3mdeb has a new video showing how to use BITS and CHIPSEC as coreboot payloads.
Today Ricardo Neri of Intel announced the 2.1 release of LUV. In additon to updating Linux to v4.11, FWTS to V17.06.00, CHIPSEC to v1.3.1, BITS to v2079, and NDCTL v56, they also started doing nightly builds. Here are some of the other highlights of this release, from the announcement:
Gayatri Kammela won the prize of the most active contributor with many bug fixes and a new feature. She fixed our netboot image, which was missing the ramdisk(!). She added support for debugging and logging of BITS output via network. Likewise, she reworked the LUV configuration file to make more sense to both humans and computers by making clear when parameters are not used. She also investigated and fixed dependencies in systemd that caused delays in the execution of tests. Lastly, she fixed a couple of build-time bugs.
Naresh Bhat updated our Linux kernel recipe to retrieve the kernel configuration directly from the source tree rather than manually updating it. This helped us to remove those eyesore patches for updating our configuration that needed to be sent every time we bumped to a new kernel version. The overall result looks great and is closer to the intended use of the kernel and Yocto Projects’s scripts to merge multiple configuration fragments. I took this opportunity to sanitize the configuration for x86 to add missing configurations and reorganize them.
Sai Praneeth Prakhya added functionality to dump relevant and useful dumps as part of the testing results. Now LUV is capable of dumping the kernel’s boot log, the contents of the ACPI tables as well as the properties of the CPUs in the system. Very useful! Also, he helped us to bump to Linux v4.11. He also took burden of rebasing our implementation to detect firmware’s illegal memory access in this new version of Linux.
Matt Hart updated our GRUB configuration to automate boots across all CPU architectures by not waiting for human intervention to complete boots.
See the full announcement for lists of Known and Fixed Issues:
In addition to stuff mentioned in LUV announcement, LUV also did some updates to how LUV calls CHIPSEC, see these posts:
These days, LUV-live ships with BIOS MBR or UEFI GPT partition types, local or network boot types, and x86 or x64 architecture type, multiple choices for the image:
Burt Triplett has announced the release of BITS (BIOS Implementation Test Suite) version 2073:
– efi: Support EFI_IP4_CONFIG2_PROTOCOL and associated data structures
– _socket: Use EFI_IP4_CONFIG2_PROTOCOL if available, falling back to EFI_IP4_CONFIG_PROTOCOL
BIOSes based on current versions of EDK2, including current OVMF, only support EFI_IP4_CONFIG2_PROTOCOL, and drop support for EFI_IP4_CONFIG_PROTOCOL. Support configuring IPv4 via the newer protocol, falling back to the older protocol for compatibility with existing BIOSes.
In either case, reuse the existing IPv4 configuration if present, and only kick off DHCP if not already configured. This also allows systems that require manual IPv4 configuration to perform such configuration (via the EFI shell, the BITS Python interpreter, or any other means) and subsequently use that configuration with BITS.
Get ready to test your Intel x86 systems!
Megha Dey of Intel submitted an 8-part patch to LUV that enables it to build on x86.
LUV has been useful for 64-bit x64 systems, and now is getting useful for 32-bit x86 systems!
Including 32-bit versions of BITS and CHIPSEC!
Is this the first time that pre-compiled binaries of CHIPSEC for x86 systems have been available? Not sure. Anyway, if you build from source you can start now, otherwise, look for the LUV-live binary download site to start having 32- and 64-bit versions, hopefully
Excerpt from part 0 of the patch:
[PATCH 0/8] Build and run LUV on 32 bit platforms
Currently LUV can be built only for 64 bit target platforms. This patchset contains patches which make sure that LUV can be compiled and run on both 32 as well as 64 bit target platforms. This required reworking of the PE header checks, adding call wrappers used by the shim bootloader to store and restore context, making sure chainloader.c compiled for 32 bit systems, adding support to ensure correct direct directory structure for 32 bit case and removing bugs in chipsec so that it could build without any erros on 32 bit systems. Also, the bits recipe is updated to build the grub EFI image only for target builds.This patchset addresses the following issue:
grub: chainloader: shim: rework PE header checks
grub: shim: Add call wrappers for 32 bit systems
grub: shim: compile chainloader.c for 32bit system
luv : Correct directory structure for 32 bit case
luv: Add the ARCH parameter to chipsec Makefile
luv: chipsec : compile for 32 bit systems
bits: only build grub EFI image for target builds
bits: grub: specify location of images and modules for mkimage
Burt Triplett of Intel has announced the version 2070 release of BITS (BIOS Implementation Test Suite). The main new feature is network support, but also includes new UEFI and ACPI and Python features, better command line features, and other new features. I’ve just excerpted the first paragraph of the networking-centric portion of the announcement below, there are a lot of implementation caveats to read. See the full announcement for the list of features and bugfixes.
Note that there is also a new BITS mailing list, see below URL for ‘first post’ message in the archives:
BITS on EFI now supports TCP networking, using the Python socket module and various modules built atop it. On EFI systems that provide `EFI_IP4_CONFIG_PROTOCOL` and `EFI_TCP4_SERVICE_BINDING_PROTOCOL`, we implement a `_socket` module in Python with support for TCP sockets over IPv4. We then include Python’s higher-level socket module that runs on top of `_socket`.
It is sometimes funny to watch a company do open source. Intel’s 01.org, for Open Source projects, has a mailing list server with multiple lists:
There is a list for Thunderbolt Software. …but it is a closed list, with no public archives. 😦
The text that it is a closed list:
“This is a hidden list, which means that the list of members is available only to the list administrator.”
There’s a list for Intel Kernel Guard Technology (KGT). It also is a closed list, with the same text as the Thunderbolt list. BUT, their archives are publicly-available.
There’s a list for BIOS Implementation Test Suite (BITS)!
But there are no archives, perhaps a closed list, or just broken archives?
I rather wish Intel used intel.com or 01.com for closed lists, and kept the Open Source-centric 01.0rg’s list all public, with working archives. 😦
Ricardo Neri of Intel announced Linux UEFI Validation (LUV) v2.0-rc4 release, with lots of changes, new versions of CHIPSEC, BITS, FWTS, and multiple UEFI improvements in LUV. IMO, one of the most important features it that LUV-live’s CHIPSEC should properly log results now! Excerpts from Ricardo’s announcement:
This release touches many areas. Here are some highlights:
Naresh Bhat implemented changes to build from Linus’ tree when building LUV for ARM. While doing this, he got rid of the leg-kernel recipe. Now the kernel is built from linux-yocto-efi-test for all architectures. Also, he took the opportunity to remove some of the LUV-specific changes we had in the meta layer (i.e., our genericarmv8 machine). It always good to restrict ourselves to the meta-luv layer, unless we plan to upstream to the Yocto Project. Now LUV for aarch64 is built using qemuarm64.
It was reported that CHIPSEC was not running correctly in LUV due to missing configuration files and Python modules. This release includes a major rework of CHIPSEC integration into LUV. It ran correctly on all the systems in which we tested. Also, we bumped to v1.2.2; the CHIPSEC latest release.
This release includes new functionality to build BITS from its source rather than just deploying its binaries. BITS is a challenging piece of software when it comes to integration into a bitbake recipe. The build process was broken into several steps. This work help for future work to customize BITS for other CPU architectures and netboot.
The UEFI specification v2.5 includes a Properties Table for the memory map. Under this feature, it is possible to split into separate memory sections the code and data regions of the PE/COFF image. Unfortunately, kernels previous to v4.3 crash if this features is enabled. We have backported a fix pushed to Linux v4.3. We will be bumping the kernel for x86 to 4.3 in our next release.
The EFI stub feature in the kernel allows to run the kernel as an EFI application. Also, it allows the kernel to parse the memory map directly from the firmware rather than taking the map from the bootloader. This is clearly advantageous in case of bugs in the bootloader.
Now that LUV support storing the results of multiple bots, it may happen that disk runs out of space. Gayatri Kammela made updates to increase the size of the results partition and issue a warning when available space runs below 2MB.
Finally, keeping up with the latest changes in the Yocto Project has paid off handsomely. This release is based on Jethro, the latest version of the Yocto Project. Rebasing to this new version as done with very little effort. In the LUV tree you can find the jethro and jethro-next branches; the bases of this release. The fido and fido-next branches are still maintained.
We have bumped the following test suite versions:
*FTWS is now V15.12.00
*CHIPSEC is now v1.2.2
*BITS is 2005
Time to update your LUV-live images! It is a Release Candidate, so please help the LUV team by testing it out and pointing out any issues on the LUV mailing list. This version of CHIPSEC includes VMM tests, so time to test LUV-luv in your virtual machines, not just on bare-metal boxes.
Many people contributed to this release, including: Ricardo Neri, Naresh Bhat, Darren Bilby, Megha Dey, Gayatri Kammela, John Loucaides, Sai Praneeth Prakhya, and Thiebaud Weksteen. It was nice to see the LUV and CHIPSEC teams work together in this release!
Recently, Josh Triplett of Intel gave a talk on using BIOS Interface Test Suite (BITS) at LinuxCon North America.
Demystifying ACPI and EFI via Python and BITS
BTW, Josh also gave this talk at LinuxConNA’15 as well:
Everything’s a File Descriptor
I think I’ve mentioned BITS in this blog before. But just in case I’ve not, BITS is a powerful, strange set of BIOS diagnostic tools. BITS started as a BIOS-centric tool, but now includes some UEFI support as well. BITS uses the GRUB boot manager as it’s UI, using GRUB menus for different features, see the screenshots page for a better understanding:
BITS also includes a Python interpreter, so you can do interactive Python, or write scripts to test firmware. BITS has interfaces for BIOS, UEFI, and ACPI data.
Jake Edge wrote an excellent follow-up to Josh’s LinuxCON talk, with an article in LWN.net, discussing BITS’s Python for UEFI and ACPI investigations.
In a talk that could easily be seen as a follow-on to his PyCon 2015 talk, Josh Triplett presented at LinuxCon North America on using Python to explore the low-level firmware of today’s systems. The BIOS Implementation Test Suite (BITS) provides an environment that hearkens back to the days of BASIC, PEEK, and POKE, as he demonstrated at PyCon in Montréal in April, but it is much more than that. In Seattle at LinuxCon, he showed that it can also be used to look at and use the EFI and ACPI code in a system—all from Python.
The article is part of LWN.net subscriber-only content, and has been ‘leaked’ (see next URL below), and as the link on the page mentions, an occasional leak isn’t too bad, and helps with subscriptions. If you don’t have a LWN subscription, please think about it, they are probably the best news source for low-level Linux technologies. They have a 1-month free trial.
After reading this article, Laszlo Ersek of Red Hat started up a thread with Josh on the QEMU and UEFI dev mailing lists, with some new ways of thinking about using BITS Python for ACPI testing. Lots of good ideas on this thread, if you care about QEMU, ACPI, AML, or ACPICA tools please read the thread: sorry, I’m too lazy to summarize all of the ACPI nuances in the thread, it’s only a few messages.
Using Python to investigate EFI and ACPI
Newsgroups: gmane.comp.emulators.qemu, gmane.comp.bios.edk2.devel
I hope some of the ACPI/AML testing ideas in this thread happen!
Last week Intel updated The BIOS Interface Test Suite (BITS). Sorry, I don’t know what’s new in it yet, the readme is a bit sparse. I could be wrong, but I think their Github project is new as well!
[[ UPDATE: Comment from Ricardo Neri of Intel on the checksums: The checksum file is in the same directory as the source tarball:
I thought I checked there before commenting on this, but I probably missed it. Sorry! ]]
Today Ricardo Neri of the Intel LUV team announced the release of LUV 2.0-RC2 release.
It updates the bits to fresher ones: Yocto Fido, Linux kernel 4.1, FTWS 15.7.0, BITS 1219, and CHIPSEC 1.2.1, as well as improvements in the HTML output of LUV’s test manager. IMO, fresh test suites are reason enough for updates, beyond additional changes, especially CHIPSEC 1.2.1 update…
PS: There was no checksum in the announce email, nor any on the web site which I could find. It would be nice to include that kind of information in future releases.
LinuxCon North America is happening this August, in Seattle for the first time (I think). A quick look at their schedule shows a variety of interesting presentations related to firmware security:
* Extending the Secure Boot Certificate and Signature Chain of Trust in the OS – Fionnuala Gunter, Hypori
* Resurrecting Internet Booting – Boot Boot, Booting Over the Internet – John Hawley, Intel
* Demystifying ACPI and EFI via Python and BITS – Josh Triplett
* ACPI for Network Switches – Dustin Byford, Cumulus Networks
* Tying TPMs Throughout The Stack – Matthew Garrett, CoreOS
* Turtles All The Way: Running Linux on Open Hardware – Rob Landley
* ACPI 6 and Linux – Rafael J. Wysocki, Intel
* The Bare-Metal Hypervisor as a Platform for Innovation – Russell Pavlicek, Citrix
* Suspend/Resume at the Speed of Light – Len Brown, Intel
Josh Triplett on BIOS BITS sounds especially interesting. It’ll be interesting to see if the boot boot reboot will get integrated with UEFI HTTP Boot support.
LUVos (Linux UEFI Validation — aka luvOS or LUVos, is a Yocto-based Linux distro that helps diagnose UEFI firmware. LUV-live is a liveimage boot version of LUVos. LUV-live also includes other hardware/firmware tools, such as BITS, FWTS, and CHIPSEC.
Intel-based LUV was initially only targeting Intel platforms. But LUV is an open source project, with a healthy community of contributors.
Recently Linaro has been porting LUV to ARM64. Thanks, Linaro! This is great news for ARM64 Linux enterprise hardware. Once Linaro ports CHIPSEC to ARM, it’ll be a very good day for ARM64 firmware defensive security tools.
It would be nice to consider an ARM32 port, as well as ARM64. All devices need bootkit detection tools, not just enterprise-class systems. 🙂
[Someone please wake up AMD. Right now, AFAICT, their platform now has the worst defensive tools. They need a LUV-live with a CHIPSEC that works on ARM systems.]