List of UEFI vendors who care about security

Which UEFI vendors care — or at least may care — about security? The list (alphabetically) is shorter than you might expect:

AMD
AMI
Apple
Dell
Hewlett Packard Enterprises
HP Inc.
Insyde Software
Intel Corp.
Lenovo
Microsoft
Phoenix Technologies

Nobody else. If your vendor is not listed above, ask them why you should purchase a UEFI-based system from them.

The above list is from the list of vendors who have feedback mechanisms listed on the UEFI Forum’s security contact page.

http://uefi.org/security

AMI adds Redfish support

https://twitter.com/AMI_PR/with_replies

AMI has announced Redfish support for their UEFI implementation:

American Megatrends Announces Out-of-Band BIOS Configuration through Redfish

AMI is proud to announce out-of-band BIOS configuration compatible with DMTF Redfish. DMTF’s Redfish API platform was created by DMTF’s Scalable Platforms Management Forum as an open industry standard specification designed to provide end users simple and powerful, yet scalable management platform hardware. To meet the needs of end users, Redfish allows users to develop solutions that combat homogenous interfaces and reduced functionality. Redfish utilizes a combination of REST, JSON and OData and serves as a secure replacement for IPMI-over-LAN. AMI’s OOB (Out-of-Band) Firmware Management delivers extended management solutions through the adoption of Redfish between BIOS, BMC and Extensible Management Architecture (EMA). AMI OOB Firmware Management provides complete Redfish support and allows for the consistent exchange of information between the BIOS and BMC. AMI has been diligently working on providing an OOB firmware solution for datacenter solutions providers such as QCT (Quanta Cloud Technology).

https://ami.com/news/press-releases/?PressReleaseID=354
https://ami.com/products/bios-uefi-firmware/aptio-v/
http://www.dmtf.org/standards/redfish
http://redfish.dmtf.org/

AMI adds Linux Ext2/Ext4 support to Aptio

AMI has Linux file system support in their UEFI implementation! I hope ZFS is also on AMI’s radar. 🙂

American Megatrends Adds Support for EXT(x) File System in Aptio V

American Megatrends Inc. (AMI) is offering EXT(x) file system support in Aptio V, an additionally licensed component driver. File systems keep track of information on storage mediums and there are various file systems that are used by different operating systems such as Windows and Linux. Normally at the UEFI firmware level, the legacy FAT (File Allocation Table) file system is supported. In order to overcome limitations of early file systems, the Linux community created the EXT file system. Over time, the EXT filesystem has gone through four revisions (EXT, EXT2, EXT3 and EXT4) and is specifically designed to improve storage space and performance. Support for different file systems has been added to Aptio over time and the EXT(x) file system joins as the newest addition. With the new support for EXT(x) drivers, any EXT(x) formatted media can be accessed by the UEFI firmware. This addition allows for files to be read and UEFI programs to be executed from EXT(x) media. Customers have the ability to develop pre-boot applications without having to provide a separate FAT file system, making the process simpler and more seamless. The new EXT(x) driver is designed to be read-only to support all EXT versions and to maintain filesystem integrity.

http://ami.com/products/bios-uefi-firmware/aptio-v/
http://ami.com/news/press-releases/?PressReleaseID=352

AMI’s firmware tools, and Rowhammer

I’m confused. Dragos points to AMI’s Utilities page and mentions that AMI now has Rowhammer protection. But I don’t see where he’s getting the Rowhammer improvement. If someone knows what he’s talking about, please speak up.

I do wish that AMI would make these tools available to sysadmins and security researchers, not just for their partners. Imagine how much harder it would be to diagnose Windows app problems if Microsoft did not make their SDK available to the public. That’s what it is like with firmware vendors and their tools. 😦

BIOS/UEFI Utilities for Aptio and AMIBIOS
http://ami.com/products/bios-uefi-tools-and-utilities/bios-uefi-utilities/

DAQRI Smart Helmet powered by AMI firmware

Firmware vendor AMI announced that it is building the firmware for the DAQRI smart helmet.

Excerpt of AMI press release:

[…] DAQRI, a company known for its innovative work in augmented reality, recently announced the next generation of its flagship product, DAQRI SMART HELMET. Powered by a 6th generation Intel® CORE™ m7 processor and Intel® RealSense™ camera technology, DAQRI SMART HELMET is a wearable human-machine interface (HMI) giving workers in industrial sectors a whole new way of seeing data while on the job. The Smart Helmet is designed to work in enterprise settings and displays real-time information based on the user’s surroundings, increasing safety and worker productivity. It comes equipped with many features to enhance user awareness including: 4D/augmented reality, thermal vision, and industry leading Intellitrack™ computer vision technology. With increasing interest in augmented reality technology, AMI has collaborated with DAQRI in the development of the next generation DAQRI SMART HELMET. […]

http://ami.com/news/press-releases/?PressReleaseID=350&/American%20Megatrends%20Collaborates%20with%20DAQRI%20on%20the%20Next%20Generation%20of%20DAQRI%20SMART%20HELMET%E2%84%A2%20Augmented%20Reality%20HMI/

http://daqri.com/home/product/daqri-smart-helmet/

Interview with AMI founder, Subramonian Shankar

http://www.basicinputoutput.com/2016/01/must-see-tvs-shankar.html

As reported by William Leara, a BIOS engineer at Dell, the “This Week In Tech” (TWIT episode 226) podcast did an interview in November with Mr. Subramonian Shankar, founder of AMI. Excerpting from William’s blog post:

The interview discusses everything from how Shankar started AMI, to what he’s up to today, with lots of colorful anecdotes along the way. I especially appreciated all the old Michael Dell stories, among other great stories. It turns out Dell Inc. and AMI were allies from their infancy and helped each other grow to be the large, successful companies they are today. It was also interesting to hear about the new Android products AMI is working on, especially AMIDuOS—and it’s only $10!

https://twit.tv/shows/triangulation/episodes/226?autostart=false

AMI adds NFC to Aptio V

AMI has announced NFC (near field communication) support for Aptio V, their UEFI firmware solution. Excerpt from the press release on the security-related features added around NFC:

“With the increasing use of NFC technology, American Megatrends Inc. is now developing NFC support for its flagship Aptio(R) V UEFI BIOS firmware to further security measures. Alongside this support, various features that incorporate NFC technology will be available to users. One of the features, the NFC BIOS Authentication, acts as a replacement to standard password authentication and gives users the ability to authenticate their BIOS using various methods and devices. Authentication can take place using an NFC-enabled cell phone, tablet or identification badge. Administrator and user privileges are based on badge identifications. When an NFC device is detected, the NFC device can be configured to initiate BIOS recovery and specific device booting. Other features will include a single sign on to pass information to the OS, diagnostic and debugging information, and NFC-based Bluetooth pairing.”

http://ami.com/news/press-releases/?PressReleaseID=347&/American%20Megatrends%20Announces%20Development%20of%20NFC%20Support%20for%20Aptio%C2%AE%20V/

I presume this means that Tianocore has no NFC support. (I just realize I’ve never checked…)

IBV scare from 2013

AntiVirus Today just ‘revived’ an old story from 2013, AFAICT no new news at all:

https://twitter.com/antivirustoday/status/652933400479711232

http://www.antivirustoday.com/ami-pc-firmware-upgrade-scare-the-global-security-meltdown-that-wasnt.html?utm_source=ReviveOldPost&utm_medium=social&utm_campaign=ReviveOldPost

http://www.theregister.co.uk/2013/04/11/ami_uefi_key_leak/

It is old news, but a good read if you missed this story 3 years ago, and it does remind vendors about the need for security in your firmware.

AMI announces support for Intel Innovation Engine

Since Intel’s “Innovation Engine” was announced at IDF this summer, a few UEFI Forum vendors have announced support for it. Recently, AMI announced further support:

http://ami.com/news/press-releases/?PressReleaseID=335&/American%20Megatrends%20to%20Support%20New%20Intel%C2%AE%20Innovation%20Engine%20Platform%20in%20MegaRAC%C2%AE%20PMX%20Platform%20Management%20Solution/

The problem is, Intel has yet to provide ANY information on this Innovation Engine vaporware. These “we also support Intel IE” press releases, with no information on what Intel IE is, are getting tiresome. Intel, please produce some information on IE, not just get partners to ship vague vaporware press releases!

AMI updates firmware of Intel Compute Stick

BIOS manufacturer AMI has updated their Aptio V UEFI-based firmware solution for the Intel Compute Stick. The update adds “UEFI Bluetooth Keyboard Support”.

Excerpt:
AMI is pleased to announce the addition of UEFI Bluetooth® keyboard support for the Intel® Compute Stick in its flagship Aptio® V UEFI Firmware. The Intel® Compute Stick is a small form factor computer with a quad-core Intel® Atom™ processor and Intel® HD Graphics. It features integrated WiFi® and Bluetooth capability and offers 32 GB of storage and 2 GB of RAM memory along with a USB 2.0 port and microSD™ card reader that can be plugged into any HDMI capable monitor. Users can add their own Bluetooth peripherals, such as keyboard and mouse, to create a full-fledged computer from this tiny yet powerful device. By adding Bluetooth keyboard support to Aptio V, the flagship UEFI firmware from American Megatrends, users of small form factor devices like the Intel® Compute Stick can now access the UEFI BIOS settings with their Bluetooth keyboard to make BIOS customizations that get the most out of these pocket powerhouse computers.
“Intel is pleased to have partnered with AMI on this achievement,” said Joel Christensen, General Manager, Intel® Compute Stick. “Adding the ability to utilize Bluetooth keyboards while in BIOS is a great step in improving the end user experience.”

(I’m not sure if this is a new UEFI protocol for BT keyboards, or just a normal BT stack with a normal keyboard, nor if this is new AMI code or part of what is in Tianocore.org.)

More Information:

http://www.ami.com/news/press-releases/?PressReleaseID=330&/American%20Megatrends%20Adds%20UEFI%20Bluetooth%C2%AE%20Keyboard%20Support%20for%20Intel%C2%AE%20Compute%20Stick%20to%20Aptio%C2%AE%20V%20UEFI%20Firmware/

AMI announces AMIDuOS 2.0

Today AMI announced AMIDuOS 2.0, with support for Windows 7-10 along with Android 5.0.1 (Lollipop). AMIDuOS lets you run both OSes at the same time, using hardware acceleration and emulation. AMIDuOS 1.x supports Android 4.3 (Jellybean), and is still available for $10, free upgrade to 2.0 if you bought 1.x before August 7th. AMIDuOS is a closed-source OS.

“People should be able to run their Android apps on any device they wish,” explained Subramonian Shankar, AMI founder and President. “We created AMIDuOS to make it easy for anyone to get the full Android experience on their Windows machines. Now, even the most recent Android apps developed for Android 5.0.1 will run smoothly and with full compatibility on the Windows platform.”

AMI has utilized its decades of expertise to build hardware acceleration support into the app and support direct hardware access whenever possible. Emulation is only used when needed – otherwise code runs natively. This, plus 3D acceleration support, means incredible performance, so games and video-intensive apps run smoothly and quickly. Since AMIDuOS can access native PC hardware and drivers, any apps installed in the Android environment can take advantage of the touchscreen, sensors, peripherals, GPS, camera and more – to deliver a fully immersive Android experience. AMI has tested AMIDuOS with over 4,000 apps and is continually releasing updates to improve its compatibility.

Some of the requirements include: x86 processor, 32/64-bit version of Windows 7/8/8.1/10, OpenGL 3.0 and above, and Hardware Virtualization Technology enabled in the system’s BIOS.

http://www.amiduos.com

https://www.facebook.com/amiduos
http://ami.com/news/press-releases/?PressReleaseID=327&/American%20Megatrends%20Unwraps%20Lollipop%20%E2%80%93%20Run%20Android%205.0.1%20Apps%20on%20Windows%20PCs%20without%20Compromise/

AMI MegaRAC gets DMTF Redfish support

This week at Intel Developer Forum (IDF), AMI showcased their MegaRAC manageability solutions. MegaRAC is AMI’s Remote Management Firmware family of products for both in-band and out-of-band management, including supporting IPMI, Intel AMT, AMD systems with DMTF DASH. Amongst the new features of MegaRAC SP-X are DMTF Redfish support, and Intel(R) Innovation Engine support.

I don’t know much about what Intel’s new “Innovation Engine” is yet, so I’ll excerpt one paragraph from the AMI press release:

“The Innovation Engine is a small, embedded, Intel-architecture processor and I/O subsystem built into future Intel data center platforms,” said Lisa Spelman, General Manager of Data Center Marketing at Intel. “Firmware such as MegaRAC PM-X running on the IE can improve or differentiate the system-builders’ platforms in a wide range of ways, including manageability, cost reduction or security.”

Maybe this means that AMI is the second vendor to support Redfish, after HP?

Read AMI’s full press release here:

http://www.ami.com/news/press-releases/?PressReleaseID=325&/American%20Megatrends%20to%20Showcase%20MegaRAC%20Manageability%20Solutions%20for%20Rack%20Scale%20Architecture%20and%20Innovation%20Engine%20at%20IDF%20San%20Francisco%202015/
https://www.megarac.com/live/document-library/
http://www.ami.com/products/remote-management/
https://firmwaresecurity.com/tag/redfish/

AMI’s StorTrends granted 3 new flash storage patents

SPOILER ALERT: This post discusses patents. If you’re an employee at a company, ask your manager if you’re able to read this sort of information…..
.
.
.

Monday AMI announced that StorTrends(R), their data storage division, has been granted three U.S. Patents related to flash storage. Excerpting their press release:

AMI was granted U.S. Patent No. 8,954,339 on Data Deduplication for Information Storage Systems, which was filed on April 18, 2012. This awarded patent covers the means to have deduplication run at optimal and efficient space-saving levels. Specifically, it optimizes the amount of system RAM space used in the system to reduce (or dedupe) terabytes worth of data without affecting performance. In terms of customer benefit, this greatly reduces the amount of SSD capacity that a company is required to purchase within the SAN while also delivering the lowest latency in the industry to significantly increase value and response times within an IT environment.

AMI was granted the second patent — U.S. Patent No. 8,812,811 on Data Migration between Multiple Tiers in a Storage System — which was filed on August 10, 2012. This awarded patent covers the means that StorTrends utilizes to efficiently analyze blocks of data and move the individual blocks among different tiers of storage. Customers lower their costs significantly from StorTrends taking the highly accessed blocks of data in the environment and putting only those blocks into the expensive drive SSD tiers, while the less frequently accessed blocks occupy only the lower, less expensive tier of the storage array.

AMI was granted the third patent—Patent No. 8,711,851 on Multi-Protocol Data Transfers — which was filed on July 18, 2008. This patent covers the means that StorTrends uses to maximize the reliability of transmission control protocol and the performance of user datagram protocol to ensure that StorTrends’ replication is the fastest in the industry. This decreases replication management and increases the possible recovery point objective (RPO) for a customer by giving more available bandwidth for the blocks that need to go to their disaster recovery (DR) location. StorTrends also incorporates periodicity, which allows the customer to set the priority bandwidth for the replication of the data and avoid bogging down the network during peak business hours. The Wide-Area Data Services (WDS) technology suite includes data deduplication, compression, encryption, and WAN optimization. This technology ensures that the primary site stays in-sync with the secondary site, allowing for increased RPO and recovery time objective.

Read the full press release here:

http://www.ami.com/news/press-releases/?PressReleaseID=324&/StorTrends%20Granted%20Three%20U.S.%20Patents%20That%20Set%20New%20Performance%20Standard%20for%20All-Flash%20Storage/

http://www.stortrends.com/products/stortrends-models/stortrends-3600i
http://www.stortrends.com/resources/stortrends-idata-tool
http://www.stortrends.com/resources/stortrends-deduplication-analyzer-tool/

OZMTool

UEFITool is useful, so I was looking into OZMTool, a fork of UEFITool, and was wondering what new features it has, what Ozmosis BIOSes were, and how I might be able to use this tool. For me, some of the additional features beyond UEFITool are interesting, but so far I don’t see them as being general-purpose, they require this OEM hw/fw target, so I am not sure that I can use OZMTool.

OZMTool was created to make the process of creating an Ozmosis patched BIOS easier. It is based on UEFITool (awesome application!) by CodeRush. It includes the following useful tools to help you in this process:

--dsdtextract    Extracts DSDT from BIOS
--dsdtinject     Injects DSDT into BIOS
--ozmupdate      Updates clean BIOS with files from old OZM-flavoured one
--ozmextract     Extracts Ozmosis files (ffs) from BIOS
--ozmcreate      Patches Original BIOS with Ozmosis
--kext2ffs       Converts kext-directories to FFS
--dsdt2bios      Injects (bigger) DSDT into AmiBoardInfo
--help, -h       Print usage (append command to print cmd-usage!)

See the full OZMTool readme for the disclaimer.

OZMTool is a fork of UEFITool for use with Ozmosis BIOSes.
https://github.com/tuxuser/UEFITool/tree/OZM/OZMTool

Repo which holds Ozmosis binary BIOSes from Hermit Crab Labs
https://github.com/tuxuser/OzmosisBIOS

Wow, strange history behind this tool. I’m not into the firmware modding community, so didn’t know most of this. Quo Computers is (was?) a Kickstarter-funded hardware project with a custom BIOS (that requires OZMTool) from a Tor darknet-hosted IBV, “Hermit Crab Labs”, that builds special BIOSes for use with Mac OS X and other OSes. Quo Computer was created by Rashantha De Silva. I’m not sure of the current status of this project. It appears to have been active starting around 2013. The quocomputer.com web site is currently down, yet Rashantha appears to have logged into the Kickstarter page as of last week (“Last login Aug 13 2015”). OZMTool appears to have been last updated around 2014. Comments on the Kickstarter page may indicate some fraud, I’m not sure. There appears to be deeper history pre-Quo, but I’m not digging that far down, I’m just curious about OZMTool’s features…

Some history behind this BIOS and tool:
http://www.hackintoshosx.com/topic/20657-ozmosis/
http://www.insanelymac.com/forum/topic/291655-ozmosis/
https://www.facebook.com/QUOcomputer
http://quocomputer.com/
http://webcache.googleusercontent.com/search?q=cache:u9ZwLg1EwaUJ:quocomputer.com/+&cd=1&hl=en&ct=clnk&gl=us
http://webcache.googleusercontent.com/search?q=cache:OCVYFyoypvYJ:quocomputer.com/projectq/+&cd=2&hl=en&ct=clnk&gl=us
http://www.techspot.com /article/720-building-a-hackintosh/
http://www.techspot.com /news/51835-projectq-motherboard-promises-to-boot-any-os-in-under-10-seconds.html

Kickstarter link with a space in it, so you can see the link; otherwise WordPress just converts it to a video:
https://www.kickstarter.com /projects/quo/projectq-run-any-os-the-unique-motherboard/comments

A few excerpts from the Kickstarter page and from the Google web cache of the no-longer-available QuoComputer.com web site:

“509 backers pledged $189,451 to help bring this project to life.”

“Quo Computer: your computer. your configuration. your choice.”

“The first motherboard designed to run ANY Operating System {AOS(TM)} of your choice out of the box.”

projectQ – Run Any OS: The Unique Motherboard
The first motherboard designed to run any Operating System you choose out of the box.

Quo has stunned the computing world with the release of the unparalleled AOS motherboard. A world first, the Z77MX-QUO-AOS was built from the ground up to run any OS. Fitted with premium components, we include custom software and UEFI that initiates the booting of an OS in under 10 seconds. Exclusive to QUO, the AOS motherboard provides system builders worldwide a platform specifically engineered to meet their needs. QUO’s AOS motherboard is the only one in the industry with Firewire 400 and 800 (1394A and 1394B). The motherboard features Intel certified Thunderbolt, Intel LAN for high demand network sharing, and compatible audio in an expandable microATX form factor. Our unrivaled AOS motherboard comes with a 3 year warranty.

Excerpts from the TechSpot stories:

The company said they have perfected the motherboard and have tested the BIOS / UEFI with developers in China, England, Romania and the US. The team plans to continue to support the BIOS / UEFI after release and will ship with a three year warranty. A pledge of $219 will guarantee you’ll be one of the first to own a projectQ motherboard. As of writing, 90 backers have pledged more than $26,000 of the $87,000 needed to get the board into production. The campaign runs until April 1, 2013 so there’s still plenty of time to make it happen. The first 100 pledges will receive the first batch of boards within six weeks, we’re told. The Z77MX-QUO-AOS motherboard, otherwise known as projectQ, is manufactured by Gigabyte as an exclusive OEM project. The Taiwanese manufacturer had quietly embraced the Hackintosh community months before with their own Z77 boards, which feature special code in their UEFI that made booting into OS X much easier. But projectQ goes a step further by using specific Mac compatible components for everything from audio to networking. The board even uses the same Texas Instruments IEEE-1394b OHCI Controller as the Mac Pro for Firewire 400/800 and packs two Thunderbolt ports for good measure — which the outgoing model notably lacks. Add a custom open-source BIOS and you have the workings for a zero effort Hackintosh. Or so is the goal. Now, I’m not really sure what exactly is the back story here and Quo is not telling. The BIOS is credited to a group called HermitCrab Labs and hosted off the public web inside the Tor network. There’s no official affiliation between Quo and HermitCrab Labs — at least none that either party would openly admit to for obvious reasons — but it appears to be an integral part of the hassle-free Hackintosh promise. After you’ve flashed it onto your projectQ motherboard there’s no need for additional third party tools in order to install OS X. You’ll need to download a modified BIOS designed specifically for this board.

tool mini-review: Read Universal utility (RUEXE)

[Correction: the .EXE is for MS-DOS, not for Windows.]

Feedback from a very smart reader:

“The Read Universal utility is a Swiss-Army-Knife for BIOS debugging, the tools that provides direct access to almost all resources like memory, IO space, PCI, SMBIOS data, UEFI variables and so on. The tool is written by AMI’s UEFI engineer James Wang.”

James’ site says: “I wrote RU.EXE for debugging BIOS problems in 1993. It was a simple tool but it turns out to be too complex now. And yes, I am still working for a BIOS company.”

The release includes MS-DOS-based ru.exe and UEFI-based ru.efi binaries. AFAICT there are no sources on Google Code; it looks like this is a closed-source freeware tool. The release page for each release includes a password. Read the blog for multiple articles that describe new features.
[I’m just learning about this tool, obviously. I’ve been using open source tools for so long that I’m a bit nervous about using closed-source freeware binaries, but the recommendation is from someone smart, so I’m setting up a safe environment to learn to use this tool. 🙂 ]

http://ruexe.blogspot.de/
https://code.google.com/p/ru-uefi/

DMTF Redfish 1.0 released

Redfish, an IPMI replacement, has shipped the first release of their spec. Quoting the press release:

DMTF Helps Enable Multi-Vendor Data Center Management with New Redfish 1.0 Standard

DMTF has announced the release of Redfish 1.0, a standard for data center and systems management that delivers improved performance, functionality, scalability and security. Designed to meet the expectations of end users for simple and interoperable management of modern scalable platform hardware, Redfish takes advantage of widely-used technologies to speed implementation and help system administrators be more effective. Redfish is developed by the DMTF’s Scalable Platforms Management Forum (SPMF), which is led by Broadcom, Dell, Emerson, HP, Intel, Lenovo, Microsoft, Supermicro and VMware with additional support from AMI, Oracle, Fujitsu, Huawei, Mellanox and Seagate. The release of the Redfish 1.0 standard by the DMTF demonstrates the broad industry support of the full organization.

http://dmtf.org/standards/redfish
http://dmtf.org/join/spmf

Don’t forget to grab the Redfish “Mockup” as well as the specs and schema.

UEFI 2.5 has a JSON API to enable accessing Redfish. HP was the first vendor with systems that supported UEFI 2.5’s new HTTP Boot, a PXE replacement. Intel checked HTTP Boot support into TianoCore, so it’s just a matter of time until other vendors have similar products. JSON-based Redfish and HTTP-based booting make UEFI much more of a “web app” with respect to security research, and increase the need for system administrators to examine more closely how firmware is updated on their systems, to best protect them.
https://firmwaresecurity.com/tag/uefi-http-boot/

AMD AGESA

I’m learning about AMD firmware solutions, and AGESA is the first acronym on the list. According to Wikipedia:

“AMD Generic Encapsulated Software Architecture (AGESA), is a bootstrap protocol by which system devices on AMD64-architecture mainboards are initialized. The AGESA software in the BIOS of such mainboards is responsible for the initialization of the processor cores, memory, and the HyperTransport controller. AGESA documentation was previously available only to AMD partners that had signed an NDA. AGESA source code was open sourced in early 2011 to gain track in coreboot.”

There are two firmware ecosystems, coreboot and UEFI, where the former has a lot of Chrome OEMs, and the latter has a lot of Windows OEMs. UEFI and coreboot work on Intel and AMD (and ARM) systems. AMD makes both x86 and ARM systems, but I’m focusing on their x86 systems here.

For coreboot, Sage Engineering is the main coreboot IBV (Independent BIOS Vendor), AFAICT. Sage currently supports AMD systems, offering coreboot with AGESA.

https://www.se-eng.com/products/sagebios-bsp-for-amd-processors/

Sage supports many modern x86 platforms from AMD. In early BSP releases, our source code license allowed us to directly modify and include AGESA source code. Later versions include the AGESA binary PI from AMD to initialize the CPU. SageBIOS(TM) Custom BSPs deliver full-featured firmware designed for AMD platforms.

https://www.se-eng.com/firmware-solutions-for-intel-and-amd-x86-processor-systems/

AMD was the first […] to support an open source boot solution with its support of the One Laptop Per Child program, which was immersed in the Linux open source community, and the Linux firmware boot solutions that would ultimately become coreboot. Sage Electronic Engineering founder Scott Hoot was heavily involved in the children’s laptop project, as a firmware designer for AMD, and would soon embrace open source firmware solutions as a foundation for his startup company. Sage would have distinct advantages over other open source firmware development companies in that Hoot already had insight into AMD’s proprietary architecture, which he would cement with agreements with AMD to help forge the way into expanded open source BIOS and firmware coding. Sage would continue to forge a trail in the community with its support of the coreboot(R) solution and the proprietary hybrid that Sage developed for more rapid deployment, SageBIOS. Open source development as a whole continues to progress with AMD’s AGESA and Intel’s Firmware Support Package, essentially giving open source firmware designers a better look at the architecture than was previously allowed.

Over in the UEFI Forum ecosystem, it appears that most of the ‘mainstream’ IBVs also support ARM via AGESA in their products as well. I see support from Insyde Software and AMI, at least.

http://www.insyde.com/press_news/press-releases/insyde-software-provides-framework-support-amd-processors

http://www.ami.com/news/press-releases/?PressReleaseID=135&/American%20Megatrends%20Extends%20Aptio%C2%AE%20Firmware%20Support%20for%20AMD%20AGESA%E2%84%A2/

I’m still not clear if TianoCore can use AGESA directly, or if an IBV is still needed to integrate the two.

More Information:

http://review.coreboot.org/gitweb?p=coreboot.git;a=tree;f=src/vendorcode/amd
https://chromium.googlesource.com/chromiumos/third_party/coreboot/+/a46a712610c130cdadfe1ebf6bec9ad22e474dac/src/cpu/amd/agesa

AGESA_Interface_specification_for_Arch2008.pdf (AMD’s AGESA interface specification)

[I just realized that I’ve not written a blog on Intel Firmware Support Package (FSP) yet…. I’ll do one in a few days.]

AMIDebug

[UPDATE: comment from a smart reader:
AMIDebug technology is not useful for end users and researchers because its support has to be specifically compiled in, in a special DEBUG build. The AMI DebugRX hardware part is OK to get port 80h codes via USB, with mediocre source-level debugging. Intel XDP or Arium-ITP are similar to AMIDebug, both nice products, and don’t require any firmware changes or special build modes.
BTW, I don’t know why Comments don’t show up on blog web site, working on trying to fix that… ]

Earlier this week AMI announced USB3 support for their AMIDebug for UEFI product.

Apparently AMI has 3 versions of this: 1) AMIDebug for UEFI software for Aptio V, 2) the AMIDebug Rx handheld USB debug device, and 3) Aptio V UEFI Firmware from AMI.

Press release excerpts:

American Megatrends, Inc. (AMI), a global leader in BIOS, remote management, network data storage products and solutions for the Android(TM) operating system, is pleased to announce support for USB 3.0 controllers in the latest release of its AMIDebug(TM) for UEFI debugging solution for Aptio(R) V UEFI Firmware.

AMIDebug for UEFI from American Megatrends is a powerful software-based solution for debugging UEFI projects based on Aptio or the UEFI Shell, offering source-level symbolic (C and Assembler) debugging without the need for expensive JTAG hardware debug tools.

The latest AMIDebug for UEFI release, developed specifically for the company’s flagship Aptio V UEFI Firmware, adds support for USB 3.0 debug among other important features. These newly-added features signify a key development in the evolution of this debug software, since many chipsets now only support USB 3.0 (XHCI) and in many cases no longer incorporate older USB standards (EHCI) in their hardware designs, such as the Intel(R) Atom(TM) x5-Z8300 series processors.

What remains unchanged in AMIDebug for UEFI is its ability to facilitate firmware development for AMI OEM and ODM customers in unprecedented ways thanks to its deep integration into the entire UEFI development ecosystem. AMIDebug for UEFI continues to offer standard debugging features like Break, Step, Step Over, Step Into, Step, run to cursor and set next statement, in addition to UEFI-specific debugging features like Stop at Driver Name Entry, Stop at PEIM Name Entry, Stop at CheckPoint, Stop at beginning of PEI/DXE, SMM Debugging and disassembly view. Moreover, many different firmware development viewers are supported including memory, CPU registers, PCI Bus, call stack, I/O and Indirect I/O.

Sigh, I wish these were available for UEFI ISVs and UEFI Security Researchers, not just restricted to AMI’s UEFI OEM/ODMs! I want one. 😦

More Information:

http://www.ami.com/news/press-releases/?PressReleaseID=322&/American%20Megatrends%20Announces%20Support%20for%20USB%203.0%20Controllers%20in%20Aptio%20V%20AMIDebug%20for%20UEFI/
http://www.ami.com/products/bios-uefi-tools-and-utilities/amidebug-rx/
http://www.ami.com/resources/resource-library/?documentationSearch=amidebug

AMI announces NIST SP800-155-compatible UEFI

Today AMI announced an update for their Aptio V UEFI Firmware. From a security perspective, this release is supposed to be compatible with NIST SP 800-155, BIOS Integrity Measurement Guidelines. Quoting an excerpt from their press release:

“In its Special Publication 800-155, NIST outlines the fundamentals of BIOS integrity measurement. This description includes a method to determine if the BIOS has been modified as well as the method for reporting and mitigating attacks against the BIOS. “These guidelines describe what is needed to establish a chain of trust for the BIOS,” commented Subramonian Shankar, President and CEO of American Megatrends. “In accordance with the NIST SP 800-155 guidelines, our Aptio V Firmware solution provides a means of generating and collecting the original BIOS measurements, called ‘the Golden Measurement Generation’, along with a means of storing the measurements that is either tamper-resistant or tamper-evident, called ‘the Collection Agent’ and a means of conveying the measurements to an analyzing agent, called the ‘Transmission and Reporting Agents’.” “Our goal in developing a NIST SP 800-155 compatible solution for Aptio V was to demonstrate to our customers that AMI is deeply committed to developing the most secure and tamper-resistant UEFI solutions available in the market today,” he commented.

I’m not sure if previous releases or other versions of AMI’s firmware products were/are SP800-155-compatible. Last time I looked at SP800-155, I thought it was still DRAFT, so I am not sure how that impacts compatibility.
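To make the three SP 800-155 roles from the press release concrete, here is an added illustration (my own, not AMI’s code or anything from the Aptio V release): golden measurement generation over a known-good image, a TPM-style PCR standing in for the tamper-evident Collection Agent, and an analyzing agent that replays a reported event log against the golden reference and names the first component whose measurement diverged. The component names and byte strings are constructed sample data.

```python
"""Simulated NIST SP 800-155-style BIOS integrity measurement flow.

Added illustration: firmware components are measured (SHA-256) in boot order
and folded into a TPM-style PCR, a golden reference is recorded from a
known-good image, and a later report (PCR value plus event log) is checked
against it. All component data below is constructed sample input.
"""
import hashlib

# Stand-ins for firmware volumes/modules in boot order (constructed data).
GOLDEN_IMAGE = [
    ("SEC", b"sec-core-v1"),
    ("PEI", b"pei-core-v1"),
    ("DXE", b"dxe-core-v1"),
    ("BDS", b"bds-v1"),
]

PCR_RESET = bytes(32)  # a PCR starts all-zero at platform reset


def measure(component: bytes) -> bytes:
    """Measurement of one component: its SHA-256 digest."""
    return hashlib.sha256(component).digest()


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM 2.0-style PCR extend: new = SHA-256(old || digest).
    Order matters, so measurements cannot be reordered or dropped
    without changing the final PCR value."""
    return hashlib.sha256(pcr + digest).digest()


def build_log(image):
    """Golden Measurement Generation: measure each component in boot order
    and return the event log as a list of (name, digest) pairs."""
    return [(name, measure(data)) for name, data in image]


def replay(log) -> bytes:
    """Fold an event log into the PCR value the Collection Agent would hold."""
    pcr = PCR_RESET
    for _, digest in log:
        pcr = extend(pcr, digest)
    return pcr


def verify(golden_pcr, golden_log, reported_pcr, reported_log):
    """Analyzing agent. Returns (verdict, detail).

    verdict is one of:
      "ok"               - report matches the golden reference
      "log_inconsistent" - the log does not reproduce the reported PCR, so the
                           log (not the tamper-evident PCR) has been altered
      "modified"         - PCR differs from golden; detail names the first
                           component whose measurement diverged
    """
    if replay(reported_log) != reported_pcr:
        return "log_inconsistent", None
    if reported_pcr == golden_pcr:
        return "ok", None
    for (gname, gdigest), (rname, rdigest) in zip(golden_log, reported_log):
        if (gname, gdigest) != (rname, rdigest):
            return "modified", rname
    return "modified", "<component count differs>"


def demo():
    """Run three cases: clean boot, modified DXE core, and a swapped log."""
    golden_log = build_log(GOLDEN_IMAGE)
    golden_pcr = replay(golden_log)

    # Case 1: a clean boot reports exactly the golden values.
    clean = verify(golden_pcr, golden_log, golden_pcr, golden_log)

    # Case 2: the DXE core in the flash image was modified.
    tampered_image = [(n, b"dxe-core-modified" if n == "DXE" else d)
                      for n, d in GOLDEN_IMAGE]
    t_log = build_log(tampered_image)
    t_pcr = replay(t_log)
    modified = verify(golden_pcr, golden_log, t_pcr, t_log)

    # Case 3: same modified platform, but the transmitted log was replaced
    # with the golden one; the PCR held by the Collection Agent exposes it.
    swapped = verify(golden_pcr, golden_log, t_pcr, golden_log)
    return clean, modified, swapped


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The point of case 3 is that the event log alone is only a description; the PCR value from the tamper-resistant or tamper-evident store is what the analyzing agent must trust, and the log is checked for consistency against it before it is compared with the golden measurements.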

On a nontechnical note, look at all the spaces that AMI uses in their press release URLs, yuck.

More Information:

http://ami.com/news/press-releases/?PressReleaseID=318&/American%20Megatrends%20Announces%20New%20Solution%20Compatible%20with%20NIST%20SP%20800-155%20%27BIOS%20Integrity%20Measurement%20Guidelines%27%20for%20Aptio%20V%20UEFI%20Firmware/
http://www.prnewswire.com/news-releases/american-megatrends-announces-new-solution-compatible-with-nist-sp-800-155-bios-integrity-measurement-guidelines-for-aptio-v-uefi-firmware-300107720.html