“Canonical has pulled downloads for its Ubuntu 17.10 Linux distribution following reports that it can trigger a bug in the UEFI firmware of selected Lenovo, Acer, and Toshiba laptops, corrupting the BIOS and disabling the ability to boot from USB Drives.”
Colin Ian King of Canonical has been packaging up the Intel Thunderbolt user-space software for Ubuntu. His Tweets are private, but he just tweeted that the tool is now in Ubuntu!
Thunderbolt user-space components:
[…]The user-space components implement device approval support:
* Easier interaction with the kernel module for approving connected devices.
* ACL for auto-approving devices white-listed by the user.
So far, I’ve not found a public security page for Thunderbolt. Only a “Fun Facts” page… 😦 I was hoping to find a page listing Thunderstrike, Thunderstrike2, the Legbacore t2e tool, CIA Sonic Screwdriver, PCILeech, etc.
The November 2017 release of FirmWare Test Suite is out, with many ACPI changes, and a few UEFI changes.
* acpi: devices: add a new test for acpi ec device
* acpi: devices: add a new test for ACPI AC adapter device
* acpi: devices: add a new test for ACPI battery device
* acpi: devices: add a new test for smart battery device
* acpi: devices: add new tests for power and sleep button devices
* acpi: madt: check GICD’s system vector according to mantis 1819 (ACPI 6.2a)
* acp: nfit: add platform capability according to manit 1831 (ACPI 6.2a)
* lib: add new large resource data type for _CRS methods
* acpi: sdev: add ACPI SDEV test (mantis 1632)
* acpi: dppt: add ACPI PDTT test (mantis 1576)
* acpi: devices: add new tests for lid device
* acpi: devices: add new tests for ambient light sensor device
* acpi: devices: add new tests for time and alarm device
* acpi: devices: add new tests for wireless power calibration device
* acpi: add tests for _SRT control method
* auto-packager: mkpackage.sh: add bionic
* fwts: add bash command-line completion
* Add ACPI 1.0 RSDP test to make sure RSDT field isn’t null
* ACPICA: Update to version 20171110
* uefi: uefidump: add dumping for BluetoothLE device path
* uefi: uefidump: add dumping for DNS device path
* uefi: uefibootpath: add test for BluetoothLE device path
* uefi: uefibootpath: add test for DNS device path
See full announcement for list of few-dozen bugfixes.
In related news, Gayatri Kammela has added this updated FWTS to LUV.
Update FWTS to version v17.11.00
The Fall UEFI Plugfest is happening, a week of interop testing with UEFI vendors, along with some presentations. The presentation abstracts are below, see the full itenary for speaker bios.
“Last Mile” Barriers to Removing Legacy BIOS (Intel)
While UEFI has become a dominant standard since its introduction in 2005, many use cases still rely on compatibility with PC/AT Legacy BIOS. These legacy corner cases are a barrier to completing the transition to modern firmware standards. Intel has identified maintaining compatibility as an issue for platform security and validation costs, and plans to eliminate legacy BIOS elements in our 2020 data center platforms. This session discusses “last mile” gaps for 16-bit compatibility and identifies UEFI capabilities that the industry can promote as alternatives, including HTTPS Boot, OS Recovery, and Signed Capsule Update.
UEFI Firmware – Security Concerns and Best Practices (Phoenix)
Strategies for Stronger Software SMI Security in UEFI Firmware (Insyde)
Avoid design errors and software coding pitfalls when implementing SMI handlers. Device manufacturers customize UEFI firmware using new runtime interfaces that are implemented using software SMIs. Heavy customization, tight deadlines and poor code implementation can accidentally allow malware to abuse the power of SMM. This session focuses on four common software SMI vulnerabilities and how to change your UEFI firmware and applications to avoid them.
Advances of UEFI Technologies in ARM Systems (ARM)
This session will discuss the ARM-related interfaces defined in the latest UEFI and ACPI specifications, the requirements of the UEFI and ACPI interfaces for the SBBR Specification, and the use of UEFI SCT and FWTS in the SBBR compliance test. Also, discussed will be the required UEFI interfaces for the embedded space when the separation of the device and OS development is desired.
Introduction to the Self-Certification Test (SCT) in UEFI World (Canonical and Intel)
The UEFI Test Working Group (UTWG) endorses two test suites: Firmware Test Suite (FWTS) and the UEFI Self-Certification Test (SCT). FWTS is focused on validating Linux compatibility, and is endorsed by UTWG for ACPI validation. The UEFI SCT is designed to validate firmware and driver behavior per the UEFI Specification. This session demonstrates the operation of both tools, and discusses how they use open source models to improve test quality.
Firmware Test Suite Introduction: Uses, Development, Contribution and GPL (Canonical)
Firmware Test Suite (FWTS) is the recommended ACPI 6.1 Self-Certification Test (SCT). This command line tool is easy to use and provides explanatory and informative. Its open-source nature allows developers to add new tests easily, and many code examples such as ACPI, UEFI and SMBIOS are available for references. Code contribution are appreciated and technical discussion and code reviews on the mailing list are answered by an active community. As licensed by GPL, FWTS ensures it is available and suitable to everyone who wants to use it publicly and privately.
NFC and UEFI (AMI)
NFC is a technology that has permeated many aspects of everyday life. Using NFC, you can now pay with your phone or enter secure building areas. However, the UEFI specification lacks any implementation of NFC. AMI will cover a proposed solution for NFC implementation in UEFI, how to best fit NFC into the UEFI specification, and potential use cases.
Edk2 Platforms Overview (Linaro)
For a couple of years now, the Linaro OpenPlatformPkg repository has been used to collate a number of (at least partially) open source EDK2 platform ports. However, with a now properly defined process for the TianoCore edk2-platforms and edk2-non-osi repositories, these platforms are now moving over there and OpenPlatformPkg. This session will discuss the process, the current state of things and the practicalities of working with edk2-platforms.
UEFI Manageability and REST Services (HPE and Intel)
With the increase in platform firmware complexity and capabilities, there is an increased need to standard firmware manageability is increasing. The UEFI 2.7 Specification defines REST services to provide secure solutions for managing modern platforms. This session describes enterprise configuration scenarios, discusses implementation gaps in the UEFI specification, and proposes enhancements related to vendor-specific REST services.
FWTS 17.09.00 has been released. New UEFI, ACPI, and IPMI features. MANY bugfixes, see the full announcement.
* ACPICA: Update to version 20170831
* dmi: dmicheck: Add BMC Interface Type definitions from IPMI spec
* lib: fwts_acpi_tables: add a new function to check Reserved field
* lib: fwts_acpi_tables: add a new function to check reserved bits
* efi_runtime: add resetsystem runtime service
FWTS 17.08.00 is released. New Features:
* ACPICA: Update to version 20170728
* New ACPI tests defined by ACPI 6.2
* acpi: sdei: add ACPI SDEI test (mantis 1714)
* acpi: pcct: refactor subspace to individual functions
* acpi: pcct: update PCCT table to ACPI 6.2 (mantis 1659 & 1755)
* acpi: dppt: add ACPI DPPT test (mantis 1795)
* acpi: pptt: add ACPI PPTT test
* acpi: hmat: add ACPI HMAT test (mantis 1705)
* acpi: method: add _LSI test according to ACPI 6.2 (mantis 1721)
* acpi: madt: Add support for ACPI 6.2
* New tests for SBBR
* acpi: fadt: add SBBR compliance tests
* acpi: madt: add SBBR compliance tests
* acpi: spcr: add SBBR compliance tests
* acpi: xsdt: add SBBR compliance tests
* acpi: dbg2: add SBBR compliance tests
* acpi: gtdt: add SBBR compliance tests
* acpi: acpitables: add SBBR compliance tests
* dmi: dmicheck: add SBBR compliance tests
* acpi: method: add SBBR compliance tests
* acpi: rsdp: add SBBR compliance tests
* acpi: sbbr: sync up with new SBBR tests
Today Alex Hung of Canonical announced the latest release of FWTS. The list of New Features appears to all be ACPI-centric:
* acpi: bgrt: update according to acpi 6.1 errata (mantis 1577)
* acpi: method: update _PSD and _TSD tests according to ACPI 6.1 errata
* acpi: rsdp: revision 1 must have length 20 according to ACPI 6.1 errata
* acpi: method: Add _CPC revision 3 according to ACPI 6.2 (mantis 1611)
* acpi: hest: add new type 11 introduced in ACPI 6.2 (mantis 1649)
* acpi: srat: add new type 4 according to ACPI 6.2 (mantis 1656)
* acpi: method: update _GCP according to ACPI 6.2 (mantis 1703)
* acpi: hest: add notification type 11 according to ACPI 6.2 (mantis 1731)
* acpi: fadt: update minor version to 2 for ACPI 6.2 (mantis 1769)
* acpi: hest: add checks for GHES_ASSIST flag value in ACPI 6.2 (mantis 1674)
* acpi: wsmt: add wsmt test according to ACPI 6.2 (mantis 1585)
* ACPICA: Update to version 20170629
* acpi: tpm2: Add additional start method values
* acpi: iort: Add PMCG support
See the full announcement for list of Fixed Bugs (which aren’t ACPI-centric).