FWTS adds test for undocumented ASPT ACPI

[[
UPDATE: see-also: https://firmwaresecurity.com/2016/01/22/who-created-the-acpi-aspt-spec/
]]

Colin King of Canonical has added a new ACPI test to the Firmware Test Suite (FWTS). The new test covers ASPT (ACPI System Performance Tuning). The problem is that ASPT is an undocumented ACPI table. As Colin says:

This table is not well described anywhere; however, it is a frequently used table on AMD machines and the format is a relatively simple set of four 32-bit addresses. This table has been discussed on the ACPICA devel mailing list:

https://lists.acpica.org/pipermail/devel/2015-November/000850.html

and this description matches the various ACPI dumps of this table on AMD machines that I have access to. I believe the table refers to an AMD performance monitoring feature.

Here are some scary comments from the new test code to clarify the problem:

/* ASPT Table (reverse engineered, table is common on AMD machines) */

/* Without a specification to work with there is very little we can do to validate this apart from the simplest sanity check */

/* ACPI ASPT: determined by reverse engineering */

For more information see the fwts-devel list or the fwts source code:
https://lists.ubuntu.com/archives/fwts-devel/2015-December/007107.html
http://www.uefi.org/acpi
IMO, the UEFI Forum, which recently took over ownership of ACPI, should be working with this vendor to provide a proper public spec, if the table is being used in modern hardware.
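To make concrete what "the simplest sanity check" amounts to for a table with no public spec, here is an added example (my code, not fwts's) that validates the generic ACPI header fields every table carries (signature, Length, and the byte checksum) and then checks that Length matches the layout Colin describes: a 36-byte ACPI header followed by four 32-bit addresses, 52 bytes in all. The sample table, its OEM strings and the four address values are constructed for the example; what the addresses actually point to is unknown, and fwts's own field names for them are not assumed here.

```c
/* Added example, not fwts code: the sanity check that is possible for an
 * ACPI table with no public spec. Assumed layout (from the description
 * above): a standard 36-byte ACPI header followed by four 32-bit addresses,
 * 52 bytes in total. The sample table and its address values are made up. */
#include <inttypes.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ACPI_HDR_LEN      36u
#define ASPT_NUM_ADDRS    4u
#define ASPT_EXPECTED_LEN (ACPI_HDR_LEN + 4u * ASPT_NUM_ADDRS)

enum aspt_status {
    ASPT_OK            =  0,
    ASPT_ERR_SHORT     = -1,  /* buffer smaller than an ACPI header */
    ASPT_ERR_SIGNATURE = -2,  /* signature is not "ASPT" */
    ASPT_ERR_LENGTH    = -3,  /* Length field off, or points past the buffer */
    ASPT_ERR_CHECKSUM  = -4   /* bytes do not sum to zero modulo 256 */
};

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* ACPI table checksum: every byte of the table, including the checksum
 * byte at offset 9, must sum to 0 modulo 256. */
uint8_t acpi_checksum(const uint8_t *p, size_t n)
{
    uint8_t sum = 0;
    for (size_t i = 0; i < n; i++)
        sum = (uint8_t)(sum + p[i]);
    return sum;
}

/* Check the header against the assumed layout; on success copy out the
 * four addresses. Never trusts Length beyond the bytes we actually hold. */
int aspt_validate(const uint8_t *tbl, size_t buflen, uint32_t addr[ASPT_NUM_ADDRS])
{
    if (buflen < ACPI_HDR_LEN)
        return ASPT_ERR_SHORT;
    if (memcmp(tbl, "ASPT", 4) != 0)
        return ASPT_ERR_SIGNATURE;
    uint32_t len = rd32(tbl + 4);
    if (len != ASPT_EXPECTED_LEN || len > buflen)
        return ASPT_ERR_LENGTH;
    if (acpi_checksum(tbl, len) != 0)
        return ASPT_ERR_CHECKSUM;
    for (unsigned i = 0; i < ASPT_NUM_ADDRS; i++)
        addr[i] = rd32(tbl + ACPI_HDR_LEN + 4u * i);
    return ASPT_OK;
}

/* Construct a sample ASPT table with a correct checksum (OEM strings and
 * addresses invented). Returns the table length, or 0 if buf is too small. */
size_t build_sample_aspt(uint8_t *buf, size_t buflen)
{
    static const uint32_t sample_addrs[ASPT_NUM_ADDRS] = {
        0xFED80000u, 0xFED80FFFu, 0xFED81000u, 0xFED81FFFu
    };
    if (buflen < ASPT_EXPECTED_LEN)
        return 0;
    memset(buf, 0, ASPT_EXPECTED_LEN);
    memcpy(buf + 0, "ASPT", 4);          /* Signature */
    wr32(buf + 4, ASPT_EXPECTED_LEN);    /* Length */
    buf[8] = 1;                          /* Revision; buf[9] is the checksum */
    memcpy(buf + 10, "AMD   ", 6);       /* OEMID */
    memcpy(buf + 16, "EXAMPLE ", 8);     /* OEM Table ID */
    wr32(buf + 24, 1);                   /* OEM Revision */
    memcpy(buf + 28, "FWTS", 4);         /* Creator ID */
    wr32(buf + 32, 1);                   /* Creator Revision */
    for (unsigned i = 0; i < ASPT_NUM_ADDRS; i++)
        wr32(buf + ACPI_HDR_LEN + 4u * i, sample_addrs[i]);
    buf[9] = (uint8_t)(0u - acpi_checksum(buf, ASPT_EXPECTED_LEN));
    return ASPT_EXPECTED_LEN;
}

int main(void)
{
    uint8_t tbl[64];
    uint32_t addr[ASPT_NUM_ADDRS];
    size_t n = build_sample_aspt(tbl, sizeof tbl);
    int rc = aspt_validate(tbl, n, addr);
    printf("ASPT validate: %d\n", rc);
    for (unsigned i = 0; rc == ASPT_OK && i < ASPT_NUM_ADDRS; i++)
        printf("  addr[%u] = 0x%08" PRIx32 "\n", i, addr[i]);
    tbl[ACPI_HDR_LEN] ^= 1;  /* flip one address bit: checksum must now fail */
    printf("after corruption: %d\n", aspt_validate(tbl, n, addr));
    return 0;
}
```

On a real machine the bytes would come from `/sys/firmware/acpi/tables/ASPT` (root needed) rather than from `build_sample_aspt`. Note that the length check is deliberately exact: with no spec, a table that is longer than the observed layout is as suspicious as one that is shorter, and the `len > buflen` test keeps the checksum loop from reading past whatever was actually mapped or copied.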

Purism adopts Qubes OS

Purism has announced a partnership with Qubes OS; users will be able to order Qubes OS preinstalled on the Librem 13.

https://twitter.com/revskills/status/674209460492115968

Excerpted quotes from press release:

“We are pleased to partner with the Purism team both in offering a certified Qubes OS laptop today, and in the future improving the functionality and security of Purism laptops to ensure that users can have the best of freedom, security and privacy in one convenient package,” said Joanna Rutkowska, well-known security researcher and founder of the Qubes OS project.

“We are ecstatic about the partnership between Purism and Qubes so we can bring together our goals of privacy, security and freedom in hardware with the best approach in software security. This union represents the ideal approach to protecting users by default, without sacrificing convenience or usability,” said Todd Weaver, CEO of Purism. “Qubes OS is a natural fit with the Purism Librem laptops in both functionality and ideology.”

Full press release:
https://puri.sm/posts/purism-partners-with-qubes-security-focused-hardware-and-software-together/
https://puri.sm/
https://www.qubes-os.org/

 

I was originally wondering why not use Qubes instead of PureOS in the first place, so I’m happy with their use of Qubes for OS solution.

I’m unclear about status of PureOS, is it mothballed or is it another OS option for Librem? Given use of Qubes, what does this say about future hardware architecture choices by Purism? AFAICT, Qubes is an Intel/AMD-centric OS, will PureOS still be used on ARM-based tablets/smartphones? Will Qubes have any ARM port?

Hardware Hacking: the problem from Hell

While using Google Search for new firmware news, I came across a news web site called “Homeland Security Today”, which has an article, “The Hidden Threat of Hardware and Firmware Hacks”, by Steven Chen and Gordon England.

“General Michael Hayden, the retired Director of the CIA and National Security Agency, once deemed hardware hacking “the problem from hell.” And many purport he was right. With today’s global economy, manufacturers can never be sure if the hardware and firmware they are putting into systems such as planes, nuclear power plants or electrical grids have been compromised. […]”

Full article (will not work on some Linux systems due to Flash):

http://www.hstoday.us/industry-news/general/single-article/the-hidden-threat-of-hardware-and-firmware-hacks/082a42f3a3ab6fe61514050aaeaae384.html

http://www.nxtbook.com/nxtbooks/kmd/hst_20151011/#/30

SuperSU

Chainfire has released SuperSU 2.61 BETA.

In the ongoing effort of having root on 6.0 as streamlined and seamless as possible, SuperSU v2.61 BETA was just released. The last few BETAs have been providing SuperSU installs without touching /system, as we are modifying the boot images anyway. Since a few days ago (v2.60) the ZIP installer automagically does this boot image patching for you (for Android 6.0+, and Samsung 5.1+), significantly reducing the hassle for devices this is compatible with. While this works great on the 6.0.x stock Nexus firmwares and even custom ROMs such as CM13, we know it still has some issues on for example the G3 and some Samsung 5.1 devices. Keep in mind this is still a BETA, and you should only be using it if you are tech-savvy enough to fix your device if you mess it up. […]

This tool is new to me. If you do Android modding or security research, perhaps this tool may be of interest.

https://plus.google.com/+Chainfire/posts/TmWziCwq1AG

Nemesis and BOOTRASH

Multiple news sites have articles on a form of financial malware, Nemesis, whose BOOTRASH component gives it bootkit functionality: it persists in the volume boot record (VBR) rather than in files on the OS volume, so it loads before Windows and survives a conventional OS reinstall.

Persistent Financial Malware ‘Nemesis’ Targets Boot Record


http://arstechnica.com/security/2015/12/nemesis-malware-hijacks-pcs-boot-process-to-gain-stealth-persistence/
http://www.eweek.com/security/bootrash-uses-volume-boot-record-to-exploit-financial-services.html

MicroParser freeware UEFI tool for Windows (no source)

ADDubovik has a new GitHub project called MicroParser:

“Makes Intel microcodes file parsing. You can extract this file from your UEFI.”

I don’t see any sources, only a pre-compiled Windows binary. So this appears to be freeware.

I have no idea if this is a useful tool, or malware designed to infect the systems of firmware security researchers. 😦

ADDubovik: if you are reading this, please post the source code to MicroParser, or explain why you can’t. Thanks.

https://github.com/ADDubovik/MicroParcer
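The format such a tool has to parse is not secret: the Intel microcode update header is documented in the Intel SDM (Vol. 3, microcode update section), so there is no reason a parser cannot ship with source. As an added example, my code and not MicroParser's, here is a parser and checksum verifier for that 48-byte header, including the legacy encoding where Data Size and Total Size of zero mean 2000 and 2048 bytes. The update it checks is constructed inline; its revision, CPUID signature, date, platform flags and payload are made up. Extended signature tables, which some updates append inside Total Size, are covered by the checksum but not decoded.

```c
/* Added example, not MicroParser's code: parse and verify an Intel microcode
 * update header (48 bytes, layout per Intel SDM Vol. 3, microcode update
 * section). The blob checked here is constructed; its revision, CPUID
 * signature, date, platform flags and payload are made up. */
#include <inttypes.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define UCODE_HDR_LEN 48u

enum ucode_status {
    UCODE_OK           =  0,
    UCODE_ERR_SHORT    = -1,  /* fewer than 48 bytes available */
    UCODE_ERR_VERSION  = -2,  /* header version or loader revision is not 1 */
    UCODE_ERR_SIZE     = -3,  /* sizes inconsistent or larger than the buffer */
    UCODE_ERR_CHECKSUM = -4   /* dwords do not sum to zero modulo 2^32 */
};

struct ucode_hdr {
    uint32_t hdr_version;    /* 1 */
    uint32_t revision;       /* update revision */
    uint32_t date;           /* BCD: mm (bits 31:24), dd (23:16), yyyy (15:0) */
    uint32_t cpu_signature;  /* CPUID(1).EAX the update applies to */
    uint32_t checksum;
    uint32_t loader_rev;     /* 1 */
    uint32_t cpu_flags;      /* platform-ID bitmask */
    uint32_t data_size;      /* 0 encodes the legacy 2000 */
    uint32_t total_size;     /* 0 encodes the legacy 2048 */
};

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Sum of all little-endian dwords in the first n bytes (n a multiple of 4). */
uint32_t ucode_dword_sum(const uint8_t *p, size_t n)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 4 <= n; i += 4)
        sum += rd32(p + i);
    return sum;
}

int ucode_parse(const uint8_t *buf, size_t buflen, struct ucode_hdr *h)
{
    if (buflen < UCODE_HDR_LEN)
        return UCODE_ERR_SHORT;
    h->hdr_version   = rd32(buf + 0);
    h->revision      = rd32(buf + 4);
    h->date          = rd32(buf + 8);
    h->cpu_signature = rd32(buf + 12);
    h->checksum      = rd32(buf + 16);
    h->loader_rev    = rd32(buf + 20);
    h->cpu_flags     = rd32(buf + 24);
    h->data_size     = rd32(buf + 28);
    h->total_size    = rd32(buf + 32);
    if (h->hdr_version != 1 || h->loader_rev != 1)
        return UCODE_ERR_VERSION;
    /* Zero sizes are the legacy encoding of the original 2048-byte updates. */
    if (h->data_size == 0)  h->data_size  = 2000;
    if (h->total_size == 0) h->total_size = 2048;
    /* Total Size is a multiple of 1024, covers header + data, and must not
     * send the checksum loop past the bytes we actually hold. */
    if (h->total_size % 1024 != 0 || h->data_size % 4 != 0 ||
        h->total_size < UCODE_HDR_LEN + h->data_size || h->total_size > buflen)
        return UCODE_ERR_SIZE;
    /* The checksum dword is chosen so that all dwords of the update sum to 0. */
    if (ucode_dword_sum(buf, h->total_size) != 0)
        return UCODE_ERR_CHECKSUM;
    return UCODE_OK;
}

static unsigned bcd2bin(unsigned v) { return (v >> 4) * 10u + (v & 0xFu); }

void ucode_date(uint32_t d, unsigned *year, unsigned *month, unsigned *day)
{
    *month = bcd2bin((d >> 24) & 0xFF);
    *day   = bcd2bin((d >> 16) & 0xFF);
    *year  = bcd2bin((d >> 8) & 0xFF) * 100u + bcd2bin(d & 0xFF);
}

/* Construct a 1024-byte update with a valid checksum; returns its size. */
size_t build_sample_ucode(uint8_t *buf, size_t buflen)
{
    const uint32_t total = 1024, data = total - UCODE_HDR_LEN;
    if (buflen < total)
        return 0;
    memset(buf, 0, total);
    wr32(buf + 0, 1);             /* header version */
    wr32(buf + 4, 0x0000001Eu);   /* update revision (made up) */
    wr32(buf + 8, 0x12012015u);   /* 2015-12-01 as BCD mmddyyyy */
    wr32(buf + 12, 0x000306C3u);  /* family 6, model 0x3C, stepping 3 */
    wr32(buf + 20, 1);            /* loader revision */
    wr32(buf + 24, 0x00000032u);  /* platform flags (made up) */
    wr32(buf + 28, data);
    wr32(buf + 32, total);
    for (uint32_t i = 0; i < data; i++)   /* stand-in for the opaque payload */
        buf[UCODE_HDR_LEN + i] = (uint8_t)(i * 7u + 3u);
    wr32(buf + 16, 0u - ucode_dword_sum(buf, total));  /* fix up checksum */
    return total;
}

int main(void)
{
    uint8_t blob[1024];
    struct ucode_hdr h;
    unsigned y, m, d;
    size_t n = build_sample_ucode(blob, sizeof blob);
    int rc = ucode_parse(blob, n, &h);
    ucode_date(h.date, &y, &m, &d);
    printf("parse: %d  rev 0x%08" PRIx32 "  sig 0x%08" PRIx32 "  pf 0x%02" PRIx32
           "  %04u-%02u-%02u  %" PRIu32 "/%" PRIu32 " bytes\n",
           rc, h.revision, h.cpu_signature, h.cpu_flags, y, m, d,
           h.data_size, h.total_size);
    blob[200] ^= 0xFF;  /* corrupt the payload: checksum must now fail */
    printf("after corruption: %d\n", ucode_parse(blob, n, &h));
    return 0;
}
```

To run this on a real microcode blob pulled out of a UEFI image, read the file into a buffer and iterate: each update begins at the previous one's offset plus its Total Size, because vendor firmware volumes concatenate updates for several steppings. The buffer-bound checks matter precisely there, since a corrupt or truncated Total Size is what turns a parser into a crash or an out-of-bounds read.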

 

bus1’s boot-efi project

Bus1’s boot-efi, “UEFI Boot Manager”, is a new GitHub project consisting of two components:

bootx64.efi: Boot Manager

 – searches EFI binaries in (ESP)/EFI/bus1/*.efi
 – executes the latest release version
 – if a key is pressed during bootup, a menu is drawn showing all found binaries
 – built-in command line editor

stubx64.efi: Boot Code Stub
 – executes the embedded PE-sections which contain the kernel, initrd,
   kernel cmdline, release string
 – shows the splash screen from the embedded PE section

I’m not sure what Bus1 is. Their motto: “Somewhere, something incredible is waiting to be known.” Besides the above boot manager, they also have a few other new projects, including another UEFI one called Build, “Build UEFI Disk”.

More information:

https://github.com/bus1/build
https://github.com/bus1/boot-efi

Intel’s Debug Extensions for WinDbg

WinDbg is Microsoft’s Windows system debugger (both user-mode and kernel-mode), which has the ability to load third-party extensions. I just noticed some WinDbg extensions that Intel has created. One enables WinDbg to work over JTAG; the other enables support for Intel Processor Trace (Intel PT):

The “Intel Debug Extensions for WinDbg” consists of two sets of debugger extensions:

1) Intel Debug Extensions for WinDbg for IA JTAG debugging (IA JTAG) enables the connection of WinDbg to a target over the JTAG. The server acts as a mediator and forwards the calls from WinDbg* to the IPC interface and back.

2) Intel Debug Extensions for WinDbg for Intel Processor Trace (Intel PT) is designed to help WinDbg users by extending their debugging tool set with execution tracing. The extension allows for easy setup of Intel PT by abstracting hardware configuration and then reconstructing and displaying execution flow from the collected trace data. It will integrate with other WinDbg* features like symbolization and high-level source display. Intel PT is a new technology for low-overhead execution tracing. It facilitates debugging a program by exposing an accurate and detailed trace of the program’s activity, and its triggering and filtering capabilities help identify and isolate the relevant program executions. Intel PT records information about software execution on each hardware thread using dedicated hardware facilities. After execution completes, software can process the recorded trace data and reconstruct the exact program flow.
[…]
BIOS / UEFI firmware: With firmware that is Intel PT-aware, you can set up an Intel PT-specific memory allocation. In this case, the firmware allocates a dedicated memory area and reserves it in a memory map for further use. Operating systems will recognize this reserved memory range and will not use it. When firmware reserves a memory region for Intel PT, it also configures the Intel PT output MSRs accordingly and indicates that Intel PT output configuration is ready to be used. The extension will recognize this setup. No further configuration (from user’s side) is required.

I presume these extensions are only available as part of the commercial-only Intel System Studio product. If you use WinDbg, you may want to try to get these extensions; they sound useful.

More information:

https://software.intel.com/en-us/iss-2016-windbg-pt-user-guide-windows
https://software.intel.com/en-us/articles/intel-system-studio-release-notes
https://software.intel.com/en-us/iss-2016-get-started-debug-extensions-windbg-windows
https://software.intel.com/en-us/intel-system-studio

TianoCore moving to GitHub

https://twitter.com/Intel_UEFI/status/672556665288327168

“This message is to notify you that near the end of January 2016 the active repository for EDK2 development will switch from using SourceForge to GitHub. The repository found at SourceForge will continue to be a read-only mirror of the master branch on GitHub. […] As part of this change a number of process changes will be adopted to support better use of git. This includes the method for sending out patches for review and other minor changes. […] “

Full article:

http://www.tianocore.org/news/2015/12/03/Git_Transition.html

Tehnoetic and Qibre selling Replicant devices to consumers!

Replicant is a Free Software version of Android. For those that don’t “enjoy” building the “firmware” of their phone from scratch, the Replicant blog just posted a story about vendors retrofitting Galaxy S, Galaxy S 2, and Galaxy Tab 2 devices with Replicant. This is roughly like how Ministry of Freedom installs Free Software (and firmware) onto old ThinkPads, but for Android-based devices. Excerpt of the announcement:

Shops selling devices pre-installed with Replicant

A few months ago, we were contacted to discuss the endorsement of an online shop selling mobile devices pre-installed with Replicant: Qibre Computer Hardware. […] A few weeks ago, Tehnoetic also started selling devices pre-installed with Replicant and was featured on the FSF’s Ethical Tech Giving Guide. At this point, the following devices can be bought pre-installed with Replicant:

 * From Qibre: Galaxy S (I9000), Galaxy S 2 (I9100), Galaxy Tab 2 7.0 (P31xx)
 * From Tehnoetic: Galaxy S 2 (I9100)

Note that 2% of each Tehnoetic S2 phone sale will be donated monthly to the Replicant project and 1% of each Tehnoetic S2 phone sale will be donated monthly to the F-Droid project, so buying devices actually helps Replicant move forward! Buying from these shops rather than third-party resellers also helps them secure money to get stocks of Replicant-supported devices in large quantities, so that it remains possible to buy them for a long time!

More information:

Shops selling devices pre-installed with Replicant


http://qibre.co.uk/
https://tehnoetic.com/
https://tehnoetic.com/tehnoetic-s2-phone-replicant
https://f-droid.org/

seL4 2.0.0 released

The Trustworthy Systems Team at Data61 (formerly NICTA) is pleased to announce seL4 release 2.0.0. The new release cleans up a large backlog of improvements we have been working on for the last 18 months. It also marks the transition to more frequent and regular releases, to minimise the lag between internal and public versions. We have also switched our release process to semantic versioning, so it’s easy to tell which seL4 releases are binary-compatible, source-compatible, or will require updates to user-level code. Specific changes are performance improvements to the IPC fastpath and scheduling, making seL4 even faster overall. All changes are formally verified for ARMv6 to full seL4 standard. There are also changes to terminology to eliminate confusion introduced by some object and system call naming in the past. For details please see the Release Notes posted on the developer mailing list.

More information:
http://sel4.systems/pipermail/announce/2015/000010.html
http://sel4.systems/

FOSDEM embedded CFP ends December 7th!

FOSDEM, one of the main community-driven open source conferences, takes place in Brussels, Belgium at the end of January. It has a track (devroom) for embedded systems, a good place for Open Source Hardware, Free Hardware, and related projects to participate. The Call for Participation/Papers is open, including for the Embedded devroom. The CFP deadline is December 7th!

“Embedded software is transforming the world, and FOSS embedded software is leading the way. From automotive to the Internet of Things, launching rockets, messing with your phone or automating your toaster, small devices, embedded systems, and automatons are everywhere. Join in and tell the world about your project! The embedded devroom seeks topics related to automotive, mobile, autonomous, and generally small systems. Related areas are of course of interest as well and our definition of “embedded” is elastic.”

The FOSDEM 2016 Embedded devroom co-organizers are:
* Peter De Schrijver, Kernel engineer at Nvidia
* Philippe De Swert, HW adaptation engineer at Jolla
* Jeremiah C. Foster, GENIVI Community Manager
* Thomas Petazzoni, CTO Free Electrons
* Geert Uytterhoeven, Glider bvba

For more information:
https://lists.fosdem.org/listinfo/embedded-devroom
https://penta.fosdem.org/submission/FOSDEM16 (select “embedded devroom” Track)

coreboot update

Patrick Georgi posted an update to the coreboot blog with recent changes. coreboot has recently started doing more regular status updates via its blog. It is nice to have a regular update on coreboot; I wish UEFI and U-Boot had such a fresh news source.

A few excerpts of the changes are listed below; see the full blog post for the entire report:

“The leading themes were the removal of support for old mainboards, and the integration of more non-AGESA AMD support code for Family 10h to 15h that spans everything from fixes to memory configuration to workarounds to problems in the SATA controller, to new feature development, enabling CC6 power-state support and everything in-between.”

Other chipset level contributions provided bug fixes to the drivers supporting Intel’s Skylake and AMD’s newer chipsets and mainboards (Kabini, Merlin Falcon, Mullins).

Also new is the Intel i8900 southbridge support that can be used with Sandy Bridge and Ivy Bridge, with an Intel reference board, the stargo2, and the SUNW Ultra40m2 board support.

Automated testing now also covers intelvbttool.

More information:

coreboot changelog

CoreOS announces new service

https://tectonic.com/blog/announcing-distributed-trusted-computing/
https://tectonic.com/trusted-computing/

Yuck, the CoreOS marketing team demands contact info before letting you read their whitepaper. But, Matthew is working there…

More info:

http://www.prnewswire.com/news-releases/tectonic-by-coreos-now-with-distributed-trusted-computing-industry-first-end-to-end-trusted-computing-environment-300186764.html

http://siliconangle.com/blog/2015/12/02/coreos-introduces-full-stack-security-for-rkt-containers/

CoreOS Steps Up Security For Its Tectonic Container Management Service

Amazon hates U-Boot

DENX, makers of Das U-Boot, one of the main boot loaders, is strangely being hassled by Amazon over sharing the U-Boot source tree from Amazon Cloud Drive; see the forwarded e-mail below. If you’re at Amazon and can help, Wolfgang’s contact information is in the signature.

——– Forwarded Message ——–
Subject:     [U-Boot] ACD takedown – new shared link
Date:     Tue, 01 Dec 2015 19:08:42 +0100
From:     Wolfgang Denk <wd@denx.de>
To:     u-boot@lists.denx.de

Hello,

for some reason Amazon Customer Service decided that publishing U-Boot sources on the Amazon Cloud Drive would violate their Terms Of Use:

    Date: November 30, 2015
    Filename: “u-boot”
    …
    We have received a complaint that you have been sharing
    content on your Amazon Cloud Drive that is prohibited by our
    Terms of Use. Upon review, we have disabled the sharing link.

I have read and re-read their TOU carefully and cannot understand what made them think so. I appealed their decision, but have not received a reply yet.

In the meantime, I have created a new link [1] and updated the web page [2] to reflect this change.

Sorry for any inconveniences this might be causing.

[1] https://www.amazon.com/clouddrive/share/iQRojZzxJnhZwGGUcyDdQDl6E5MAlTEeVwuCDdgUDo8?ref_=cd_ph_share_link_copy
[2] http://www.denx.de/wiki/U-Boot/SourceCode

Best regards,
Wolfgang Denk

DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: (+49)-8142-66989-10 Fax: (+49)-8142-66989-80 Email: wd@denx.de
For every complex problem, there is a solution that is simple,  neat,
and wrong.                                           — H. L. Mencken
_______________________________________________
U-Boot mailing list
U-Boot@lists.denx.de
http://lists.denx.de/mailman/listinfo/u-boot