Libreboot and GNU: update

A few months ago a GNU/Libreboot issue occurred, and I just got around to blogging about it the other day. Well, a few days later, there is an update from the FSF. Also see the comment from a reader of the previous post, for good background.

Libreboot and the GNU project

http://www.phoronix.com/scan.php?page=news_item&px=GNU-Libreboot-RMS

https://news.ycombinator.com/item?id=13329287

Jim Fear joins Apple

I missed this, earlier this month. Wow, Apple has hired MANY great UEFI security researchers. Looking forward to seeing the results of their product.

https://twitter.com/snare/status/809436303980838912

I hope his open source project Voltron and his EFI tools will be maintained. It seems some who join Apple are not permitted to work on open source projects.

https://github.com/snare/ida-efiutils
https://github.com/snare/efitools
https://github.com/snare/efiguid
http://ho.ax/tag/efi/

(In vaguely-related news, last night my MacBook just self-destructed: the non-replaceable battery expanded and popped the system open, knocking the trackpad out. The sausage expired. 😦)

Yuriy to speak at REcon Brussels

https://recon.cx/2017/brussels/

Cisco adds Redfish support

Ken Spear has a new post on the Cisco blog about Redfish support, and there’s some code on Github related to the post:

Cisco Supports Redfish Standard: API Enhances UCS Programmability

Cisco has added Redfish™ support to IMC to extend our unified and open API to manage server components and to help customers integrate solutions within their existing tool chains. […]

http://blogs.cisco.com/datacenter/cisco-supports-redfish-standard-api-enhances-ucs-programmability

https://github.com/CiscoUcs/imcsdk

https://communities.cisco.com/docs/DOC-69991

Microsoft Surface

https://twitter.com/aionescu/status/815878947200077824

This is an interesting Twitter thread to read, giving a bit of information on Intel ME use by Microsoft, in its capacity as a BIOS vendor (IBV), on its Surface device.

In other Surface news, ARM has a post about the device including an ARM chip:

http://www.theverge.com/2016/11/29/13775320/microsoft-surface-studio-ifixit-teardown

James on Linux and TPM (and TrouSerS)

James Bottomley has a new blog post on TPM v2 and Linux:

TPM2 and Linux

See his previous blog posts for more on TPM and Linux.

Blogging aside, James also posted a TPM2 patch to TrouSerS to add OpenSSL engine support:

[TrouSerS-tech] [PATCH 0/1] TPM2 engine support for openssl

This is a completed version of the original RFC.  It’s working now both on the TPM2 simulator and on real hardware (I’ve converted my laptop to TPM2).  I’ve updated it to use the latest version of the ASN.1 for the key format (still using a TCG OID). I have it building here (it’s what I’m currently using for my laptop VPNs):

https://build.opensuse.org/package/show/home:jejb1:Tumbleweed/openssl_tpm_engine

But note that this version also has experimental patches to activate the in-kernel TPM Resource Manager because for multiple applications TPM2 really doesn’t work well without one.  Since the patch for the RM is currently not upstream (yet), it’s not going to work unless you have a patched kernel.

More info:
https://lists.sourceforge.net/lists/listinfo/trousers-tech

Libreboot and the GNU project

Over the last few months, the Libreboot project has been having some issues with the GNU project. Quoting the Libreboot home page:

FSF, GNU and RMS: Libreboot is no longer a GNU project. Please honour this immediately, and formally declare that libreboot is no longer a GNU project. Leah is *NOT* stepping down as Libreboot’s maintainer, she is simply taking Libreboot away from GNU. Libreboot will still be developed as always, under the same standards of freedom as before, just *without GNU*. She has not forked libreboot.

https://libreboot.org/gnu/
https://libreboot.org/why-not-gnu/
http://www.phoronix.com/scan.php?page=news_item&px=Libreboot-Not-GNU
http://www.phoronix.com/scan.php?page=news_item&px=FSF-RMS-Statements-Libreboot
http://www.fsf.org/news/free-software-foundation-statement

Cat herding is difficult. I could see how the FSF would have issues with not having Libreboot, GRUB and GNU/Linux as part of their “full stack”.

Trapezoid

I did a brief post on Trapezoid a few months ago, and it included a significant error.

Their product is NOT an OEM-centric product, it is a product for enterprises. Earlier I thought that they needed to be integrated at the OEM level, which is not the case.

Trapezoid

If you buy their product, tell them you heard about them via the FirmwareSecurity.com blog. 🙂

Heads!

I’ve made one brief post on Heads. Earlier I thought it was a new Linux distribution, which is not the case, it is more of a coreboot payload.

Heads looks great! I am currently looking for a used Thinkpad to test one out. I hope others add support for other systems.

If you have not watched the CCC video, check it out, it is very informative.

https://trmm.net/Installing_Heads

https://trmm.net/Category:Heads

33C3: If You Can’t Trust Your Computer, Who Can You Trust?

New editions of Beyond BIOS and Harnessing the UEFI Shell

Intel Press published the first and second editions of these two books a few years ago, but it appears De Gruyter is publishing revised third editions!

Harnessing the UEFI Shell: Moving the Platform Beyond DOS, Third Edition
Rothman, Michael / Zimmer, Vincent / Lewis, Tim
https://www.degruyter.com/view/product/484477

Beyond BIOS: Developing with the Unified Extensible Firmware Interface, Third Edition
Zimmer, Vincent / Marisetty, Suresh / Rothman, Michael
https://www.degruyter.com/view/product/484468

Writing secure C code for ARM

https://www.community.arm.com/iot/embedded/b/blog/posts/a-few-intricacies-of-writing-armv8-m-secure-code

https://www.community.arm.com/processors/b/blog/posts/useful-tips-for-developing-secure-software-on-armv8-m

https://www.community.arm.com/processors/b/documents/posts/whitepaper—armv8-m-architecture-technical-overview

https://developer.arm.com/products/architecture/m-profile/docs/100720/latest/secure-software-guidelines

https://developer.arm.com/docs/100739_0100/latest/the-arm-c-language-extensions-acle-for-armv8m

FWTS 16.12.00 released

Ivan Hu of Canonical.com announced the release of FirmWare Test Suite (FWTS) 16.12.00, with new features in the UEFI Secure Boot, OpenPOWER OPAL, and ACPI tests. See the full announcement for the list of bugfixes.

New Features:
* ACPICA: Update to version 20161117
* klog.json: Add a few more kernel errors to the database
* opal: pci_info: Add OPAL PCI Info validation
* opal: mem_info: Add OPAL MEM Info validation
* opal: cpu_info: Add OPAL CPU Info validation
* securebootcert: add variable AuditMode checking
* securebootcert: add variable DeployedMode checking

http://fwts.ubuntu.com/release/fwts-V16.12.00.tar.gz
https://launchpad.net/~firmware-testing-team/+archive/ubuntu/ppa-fwts-stable
https://wiki.ubuntu.com/FirmwareTestSuite/ReleaseNotes/16.12.00
https://launchpad.net/ubuntu/+source/fwts
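The two new securebootcert checks look at the AuditMode and DeployedMode variables that UEFI 2.5 added alongside SecureBoot and SetupMode. As an added illustration (not FWTS's own code), the following reads those four variables the way they appear under efivarfs (a 4-byte little-endian attribute word followed by the variable data, file name `<Name>-<EFI_GLOBAL_VARIABLE GUID>`), names the resulting Secure Boot mode, and flags combinations the spec does not allow; the sample bytes are constructed.

```python
import struct
from pathlib import Path
from typing import Dict, Optional

EFI_GLOBAL_VARIABLE = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS = Path("/sys/firmware/efi/efivars")
MODE_VARS = ("SecureBoot", "SetupMode", "AuditMode", "DeployedMode")

# Constructed sample: what a firmware in Deployed Mode would expose.
# Attribute word 0x06 = EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS.
SAMPLE = {
    f"SecureBoot-{EFI_GLOBAL_VARIABLE}":   b"\x06\x00\x00\x00\x01",
    f"SetupMode-{EFI_GLOBAL_VARIABLE}":    b"\x06\x00\x00\x00\x00",
    f"AuditMode-{EFI_GLOBAL_VARIABLE}":    b"\x06\x00\x00\x00\x00",
    f"DeployedMode-{EFI_GLOBAL_VARIABLE}": b"\x06\x00\x00\x00\x01",
}

def parse_efivar(raw: bytes):
    """Split an efivarfs file into (attributes, data)."""
    if len(raw) < 4:
        raise ValueError("efivarfs file shorter than the 4-byte attribute header")
    (attrs,) = struct.unpack("<I", raw[:4])
    return attrs, raw[4:]

def read_mode_vars(files: Dict[str, bytes]) -> Dict[str, Optional[int]]:
    """Map each mode variable to its 1-byte value; None when absent
    (AuditMode/DeployedMode do not exist on pre-UEFI-2.5 firmware)."""
    out: Dict[str, Optional[int]] = {}
    for name in MODE_VARS:
        raw = files.get(f"{name}-{EFI_GLOBAL_VARIABLE}")
        if raw is None:
            out[name] = None
            continue
        _attrs, data = parse_efivar(raw)
        out[name] = data[0] if len(data) == 1 else None  # spec: exactly one byte
    return out

def classify(v: Dict[str, Optional[int]]) -> str:
    """Name the Secure Boot mode per UEFI 2.5+; anything else is inconsistent."""
    sb, setup = v["SecureBoot"], v["SetupMode"]
    audit, deployed = v["AuditMode"] or 0, v["DeployedMode"] or 0
    if deployed == 1 and audit == 0 and setup == 0 and sb == 1:
        return "DeployedMode"
    if audit == 1 and setup == 1 and deployed == 0 and sb == 0:
        return "AuditMode"
    if setup == 1 and audit == 0 and deployed == 0 and sb == 0:
        return "SetupMode"
    if setup == 0 and audit == 0 and deployed == 0 and sb in (0, 1):
        return "UserMode"
    return "INCONSISTENT"

def load_from_efivars(root: Path = EFIVARS) -> Dict[str, bytes]:
    """Read the real variables on a Linux host (needs efivarfs mounted)."""
    return {p.name: p.read_bytes() for p in root.glob("*-" + EFI_GLOBAL_VARIABLE)}
```

On a live system, `classify(read_mode_vars(load_from_efivars()))` gives the same verdict the test reasons about; "INCONSISTENT" is the case worth investigating.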

OWASP IoT firmware guidance

I just noticed that the OWASP project, the Open Web Application Security Project, has an IoT project, and that project has a Firmware Analysis Project.

“The Firmware Analysis Project is intended to provide security testing guidance for the IoT Attack Surface ‘Device Firmware’.”

Nothing specific to UEFI, coreboot, ACPI, SMM, etc. They are using the embedded OS definition of firmware.

https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project#Firmware_Analysis