Linux Kernel Podcast returns

After being offline since 2009, the Linux Kernel podcast has restarted. The first new episode mentions an EFI/ACPI patch!

Bhupesh Sharma posted a patch moving in-kernel handling of ACPI BGRT (Boot(time) Graphics Resource) tables out of the x86 architecture tree and into drivers/firmware/efi (so that it can be shared with the 64-bit ARM Architecture).

http://www.kernelpodcast.org/2017/02/20/kernel-podcast-for-feb-20th-2017/

Linux Kernel Podcast

http://jcm.libsyn.com/rss

sample of queries to this blog

I host this blog on WordPress.com, so they manage the PHP-based code. 🙂 I am not good at PHP nor WordPress, as you can tell. The web UI to the blog shows me a subset of the queries that people use to search the blog. Seeing the queries people make might give you a better idea of the reader base of this blog. Here are the top queries from the last month. The interesting ones are queries that have nothing to do with my posts. 🙂 BTW, it appears the Search widget of WordPress is lame, sorry about that.

intel innovation engine
intelmetool
hvci
cantoolz
download firmware copperheados
intel ptt txt
intel me security
svn udk2015
ivrs amd
open trust protocol
intel me
arm trusted firmware
intel boot guard
ru efi
efiswissknife
trusted boot boot guard intel
efipwn
exdi windbg intel
pointer authentication
uefi memory map
firmadyne
malduino
ozmtool
fwupd lenovo
radare2 dlink
uefi 5
sp 800 147
intel ptt
edk ii uefi
security dxe driver software
pci expansion rom
ios 10 security guide
acpi 6.1 spec
what is firmware security
windows smm security mitigation
coreboot bmc
smm mitigation
intel bootguard
arm v8 pointer authentication
hackbgrt
uefi datahub protocol
microsoft + semm
efi game
verified boot uboot
u-boot secure boot
hsti
intel jtag
vsphere 6.5 secure boot
luander ribeiro
lava firmware
libvirt qemu kvm smm
rootkits and bootkits
invisible labs libreboot
bootkit efi
rowhammer puf
igd opregion
nx support wsmt acpi table
snapdragon 410 firmware
edk erst table error
isca iot
uefi specification version 2.6
megarac sp-x developer guide
fsp2.0 specification
firmware security
microsoft surface enterprise management
dell 7370 boot guard verified dxe
bios ru efi
deck linux
microsoft surface semm
motorola qualcomm firmware certificate
16.09.00
linux
schumilo vusbf
chipsec fuzzer
intel sgx visual studio example
hardenedbsd uefi
lenovo hsti
“platform trust technology” linux
underwriter labs iot security
mallik bulusu
uboot fit
ja.axxs.net
booting verification
veyron_speedy
canada s6 edge software update g925a
uefi version 2.5
http boot uefi
soc/rockchip/rk3288/bootblock.c
gefinvmexpresspassthru
chipsec
intel redfish
qualcomm snapdragon firmware
firmware rootkit broadcom
stateless laptop
hsti microsoft
yardstick security
dsdt editor
opc events security
meow by satoshi tanda
co to jest klucz intela ptt
qualcomm snapdragon update software
how to use binskim binary
usb cable tester d.i.y
uefi debugger amd
“intelssg”
introspection openstack
intel ipt chip
zte w300 firmware reverse
“uefi” network stack what is
qubes install windows
nikolaj schlej
firmware gd25lq128 download
fossdem
uefi gdb
firmware tcg 200t
ikgt intel
loading an elf in uefi
defcon 24 village talk jtag serial sip
radare2 manual efi
tpm grub
hsm luna g5 forum
intel firmware key rsa
protected audio video path (pavp)
srini devadas security
sgx s/mime
intel tpm 2.0 software stack
the intel tpm2 software stack
nvme malware
uefi 2.6 specifications
archive rweverything.com
cybersecurity practice guide sp 1800-7, situational awareness for electric utilities public comments

US Customs looks at QubesOS inventor’s computer

😦


https://twitter.com/rootkovska/status/834043480167030784

Kaspersky Antivirus for UEFI


[…]Kaspersky Antivirus for UEFI is integrated into Kraftway’s proprietary chip-based Kraftway Security Shell to ensure timely detection and blocking of malware attacks against key points (Master Boot Record, Global Partition Table, OS loader and kernel, key OS files, registry, critical files and directories, etc.) before the OS itself even starts to load.[…]


https://usa.kaspersky.com/oem/partners/kraftway

http://www.kraftway.ru/en/

http://www.kraftway.ru/products/detail.php?ID=1438&sphrase_id=21351

U-Root: firmware solution written in Go

From 2015, something I missed because I didn’t know Go then. ;-(

U-root: A Go-based, Firmware Embeddable Root File System with On-demand Compilation
Ronald G. Minnich, Google; Andrey Mirtchovski, Cisco

U-root is an embeddable root file system intended to be placed in a FLASH device as part of the firmware image, along with a Linux kernel. The program source code is installed in the root file system contained in the firmware FLASH part and compiled on demand. All the u-root utilities, roughly corresponding to standard Unix utilities, are written in Go, a modern, type-safe language with garbage collection and language-level support for concurrency and inter-process communication. Unlike most embedded root file systems, which consist largely of binaries, U-root has only five: an init program and 4 Go compiler binaries. When a program is first run, it and any not-yet-built packages it uses are compiled to a RAM-based file system. The first invocation of a program takes a fraction of a second, as it is compiled. Packages are only compiled once, so the slowest build is always the first one, on boot, which takes about 3 seconds. Subsequent invocations are very fast, usually a millisecond or so. U-root blurs the line between script-based distros such as Perl Linux and binary-based distros such as BusyBox; it has the flexibility of Perl Linux and the performance of BusyBox. Scripts and builtins are written in Go, not a shell scripting language. U-root is a new way to package and distribute file systems for embedded systems, and the use of Go promises a dramatic improvement in their security.

Video and audio on first URL.

https://www.usenix.org/conference/atc15/technical-session/presentation/minnich

https://github.com/u-root/u-root

http://u-root.tk/

SUSE on UEFI -vs- BIOS

I missed this blog post from SuSE from last year:

[…]One UEFI topic that I noticeably did not address in this blog is secure boot. This was actually covered extensively in three previous blogs. To read those blogs do a search for “Secure Boot” at suse.com. I also did not address the comparison of UEFI and BIOS from the operating systems perspective in this blog. That is a separate blog that was released at the same time as this one (Comparison of UEFI and BIOS – from an operating system perspective). Please read it too. Hopefully this gives you some helpful information about the transition from BIOS to UEFI, on the hardware side. You can find more information about SUSE YES Certification at https://www.suse.com/partners/ihv/yes/ or search for YES CERTIFIED hardware at https://www.suse.com/yessearch/. You can also review previous YES Certification blogs at YES Certification blog post[…]

https://www.suse.com/communities/blog/comparison-uefi-bios-hardware-perspective/

UEFI-D: D language bindings for UEFI

D bindings for UEFI specifications, based on the headers from EDK II 2015. They allow compiling fully functional EFI executables without assembly or C bootstrapping; it boots directly to D 🙂 They can be used to build UEFI-compatible applications and drivers in the D Programming Language. A sample “Hello, world” program is provided, with source and a Linux script to compile[…]

http://forum.dlang.org/thread/kjmjtauonvlxhdaqcpij@forum.dlang.org

https://github.com/kubasz/uefi-d

http://code.dlang.org/packages/uefi-d

https://github.com/kubasz/uefi-d/blob/master/sample/photo.jpg?raw=true


Intel MPX Explained

https://twitter.com/kayseesee/status/832664911578664960


Intel MPX Explained: An Empirical Study of Intel MPX and Software-based Bounds Checking Approaches

Oleksii Oleksenko, Dmitrii Kuvaiskii, Pramod Bhatotia, Pascal Felber, Christof Fetzer

(Submitted on 2 Feb 2017)

Memory-safety violations are a prevalent cause of both reliability and security vulnerabilities in systems software written in unsafe languages like C/C++. Unfortunately, all the existing software-based solutions to this problem exhibit high performance overheads preventing them from wide adoption in production runs. To address this issue, Intel recently released a new ISA extension – Memory Protection Extensions (Intel MPX), a hardware-assisted full-stack solution to protect against memory safety violations. In this work, we perform an exhaustive study of the Intel MPX architecture to understand its advantages and caveats. We base our study along three dimensions: (a) performance overheads, (b) security guarantees, and (c) usability issues. To put our results in perspective, we compare Intel MPX with three prominent software-based approaches: (1) trip-wire – AddressSanitizer, (2) object-based – SAFECode, and (3) pointer-based – SoftBound. Our main conclusion is that Intel MPX is a promising technique that is not yet practical for widespread adoption. Intel MPX’s performance overheads are still high (roughly 50% on average), and the supporting infrastructure has bugs which may cause compilation or runtime errors. Moreover, we showcase the design limitations of Intel MPX: it cannot detect temporal errors, may have false positives and false negatives in multithreaded code, and its restrictions on memory layout require substantial code changes for some programs.

https://arxiv.org/abs/1702.00719

See also:

https://intel-mpx.github.io/
https://software.intel.com/en-us/articles/introduction-to-intel-memory-protection-extensions
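The abstract's distinction between spatial and temporal errors is the one practitioners most often get wrong when evaluating bounds-checking hardware. The following is an added illustration, not code from the paper, from Intel, or from this blog: a toy pointer-based scheme (each pointer carries a base and a bound, in the spirit of the "pointer-based" category the paper assigns to SoftBound) over a static arena. The `id` field and the `alive` table are a constructed liveness tag used only to show what bounds metadata alone cannot see; real MPX keeps its bounds in dedicated registers and tables and has no such tag.

```c
#include <stddef.h>
#include <stdio.h>

#define ARENA_SIZE 256
#define MAX_ALLOCS 16

/* A pointer carrying its own bounds metadata (constructed model, not MPX's layout). */
typedef struct {
    unsigned char *ptr;   /* the pointer value itself */
    unsigned char *base;  /* lowest valid address */
    unsigned char *bound; /* one past the highest valid address */
    size_t id;            /* constructed temporal tag; bounds checkers keep nothing like it */
} fat_ptr;

/* Toy bump allocator over a static arena with a liveness flag per allocation. */
static unsigned char arena[ARENA_SIZE];
static size_t arena_used;
static int alive[MAX_ALLOCS];
static size_t next_id;

static void arena_reset(void) {
    arena_used = 0;
    next_id = 0;
    for (size_t i = 0; i < MAX_ALLOCS; i++) alive[i] = 0;
}

static fat_ptr fp_alloc(size_t n) {
    fat_ptr p = { NULL, NULL, NULL, 0 };
    if (arena_used + n > ARENA_SIZE || next_id >= MAX_ALLOCS) return p;
    p.ptr = p.base = arena + arena_used;
    p.bound = p.base + n;
    p.id = next_id++;
    alive[p.id] = 1;
    arena_used += n;
    return p;
}

static void fp_free(fat_ptr p) { if (p.ptr) alive[p.id] = 0; }

/* Spatial check: is [ptr+off, ptr+off+len) inside [base, bound)?
 * Computed on offsets so no out-of-range pointer is ever formed. */
static int spatial_ok(fat_ptr p, size_t off, size_t len) {
    if (!p.ptr || p.ptr < p.base || p.ptr > p.bound) return 0;
    size_t avail = (size_t)(p.bound - p.ptr);
    return off <= avail && len <= avail - off;
}

/* Temporal check: is the allocation this pointer refers to still live? */
static int temporal_ok(fat_ptr p) { return p.ptr && alive[p.id]; }

enum { ACCESS_OK = 0, SPATIAL_VIOLATION = 1, TEMPORAL_VIOLATION = 2 };

static int check_access(fat_ptr p, size_t off, size_t len) {
    if (!spatial_ok(p, off, len)) return SPATIAL_VIOLATION;
    if (!temporal_ok(p)) return TEMPORAL_VIOLATION;
    return ACCESS_OK;
}

/* Scenario 0: an ordinary in-bounds access to a live buffer. */
static int scenario_in_bounds(void) {
    arena_reset();
    fat_ptr buf = fp_alloc(16);
    return check_access(buf, 15, 1);
}

/* Scenario 1: off-by-one write past a 16-byte buffer; bounds checking catches it. */
static int scenario_overflow(void) {
    arena_reset();
    fat_ptr buf = fp_alloc(16);
    return check_access(buf, 16, 1);   /* byte index 16 is one past the end */
}

/* Scenario 2: use-after-free judged by bounds alone; the blind spot the paper names.
 * The bounds are unchanged by free(), so the access still looks valid (returns 1). */
static int scenario_uaf_spatial_only(void) {
    arena_reset();
    fat_ptr buf = fp_alloc(16);
    fp_free(buf);
    return spatial_ok(buf, 0, 1);
}

/* Scenario 3: the same use-after-free once liveness metadata is consulted. */
static int scenario_uaf_with_temporal(void) {
    arena_reset();
    fat_ptr buf = fp_alloc(16);
    fp_free(buf);
    return check_access(buf, 0, 1);
}

int main(void) {
    printf("in bounds:           %d\n", scenario_in_bounds());
    printf("overflow:            %d\n", scenario_overflow());
    printf("uaf, bounds only:    %d\n", scenario_uaf_spatial_only());
    printf("uaf, with liveness:  %d\n", scenario_uaf_with_temporal());
    return 0;
}
```

The point of scenario 2 is that a freed buffer's base and bound are still perfectly consistent, so a checker that only compares addresses against bounds has nothing to object to; detecting the temporal error needs extra state (here a liveness flag, in tools like AddressSanitizer a quarantine and shadow memory), which is the cost the paper is weighing against MPX's hardware support.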

tg165-tools: FLIR TG165 thermal camera firmware hacking tools

TG165 Tools: This repository contains tools for extending the functionality of the low-end FLIR TG165 thermal camera. With these tools, you can add alternate functionality to your TG165 without having to replace its original firmware.
* A simple utility (fwutil.py) and python module (tg165) that can pack and unpack FLIR Upgrade.bin firmware images.
* A simple utility (compose-fw.py) that can be used to build firmware-upgrade files that contain multiple programs.
* A simple assembly bootstrap (boot_select) that allows you to select between multiple programs on device startup.
* A DFU “alternate-bootloader” (alt_bootloader) that allows you to upload custom programs via USB without disrupting the main one. This should enable rapid development!
* An (example) firmware payload that allows you to dump the TG165’s FLIR-provided bootloader.

https://github.com/ktemkin/tg165-tools/

SysInternals updated

https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow

https://technet.microsoft.com/en-us/sysinternals/bb842062.aspx

Android Things

Supported hardware: Intel® Edison, Intel® Joule, NXP Pico i.MX6UL, Raspberry Pi

https://github.com/androidthings
https://developer.android.com/things/hardware/index.html
https://developer.android.com/things/index.html
https://developer.android.com/things/preview/index.html
https://developer.android.com/things/hardware/developer-kits.html
https://android-developers.googleblog.com/2017/02/android-things-developer-preview-2.html



BIOS/UEFI Ransomware at RSA?

https://www.heise.de/security/meldung/BIOS-UEFI-mit-Ransomware-infiziert-3630662.html

From Google Translate:

[…]”This year’s edition of the “Hacking Exposed” talk, presented for years at the RSA Conference, was filled by Cylance boss Stuart McClure and his co-workers with two hacks of a more unusual kind: In one of the live demos, they infected the Unified Extensible Firmware Interface (UEFI) of a current Gigabyte motherboard (Intel Skylake) with an encryption trojan. According to McClure, mainboards of other manufacturers are also attackable; one only has to adjust the payload to the UEFI variant.”[…]

No pointer to sources AFAICT, please leave a Comment on the blog if you have a URL.