Ubuntu whitepaper: Securing IoT device data against physical access

Ubuntu has a white paper that discusses Secure Boot, among other things. You have to register for it, though; it is not publicly available.


FWTS 18.11.00 is released

* ACPICA: Update to version 20181031
* olog:olog.json: Update OPAL skiboot errors to check on olog scan
* acpi: button: check fixed hardware & control method power buttons
* kernelscan: add -k option to specify klog json filename
* README: update package dependency notes for RHEL
* acpica: fix linker issues when building with ACPI disabled
* src/lib: add module probing helper functions
* lib: fwts_efi_module: use the new module loading helper functions
* lib/fwts_cpu: use the new module loading helper functions
* snapcraft: update confinement and plugs
* lib: fwts_coreboot_cbmem: don’t use void * pointer arithmetic
* lib: fwts_coreboot_cbmem: shift UL values rather than signed int values
* lib: fwts_log: shift UL values rather than signed int values
* acpi: syntaxcheck: rename syntaxcheck_table to syntaxcheck_single_table
* dmicheck: fix Maximum Capacity checking range
* mcfg: fix MMIO config space checking
* madt: fix the Local APIC NMI processor UID checking
* auto-packager: mkpackage.sh: add disco


ACPI Debugging: ACPI AML Debugger in Ubuntu 18.04

Alex Hung of Canonical — and one of the FirmWare Test Suite developers — has a new blog post, showing how to debug ACPI on recent builds of Ubuntu:

ACPICA is a project that provides an operating system (OS)-independent reference implementation. It also contains a list of utilities such as ASL compiler (iasl), acpiexec (an AML emulator) and so on. However, debugging AML on Linux in real time wasn’t provided in ACPICA … until Linux Kernel 4.13. The aml-debugger.txt, the instructions on how to enable the AML debugger, is available at Documentation/acpi/ in Linux kernel source code. In short, two things are required to run AML debugging. […] While compiling a custom-build kernel with the above two configs is nothing new to kernel developers, it is often inconvenient for firmware developers who need to verify ACPI implementation in their firmware. Fortunately, Ubuntu 18.04 (x64) enables these two configs by default, and one can run acpidbg on Ubuntu 18.04 – even on Ubuntu Live from USB too! Executing acpidbg on Ubuntu 18.04 is very straight-forward[…]





FirmWare Test Suite 18.05.00 released

New Features:
* fan: add cooling_device# to error messages
* doc: adding acpitests, uefitests and sbbr options to man page
* acpi: syntaxcheck: change it from batch to batch-experimental
* fwts_framework: add an “ifv” option for Independent Firmware Vendor
* dmicheck: skip checks of DMI default values for IFV
* acpi: method: add test for _CLS control method
* lib: create helper functions for device identification objects
* acpi: devices: add common objects
* fwts-frontend-text: add a recommended option for IFV (IBV)
* fwts-frontend-text: add an option for ARM SBBR
* auto-packager: mkpackage.sh: add cosmic
* ACPICA: Update to version 20180427
* ACPICA: Update to version 20180508
* README: Add libpci-dev dependency ppc64el
* cpufreq: Add support to read boost frequencies

See announcement for list of bugfixes.


Firmware Test Suite 18.02.00 is released

New Features:
* ACPICA: Update to version 20180209
* uefirtvariable: add test for EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS attribute

See full announcement for list of bugfixes.

In related news, LUV has picked up the latest FWTS.


Ubuntu 17.10 corrupting BIOS – many Lenovo laptops models (and Acer and Toshiba)

“Canonical has pulled downloads for its Ubuntu 17.10 Linux distribution following reports that it can trigger a bug in the UEFI firmware of selected Lenovo, Acer, and Toshiba laptops, corrupting the BIOS and disabling the ability to boot from USB Drives.”



Thunderbolt-software-user-space in Ubuntu

Colin Ian King of Canonical has been packaging up the Intel Thunderbolt user-space software for Ubuntu. His Tweets are private, but he just tweeted that the tool is now in Ubuntu!


Thunderbolt user-space components:

[…]The user-space components implement device approval support:
* Easier interaction with the kernel module for approving connected devices.
* ACL for auto-approving devices white-listed by the user.

So far, I’ve not found a public security page for Thunderbolt. Only a “Fun Facts” page… 😦 I was hoping to find a page listing Thunderstrike, Thunderstrike2, the Legbacore t2e tool, CIA Sonic Screwdriver, PCILeech, etc.


FWTS 17.11.00 released (and added to LUV)

The November 2017 release of FirmWare Test Suite is out, with many ACPI changes, and a few UEFI changes.

New Features:
* acpi: devices: add a new test for acpi ec device
* acpi: devices: add a new test for ACPI AC adapter device
* acpi: devices: add a new test for ACPI battery device
* acpi: devices: add a new test for smart battery device
* acpi: devices: add new tests for power and sleep button devices
* acpi: madt: check GICD’s system vector according to mantis 1819 (ACPI 6.2a)
* acpi: nfit: add platform capability according to mantis 1831 (ACPI 6.2a)
* lib: add new large resource data type for _CRS methods
* acpi: sdev: add ACPI SDEV test (mantis 1632)
* acpi: dppt: add ACPI PDTT test (mantis 1576)
* acpi: devices: add new tests for lid device
* acpi: devices: add new tests for ambient light sensor device
* acpi: devices: add new tests for time and alarm device
* acpi: devices: add new tests for wireless power calibration device
* acpi: add tests for _SRT control method
* auto-packager: mkpackage.sh: add bionic
* fwts: add bash command-line completion
* Add ACPI 1.0 RSDP test to make sure RSDT field isn’t null
* ACPICA: Update to version 20171110
* uefi: uefidump: add dumping for BluetoothLE device path
* uefi: uefidump: add dumping for DNS device path
* uefi: uefibootpath: add test for BluetoothLE device path
* uefi: uefibootpath: add test for DNS device path


See full announcement for list of few-dozen bugfixes.


In related news, Gayatri Kammela has added this updated FWTS to LUV.

Update FWTS to version v17.11.00


Fall UEFI Plugfest agenda

The Fall UEFI Plugfest is happening: a week of interop testing with UEFI vendors, along with some presentations. The presentation abstracts are below; see the full itinerary for speaker bios.



“Last Mile” Barriers to Removing Legacy BIOS (Intel)
While UEFI has become a dominant standard since its introduction in 2005, many use cases still rely on compatibility with PC/AT Legacy BIOS. These legacy corner cases are a barrier to completing the transition to modern firmware standards. Intel has identified maintaining compatibility as an issue for platform security and validation costs, and plans to eliminate legacy BIOS elements in our 2020 data center platforms. This session discusses “last mile” gaps for 16-bit compatibility and identifies UEFI capabilities that the industry can promote as alternatives, including HTTPS Boot, OS Recovery, and Signed Capsule Update.

UEFI Firmware – Security Concerns and Best Practices (Phoenix)
(no Abstract)

Strategies for Stronger Software SMI Security in UEFI Firmware (Insyde)
Avoid design errors and software coding pitfalls when implementing SMI handlers. Device manufacturers customize UEFI firmware using new runtime interfaces that are implemented using software SMIs. Heavy customization, tight deadlines and poor code implementation can accidentally allow malware to abuse the power of SMM. This session focuses on four common software SMI vulnerabilities and how to change your UEFI firmware and applications to avoid them.

Advances of UEFI Technologies in ARM Systems (ARM)
This session will discuss the ARM-related interfaces defined in the latest UEFI and ACPI specifications, the requirements of the UEFI and ACPI interfaces for the SBBR Specification, and the use of UEFI SCT and FWTS in the SBBR compliance test. Also, discussed will be the required UEFI interfaces for the embedded space when the separation of the device and OS development is desired.

Introduction to the Self-Certification Test (SCT) in UEFI World (Canonical and Intel)
The UEFI Test Working Group (UTWG) endorses two test suites: Firmware Test Suite (FWTS) and the UEFI Self-Certification Test (SCT). FWTS is focused on validating Linux compatibility, and is endorsed by UTWG for ACPI validation. The UEFI SCT is designed to validate firmware and driver behavior per the UEFI Specification. This session demonstrates the operation of both tools, and discusses how they use open source models to improve test quality.

Firmware Test Suite Introduction: Uses, Development, Contribution and GPL (Canonical)
Firmware Test Suite (FWTS) is the recommended ACPI 6.1 Self-Certification Test (SCT). This command line tool is easy to use and provides explanatory and informative. Its open-source nature allows developers to add new tests easily, and many code examples such as ACPI, UEFI and SMBIOS are available for reference. Code contributions are appreciated, and technical discussion and code reviews on the mailing list are answered by an active community. As licensed by GPL, FWTS ensures it is available and suitable to everyone who wants to use it publicly and privately.

NFC is a technology that has permeated many aspects of everyday life. Using NFC, you can now pay with your phone or enter secure building areas. However, the UEFI specification lacks any implementation of NFC. AMI will cover a proposed solution for NFC implementation in UEFI, how to best fit NFC into the UEFI specification, and potential use cases.

Edk2 Platforms Overview (Linaro)
For a couple of years now, the Linaro OpenPlatformPkg repository has been used to collate a number of (at least partially) open source EDK2 platform ports. However, with a now properly defined process for the TianoCore edk2-platforms and edk2-non-osi repositories, these platforms are now moving over there and OpenPlatformPkg. This session will discuss the process, the current state of things and the practicalities of working with edk2-platforms.

UEFI Manageability and REST Services (HPE and Intel)
With the increase in platform firmware complexity and capabilities, there is an increased need to standardize firmware manageability. The UEFI 2.7 Specification defines REST services to provide secure solutions for managing modern platforms. This session describes enterprise configuration scenarios, discusses implementation gaps in the UEFI specification, and proposes enhancements related to vendor-specific REST services.

Firmware Test Suite 17.09.00 released

FWTS 17.09.00 has been released. New UEFI, ACPI, and IPMI features. MANY bugfixes, see the full announcement.

New Features:
* ACPICA: Update to version 20170831
* dmi: dmicheck: Add BMC Interface Type definitions from IPMI spec
* lib: fwts_acpi_tables: add a new function to check Reserved field
* lib: fwts_acpi_tables: add a new function to check reserved bits
* efi_runtime: add resetsystem runtime service




FWTS 17.08.00 released, many new ACPI tests

FWTS 17.08.00 is released. New Features:

* ACPICA: Update to version 20170728
* New ACPI tests defined by ACPI 6.2
* acpi: sdei: add ACPI SDEI test (mantis 1714)
* acpi: pcct: refactor subspace to individual functions
* acpi: pcct: update PCCT table to ACPI 6.2 (mantis 1659 & 1755)
* acpi: dppt: add ACPI DPPT test (mantis 1795)
* acpi: pptt: add ACPI PPTT test
* acpi: hmat: add ACPI HMAT test (mantis 1705)
* acpi: method: add _LSI test according to ACPI 6.2 (mantis 1721)
* acpi: madt: Add support for ACPI 6.2
* New tests for SBBR
* acpi: fadt: add SBBR compliance tests
* acpi: madt: add SBBR compliance tests
* acpi: spcr: add SBBR compliance tests
* acpi: xsdt: add SBBR compliance tests
* acpi: dbg2: add SBBR compliance tests
* acpi: gtdt: add SBBR compliance tests
* acpi: acpitables: add SBBR compliance tests
* dmi: dmicheck: add SBBR compliance tests
* acpi: method: add SBBR compliance tests
* acpi: rsdp: add SBBR compliance tests
* acpi: sbbr: sync up with new SBBR tests



Firmware Test Suite 17.07.00 released

Today Alex Hung of Canonical announced the latest release of FWTS. The list of New Features appears to all be ACPI-centric:

* acpi: bgrt: update according to acpi 6.1 errata (mantis 1577)
* acpi: method: update _PSD and _TSD tests according to ACPI 6.1 errata
* acpi: rsdp: revision 1 must have length 20 according to ACPI 6.1 errata
* acpi: method: Add _CPC revision 3 according to ACPI 6.2 (mantis 1611)
* acpi: hest: add new type 11 introduced in ACPI 6.2 (mantis 1649)
* acpi: srat: add new type 4 according to ACPI 6.2 (mantis 1656)
* acpi: method: update _GCP according to ACPI 6.2 (mantis 1703)
* acpi: hest: add notification type 11 according to ACPI 6.2 (mantis 1731)
* acpi: fadt: update minor version to 2 for ACPI 6.2 (mantis 1769)
* acpi: hest: add checks for GHES_ASSIST flag value in ACPI 6.2 (mantis 1674)
* acpi: wsmt: add wsmt test according to ACPI 6.2 (mantis 1585)
* ACPICA: Update to version 20170629
* acpi: tpm2: Add additional start method values
* acpi: iort: Add PMCG support

See the full announcement for list of Fixed Bugs (which aren’t ACPI-centric).


UEFI Forum recommends FWTS for its ACPI tests

FWTS has had ACPI tests for a while, and it’s basically the best public set of ACPI tests available. Better than anything the UEFI Forum has, like the SCTs. They’ve been using FWTS in the UEFI plugfests for a while, for ACPI purposes. Now the UEFI Forum is more formally recommending FWTS. Alex Hung of Canonical announces a new milestone for FWTS, the FirmWare Test Suite:

FWTS 17.03.00 is recommended as the ACPI 6.1 SCT

We have achieved another important milestone! The UEFI Board of Directors recommends Firmware Test Suite (FWTS) release 17.03.00 as the ACPI v6.1 Self-Certification Test (SCT). More information is available at:
Thank you to all who contributed patches, reported bugs, provided feedback and used FWTS in your work.

Thanks, FWTS, for having the best ACPI tests available!




FWTS 17.06.00 released

Alex Hung of Canonical.com announced the 17.06.00 release of FWTS (FirmWare Test Suite).

New Features:
* ACPICA: Update to version 20170531
* olog: olog.json: Update OPAL skiboot errors to check on olog scan
* bios: mtrr: print out actual default type of MTRR

See the full announcement for the list of bugs fixed in this release.


FWTS 17.05.00 released

Ivan Hu of Canonical announced the 17.05.00 release of FWTS.

New Features:
  * Support SMBIOS 3.1.1 tests
  * dmi: dmicheck: check new offset in spec 3.11
  * dmi: dmicheck: check reserved bits of Type 7 offset 0x5
  * dmi: dmicheck: check reserved bits of Type 7 offset 0xd
  * dmi: dmicheck: add a function to verify reserved bits
  * dmi: dmicheck: add a helper function to check word min/max value
  * dmi: dmicheck: check pci(e) slot and segment, bus and dev/func
  * dmi: dmicheck: check reserved bits of offset 0x5 in type 13
  * dmi: dmicheck: add a helper function to check a reserved offset
  * dmi: dmicheck: check reserved bits in type 15 & type 17
  * dmi: dmicheck: check reserved fields in type 22, 23, 30, 32, 38 and 39
  * dmi: dmicheck: add 64-bit integer to dmi_reserved_bits_check
  * dmi: dmicheck: add checks for new type 43
  * dmi: dmicheck: check reserved bits in Type 0
  * fwts/opal: Power management DT Validation tests.
  * fwts/opal: Reserved memory DT validation tests.
  * Add snapcraft rules to build a fwts snap

See the list of bugfixes in the full announcement.


FWTS 17.03.00 released

Ivan Hu of Canonical announced the release of FWTS 17.03.00. There’s a new SBBR test, and a slew of bugfixes.

New Features:
  * ACPICA: Update to version 20170224
  * sbbr: Add “--sbbr” flag to support running SBBR Tests.
  * acpi: iort: Add support for SMMUv3



Firmware Test Suite 17.02.00 released

Alex Hung of Canonical announced the 17.02.00 release of FWTS, with new EFI and ACPI support. As well, IBM has been contributing some OpenPOWER support and it appears there is work to make an OpenPOWER version of FWTS-live.

One thing I recently noticed for FWTS: the UEFI Secure Boot tests are hard-coded only to work with Ubuntu’s Secure Boot key. I hope some other Linux distros add some distro-centric Secure Boot tests, beyond the Ubuntu test.

New Features:
  * ACPICA: Update to version 20170119
  * acpi: s3: Add new --s3-resume-hook option
  * Add README_JSON.txt for FWTS
  * klog.json: Add some more kernel messages to klog data base
  * klog.json: Add some EFI driver kernel messages to klog database
  * klog.json: Add some EFI quirk driver kernel messages to klog database
  * klog.json: Add some more EFI driver kernel messages to klog database
  * klog.json: Add some miscellaneous messages to klog database
  * Integrate PPC for FWTS-LIVE Frontend
  * fedora: Add fedora internal versioning number in fwts.spec
  * fedora: Add fwts.spec.in
  * fedora: Update buildsrpm.sh for dynamic versioning
  * fwts_framework: handle -? option differently from -h

See the full announcement for list of bugfixes.

FWTS 17.01.00 released

Alex Hung of Canonical has announced the release of FWTS 17.01.00, the FirmWare Test Suite.

New Features:
* ACPICA: Update to version 20161222
* klog.json: Add kernel errors to the database
* fedora/fwts.spec: Add initial version of fwts.spec
* fedora/buildrpm.sh: Add build script for RPMs

See the full announcement for more details:

FWTS 16.12.00 released

Ivan Hu of Canonical.com announced the release of FirmWare Test Suite release 16.12.00, with new features in UEFI Secure Boot, OpenPOWER Opal, and ACPI tests. See the full announcement for the list of bugfixes.

New Features:
* ACPICA: Update to version 20161117
* klog.json: Add a few more kernel errors to the database
* opal: pci_info: Add OPAL PCI Info validation
* opal: mem_info: Add OPAL MEM Info validation
* opal: cpu_info: Add OPAL CPU Info validation
* securebootcert: add variable AuditMode checking
* securebootcert: add variable DeployedMode checking