attempts at retrieving them using the Weaver API.
  • Providing backing for the Android Strongbox Keymaster module, including Trusted User Presence and Protected Confirmation. Titan M has direct electrical connections to the Pixel’s side buttons, so a remote attacker can’t fake button presses. These features are available to third-party apps, such as FIDO U2F Authentication.
  • Enforcing factory-reset policies, so that lost or stolen phones can only be restored to operation by the authorized owner.
  • Ensuring that even Google can’t unlock a phone or install firmware updates without the owner’s cooperation with Insider Attack Resistance.

CERT: Vulnerabilities Associated with CPU Speculative Execution

Modern CPUs have speculative execution capabilities, which improves processor performance. Depending on the design and architecture of the CPU, speculative execution can introduce side-channel-attack vulnerabilities.

[Similar to previous post, I included this URL in an early Spectre/Meltdown posting, but was having a hard time finding it.]

NSA Cybersecurity: Hardware and Firmware Security Guidance

This repository provides content for aiding DoD administrators in verifying systems have applied and enabled mitigations for Spectre and Meltdown. The repository is a companion to a forthcoming Information Assurance Advisory Updated Guidance for Spectre and Meltdown Vulnerabilities Affecting Modern Processors. This advisory will be an update to the previously issued advisory Vulnerabilities Affecting Modern Processors.

[Last updated in the Summer. I am pretty sure I included a link to this during the early Spectre/Meltdown posts, but can’t find it, and it is a bit more useful beyond Spectre/Meltdown.]
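As an added example of the kind of verification the NSA repository is meant to help with (this code is mine, not the repository's or the page's), the check below reads the per-issue status files the Linux kernel exposes and flags anything the kernel itself still reports as open. The sysfs paths are an assumption about the host, and the snapshot is constructed so the logic can be exercised offline:

```python
"""Flag Spectre/Meltdown-class issues a Linux host still reports as open.

Added example, not from the NSA repository. Assumes the kernel's
/sys/devices/system/cpu/vulnerabilities/* files and the
/sys/devices/system/cpu/smt/control file; the snapshot below is constructed.
"""
import os
import re

VULN_DIR = "/sys/devices/system/cpu/vulnerabilities"   # assumed sysfs path
SMT_FILE = "/sys/devices/system/cpu/smt/control"       # assumed sysfs path

# Constructed snapshot of one host, in the one-line-per-issue format the
# kernel writes: "Not affected", "Vulnerable[: detail]" or "Mitigation: ...".
SAMPLE_SNAPSHOT = {
    "meltdown": "Mitigation: PTI",
    "spectre_v1": "Mitigation: __user pointer sanitization",
    "spectre_v2": "Vulnerable: Retpoline without IBPB",
    "l1tf": "Mitigation: PTE Inversion; VMX: vulnerable, SMT vulnerable",
    "spec_store_bypass": "Not affected",
}
SAMPLE_SMT = "on"   # constructed; real values include on/off/forceoff


def read_snapshot(vuln_dir=VULN_DIR, smt_file=SMT_FILE):
    """Read the live files; returns (status dict, smt) or None if absent."""
    if not os.path.isdir(vuln_dir):
        return None
    status = {}
    for name in sorted(os.listdir(vuln_dir)):
        with open(os.path.join(vuln_dir, name)) as fh:
            status[name] = fh.read().strip()
    smt = "unknown"
    if os.path.exists(smt_file):
        with open(smt_file) as fh:
            smt = fh.read().strip()
    return status, smt


def classify(status, smt):
    """Return findings; an empty list means every listed issue is covered."""
    findings = []
    for name, line in status.items():
        if line.startswith("Vulnerable"):
            findings.append(f"{name}: no effective mitigation ({line})")
        elif re.search(r"\bSMT vulnerable\b", line) and smt == "on":
            # The kernel's own verdict that SMT leaves this issue exposed.
            findings.append(f"{name}: mitigation incomplete while SMT is on")
    return findings


if __name__ == "__main__":
    live = read_snapshot()
    status, smt = live if live else (SAMPLE_SNAPSHOT, SAMPLE_SMT)
    print("\n".join(classify(status, smt)) or "no open findings")
```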

NIST: IoT Trust Concerns, now available


This draft white paper identifies seventeen technical trust-related issues that may negatively impact the adoption of IoT products and services. The paper offers recommendations for mitigating or reducing the effects of these concerns while also suggesting additional areas of research regarding the subject of “IoT trust.” This document is intended for a general information technology audience, including managers, supervisors, technical staff, and those involved in IoT policy decisions, governance, and procurement. Feedback from reviewers is requested on the seventeen technical concerns that are presented, as well as suggestions for other potential technical concerns that may be missing from the document.


CVE-2018-3266: Oracle Solaris Verified Boot vuln

Vulnerability in the Solaris component of Oracle Sun Systems Products Suite (subcomponent: Verified Boot). The supported version that is affected is 11.3. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Solaris executes to compromise Solaris. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Solaris accessible data as well as unauthorized read access to a subset of Solaris accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Solaris.

[…] seeks Hardware Security Engineer

[…]AWS Security is looking for an experienced Senior Security Engineer, specializing in hardware technologies[…]
— IoT network technologies (Z-Wave, Zigbee, Bluetooth/BLE, WLAN, identity/auth security)
— Hardware security (PCB, JTAG, UART, SPI, ROM, microcode, custom ASIC/FPGA)
— x86 and/or ARM chipset and firmware security (TPM, UEFI, TrustZone, secure boot)
— Local encryption and key management (LUKS, BitLocker, self-encrypting drives, etc)
— PKI and code signing architecture (X.509, EV SSL, certificate pinning, OCSP, CRL, etc)
— hardware cryptography (certificates, attestation, TPM/HSM)
— embedded/IoT solution design and security considerations

U-Boot v2018.11-rc1 released

The RC of the November release of U-Boot is out. Usually, you basically have to follow the U-Boot mailing list to track changes, but this announcement was more verbose than normal:

List of changes between -rc1 and -rc2:

– The SPI-NAND changes have fully been integrated now.
– ARM Versatile Express updates
– QEMU support in RiscV
– Rockchip updates
  – fixes to rkimage for SPL boot via USB
  – fixes to, incl. entry-point calculation and python3 compatibility
  – OP-TEE support for ARMv7-based SoCs
  – fixes to RGMII/GMII selection on the RK3328
– ARC updates
  – CPU and board info prints
  – Synopsys IoT development kit support
  – Take care of global uninitialized variables.
  – Add support for SD-card detection on all ARC boards
– R-Mobile, SoCFPGA updates
– Sandbox SPL/TPL support
– Various DM, Test updates.
– Various general ARM, Meson, TI K2/K3 updates
– OP-TEE AVB support

We’re looking at release on November 12th, 2018.

A Primer on Trustworthy Secure Bootloading, exemplified on a RISC-V processor system

A Primer on Trustworthy Secure Bootloading*
*exemplified on a RISC-V processor system

Hi, my name is Ilia and I work at MIT’s Computer Science and Artificial Intelligence Lab with Srini Devadas to imagine a world where users of computers worldwide can be safe from one other and from themselves. But who might you be? Here, I will assume you have some familiarity with computer system architecture for the deep dive into our case study of a secure RISC-V processor system. I will otherwise attempt to keep this article as accessible as possible. If you find this text confusing, misleading, or otherwise underwhelming, send me a note! I’d like to improve.

TL;DR: scroll down for an implementation example of a secure bootloader on a typical RISC-V system.[…]

Hmm, this WordPress blog does strange things with URLs, I’ll include two versions below, one with a SPACE in it, so you can copy the text, the second will be processed by WordPress, may not be visible on some systems (like mine): @ilia.lebedev/secure-boot-2d6e319b6978



PTSecurity: Modernizing IDA Pro: how to make processor module glitches go away

This is my latest article on a topic near and dear to my heart: making IDA Pro more modern and, well, better. Those familiar with IDA Pro probably know that feeling: there are glitches in the processor modules that you use, you don’t have the source code, and they are driving you crazy! Unfortunately, not all of the glitches discussed here qualify as bugs, meaning that the developers are unlikely to ever fix them—unless you fix them yourself.[…]

Two articles on QEMU and virtualization

Intel, Arduino and myDevices join ARM’s Pelion IoT platform

Linaro announces the Trusted Firmware open project

Linaro Community Projects Division announces the Trusted Firmware open project
San Jose – WEBWIRE – Tuesday, October 16, 2018

The Trusted Firmware project promises to provide an important software foundation to further security development for both Cortex-A and Cortex-M/R processors. Linaro Community Projects Division, the division of Linaro managing open source community projects with open governance, today announced that Trusted Firmware is available as a Linaro Community Projects Division open project. Trusted Firmware provides a reference implementation of Secure World software for Armv7, Armv8-A and Armv8-M architectures. It provides SoC developers and OEMs with a reference trusted code base complying with the relevant Arm specifications. This forms the foundations of a Trusted Execution Environment (TEE) on application processors, or the Secure Processing Environment (SPE) on microcontrollers.[…]

OpenBSD is now getting RETGUARD for ARM platforms, not just Intel/AMD64.