announcing PreOS Security Inc.

March 5, 2017 ~ hucktech ~ Leave a comment

FirmwareSecurity.com is my personal blog. I use it to post information about firmware as I come across it, in the hope that it might help others. I try to keep it impersonal and only focus on news/information, but my bias towards open source HW/FW/SW is not hard to find.

I started the blog a few years ago to learn firmware by focusing on the security perspective of firmware and learning from existing security researchers. I’d been doing OS-level driver consulting for a while, and was moving from OS-level moving down into firmware. Along the way, I’ve learned a lot and given talks and training on firmware security at LinuxFest Northwest, B-Sides PDX, SOURCE Seattle, and other places.

With great advice from both firmware engineers as well as firmware security researchers, I’ve seen an opportunity to help secure enterprises at the firmware level.

I’ve started a small new company, PreOS Security Inc., https://preossec.com/ . Besides attending the last UEFI Plugfest, we’ve been mostly in ‘stealth mode’, busy working on code. We have a small group of advisors who are teaching us lots of things about security/b2b/tool startups.

We’re creating a product to help enterprises secure their system firmware, as per NIST SP 800-147 guidance. We’re leveraging the expertise of existing firmware security researchers, and some of their tools (for example CHIPSEC). We’re also writing new tools to fill in some of the gaps. Our product is currently in a pre-alpha stage, and are looking for a few enterprises who’re eager to secure their firmware to work on the alpha release.

We have a draft document on ‘enterprise firmware guidance’ that we’ll be publishing on our web site (and Github), as well as that ‘awesome firmware’ links that I’ve been promising in previous blog posts. We have some patches to existing tools that we need to upstream.

We also offer training to UEFI/ACPI device vendor QA teams, data centers, and security-minded enterprises, on using firmware security tools, and consulting to customize/integrate these tools. We’ve got a half-day training event that we’ll announce shortly.

We need a Python developer, either as a partner, or a few as contractors. Currently we have equity to offer. For more information, see: https://preossec.com/careers/ .

We’re currently self-funded, hoping to fund our product development with training/consulting. But to offer more than equity, we’ve begun looking at some other sources of funding. If there are any firmware-friendly angel investors reading this, we should talk.

https://preossec.com/careers/

ACPI registry updates

March 2, 2017 ~ hucktech ~ Leave a comment

https://twitter.com/coreboot_org/status/836748151247749120

It looks like there have been 3 new ACPI regisrations so far this year:

Coreboot Project BOOT 02/28/2017
https://www.coreboot.org/

Exar Corporation EXAR 02/28/2017
https://www.exar.com/

VR Technology Holdings Limited 3GVR 01/19/2017
http://www.3glasses.com/en/

http://www.uefi.org/acpi_id_list

Microsoft updates Secure Boot and ACPI requirements

February 24, 2017 ~ hucktech ~ Leave a comment

These Microsoft pages have recently (last month) been updated. No changelog, so unclear what has changed. 😦

https://msdn.microsoft.com/en-us/windows/hardware/drivers/bringup/secure-boot-and-device-encryption-overview

https://msdn.microsoft.com/en-us/windows/hardware/commercialize/design/device-experiences/acpi-firmware-implementation-requirements

https://msdn.microsoft.com/en-us/windows/hardware/drivers/bringup/firmware-requirements-for-d3cold

political/firmware humor (and poll)

February 7, 2017 ~ hucktech ~ Leave a comment

https://plus.google.com/+JonMasters/posts/hpp84Eye76K

ACPI graph support

February 3, 2017 ~ hucktech ~ Leave a comment

Sakari Ailus of Intel posted a patch to the Linux-ACPI list that enables ‘ACPI graph support’. Slightly edited version of announcement below:

I posted a previous RFC labelled set of ACPI graph support a while ago[1]. Since then, the matter of how the properties should be used as in ACPI _DSD was discussed in Ksummit and LPC, and a document detailing the rules was written [1]. I’ve additionally posted v1 which can be found here[2]. This set contains patches written by Mika Westerberg and by myself. The patchset brings support for graphs to ACPI. The functionality achieved by these patches is very similar to what the Device tree provides: the port and the endpoint concept are being employed. The patches make use of the _DSD property and data extensions to achieve this. The fwnode interface is extended by graph functionality; this way graph information originating from both OF and ACPI may be accessed using the same interface, without being aware of the underlying firmware interface. The last patch of the set contains ASL documentation including an example. The entire set may also be found here (on mediatree.git master, but it also applies cleanly on linux-next)[3]. The resulting fwnode graph interface has been tested using V4L2 async with fwnode matching and smiapp and omap3isp drivers, with appropriate changes to make use of the fwnode interface in drivers. The V4L2 patches can be found here. The fwnode graph interface is used by the newly added V4L2 fwnode framework which replaces the V4L2 OF framework, with equivalent functionality.[4]

[1] http://www.spinics.net/lists/linux-acpi/msg69547.html
[2] http://www.spinics.net/lists/linux-acpi/msg71661.html
[3] https://git.linuxtv.org/sailus/media_tree.git/log/?h=acpi-graph
[4] https://git.linuxtv.org/sailus/media_tree.git/log/?h=v4l2-acpi

Full announcement — including changes for v1 — is on the linux-acpi list:
http://vger.kernel.org/majordomo-info.html
http://www.spinics.net/lists/linux-acpi/

faking virtual firmware to thwart malware authors

January 31, 2017 ~ hucktech ~ Leave a comment

Thomas Roccia write a new blog post on watching how malware detects VM’s virtualized hardware/firmware resources, including a defensive POC and a pointer to a similar tool.

Stopping Malware With a Fake Virtual Machine
As we explained in a previous post, some advanced malware can detect a virtual environment such as a sandbox to avoid detection and analysis. Some threats can also detect monitoring tools used for malware analysis. Often such malware will not execute or change their behavior to appear harmless. Because some malware uses these tactics, planting fake virtual machine artefacts or fake analysis tools on a system could stop their malicious behavior. We have created a quick proof of concept (POC) to demonstrate this defensive tactic. […] A lot of registry keys are created by specific tools or by sandbox emulation. Using the Windows API RegCreateKeyEx we can create all the (fake) keys normally created by a virtual hypervisor. The following list shows of few of the potential registry keys that malware can detect:
    HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0\“Identifier”;“VMWARE”
    HKLM\SOFTWARE\VMware, Inc.\VMware Tools
    HKLM\HARDWARE\Description\System\ “SystemBiosVersion”;”VMWARE”
    HKLM\HARDWARE\Description\System\”SystemBiosVersion”;VBOX
    HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions
    HKLM\HARDWARE\ACPI\DSDT\VBOX__

https://securingtomorrow.mcafee.com/mcafee-labs/stopping-malware-fake-virtual-machine/

https://github.com/fr0gger/RocProtect-V1

AMI announces UEFI 2.6 and ACPI 6.1 support

January 25, 2017 ~ hucktech ~ Leave a comment

Aptio V is compliant with UEFI 2.6 and ACPI v6.1 https://t.co/q8MTNqnCtv

— AMI (@AMI_PR) January 25, 2017

AMI announced that their UEFI implementation, Aptio V, supports UEFI 2.6 and ACPI 6.1

American Megatrends Announces Aptio V Compliance with UEFI 2.6 and ACPI v6.1

AMI is proud to announce Aptio® V support and compliance for UEFI 2.6 and ACPI v6.1 specifications. As a leader in the BIOS/UEFI firmware industry and board member in the UEFI community, AMI keeps up with the latest upgrades and specifications to better serve its customers in the technology industry. Aptio® V, AMI’s flagship UEFI firmware, is developed according to UEFI specifications and the added support for UEFI 2.6 and ACPI v6.1 gives manufacturers the ability to enhance select platforms based on the latest UEFI specifications. The newest specifications, announced this past March, keeps up with the increasing expectations of the market, providing OEMs and ODMs greater manageability across various user systems and creating more expansive support for newer platforms and designs. By integrating and expanding support for UEFI 2.6 and ACPI v6.1 on its core UEFI firmware, Aptio V, AMI standardizes operating systems booting and optimizes pre-boot applications for its customers.

Full PR:

https://ami.com/news/press-releases/?PressReleaseID=373

FWTS 17.01.00 released

January 19, 2017 ~ hucktech ~ Leave a comment

Firmware Test Suite 17.01.00 released https://t.co/69nPar9r8b

— vincent zimmer (@vincentzimmer) January 19, 2017

Alex Hung of Canonical has announced the release of FWTS 17.01.00, the FirmWare Test Suite.

New Features:
* ACPICA: Update to version 20161222
* klog.json: Add kernel errors to the database
* fedora/fwts.spec: Add initial version of fwts.spec
* fedora/buildrpm.sh: Add build script for RPMs

See the full announcement for more details:
http://fwts.ubuntu.com/release/fwts-V17.01.00.tar.gz
https://launchpad.net/~firmware-testing-team/+archive/ubuntu/ppa-fwts-stable
https://wiki.ubuntu.com/FirmwareTestSuite/ReleaseNotes/17.01.00
https://launchpad.net/ubuntu/+source/fwts

Yuriy and Oleksandr at REcon

January 18, 2017 ~ hucktech ~ Leave a comment

"Baring the system: New vulnerabilities in SMM of Coreboot and UEFI based systems" @reconbrx by @ABazhaniuk & myself https://t.co/Yq1mO4fpl8

— Yuriy Bulygin (@c7zero) January 17, 2017

Baring the system: New vulnerabilities in SMM of Coreboot and UEFI based systems
By: Yuriy Bulygin, Oleksandr Bazhaniuk

Previously, we discovered a number of vulnerabilities in UEFI based firmware including software vulnerabilities in SMI handlers that could lead to SMM code execution, attacks on hypervisors like Xen, Hyper-V and bypassing modern security protections in Windows 10 such as Virtual Secure Mode with Credential and Device Guard. These issues led to changes in the way OS communicates with SMM on UEFI based systems and new Windows SMM Security Mitigations ACPI Table (WSMT). This research describes an entirely new class of vulnerabilities affecting SMI handlers on systems with Coreboot and UEFI based firmware. These issues are caused by incorrect trust assumptions between the firmware and underlying hardware which makes them applicable to any type of system firmware. We will describe impact and various mitigation techniques. We will also release a module for open source CHIPSEC framework to automatically detect this type of issues on a running system.

https://recon.cx/2017/brussels/talks/baring_the_system.html

Yuriy to speak at REcon Brussels

FWTS 16.12.00 released

December 31, 2016 ~ hucktech ~ Leave a comment

Ivan Hu of Canonical.com announced the release of FirmWare Test Suite release 16.12.00, with new features in UEFI Secure Boot, OpenPOWER Opal, and ACPI tests. See the full announcement for the list of bugfixes.

New Features:
* ACPICA: Update to version 20161117
* klog.json: Add a few more kernel errors to the database
* opal: pci_info: Add OPAL PCI Info validation
* opal: mem_info: Add OPAL MEM Info validation
* opal: cpu_info: Add OPAL CPU Info validation
* securebootcert: add variable AuditMode checking
* securebootcert: add variable DeployedMode checking

http://fwts.ubuntu.com/release/fwts-V16.12.00.tar.gz
https://launchpad.net/~firmware-testing-team/+archive/ubuntu/ppa-fwts-stable
https://wiki.ubuntu.com/FirmwareTestSuite/ReleaseNotes/16.12.00
https://launchpad.net/ubuntu/+source/fwts

Mark Doran on device IDs

December 25, 2016 ~ hucktech ~ Leave a comment

Mark Doran of Intel is interviewed for an article in EECatalog on device IDs, a useful read for those that care about device IDs (and ACPI).

http://eecatalog.com/intel/2016/12/07/a-singular-perspective-on-unique-ids-qa-with-uefi-forum-president-mark-doran/

ACPIview

December 16, 2016 ~ hucktech ~ Leave a comment

Evan Lloyd and Sami Mujawar of ARM have submitted a new ACPI UEFI Shell tool for Tianocore.

[edk2] [PATCH] ShellPkg: Add acpiview tool to dump ACPI tables

This program is provided to allow examination of ACPI table contents from the UEFI Shell. This can help with investigations, especially at that stage where the tables are not enabling an OS to boot. The program is not exhaustive, and only encapsulates detailed knowledge of a limited number of table types. Default behaviour is to display the content of all tables installed. ‘Known’ table types will be parsed and displayed with descriptions and field values. Where appropriate a degree of consistency checking is done and errors may be reported in the output. Other table types will be displayed as an array of Hexadecimal bytes. To facilitate debugging, the -t and -b options can be used to generate a binary file image of a table that can be copied elsewhere for investigation using tools such as those provided by acpica.org. This is especially relevant for AML type tables like DSDT and SSDT. The inspiration for this is the existing smbiosview Debug1 Shell command, and the command is also intended for Debug1. Many tables are not explicitly handled, in part because no examples are available for our testing. The program is designed to be extended to new tables with minimal effort, and contributions are invited.

The code is available for examination at:
https://github.com/EvanLloyd/tianocore/tree/651_acpiview_v1

Linux Kernel lockdown

November 17, 2016 ~ hucktech ~ Leave a comment

David Howells of Red Hat submitted a 16-part patch to the Linux-(Security,EFI,Kernel) mailing lists, with an interesting security patch for the Linux kenel. The patch includes contributions from: David Howells, Josh Boyer, Kyle McMartin, Matthew Garrett, and Dave Young. Quoting the patch announcement:

These patches provide a facility by which a variety of avenues by which userspace can feasibly modify the running kernel image can be locked down. These include:

* No unsigned modules and no modules for which can’t validate the signature.
* No use of ioperm(), iopl() and no writing to /dev/port.
* No writing to /dev/mem or /dev/kmem.
* No hibernation.
* Restrict PCI BAR access.
* Restrict MSR access.
* No kexec_load().
* Certain ACPI restrictions.
* Restrict debugfs interface to ASUS WMI.

The lock-down can be configured to be triggered by the EFI secure boot status, provided the shim isn’t insecure. The lock-down can be lifted by typing SysRq+x on a keyboard attached to the system. They are dependent for some EFI definitions on the keys-uefi branch.

Copy secure_boot flag in boot params across kexec reboot
Add the ability to lock down access to the running kernel image
efi: Get the secure boot status
efi: Lock down the kernel if booted in secure boot mode
efi: Disable secure boot if shim is in insecure mode
efi: Add EFI_SECURE_BOOT bit
hibernate: Disable when the kernel is locked down
acpi: Ignore acpi_rsdp kernel param when the kernel has been locked down
Add a sysrq option to exit secure boot mode
kexec: Disable at runtime if the kernel is locked down
PCI: Lock down BAR access when the kernel is locked down
x86: Lock down IO port access when the kernel is locked down
ACPI: Limit access to custom_method when the kernel is locked down
asus-wmi: Restrict debugfs interface when the kernel is locked down
Restrict /dev/mem and /dev/kmem when the kernel is locked down
x86: Restrict MSR access when the kernel is locked down

More information:
http://git.kernel.org/cgit/linux/kernel/git/dhowells/linux-fs.git/log/?h=keys-lockdown
http://vger.kernel.org/majordomo-info.html

FWTS 16.011.00 released

November 10, 2016 ~ hucktech ~ Leave a comment

Ivan Hu of Canonical announced the 16.011.00 release of FWTS, the FirmWare Test Suite.

New Features include:
* ACPICA: Update to version 20160930
* uefibootpath: add test for eMMC device path
* uefidump: add dumping for the eMMC device path

There are lots of bugfixes as well, see the Changelog.

https://launchpad.net/ubuntu/+source/fwts
http://fwts.ubuntu.com/release/fwts-V16.11.00.tar.gz
https://launchpad.net/~firmware-testing-team/+archive/ubuntu/ppa-fwts-stable
https://wiki.ubuntu.com/FirmwareTestSuite/ReleaseNotes/16.11.00

FWTS 16.09.00 released

September 12, 2016 ~ hucktech ~ Leave a comment

Alex Hung of Canonical announced the latest release of FWTS, the FirmWare Test Suite, on the fwts-announce and other lists.

New Features include:
* lib: acpi: add supports for WPBT
* acpi: wpbt: add ACPI WPBT test
* lib: acpi: add supports for DRTM
* acpi: drtm: add ACPI DRTM test
* lib: fwts_guid: add a compare function
* acpi: nfit: check fields equals 0 for Virtual CD and Disk
* opal: mtd: Add OPAL MTD Validation
* acpi: ACPI Platform check updates
* acpi: fadt: Remove HEADLESS check on reduced hardware
* pci: aspm: Add segment support
* ACPICA: Update to version 20160831

See the full announcement for list of bugfixes.

http://fwts.ubuntu.com/release/fwts-V16.09.00.tar.gz
https://launchpad.net/~firmware-testing-team/+archive/ubuntu/ppa-fwts-stable
https://wiki.ubuntu.com/FirmwareTestSuite/ReleaseNotes/16.09.00
https://launchpad.net/ubuntu/+source/fwts

_DSD Guidance updated

September 5, 2016 ~ hucktech ~ Leave a comment

Re: this previous post:

Guidance on using ACPI _DSD with Linux

Al Stone of Red Hat published an updated version of 3 documents giving guidance on using _DSD ACPI:

[RFC DSD v3 00/04] How to Use the ACPI _DSD Device Properties UUIDs

A copy of the ChangeLog is also attached so that you can see what the primary changes were for this second version.

https://github.com/ahs3/dsd/tree/master/documentation

https://github.com/ahs3/dsd/commit/7fbdce494b9b7b952e709e43b8dbbfd5cf8d4fcb
https://github.com/ahs3/dsd/commits/master

Click to access _DSD-device-properties-UUID.pdf

Click to access _DSD-hierarchical-data-extension-UUID-v1.pdf

ACPICA shipping acpidump.efi

August 29, 2016 ~ hucktech ~ Leave a comment

In recent news on the ACPICA site is:

“AcpiDump for UEFI is now available at Downloads/uefi-support – 26 August, 2016 – 13:57”

The tool acpidump now targets UEFI, in addition to OSes. In addition to shipping source via Github, they ship a zip with prebuilt Intel 32- and 64-bit .efi binaries, no ARM binaries.

https://github.com/acpica/acpica/tree/master/source/tools/acpidump

https://acpica.org/downloads/uefi-support

https://acpica.org/

If there is a place where the above web site’s ‘recent news’ is delivered via RSS or Atom or Twitter or NNTP or some announce mailing list or even Facebook, please leave a Comment. I think I’m not on the right ACPI list or something… Thanks.

FWTS v16.08.01 released

August 18, 2016 ~ hucktech ~ Leave a comment

Alex Hung of Canonical announced v16.08.01 of FWTS, the FirmWare Test Suite.

There are a few new ACPI tests in this release:

* acpi: nfit: add ACPI NFIT test
* lib: acpi: add support for MPST
* acpi: mpst: add ACPI MPST test
* lib: acpi: add support for PMTT
* acpi: pmtt: add ACPI PMTT test
* ACPICA: Update to version 20160729

See the release notes for the list of bugfixes.

https://launchpad.net/ubuntu/+source/fwts
http://fwts.ubuntu.com/release/fwts-V16.08.01.tar.gz
https://launchpad.net/~firmware-testing-team/+archive/ubuntu/ppa-fwts-stable
https://wiki.ubuntu.com/FirmwareTestSuite/ReleaseNotes/16.08.01

new ACPI spec on TCG D-RTM

August 3, 2016 ~ hucktech ~ Leave a comment

I just noticed there’s a new file on the list of ACPI specs, a 1.0 doc from TCG on D-RTM from mid-June:

TCG D-RTM Architecture
Document Version 1.0.0
June 17, 2013

This specification describes the architecture and implementation examples for a Dynamic Root of Trust for Measurement (D-RTM) used for measured platform initialization without a hardware platform restart. This specification extends the TCG PC Client specification (See (1)). The term “dynamic” is used because the measured platform initialization may occur while the hardware platform is running. In contrast, the Static Root of Trust for Measurement (S-RTM) requires a platform shutdown or restart.

Click to access TCG_D-RTM_Architecture_v1-0_Published_06172013.pdf

http://uefi.org/acpi

I wish there was an ACPI-announce list, or even a Twitter feed, to keep track of new ACPI specs…

FWTS 16.07.00 released

July 27, 2016 ~ hucktech ~ Leave a comment

Ivan Hu of Canonical announced the release of FirmWare Test Suite 16.07.00:

New Features:
   * acpi: method: add _FIT test
   * acpi: pcct: add ACPI PCCT test
   * opal/prd_info: Add OPAL Processor Recovery Diagnostics
   * olog: olog.json: Add OPAL skiboot errors for olog scan
   * Add klog checking for errors from drivers/acpi/tables.c
   * klog: data.json: Add klog checking for kernel NUMA errors from drivers/acpi/numa.c
   * klog: data.json: Add klog checking for kernel EC errors from drivers/acpi/ec.c
   * klog: data.json: Add klog checking for errors from drivers/acpi/acpi_cmos_rtc.c
   * klog: data.json: Add klog checking for errors from drivers/acpi/nfit.c
   * klog: data.json: Add klog checking for errors from drivers/acpi/pci_root.c
   * klog: data.json: Add klog checking for errors from drivers/acpi/pci_mcfg.c
   * klog: data.json: Add klog checking for errors from drivers/acpi/cppc_acpi.c
   * klog: data.json: Add klog checking for errors from drivers/acpi/battery.c
   * klog: data.json: Add klog checking for errors from drivers/acpi/processor_idle.c
   * klog: data.json: Add klog checking for errors from drivers/acpi/sleep.c
   * klog: data.json: Add klog checking for errors from drivers/acpi/acpica/rsmisc.c
   * klog: data.json: Add klog checking for errors from drivers/acpi/evged.c
   * efi: enable module loading to load legacy or new efi driver
   * acpi: madt: Add support for ACPI 6.0a
   * acpi: madt: Add support for ACPI 6.1
   * uefi: update reset type to uefi 2.6
   * acpi: dbg2: Add missing debug port types

See the full release notes for list of bugfixes.

http://fwts.ubuntu.com/release/fwts-V16.07.00.tar.gz
https://launchpad.net/~firmware-testing-team/+archive/ubuntu/ppa-fwts-stable
https://wiki.ubuntu.com/FirmwareTestSuite/ReleaseNotes/16.07.00
https://launchpad.net/ubuntu/+source/fwts