Android Verified Boot enforced with 7.0

Sami Tolvanen of Google has posted a blog entry on Android Verified Boot and what changes with Android 7.0:

Android uses multiple layers of protection to keep users safe. One of these layers is verified boot, which improves security by using cryptographic integrity checking to detect changes to the operating system. Android has alerted about system integrity since Marshmallow, but starting with devices first shipping with Android 7.0, we require verified boot to be strictly enforcing. This means that a device with a corrupt boot image or verified partition will not boot or will boot in a limited capacity with user consent. Such strict checking, though, means that non-malicious data corruption, which previously would be less visible, could now start affecting process functionality more. By default, Android verifies large partitions using the dm-verity kernel driver, which divides the partition into 4 KiB blocks and verifies each block when read, against a signed hash tree. A detected single byte corruption will therefore result in an entire block becoming inaccessible when dm-verity is in enforcing mode, leading to the kernel returning EIO errors to userspace on verified partition data access. This post describes our work in improving dm-verity robustness by introducing forward error correction (FEC), and explains how this allowed us to make the operating system more resistant to data corruption. These improvements are available to any device running Android 7.0 and this post reflects the default implementation in AOSP that we ship on our Nexus devices.[…]

Full post:
http://android-developers.blogspot.com/2016/07/strictly-enforced-verified-boot-with.html
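To make the "single byte corruption makes a whole 4 KiB block inaccessible" point concrete, here is an added Python model of the dm-verity hash tree the post describes. It is example code written for this page, not Google's post, AOSP or kernel code. It assumes SHA-256 digests, 4 KiB data and hash blocks, zero-padded hash blocks, and the salt prepended to every hashed block (as in verity format version 1); the root hash is taken as trusted, which on Android means it comes from the signed verity metadata. Forward error correction is not modelled, so this shows the behaviour the FEC work was added to soften.

```python
import errno
import hashlib
import random

# Constructed model of a dm-verity hash tree (added example, not AOSP/kernel code).
# Assumptions: SHA-256, 4 KiB blocks, zero-padded hash blocks, salt prepended
# to each hashed block (verity format version 1). No FEC is modelled.
BLOCK_SIZE = 4096
DIGEST_SIZE = hashlib.sha256().digest_size          # 32
HASHES_PER_BLOCK = BLOCK_SIZE // DIGEST_SIZE         # 128


class VerityIOError(OSError):
    """Stands in for the EIO the kernel returns when a block fails verification."""


def block_hash(salt, block):
    return hashlib.sha256(salt + block).digest()


def build_hash_tree(data, salt):
    """Return (levels, root): levels[0] holds the hash blocks over the data,
    levels[-1] is the single top hash block, root = H(salt || top block)."""
    if len(data) % BLOCK_SIZE:
        raise ValueError("partition size must be a multiple of the block size")
    digests = [block_hash(salt, data[i:i + BLOCK_SIZE])
               for i in range(0, len(data), BLOCK_SIZE)]
    levels = []
    while True:
        blocks = []
        for i in range(0, len(digests), HASHES_PER_BLOCK):
            packed = b"".join(digests[i:i + HASHES_PER_BLOCK])
            blocks.append(packed.ljust(BLOCK_SIZE, b"\0"))   # zero padding
        levels.append(blocks)
        if len(blocks) == 1:
            break
        digests = [block_hash(salt, b) for b in blocks]     # next level up
    return levels, block_hash(salt, levels[-1][0])


def verity_read(data, levels, root, salt, block_no):
    """Emulate one 4 KiB read in enforcing mode: verify the path from the
    trusted root down to the data block, raising VerityIOError (EIO) on mismatch."""
    expected = root
    for level in range(len(levels) - 1, -1, -1):
        span = HASHES_PER_BLOCK ** (level + 1)    # data blocks covered per hash block
        hblock = levels[level][block_no // span]
        if block_hash(salt, hblock) != expected:
            raise VerityIOError(errno.EIO, "hash block corrupted at level %d" % level)
        slot = (block_no // (span // HASHES_PER_BLOCK)) % HASHES_PER_BLOCK
        expected = hblock[slot * DIGEST_SIZE:(slot + 1) * DIGEST_SIZE]
    block = data[block_no * BLOCK_SIZE:(block_no + 1) * BLOCK_SIZE]
    if block_hash(salt, block) != expected:
        raise VerityIOError(errno.EIO, "data block %d corrupted" % block_no)
    return block


def read_all(data, levels, root, salt):
    """Map block number -> 'ok' or 'EIO' for every block of the partition."""
    status = {}
    for n in range(len(data) // BLOCK_SIZE):
        try:
            verity_read(data, levels, root, salt, n)
            status[n] = "ok"
        except VerityIOError:
            status[n] = "EIO"
    return status


def demo(num_blocks=10, corrupt_block=3):
    """Constructed sample partition; flip one bit and see which reads fail."""
    rng = random.Random(7)                           # constructed, deterministic data
    salt = bytes(range(32))
    data = bytes(rng.getrandbits(8) for _ in range(num_blocks * BLOCK_SIZE))
    levels, root = build_hash_tree(data, salt)

    # 1. Intact image: every block verifies.
    clean = read_all(data, levels, root, salt)

    # 2. One flipped bit: exactly that 4 KiB block returns EIO, the rest still read.
    damaged = bytearray(data)
    damaged[corrupt_block * BLOCK_SIZE + 100] ^= 0x01
    one_bit = read_all(bytes(damaged), levels, root, salt)

    # 3. An attacker rewrites the block and patches its digest in the tree but
    #    cannot change the root (it lives in signed metadata): every block covered
    #    by the altered hash block now fails, not just the one that was changed.
    forged_levels = [list(lvl) for lvl in levels]
    idx, slot = corrupt_block // HASHES_PER_BLOCK, corrupt_block % HASHES_PER_BLOCK
    lvl0 = bytearray(forged_levels[0][idx])
    lvl0[slot * DIGEST_SIZE:(slot + 1) * DIGEST_SIZE] = block_hash(
        salt, bytes(damaged[corrupt_block * BLOCK_SIZE:(corrupt_block + 1) * BLOCK_SIZE]))
    forged_levels[0][idx] = bytes(lvl0)
    forged = read_all(bytes(damaged), forged_levels, root, salt)
    return clean, one_bit, forged


if __name__ == "__main__":
    clean, one_bit, forged = demo()
    print("clean:      ", sorted(set(clean.values())))
    print("one bit:    ", {n: s for n, s in one_bit.items() if s == "EIO"})
    print("forged tree:", sorted(set(forged.values())))
```

The real driver verifies hash blocks on demand and caches them rather than walking the whole path on every read, but the outcome is the same: a mismatch anywhere between the trusted root and the requested block turns into EIO for that block, which is exactly the failure mode that made FEC worth adding.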

Open Source Hardware Camp 2016

What: Open Source Hardware Camp
When: Saturday 3 September 2016, 09:00, through Sunday 4 September 2016, 16:00
Where: The Birchcliffe Centre, Birchcliffe Road, Hebden Bridge, West Yorkshire, HX7 8DG, UK.
Cost: £10/day

Saturday talks:
* LabRTC — progress at the Open University on instant real-time control of lab hardware that’s half a world away
* Openly Educating the Next Generation of Engineers
* Indie Manufacturing
* Keeping your project on track
* Open Source and Feature Film Production
* The Things Network, a crowd sourced data network for the Internet of Things
* Kitnic.it – A registry for open hardware electronics projects
* Computer Controlled Heating System — cool use for a hot Pi
* Scaling IoT with Open Data
* Building a Smarter Island
* Making the Laser Light Synths
* Going Beyond the von Neumann Architecture with FPGAs

Sunday workshops:
* Getting started with FPGAs and Verilog using project IceStorm
* Develop your own long range sensor using Arduino and the Thing Innovations LoRaWAN Sensor development shield.
* Axiom 4K Open Source Camera demonstration
* Assembling the OSHCamp kit

The excerpts below are taken from the announcement by Andrew Back on the OSHWA mailing list.

“Open Source Hardware Camp 2016 will take place in the Pennine town of Hebden Bridge. For the third year running it is being hosted as part of the Wuthering Bytes technology festival. Tickets are priced at £10/day and this includes lunch. […] We currently have 12 talks and 4 workshops confirmed, with the possibility of one or two more. Covering a diverse range of topics, including laser light synths, LoRaWAN and The Things Network, open source digital cinema (includes Axiom 4K open hardware cinema camera demo/workshop), and iCE40 FPGA development with Yosys and LabRTC. I’m particularly looking forward to seeing the Axiom camera and getting hands-on with the Yosys and Arachne-pnr powered open source FPGA toolchain. […] As in previous years, there will be a social event on the Saturday evening and OSHCamp is once again being hosted to coincide with the Wuthering Bytes technology festival. You’re encouraged to check out the website for details of other participating events, as there may be some of interest. E.g. the annual GCC, GDB and friends developer conference, plus the first ever LLVM Cauldron!”

http://oshug.org/event/oshcamp2016

http://wutheringbytes.com/

http://lists.oshwa.org/pipermail/discuss/2016-July/001844.html

AMI_SMI_Dump

New tool: ami_smi_dump.py:
Extract SW SMI handlers information from SMRAM dump of Skylake based AMI Aptio V firmware.

WordPress mangles embedded GitHub gist links, making them unviewable. Remove the SPACE character after the TLD in the URL below to make it work, or follow the links in the author’s tweets.

https://gist.github.com  /Cr4sh/db43cc6687e737d982d3d1c56472c6b9

Softbank to buy ARM

Wow, Softbank is buying ARM. This is huge, but I don’t know what implications that may have.

http://fortune.com/2016/07/18/softbank-arm-iot/
http://www.computerworld.com/article/3096274/apple-ios/softbank-buys-apple-s-processor-arm-for-32b.html
http://asia.nikkei.com/Business/Deals/With-ARM-deal-Softbank-bets-on-internet-of-things-and-on-UK
http://www.cbronline.com/news/verticals/the-boardroom/why-did-softbank-buy-arm-4952451

Help fund Matthew’s Patreon IoT reviews

I just learned about patreon.com. Matthew Garrett is listed on Patreon, hoping for donations to help fund his reviews of IoT devices. Please help fund Matthew, if you have the ability. Thanks!

https://www.patreon.com/mjg59

Why Matthew is on Patreon
There’s a growing number of Internet of Things devices on the market, from smart lightbulbs through smart coffee makers to smart air fresheners. You plug them all into your network and you communicate with them via your phone. At first glance they may seem like unnecessary toys, but there are many real ways they can improve lives. Smart switches can be an important assistive technology. Internet connected cameras can help people’s sense of security. Heart monitors can aid the design of an appropriate fitness regime. But how secure are they? When you plug in that smart switch, are you actually allowing attackers to gain access to your home network? Is your baby monitor happily streaming the interior of your house to anyone who asks it to? Are your lightbulbs secretly intercepting your website login details? Are your health details accessible to the entire internet? I’m a full time security developer with an extensive experience of embedded hardware and reverse engineering, and I’ve been using that to review devices. The results so far have not been positive – most devices I’ve investigated have been horribly insecure, and in one case my review caused the seller to pull the product. I’d love to carry on making reviews and helping customers make informed choices about whether they’re taking a risk by plugging in one of these smart devices, but these aren’t cheap. This is where you come in. Making a small donation means that I can keep buying devices and reviewing them. You won’t get anything special in return other than a link to the review – security information shouldn’t be restricted to people who pay for it. But it will make it easier for people to know whether there are obvious and terrible security issues with a product, and that’s good for everyone.

Microsoft MEX Windbg extension

Microsoft recently released a new WinDbg debugger extension called MEX. It offers dozens of commands covering many of Microsoft’s products. It appears to have been removed from the download site for a while, but it is back up now, at least for the moment.

There’s a copy of the MEX help usage listed here:
https://github.com/REhints/WinDbg/tree/master/MEX

Purism’s secure tablet

Purism started out making laptops and has now extended its line to tablets. Its current Indiegogo funding campaign has only 3 days left!

Purism builds a secure tablet with physical wi-fi and camera switches

https://www.indiegogo.com/projects/librem-2-in-1-tablet-that-does-not-track-you#/

U-Boot v2016.07 released

Tom Rini of Konsulko announced U-Boot v2016.07. Excerpting his announcement:

[…] I’ve released v2016.07 and it’s now live on git and FTP and ACD.  As a possible bonus, the tarball is now signed with my PGP key. Looking over the changes in this release, I would say it’s another good, solid, iterative improvement over the last.  MMC has moved to DM, we have more tests for DM now too.  ARM (32 and 64bit), MIPS, x86 have all seen improvements.  We’ve also switched to mirroring what the Linux Kernel does for “libgcc” type functionality now which should help with supporting the compilers that most distributions ship while still catching the types of errors we want caught.  We’ve moved a few more options over to Kconfig (caught some problems in our tools too) and are once again ready for more.  I think we have enough tests available now (thanks to tbot) that really even the complicated things can be moved over now and verified as correct, it’s just a matter of doing it.  We also have the ability for SPL to load FIT images and thus pick the right DT to pass along to the main U-Boot binary. […]

Full announcement:
http://lists.denx.de/pipermail/u-boot/2016-July/260149.html
More info:
http://www.denx.de/wiki/U-Boot

Enterprise: a UEFI boot loader for Linux

‘Enterprise’ is the name of a UEFI boot loader meant to boot one or more Linux ISOs from a USB thumb drive. The last release was back in 2015, but there is recent GitHub code activity. SevenBits created ‘Enterprise’ in addition to ‘Mac Linux USB Loader’, which sets up a bootable USB drive with Enterprise on it.

Enterprise (named after the Starship Enterprise from Star Trek) is an EFI program that is designed to assist in booting Linux distributions from USB sticks on UEFI-based PCs and Macs, something that is continuously regarded as being near to impossible due to quirks in vendors’ EFI implementations and really quite poor support from Linux distributions. Using Enterprise, you can create bootable USB drives that boot on a UEFI-based computer without needing rEFIt or rEFInd to be installed. Originally designed to complement ‘Mac Linux USB Loader’, Enterprise can also be used on its own to boot Linux on a variety of UEFI-based PCs and Macs. The purpose of Enterprise is as the first stage in a two-stage booting process for ‘Mac Linux USB Loader’-created USB drives. Enterprise is a custom UEFI boot manager designed to load Linux distributions, even those without UEFI booting support, directly from ISO files on UEFI-based computers. Enterprise provides an easy-to-use and simplistic interface that automates many of the tasks necessary to boot distributions of Linux from an ISO file. Enterprise supports booting multiple distributions, so you can have more than one distribution per USB stick and multiple configurations for each distribution. Enterprise requires a configuration file telling it about which distributions it should load. This configuration file is created automatically when you use tools like Mac Linux USB Loader, though it is possible to write your own file and configure Enterprise as one would configure other boot managers such as GRUB, gummiboot, and syslinux, albeit much more simply. Enterprise is under the LGPL; it pulls in code from other software projects (namely, gummiboot). It is written in portable C, and can be compiled to run on both 32-bit and 64-bit EFI firmware types.

https://www.sevenbits.tk/
https://github.com/SevenBits/Enterprise
https://sevenbits.github.io/Mac-Linux-USB-Loader/

UEFITool NE A31.0 released

Nikolaj apparently never stops coding. 🙂 Changelog:

New feature release this time: added “Hex view…” action (Ctrl/Cmd + D) and dialog to preview the selected tree item without extracting it to FS. #56

Now the dialog is modal, but if anyone needs to open more than one, it can be implemented later. The feature uses QHexEdit2 library made by Simsys, big thanks.
https://github.com/LongSoft/UEFITool/releases/tag/NE.A31.0
Also see Nikolaj’s comments re: my last post, clarifying Qt usage in UEFITool, which my post was not clear on:

UEFIDump created, UEFITool and UEFIExtract rewritten

Intel Graphics Driver for Windows: EOP vulnerability

Intel has released a security advisory for its Graphics Drivers for Windows. Excerpt from the advisory:

Multiple Potential Vulnerabilities in the Intel® Graphics Driver for Microsoft Windows
Impact of vulnerability:      Elevation of Privilege
Severity rating:      Important

Multiple potential vulnerabilities exist in the Intel® Graphics Driver for Microsoft Windows impacting versions prior to 28MAR2016. The vulnerabilities can lead to a privilege escalation or denial of service condition. Intel highly recommends that customers of the affected products obtain and apply the latest versions of the driver. Discovered by Piotr Bania of Cisco Talos.

https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00054&languageid=en-fr
https://downloadcenter.intel.com/product/80939/Graphics-Drivers
http://www.talosintelligence.com/reports/TALOS-2016-0087/

exploiting Lenovo firmware, part 2D

A bit more on this:

exploiting Lenovo firmware, part 2C

Lenovo has updated its support document. The initial version had no technical details; the update now includes a long list of models, each marked as affected or not affected. The researcher also mentions that a fix from the vendor is expected next month. I’m still waiting to see the IBV’s and other OEMs’ responses to this.

https://support.lenovo.com/us/en/solutions/LEN-8324

UEFIDump created, UEFITool and UEFIExtract rewritten

Nikolaj has been rewriting his suite of UEFI tools so that they no longer depend on the Qt framework; builds on the new engine carry an “NE” tag. UEFITool (UT NE) no longer requires Qt. UEFIExtract (UE) no longer requires Qt. UEFIFind (UF) still requires Qt and will be ported later. UEFIDump (UD) is a new tool, described below. Extract of the release notes:

UT NE A30 | UE 0.12.0 | UD 0.1.0
Almost no new features, but massive changes under the hood:
* engine (classes from /common) can now be built without Qt.
* added support for very rare Apple-specific images.
* fixed some quirks with report generation.
* UT and UE binaries rebuilt to include updated engine code.
* UEFIDump utility released, it’s a PoC analog of UEFIExtract, that generates the same report and dumps all leaf items into one .dump folder without hierarchy, “_%03d” suffix is added for duplicated items. The tool is an example of Qt-less engine usage.
* UEFIFind will be ported to non-Qt engine a bit later.

https://twitter.com/NikolajSchlej/status/751718569226952704
https://twitter.com/NikolajSchlej/status/751717273778458624

https://github.com/LongSoft/UEFITool/releases/tag/NE.A30
https://github.com/LongSoft/UEFITool/commits/new_engine
https://github.com/LongSoft/UEFITool/tree/new_engine
https://github.com/LongSoft/UEFITool

new UEFI Forum docs on HTTPS Boot and EDK2 profiling

https://twitter.com/Intel_UEFI/status/751451638716469249

EDKIIHttps_TLS_BootGettingStartedGuide_07.pdf

A_Tour_Beyond_BIOS_Implementing_Profiling_in_EDK_II.pdf

A Tour Beyond BIOS Implementing Profiling in EDK II
Jiewen Yao, Vincent Zimmer, Star Zeng, Fan Jeff
The Unified Extensible Firmware Interface (UEFI) and Platform Initialization (PI) specifications define rich execution environments such as Security (SEC), Pre-EFI Initialization (PEI), Driver Execution Environment (DXE), System Management Mode (SMM) and UEFI Runtime (RT) for firmware drivers. More and more features are being added to firmware. At the same time, the firmware still has a resource constrained environment. In addition to functionality, the size, performance, and security are three major concerns of a firmware engineer. This paper introduces several profiling features implemented in EDK II to help the UEFI firmware developer analyze the size, performance and security of a UEFI firmware implementation.

Getting Started with UEFI HTTP over TLS (HTTPS) Boot on EDK II
Wu Jiaxin
HTTP over TLS (HTTPS) boot is a standard implementation for securely booting using the Unified Extensible Firmware Interface (UEFI) over a network device. HTTPS Boot is especially important for clients using potentially insecure networks outside of corporate infrastructure. Security for UEFI HTTPS Boot is provided by the underlying Transport Layer Security (TLS).
This document assumes that the reader is familiar with the EDK II HTTP Boot Getting Started Guide.