Intel ATR research on CERT VU 976132

Earlier today I posted on US-CERT’s recent vulnerability note for multiple UEFI vulnerabilities:

US CERT BIOS Vulnerability Note VU#577140!

Later today, Intel has released new research about this:

Technical Details of the S3 Resume Boot Script Vulnerability

“This paper describes technical details of a vulnerability (VU #976132 / CVE-2014-8274) in the protection of EFI based system firmware and platform configuration when resuming from the S3 sleep state. The issue was independently discovered and presented at 31C3 in December 2014. After discovering this issue, the Advanced Threat Research team has been working to notify BIOS developers and ensure that mitigations are created. We are releasing a test module for the open source CHIPSEC platform security assessment framework. This will assist users in identifying whether their platforms might be affected by this issue.”

Read the full report here:

Click to access WP_Intel_ATR_S3_ResBS_Vuln.pdf

Note the part about a new CHIPSEC test, to test for this vulnerability, so watch the CHIPSEC Github for an update. I don’t see an update as of yet.

OEMs: please watch the security talk from Phoenix at the last UEFI Forum plugfest, especially the advice to run CHIPSEC before you ship any new systems. Please ensure your QA team uses fresh CHIPSEC builds.

Consumer Reports and other PC reviewers: please add CHIPSEC pass/fail data for any new systems. OEMs will improve their internal QA once they realize that the first thing public reviewers will call out is a known-bad product.

More information:

US CERT BIOS Vulnerability Note VU#577140!

Click to access WP_Intel_ATR_S3_ResBS_Vuln.pdf

tool mini-review: untermensch UEFI Windows Secure Boot injection tools

Back in 2013, Untermensch wrote a series of tools to help with Windows 8 UEFI Secure Boot testing.

Since I mostly use Unix-based platforms these days, I haven’t dug deep into this tool.

If you’re a security researcher looking into vulnerabilities in Windows’ use of Secure Boot, these tools may be very useful to you.

Be very careful using the tools; they come with a strong warning:

CAUTION: this module is experimental!!! Be prepared to recover a bricked motherboard!
For best results use MMTool to replace module!!

WindSLIC:
WindSLIC SLIC injectors: includes UEFI, NTFS, bootmgr SLIC injectors and installers.

Injector:
UEFI SLIC injector, alternate method: uses an alternate method to inject SLIC into ACPI tables; use LicenseData.exe to add the key, marker and SLP string to NVRAM.

FirmwareModule:
UEFI SLIC injector firmware module: the build process generates an FFS image. Use MMTool.exe to replace MSOA in the target firmware, flash the modified firmware, then use InstallData.cmd to write the marker, key and SLP string to NVRAM.

More Information:
https://github.com/untermensch/WindSLIC
https://github.com/untermensch/Injector
https://github.com/untermensch/FirmwareModule

LinuxCon North America this August in Seattle

LinuxCon North America is happening this August, in Seattle for the first time (I think). A quick look at their schedule shows a variety of interesting presentations related to firmware security:

* Extending the Secure Boot Certificate and Signature Chain of Trust in the OS – Fionnuala Gunter, Hypori
* Resurrecting Internet Booting – Boot Boot, Booting Over the Internet – John Hawley, Intel
* Demystifying ACPI and EFI via Python and BITS – Josh Triplett
* ACPI for Network Switches – Dustin Byford, Cumulus Networks
* Tying TPMs Throughout The Stack – Matthew Garrett, CoreOS
* Turtles All The Way: Running Linux on Open Hardware – Rob Landley
* ACPI 6 and Linux – Rafael J. Wysocki, Intel
* The Bare-Metal Hypervisor as a Platform for Innovation – Russell Pavlicek, Citrix
* Suspend/Resume at the Speed of Light – Len Brown, Intel

Josh Triplett on BIOS BITS sounds especially interesting. It’ll be interesting to see if the boot boot reboot will get integrated with UEFI HTTP Boot support.

More information:
http://events.linuxfoundation.org/events/linuxcon-north-america
http://events.linuxfoundation.org/events/linuxcon-north-america/program/schedule

FreeBSD 10.2 beta1 released

Today FreeBSD announced availability of release 10.2-BETA1.

Amongst the new features and changes in this release, these are the ones interesting from a firmware perspective:

* The uefisign(8) utility has been added. [r282974] (Sponsored by The FreeBSD Foundation)
* The acpi(4) subsystem has been updated to version 20150515. [r284460]
* Throttling via ACPI and P4TCC via device.hints(5) have been turned off by default. [r276986]
* The boot loader has been updated to support entering the GELI passphrase before loading the kernel. To enable this behavior, add geom_eli_passphrase_prompt="YES" to loader.conf(5). [r281843]
* The memory test run at boot time on FreeBSD/amd64 platforms has been disabled by default. [r283262] (Sponsored by The FreeBSD Foundation)

Besides the above changes, there’ve also been a variety of iSCSI changes; it is unclear if this impacts UEFI’s iSCSI support at all. And the Hyper-V drivers have been updated, sponsored by Microsoft’s Open Source Technology Center. [I am ignorant of Hyper-V technology; I guess I need to check how the open source Hyper-V code in NanoBSD impacts UEFI.]

More Information:
https://www.freebsd.org/relnotes/10-STABLE/relnotes/article.html
https://lists.freebsd.org/pipermail/freebsd-stable/2015-July/082704.html

PS: Unrelated to the FreeBSD release, it appears the Intel CHIPSEC team is about to release 1.2.1; there is activity on their GitHub site:

https://github.com/chipsec/chipsec

FirmWare Test Suite 15.07.00 released

[Update: Colin King also blogged about this release:
http://smackerelofopinion.blogspot.com/2015/07/new-acpi-table-tests-in-fwts150700.html ]

Today Alex Hung of Canonical announced the latest release of FWTS, the FirmWare Test Suite.

Tar: http://fwts.ubuntu.com/release/fwts-V15.07.00.tar.gz
PPA: https://launchpad.net/~firmware-testing-team/+archive/ubuntu/ppa-fwts-stable
Release Notes: https://wiki.ubuntu.com/FirmwareTestSuite/ReleaseNotes/15.07.00

Changes to existing Features:
* --uefi and --acpi options renamed to --uefitests and --acpitests
* ACPI table tests in the acpitables test have been moved into specific ACPI tests.

New Features:
* acpi: acpidump: update TCPA table and acpidump accordingly
* acpi: add ACPI TCPA test
* acpi: add XENV table test
* lib: fwts_framework: Append “tests” to --uefi and --acpi
* live-image/fwts-frontend-text: update to --uefitests and --acpitests
* lib: acpi, acpidump: rename slit tables types
* lib: acpi: add in new GICC table fwts_acpi_table_gicc_affinity
* acpi: add SRAT table sanity checking (LP: #1464658)
* acpi: add BERT table sanity checking (LP: #1464712)
* lib: acpi: Add in GAS address types
* acpi: add ECDT table sanity checking (LP: #1464716)
* lib: acpi: Add support for the SPMI table
* acpi: add ACPI SPMI table sanity checking (LP: #1465256)
* acpi: add ACPI SLIT table sanity checking (LP: #1465276)
* lib: acpi: Add support for the HEST family of ACPI tables
* acpi: add ACPI HEST table sanity checking (LP: #1465379)
* acpi: Add BOOT table test (LP: #1465435)
* acpi: Add DBGP table test (LP: #1465441)
* acpi: Add DBG2 table test (LP: #1465710)
* acpi: re-organise HPET tests
* acpi: move MADT test from acpitables into new MADT test
* acpi: move GTDT test from acpitables into new GTDT test
* acpi: move XSDT test from acpitables into new XSDT test
* acpi: move RSDP test from acpitables into new RSDP test
* acpi: move RSDT test from acpitables into new RSDT test
* acpi: acpitables: remove no-op MCFG test
* acpi: move SBST test from acpitables into new SBST test
* acpi: move FADT test from acpitables into existing FADT test
* acpi: acpitables: remove redundant acpi table checking
* acpi: allow various ACPI table tests to run without root access
* lib: fwts_acpi_tables: fully pad out fixed up ACPI OEM IDs
* acpi: spcr: add missing white space in error messages
* acpi: add ACPI ERST test (LP: #1467835)
* acpi: correct ACPI BGRT table type
* acpi: add ACPI BGRT test (LP: #1467863)
* acpi: add ACPI CPEP test (LP: #1467870)
* acpi: add ACPI FACS test (LP: #1467966)
* acpi: acpidump: add in missing exponent field to SLIC
* acpi: add CSRT ACPI Table test (LP: #1470116)
* acpi: add LPIT ACPI test (LP: #1470184)
* acpi: add WAET ACPI table test (LP: #1470495)
* acpi: add SLIC table test (LP: #1470518)
* acpi: add MSDM table test (LP: #1470538)
* acpi: add UEFI ACPI data table test (LP: #1471698)
* bios: os2gap: remove ancient legacy test (LP: #1470573)

Fixed Bugs:
* acpi: acpidump: update SMM Communication fields on UEFI table
* lib: make acpidump parser more robust (LP: #1471202)
* fwts: cpufreq: fix theoretical division by zero (LP: #1466905)
* acpi: method: remove extraneous "_" in error message
* lib: fwts_klog: fix vector size and handle errors from pcre_exec (LP: #1461520)
* acpi: lib: fwts_acpi_tables: force fixup when loading tables from /sys/firmware
* lib: acpica: compiler: link in missing objects (LP: #1461936)

CHIPSEC v1.2.0 Released

The Intel CHIPSEC team just posted the latest version of CHIPSEC, 1.2.0. A release notes excerpt is below; see the full text, including known issues, on the GitHub site:

New/updated modules:
* Merged common.secureboot.keys module into common.secureboot.variables module
* Updated tools.secureboot.te module to be able to test PE/TE issue on Linux or UEFI shell
* Updated tools.smm.smm_ptr module

Updates:
* Added the *controls* abstraction. Modules are encouraged to use "get_control" and "set_control" when interacting with platform registers. This permits greater flexibility in case the register that controls a given feature or configuration changes between platform generations. The controls are defined in the platform XML file. At this time, only a small number of controls are defined. We plan to move existing modules over to this new mechanism.
* Added XML Schema for the XML configuration files
* Support for reading, writing, and listing UEFI variables from the UEFI Shell environment has been added.
* Added support for decompression while SPI flash parsing via "decode" or "uefi decode" commands in Linux
* Added basic ACPI table parsing to HAL (RSDP, RSDT/XSDT, APIC, DMAR)
* Added UEFI tables searching and parsing to HAL (EFI system table, runtime services table, boot services table, DXE services table, EFI configuration table)
* Added DIMM Serial Presence Detect (SPD) ROM dumping and parsing to HAL
* Added "uefi s3bootscript" command parsing the S3 boot script to chipsec_util.py
* Added virtual-to-physical address translation function to Linux/EFI/Windows helpers
* Added support of server platforms (Haswell server and Ivy Town) to chipset.py
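To illustrate the controls abstraction described above (a stable control name resolved through a per-platform XML description to a register and bit field), here is an added example; it is not CHIPSEC’s own code, the XML layout is constructed and only loosely mirrors CHIPSEC’s platform files, and the register backend is a dict standing in for real hardware.

```python
# Added example, not CHIPSEC's own code: a minimal "controls" layer that
# resolves a control name (e.g. "BiosLockEnable") to a register and bit
# field defined in a per-platform XML file, so a test module keeps working
# when the backing register moves between platform generations.
# The XML layout is constructed for this example and only loosely mirrors
# CHIPSEC's; the backend dict (offset -> value) stands in for hardware.
import xml.etree.ElementTree as ET

# Constructed platform description (hypothetical generation).
PLATFORM_XML = """
<platform name="example_gen">
  <registers>
    <register name="BC" offset="0xDC" size="1">
      <field name="BLE" bit="1" size="1"/>
      <field name="SMM_BWP" bit="5" size="1"/>
    </register>
  </registers>
  <controls>
    <control name="BiosLockEnable" register="BC" field="BLE"/>
    <control name="SmmBiosWriteProtect" register="BC" field="SMM_BWP"/>
  </controls>
</platform>
"""

class Controls:
    def __init__(self, xml_text, backend):
        root = ET.fromstring(xml_text)
        self.regs = {r.get("name"): r for r in root.iter("register")}
        self.ctrls = {c.get("name"): c for c in root.iter("control")}
        self.backend = backend  # dict: register offset -> current value

    def _resolve(self, name):
        # Control -> (register offset, field bit position, field width)
        c = self.ctrls[name]
        reg = self.regs[c.get("register")]
        fld = next(f for f in reg.iter("field") if f.get("name") == c.get("field"))
        return int(reg.get("offset"), 16), int(fld.get("bit")), int(fld.get("size"))

    def get_control(self, name):
        off, bit, size = self._resolve(name)
        return (self.backend.get(off, 0) >> bit) & ((1 << size) - 1)

    def set_control(self, name, value):
        off, bit, size = self._resolve(name)
        mask = ((1 << size) - 1) << bit
        self.backend[off] = (self.backend.get(off, 0) & ~mask) | ((value << bit) & mask)
        return self.backend[off]

def check_bios_write_protection(ctl):
    """Defensive check: pass only when both BIOS write-protect controls are set."""
    return ctl.get_control("BiosLockEnable") == 1 and ctl.get_control("SmmBiosWriteProtect") == 1
```

A module written against the control names would keep the same check even if a later platform XML moved BLE into a different register.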

More Information:

https://github.com/chipsec/chipsec

Linux ACPI support for ARM-v8

Earlier this month, Linaro announced their effort to upstream the Linux patches that enable ACPI on ARMv8. It appears the patchset may make it into Linux 4.1, but it is not done yet.

The Linaro blog post credits a large list of people who helped: the UEFI Forum’s ACPI Working Group, Linaro, ARM, Red Hat, Huawei, Qualcomm, AMD, APM, HP, other Linaro LEG members, and Linux kernel maintainers, including Linus.

As part of this effort, on March 26th, ARM hosted a Firmware Summit focused on ARMv8 and ACPI, with dozens attending, including SoC vendors, BIOS vendors, firmware and kernel developers, ODMs and OEMs.

The Linux kernel commit message for this patchset includes this description:

‘This series introduces preliminary ACPI 5.1 support to the arm64 kernel using the “hardware reduced” profile. We don’t support any peripherals yet, so it’s fairly limited in scope:
– MEMORY init (UEFI)
– ACPI discovery (RSDP via UEFI)
– CPU init (FADT)
– GIC init (MADT)
– SMP boot (MADT + PSCI)
– ACPI Kconfig options (dependent on EXPERT)
ACPI for arm64 has been in development for a while now and hardware has been available that can boot with either FDT or ACPI tables. This has been made possible by both changes to the ACPI spec to cater for ARM-based machines (known as “hardware-reduced” in ACPI parlance) but also a Linaro-driven effort to get this supported on top of the Linux kernel. This pull request is the result of that work. These changes allow us to initialise the CPUs, interrupt controller, and timers via ACPI tables, with memory information and cmdline coming from EFI. We don’t support a hybrid ACPI/FDT scheme. Of course, there is still plenty of work to do (a serial console would be nice!) but I expect that to happen on a per-driver basis after this core series has been merged.’

Upon accepting the patch, Linus said:

‘No earth-shattering new features come to mind, even if initial support for ACPI on arm64 looks funny. Depending on what you care about, your notion of “big new feature” may differ from mine, of course. There’s a lot of work all over, and some of it might just make a big difference to your use cases.’

This *is* a big new feature, if you care about firmware and Linux.

More Information:

https://www.linaro.org/blog/collaborative-effort-to-upstream-acpi/

Spring UEFI Forum agenda announced

The UEFI Forum Spring event is happening in Tacoma, WA, US this coming week. They just announced the presentations for the event:

* Zachary Bobroff, AMI – PreBoot Provisioning solution with UEFI
* Kevin Davis, Insyde – System Prep Applications, A Powerful New Feature in UEFI 2.5
* Olivier Martin, ARM – Porting a PCI driver to ARM AArch64 platforms
* Leif Lindholm, ARM – Demonstrating a common EDK2 platforms & drivers tree
* Dick Wilkins, Phoenix – UEFI Firmware – Securing SMM
* Gabe Stocco and Scott Anderson, Microsoft – Windows Requirements for TPM, HVCI and Secure Boot
* Jeremiah Cox
* Vincent Zimmer, Intel – Filling UEFI/FW Gaps in the Cloud
* David Box, Intel – An overview of ACPICA userspace tools
* Samer El-Haj-Mahmoud, HP – Firmware in the Datacenter: Goodbye PXE and IPMI. Welcome Http

Typically, the UEFI Forum makes slides for these presentations available on their web site a few weeks later…

More information:
http://www.uefi.org/node/887