WinZent releases wION BIOS for Minnow

Today, WinZent, a Sweden-based BIOS vendor, released its wION BIOS and wIOS operating system for the MinnowBoard MAX. The release is registration-required freeware.

Some excerpts from their press release:

“WinZent Technologies AB today announced the general availability of its wION BIOS and wIOS operating system for the MinnowBoard Max open hardware board. WinZent’s software allows the embedded systems developer to use any operating system, from legacy operating systems such as MS-DOS, to most Linux distributions and the latest Microsoft Windows versions. The software also boosts the board with lightning-fast performance. WinZent’s wION BIOS cold boots the MinnowBoard Max in 0.56 seconds, and completes a warm reboot in 0.21 seconds. wION is bundled with WinZent’s real-time POSIX compliant operating system wIOS, which can provide multiples to magnitudes improved performance for applications and programs.”

“WinZent Technologies AB develops and markets the world’s fastest and most compact firmware and kernel software. wION, our BIOS, is characterized by sub-second boot time and full support for both legacy and the latest operating systems. wIOS, our POSIX-compliant operating system, is characterized by its deterministic real-time capabilities and its lightning-fast speed. WinZent Technologies AB is headquartered in Stockholm in Sweden.”

More Information:

http://winzenttech.com/
http://lists.elinux.org/pipermail/elinux-minnowboard/Week-of-Mon-20150622/001660.html

Raspberry Pi firmware revised to use Linux 4.0

As reported by Michael Larabel in Phoronix, the Raspberry Pi firmware has been updated and now uses the Linux 4.0 kernel.

As Michael says, “For these low-cost ARM single board computers, the newer kernel is beneficial for new features, file-system improvements, and new device support like when it comes to USB peripherals and adapters.”

More information:
http://www.phoronix.com/scan.php?page=news_item&px=Raspberry-Pi-Linux-4.0
https://www.raspberrypi.org/forums/viewtopic.php?t=113753&p=778141

Dell Firmware blog and Intel UEFI training

I just became aware of another firmware blog, by William Leara of Dell:

http://www.basicinputoutput.com/

If you’ve not seen it, it’s worth reading, if you care about UEFI.

In this article, he mentions some of Intel’s UEFI web-based training:

http://www.basicinputoutput.com/2015/05/the-best-movies-youve-probably-never.html

In addition to this Flash-based training, Intel SSG also has a 3-day class for Intel employees, and they upload the labs and presentation materials for the public. They maintain this courseware; new versions of the presentations and labs are uploaded occasionally. If you are a Windows/Visual Studio user, you’ll be right at home with the labs. If you are a Linux user, there is a small amount of content focused on Linux; otherwise you’ll have to ignore all the screenshots of Visual Studio users clicking and right-clicking. In the future, I wish Intel SSG would add audio/video layers, in addition to the presentation and labs. Download Lab-Material-FW.zip and the most recent Presentations<YYMMDD>.zip from:

http://sourceforge.net/projects/edk2/files/Training/TrainingMaterial/

New LAVA tool from Collabora

Today, Collabora released ‘lqa’, a new command line tool — and new Python API — for working with LAVA. LAVA is Linaro’s test tool that enables ‘continuous integration’-style testing with embedded devices (including QEMU): it can update the firmware and OS on a device, then run tests on it. The main LAVA interface is a web UI. The tool is mainly intended for embedded development/QA, but is also useful for security researchers. Quoting their announcement on the linaro-validation mailing list:

Collabora has been working on ‘lqa’, a tool to submit and manage LAVA jobs, which helps to get many of the LAVA job administration and monitoring tasks conveniently done from the command line. ‘lqa’ brings a new API, the lqa_api python module, a complete set of classes to easily interact with LAVA, offering at the same time a clean API on top of which further applications can be built (like ‘lqa’ itself). It has a templating system (using the jinja2 package) that allows the use of variables in json job files (in future it could be expanded to support yaml), specifying their values either from a profile file or directly from the command line, making possible the dynamic assignment of template variables during ‘lqa’ command execution. The templating mechanism allows handling groups of jobs, therefore it makes it easier to submit jobs in bulk. ‘lqa’ also features a flexible profile system (in YAML) which allows specifying a ‘main-profile’ from which further sub-profiles can inherit values, avoiding information duplication between similar profiles. Other current features include: test report generation with the ‘analyse’ subcommand, polling to check for job completion, logging capabilities for all operations, and independent profile and configuration files.
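To make the profile inheritance and templating described in the announcement concrete, here is an added Python example; it is not lqa’s code and does not use its API. It resolves a sub-profile chain into a flat variable set, substitutes jinja2-style {{ name }} placeholders into a JSON job template using a stdlib regex instead of jinja2, lets command-line overrides win over profile values, and refuses to produce a job when a variable is unresolved or when a value contains characters that would change the JSON structure. The profile dictionary (standing in for lqa’s YAML profile files), the job template, its LAVA-style action names and all URLs are constructed for the example.

```python
import json
import re

# Constructed stand-in for an lqa-style YAML profile file: a main profile plus
# sub-profiles that name their parent with "inherits". (Assumption: the real
# lqa profile format is not shown on the page.)
PROFILES = {
    "main": {
        "device_type": "qemu",
        "timeout": 900,
        "image": "http://example.invalid/images/rootfs.img",
    },
    "arm-board": {"inherits": "main", "device_type": "beaglebone-black", "timeout": 1800},
    "arm-board-long": {"inherits": "arm-board", "timeout": 3600},
}

# Constructed LAVA-style JSON job template with jinja2-style placeholders.
JOB_TEMPLATE = """{
  "job_name": "{{ job_name }}",
  "device_type": "{{ device_type }}",
  "timeout": {{ timeout }},
  "actions": [
    {"command": "deploy_linaro_image", "parameters": {"image": "{{ image }}"}},
    {"command": "lava_test_shell",
     "parameters": {"testdef_repos": [{"git-repo": "{{ test_repo }}"}]}}
  ]
}"""

PLACEHOLDER = re.compile(r"\{\{\s*([A-Za-z_][A-Za-z0-9_]*)\s*\}\}")
# Characters that would let a variable value alter the JSON it is substituted
# into (close a string, add a key, break a line).
UNSAFE_CHARS = set('"\\\n\r')


def resolve_profile(name, profiles):
    """Flatten an inheritance chain; values in a sub-profile override its parent."""
    chain, seen, current = [], set(), name
    while current is not None:
        if current in seen:
            raise ValueError(f"profile inheritance cycle at {current!r}")
        if current not in profiles:
            raise KeyError(f"unknown profile {current!r}")
        seen.add(current)
        chain.append(profiles[current])
        current = profiles[current].get("inherits")
    merged = {}
    for profile in reversed(chain):          # root first, so children win
        merged.update({k: v for k, v in profile.items() if k != "inherits"})
    return merged


def render_job(template, variables):
    """Substitute placeholders and return the parsed JSON job, or raise."""
    missing = sorted({m for m in PLACEHOLDER.findall(template) if m not in variables})
    if missing:
        raise KeyError(f"unresolved template variables: {missing}")
    for key, value in variables.items():
        if UNSAFE_CHARS & set(str(value)):
            raise ValueError(f"variable {key!r} contains characters that would alter the job JSON")
    rendered = PLACEHOLDER.sub(lambda m: str(variables[m.group(1)]), template)
    return json.loads(rendered)   # fails loudly if the result is not valid JSON


def build_jobs(template, profiles, profile_names, overrides):
    """Render one job per profile; command-line style overrides beat profile values."""
    jobs = []
    for name in profile_names:
        variables = resolve_profile(name, profiles)
        variables.update(overrides)
        jobs.append(render_job(template, variables))
    return jobs


if __name__ == "__main__":
    overrides = {"job_name": "smoke", "test_repo": "git://example.invalid/tests.git"}
    for job in build_jobs(JOB_TEMPLATE, PROFILES, ["main", "arm-board-long"], overrides):
        print(job["job_name"], job["device_type"], job["timeout"])
```

The value check is the part worth keeping even if you use jinja2 itself: a template engine will happily emit text that is no longer the job you meant, so validate the rendered document before submitting it.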

More Information:

http://lists.linaro.org/pipermail/linaro-validation/
https://git.collabora.com/cgit/singularity/tools/lqa.git/

Intel AMT SDK 10.0 released

[Sorry for another short blog post, not much time this week..]

Intel released version 10 of their AMT SDK a few days ago.

Intel(R) Active Management Technology (Intel(R) AMT) is a capability embedded in Intel-based platforms that operates independently of the platform processor and operating system, which enables remote software to access Intel AMT, even when the platform is turned off, as long as the platform is connected to line power and to a network. ISVs can build applications that take advantage of the features of Intel AMT using the API provided in the Intel AMT SDK.

More Information:

http://blogs.intel.com/evangelists/2015/06/09/intel-amt-sdk-release-10-notes/
https://software.intel.com/en-us/articles/download-the-latest-intel-amt-software-development-kit-sdk/

AMI DuOS: runs Android and Windows, no rebooting

Today, AMI announced DuOS, aka AMIDuOS, a new OS that runs Windows (v7 or v8) alongside Android v5, so users can use both OSes without rebooting. AMIDuOS is now in Beta for download; it is a commercial product, not open source or freeware: it costs $10 for a lifetime license, with a 30-day free trial. A few excerpts from their press release are below.

“AMIDuOS is a revolutionary new concept that brings the functionality, depth and fun of the Android experience to Microsoft Windows devices. It runs on nearly any Windows 7 or 8 PC or tablet device for fast, easy switching between Windows and Android environments – without the need to dual boot! Usage of AMIDuOS is quite similar to an Android device. You just have to download and install, and you’ve got your Android device on your Windows PC.”

“AMIDuOS runs on any modern Windows Desktops, Laptops, Tablets and 2-in-1 Devices. System requirements: x86 Processor. 32/64-bit of Windows 7/8/8.1. OpenGL 3.0 and above. Hardware Virtualization Technology should be enabled in BIOS. Minimum 3GB of System RAM. Minimum 2GB of Hard disk free space.”

“Now, users have access to the full library of Android apps on their Windows device – running either full-screen or in a window, while retaining the ability to switch over to their traditional Windows apps at any time – with no need to reboot. AMIDuOS is truly the best of both worlds. AMI has utilized its decades of expertise to build hardware acceleration support into the app, and support direct hardware access whenever possible. Emulation is only used when needed – otherwise code runs natively. This, plus 3D acceleration support, means incredible performance so games and video-intensive apps run smoothly and quickly. Since AMIDuOS can access native PC hardware and drivers, apps can take advantage of the touchscreen, sensors, peripherals, GPS, camera and more to deliver a fully immersive Android experience. AMI has tested AMIDuOS with over 4,000 apps and is continually releasing updates to improve compatibility.

“In order to enjoy the full performance of DuOS, Virtualization Technology (VT-x) should be enabled in BIOS. Please ensure that your System supports Virtualization Technology.”

More Information:

http://amiduos.com/support/knowledge-base/article/what-is-duos
http://amiduos.com/support/knowledge-base/article/enabling-virtualization-in-bios
http://www.intel.com/content/www/us/en/virtualization/virtualization-technology/intel-virtualization-technology.html
http://www.ami.com/news/press-releases/?PressReleaseID=315&/American%20Megatrends%20Unwraps%20Lollipop%20-%20Run%20Android%205.0.1%20Apps%20on%20Windows%20Devices%20without%20Compromise/

Tracking Intel BIOS and UEFI updates

Here are two resources you should be tracking, if you care about firmware security. In addition to OEM-specific sites, these are very useful for tracking updates to UEFI- and Intel-based systems:

1) TianoCore Security site, advisories, and list:
http://www.tianocore.org/security/
http://tianocore.sourceforge.net/wiki/Security
http://sourceforge.net/projects/edk2/files/Security_Advisory/

The TianoCore Security site has UEFI security vulnerability information impacting most UEFI-based vendors, including non-Intel vendors like ARM. The data is released as PDFs, and announced on their list. TianoCore doesn’t use NIST SCAP CVEs; look for these PDFs instead.

2) Intel Security Center site, and list:
https://security-center.intel.com/default.aspx
https://security-center.intel.com/advisories.aspx

The Intel Security Center site has BIOS/UEFI security vulnerability information impacting Intel-based systems. The data is released as web pages, and announced on their list.

Someone from your IT department should probably be subscribed to these mailing lists, and watch them for updates that may impact your systems.

Google Auron support added to Coreboot

As reported yesterday by Michael Larabel at Phoronix, coreboot recently got support for the Intel-based Google Broadwell ‘Auron’ board. To quote Phoronix:

“Support for Auron has been added in Coreboot Git. Auron is the Google Broadwell Reference Motherboard, which in turn is based on Google’s Peppy. More Broadwell designs are emerging and soon this latest-generation Intel processor will finally be out for desktops. The Google Auron is their reference board for this latest micro-architecture.”

More Information:

http://www.phoronix.com/scan.php?page=news_item&px=Auron-Coreboot-Broadwell

UEFI 2.5 ESRT in Linux 4.2

One new feature in UEFI 2.5 is the ESRT (EFI System Resource Table). As reported in Phoronix, ESRT support has been added to the Linux kernel, and it appears that it’ll be in Linux 4.2. Quoting Peter Jones’ ESRT sysfs patch on the linux-efi list, describing ESRT:

“The EFI System Resource Table (ESRT) provides a read-only catalog of system components for which the system accepts firmware upgrades via UEFI’s “Capsule Update” feature. This module allows userland utilities to evaluate what firmware updates can be applied to this system, and potentially arrange for those updates to occur. The ESRT is described as part of the UEFI specification, in version 2.5 which should be available from http://uefi.org/specifications in early 2015. If you’re a member of the UEFI Forum, information about its addition to the standard is available as UEFI Mantis 1090. For some hardware platforms, additional restrictions may be found at http://msdn.microsoft.com/en-us/library/windows/hardware/jj128256.aspx , and additional documentation may be found at http://download.microsoft.com/download/5/F/5/5F5D16CD-2530-4289-8019-94C6A20BED3C/windows-uefi-firmware-update-platform.docx .”

Peter’s patch adds sysfs files for the ESRT under /sys/firmware/efi/esrt, with a subdirectory under entries/ for each EFI System Resource Entry. See the UEFI 2.5 specification for more details on ESRT.
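As an added example (not code from the page, the kernel, or Peter’s patch), here is a small Python checker that reads the sysfs layout described above and flags what an administrator tracking firmware updates would want to know: a running firmware version below the entry’s lowest supported version, a last capsule-update attempt that did not succeed, or a header count that disagrees with the entries exposed. The per-entry file names (fw_class, fw_type, fw_version, lowest_supported_fw_version, capsule_flags, last_attempt_version, last_attempt_status) and the header files (fw_resource_count, fw_resource_count_max, fw_resource_version) are the names used by the kernel’s ESRT sysfs driver as I know it; the type and status names come from the UEFI 2.5 ESRT definition. The sample tree it builds when no real ESRT is present, including its GUIDs, is constructed.

```python
import tempfile
from pathlib import Path

# Where the kernel patch exposes the table.
ESRT_SYSFS = Path("/sys/firmware/efi/esrt")

# Names from the UEFI 2.5 ESRT definition.
FW_TYPE = {0: "unknown", 1: "system firmware", 2: "device firmware", 3: "UEFI driver"}
LAST_ATTEMPT_STATUS = {
    0: "success", 1: "unsuccessful", 2: "insufficient resources",
    3: "incorrect version", 4: "invalid format", 5: "authentication error",
    6: "power event (AC)", 7: "power event (battery)",
}
ENTRY_INT_FIELDS = ("fw_type", "fw_version", "lowest_supported_fw_version",
                    "capsule_flags", "last_attempt_version", "last_attempt_status")


def _read_int(path):
    # sysfs prints most fields in decimal and capsule_flags in hex; base 0 handles both
    return int(path.read_text().strip(), 0)


def read_esrt(root=ESRT_SYSFS):
    """Read the ESRT header files and every entries/entryN directory into a dict."""
    root = Path(root)
    esrt = {name: _read_int(root / name)
            for name in ("fw_resource_count", "fw_resource_count_max", "fw_resource_version")}
    esrt["entries"] = []
    entry_dirs = sorted((root / "entries").iterdir(), key=lambda p: int(p.name[len("entry"):]))
    for entry_dir in entry_dirs:
        entry = {"fw_class": (entry_dir / "fw_class").read_text().strip()}
        for field in ENTRY_INT_FIELDS:
            entry[field] = _read_int(entry_dir / field)
        esrt["entries"].append(entry)
    return esrt


def check_esrt(esrt):
    """Return human-readable findings an administrator would want to act on."""
    findings = []
    if len(esrt["entries"]) != esrt["fw_resource_count"]:
        findings.append(f"header says {esrt['fw_resource_count']} resources but "
                        f"{len(esrt['entries'])} entries were exposed")
    for e in esrt["entries"]:
        kind = FW_TYPE.get(e["fw_type"], "reserved")
        if e["fw_version"] < e["lowest_supported_fw_version"]:
            findings.append(f"{e['fw_class']} ({kind}): running version {e['fw_version']} is "
                            f"below the lowest supported version {e['lowest_supported_fw_version']}")
        if e["last_attempt_status"] != 0:
            status = LAST_ATTEMPT_STATUS.get(e["last_attempt_status"], "reserved")
            findings.append(f"{e['fw_class']} ({kind}): last capsule update attempt "
                            f"(version {e['last_attempt_version']}) failed: {status}")
    return findings


def make_sample_tree(base=None):
    """Build a constructed sysfs-like tree (sample data, not from a real system)."""
    base = Path(base or tempfile.mkdtemp(prefix="esrt-sample-"))
    (base / "fw_resource_count").write_text("2\n")
    (base / "fw_resource_count_max").write_text("4\n")
    (base / "fw_resource_version").write_text("1\n")
    samples = [  # (fw_class GUID, per-entry fields); the GUIDs are made up for this sample
        ("00000000-1111-2222-3333-444444444444",
         dict(fw_type=1, fw_version=10, lowest_supported_fw_version=8, capsule_flags="0x0",
              last_attempt_version=10, last_attempt_status=0)),
        ("55555555-6666-7777-8888-999999999999",
         dict(fw_type=2, fw_version=3, lowest_supported_fw_version=3, capsule_flags="0x8000",
              last_attempt_version=4, last_attempt_status=5)),
    ]
    for index, (guid, fields) in enumerate(samples):
        entry_dir = base / "entries" / f"entry{index}"
        entry_dir.mkdir(parents=True)
        (entry_dir / "fw_class").write_text(guid + "\n")
        for name, value in fields.items():
            (entry_dir / name).write_text(f"{value}\n")
    return base


if __name__ == "__main__":
    root = ESRT_SYSFS if ESRT_SYSFS.is_dir() else make_sample_tree()
    table = read_esrt(root)
    print(f"ESRT at {root}: {len(table['entries'])} entries")
    for line in check_esrt(table) or ["no findings"]:
        print(" -", line)
```

Run it on a Linux 4.2 or later system with a UEFI 2.5 firmware and it reads the real table; anywhere else it falls back to the constructed sample, whose second entry records a capsule rejected with an authentication error, which is exactly the kind of event worth surfacing in inventory tooling.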

More Information:

http://www.uefi.org/specifications
http://www.phoronix.com/scan.php?page=news_item&px=Linux-4.2-Features-Coming
http://www.phoronix.com/scan.php?page=news_item&px=Linux-4.2-EFI-System-ESRT-Table
http://permalink.gmane.org/gmane.comp.bios.tianocore.scm/3554
http://comments.gmane.org/gmane.linux.kernel.efi/5359

Learning OpenPOWER firmware

A few days ago, I blogged about AMI joining OpenPOWER. Recently, there’s been some other activity in OpenPOWER.

IBM just announced SuperVessel, an OpenPOWER-based cloud for developers:
http://www-03.ibm.com/press/us/en/pressrelease/47082.wss
https://ptopenlab.com/cloudlabconsole/index.html
http://openpowerfoundation.org/press-releases/openpower-accelerates-open-innovation-with-new-member-products-and-free-development-cloud/

It appears the source code to the OpenPOWER firmware was released about a year ago. Luckily, some others have been blogging on OpenPOWER firmware already:
http://openpowerfoundation.org/press-releases/occ-firmware-code-is-now-open-source/
http://jk.ozlabs.org/blog/post/159/customising-openpower-firmware/

OpenPower firmware up on github!

More OpenPower Firmware code released: OCC

I’m just learning about the OpenPOWER community; it’s been years since I’ve written PowerPC assembly, and that was OS-level stuff; I am not aware of current OpenPOWER firmware technology. I probably won’t have a lot of time to post blog entries next week, but I’ll have some more on OpenPOWER firmware in future blog posts.

LegbaCore releases new research

Yesterday LegbaCore updated their website to include some more research:

“Added the How Many Million BIOSes Would you Like to Infect whitepaper to our Research page. This document contains more discussion than was provided in the conference talks of what could be done by live OSes like Tails or LPS to be more secure against firmware threats.”

More information:
http://www.legbacore.com/Research.html
http://www.legbacore.com/News.html

Joe Grand: Tools of the Hardware Hacking Trade

Joe Grand of Grand Idea Studio gave a presentation on “Tools of the Hardware Hacking Trade” a few weeks ago at RSA Conference:

“Embedded systems are pervasive in our society and many contain design flaws that can lead to exploitable vulnerabilities. In this session, Joe Grand examines common hardware tools used during the hacking and reverse engineering of electronic products, including those that monitor/decode digital communications, extract firmware, inject/spoof data, and identify/connect to debug interfaces.”

Joe Grand, a former member of the hacker collective L0pht Heavy Industries, is the founder of Grand Idea Studio, Inc., a company that specializes in the invention and licensing of consumer devices and modules for electronics hobbyists. The presentation is a nice look at the tools currently available for firmware/hardware hacking, from the security researcher’s perspective, for those of you who haven’t already created your ‘hardware hacking lab’. 🙂

I don’t know of any better resource lists of this kind, with a security focus. For books, there’s a chapter in Wiley’s “Android Hacker’s Handbook” that is similar. Alas, I didn’t find any audio/video archives, only the presentation. Most other hardware tools documentation I’ve found is mostly Maker-focused, not security focused.

More Information:

http://www.grandideastudio.com

hta-w04-tools-of-the-hardware-hacking-trade_final.pdf (the presentation)

https://www.rsaconference.com/events/us15/agenda/sessions/1619/tools-of-the-hardware-hacking-trade

More Info on UEFI 2.5 HTTP Boot Implementations

Earlier, I made this blog post on UEFI 2.5’s new HTTP Boot feature. At that time, I was unaware of some details, such as whether this feature would be implemented in TianoCore, or only in commercial products. HP gave a talk at the Spring UEFI Forum on UEFI 2.5 HTTP Boot (to replace PXE) and DMTF Redfish (to replace IPMI), so I presume some new HP products will have these new features soon, if not already. On the EFI development list, I asked a question about TianoCore and vendor support of UEFI HTTP Boot, as well as DMTF Redfish, and got two replies, one from Intel and one from HP.

Ye Ting of Intel replied and said:

“Intel is working on implementation of UEFI 2.5 HTTP boot support.”

Samer El-Haj-Mahmoud of HP also replied, and said:

“Both HTTP Boot and Redfish are very new standards. HTTP Boot got standardized as part of UEFI 2.5 in March. Redfish is still not even 1.0 (last published spec is 0.96.0a, with a target 1.0 spec sometime this month according to DMTF). It is expected that implementation will take some time to catch up to the spec. At the same time, PXE and IPMI have been there for quite some time, are implemented across the board on servers (and many clients), and are already in wide use. I do not expect them to go away anytime soon. But the goal is to switch over to HTTP and Redfish/REST over time, especially as they enable new use cases and capabilities that were not possible (or easy to do) before. The first step though is to get the specs implemented. As Ting explained, Intel is working on UEFI 2.5 HTTP Boot implementation (that I expect will show up in EDK2. I see the header files submitted already). DMTF is also working on a Redfish mockup/simulator that can be used to exercise clients. HP ProLiant Gen9 servers already support proprietary flavors of both HTTP Boot (or “Boot from URL”) and Redfish (or the “HP RESTful API”). I do not know of any other servers that implement such technologies at this time.”

So, it sounds like HP is the only vendor that supports UEFI HTTP Boot at the moment, and Intel is working on an implementation. If Intel’s implementation is part of TianoCore, other vendors may use it.

I’m looking forward to a TianoCore implementation, as well as DMTF’s Redfish simulator.

Thanks to Ye Ting and Samer El-Haj-Mahmoud for the answers!

CHIPSEC v1.2.0 Released

The Intel CHIPSEC team just posted the latest version of CHIPSEC, 1.2.0. An excerpt from the release notes is below; see the full text, including known issues, on the GitHub site:

New/updated modules:
* Merged common.secureboot.keys module into common.secureboot.variables module
* Updated tools.secureboot.te module to be able to test PE/TE issue on Linux or UEFI shell
* Updated tools.smm.smm_ptr module

Updates:
* Added the *controls* abstraction. Modules are encouraged to use ‘get_control’ and ‘set_control’ when interacting with platform registers. This permits greater flexibility in case the register that controls a given feature or configuration changes between platform generations. The controls are defined in the platform XML file. At this time, only a small number of controls are defined. We plan to move existing modules over to this new mechanism.
* Added XML Schema for the XML configuration files
* Support for reading, writing, and listing UEFI variables from the UEFI Shell environment has been added.
* Added support for decompression during SPI flash parsing via the ‘decode’ or ‘uefi decode’ commands in Linux
* Added basic ACPI table parsing to HAL (RSDP, RSDT/XSDT, APIC, DMAR)
* Added UEFI tables searching and parsing to HAL (EFI system table, runtime services table, boot services table, DXE services table, EFI configuration table)
* Added DIMM Serial Presence Detect (SPD) ROM dumping and parsing to HAL
* Added the ‘uefi s3bootscript’ command, which parses the S3 boot script, to chipsec_util.py
* Added virtual-to-physical address translation function to Linux/EFI/Windows helpers
* Added support of server platforms (Haswell server and Ivy Town) to chipset.py
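The release notes list basic ACPI table parsing (RSDP, RSDT/XSDT) among the new HAL features. As an added example, not CHIPSEC’s code, here is a standalone Python RSDP parser that does what any such HAL layer has to do before it can trust the pointer values it reads: verify the signature, the ACPI 1.0 checksum over the first 20 bytes and, for revision 2 tables, the extended checksum over the whole structure, skipping any copy of the signature that fails those checks. The field layout follows the ACPI specification; the memory image it scans, its OEM ID and its table addresses are constructed.

```python
import struct

RSDP_SIGNATURE = b"RSD PTR "
RSDP_V1_LEN = 20    # ACPI 1.0 RSDP: signature, checksum, OEMID, revision, RsdtAddress
RSDP_V2_LEN = 36    # ACPI 2.0+ adds Length, XsdtAddress, ExtendedChecksum, reserved[3]


def checksum_ok(data):
    """ACPI checksums: all bytes of the covered region must sum to 0 mod 256."""
    return sum(data) % 256 == 0


def parse_rsdp(buf):
    """Parse an RSDP at buf[0:], verifying signature and checksums before trusting any field."""
    if len(buf) < RSDP_V1_LEN or buf[:8] != RSDP_SIGNATURE:
        raise ValueError("no RSDP signature")
    if not checksum_ok(buf[:RSDP_V1_LEN]):
        raise ValueError("RSDP v1 checksum mismatch")
    _sig, _csum, oem_id, revision, rsdt_addr = struct.unpack_from("<8sB6sBI", buf, 0)
    rsdp = {"oem_id": oem_id.decode("ascii", "replace").rstrip(),
            "revision": revision, "rsdt_address": rsdt_addr}
    if revision >= 2:
        if len(buf) < RSDP_V2_LEN:
            raise ValueError("truncated ACPI 2.0 RSDP")
        length, xsdt_addr, _ext_csum = struct.unpack_from("<IQB", buf, RSDP_V1_LEN)
        if length < RSDP_V2_LEN or length > len(buf):
            raise ValueError(f"implausible RSDP length {length}")
        if not checksum_ok(buf[:length]):
            raise ValueError("RSDP extended checksum mismatch")
        rsdp.update({"length": length, "xsdt_address": xsdt_addr})
    return rsdp


def build_rsdp(oem_id, rsdt_addr, xsdt_addr=None):
    """Construct a well-formed RSDP blob (sample data for offline use, not from real hardware)."""
    revision = 2 if xsdt_addr is not None else 0
    head = bytearray(struct.pack("<8sB6sBI", RSDP_SIGNATURE, 0,
                                 oem_id.ljust(6).encode("ascii"), revision, rsdt_addr))
    head[8] = (-sum(head)) % 256          # v1 checksum covers the first 20 bytes
    if xsdt_addr is None:
        return bytes(head)
    blob = head + struct.pack("<IQB3x", RSDP_V2_LEN, xsdt_addr, 0)
    blob[32] = (-sum(blob)) % 256         # extended checksum covers all 36 bytes
    return bytes(blob)


def find_rsdp(memory):
    """Scan a memory image on 16-byte boundaries (as the legacy BIOS search of the EBDA
    and 0xE0000-0xFFFFF does) and return (offset, rsdp) for the first valid copy."""
    for offset in range(0, len(memory) - RSDP_V1_LEN + 1, 16):
        if memory[offset:offset + 8] == RSDP_SIGNATURE:
            try:
                return offset, parse_rsdp(memory[offset:])
            except ValueError:
                continue                  # signature without valid checksums: skip it
    return None


def sample_image():
    """Constructed 4 KiB image: a checksum-corrupted decoy at 0x100, a valid RSDP at 0x800."""
    image = bytearray(4096)
    good = build_rsdp("SAMPLE", 0x07FE1000, 0x07FE1014)
    image[0x100:0x100 + len(good)] = good
    image[0x100 + 8] ^= 0x01              # break the decoy's checksum byte
    image[0x800:0x800 + len(good)] = good
    return bytes(image)


if __name__ == "__main__":
    print(find_rsdp(sample_image()))
```

The decoy in the sample image is the point: a scanner that matches on the signature alone would follow whatever pointer the first copy carries, while one that insists on both checksums skips it and lands on the valid table at 0x800.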

More Information:

https://github.com/chipsec/chipsec

UEFI Advanced Security Settings for Microsoft Surface devices

A while ago, Mark Morowczynski of Microsoft wrote a blog post, “How to Manage Surface Pro 3 UEFI Through PowerShell”. In the post, he describes advanced UEFI security configuration options for the Microsoft Surface, such as enabling/disabling the cameras, WiFi, Bluetooth, and Network Boot. There’s also information about using PowerShell to configure UEFI settings, scaling to control “tens of thousands” of Surface devices.

IMO, this is a nice use of UEFI to configure security settings, I hope other OEMs and OS vendors enable this kind of granularity to configure their systems. I also hope malware authors don’t exploit this ability to scale to all Surface devices in an enterprise with a single PowerShell command. 🙂

More information:

http://blogs.technet.com/b/askpfeplat/archive/2015/04/20/how-to-manage-surface-pro-3-uefi-through-powershell.aspx
https://technet.microsoft.com/en-us/windows/dn965440

VMware partners with Intel Security for cloud IPS service

A few days ago, VMware announced a solution with Intel/McAfee for additional security. The McAfee Network Security Platform (NSP) service will provide Intrusion Prevention Services (IPS) for the data center. McAfee was acquired by Intel Security. It wasn’t clear from the press release how virtual firmware is impacted by this new security service.

“This collaboration between VMware and Intel Security delivers clear value for our mutual customers, enabling them to have consistently high levels of threat protection for traffic both inside the data center and at the data center perimeter. The tight integration between VMware NSX and Intel Security’s McAfee NSP means security controls follow application workloads, allowing customers to dynamically scale security services,” said Tom Corn, Senior Vice President, Security Products, VMware.

“With the Intel Security and VMware integration, McAfee NSP provides integration within VMware NSX to allow customers to apply advanced security capabilities for the protection of east-west traffic in the data center, which makes up the majority of traffic in these environments.  The McAfee NSP takes advantage of the VMware NSX platform’s distributed micro-segmentation enforcement and simplified automated provisioning, creating a zero-trust environment to automatically help protect organizations’ assets against advanced threats,” said Raja Patel, General Manager for the Network Security Business Unit, Intel Security.

More Information:

http://www.vmware.com/company/news/releases/vmw-newsfeed/Intel-Security-and-VMware-Announce-Intgrated-Solution-For-Automating-And-Accelerating-Advanced-Security-Services-Deployment/2892242-manual

VZ recent blog posts

Vincent Zimmer of Intel has been busy blogging the last few days… 🙂

His personal blog has a few topics related to UEFI. He talks about evolving EFI-based protocols, using hardware interrupts in UEFI’s polled driver model, MdePkg library design, and Intel TXT along with Secure Boot and Measured Boot, and remembers former Intel employee George Cox, who recently passed on.

At work, Vincent wrote a post for the Intel Firmware blog. In it, he covers some background on the “Beyond BIOS” white paper series that they’ve been producing for a decade.

(These are both blogs I follow, and I’ll list on the blogroll once I figure out how to use WordPress to expose the blogroll.)

There are MANY links in these two blog posts, and a few of them are new. Worth reading, if you care about UEFI on Intel.

More Information:

http://vzimmer.blogspot.com/2015/06/guids-revisions-interrupts.html
http://vzimmer.blogspot.com
http://firmware.intel.com/blog/beyond-bios
http://firmware.intel.com/blog

LegbaCore Summer Tour announced

LegbaCore, one of the main BIOS security research firms around, has updated their web site to include calendar information about their upcoming presentations and training for the Summer and early Fall.

They will be at HITB Singapore giving BIOS training in October. They’ll be speaking at BlackHat/DEFCON on Mac firmware attacks. They’ll be giving “Understanding x86-64 Assembly for Reverse Engineering and Exploits” training at BlackHat USA. They’ll be giving a talk at SummerCon entitled “How Many Million BIOSes Would You Like to Infect?”: “This talk will detail the result of our 1 month effort to infect the BIOS of every business class system we could get our hands on.”

They’ve also updated their Training resources. They now have *SIX* full days of BIOS/UEFI training!

More Information:

http://gsec.hitb.org/sg2015/sessions/tech-training-6-introductory-bios-smm-attack-defense/
https://www.blackhat.com/us-15/training/understanding-x86-64-assembly-for-reverse-engineering-and-exploits.html
http://www.legbacore.com/News.html
http://www.legbacore.com/Training.html
http://www.summercon.org/presentations.html#bioses

PC Advisor article on BIOS Updating for Windows users

Jim Martin wrote an article in PC Advisor earlier this week:

“How to update your BIOS: get the latest features and fixes for your PC and laptop.”

The article is a beginner’s introduction to how to update your BIOS, for Windows users. If you’re new to updating your BIOS, you might benefit from reading this!

More Information:

http://www.pcadvisor.co.uk/how-to/pc-upgrades/how-update-your-bios-3428662/