FWTS 16.011.00 released

Ivan Hu of Canonical announced the 16.011.00 release of FWTS, the FirmWare Test Suite.

New Features include:
 * ACPICA: Update to version 20160930
 * uefibootpath: add test for eMMC device path
 * uefidump: add dumping for the eMMC device path

There are lots of bugfixes as well, see the Changelog.

https://launchpad.net/ubuntu/+source/fwts
http://fwts.ubuntu.com/release/fwts-V16.11.00.tar.gz
https://launchpad.net/~firmware-testing-team/+archive/ubuntu/ppa-fwts-stable
https://wiki.ubuntu.com/FirmwareTestSuite/ReleaseNotes/16.11.00

FWTS 16.09.00 released

Alex Hung of Canonical announced the latest release of FWTS, the FirmWare Test Suite, on the fwts-announce  and other lists.

New Features include:
  * lib: acpi: add supports for WPBT
  * acpi: wpbt: add ACPI WPBT test
  * lib: acpi: add supports for DRTM
  * acpi: drtm: add ACPI DRTM test
  * lib: fwts_guid: add a compare function
  * acpi: nfit: check fields equals 0 for Virtual CD and Disk
  * opal: mtd: Add OPAL MTD Validation
  * acpi: ACPI Platform check updates
  * acpi: fadt: Remove HEADLESS check on reduced hardware
  * pci: aspm: Add segment support
  * ACPICA: Update to version 20160831

See the full announcement for list of bugfixes.

http://fwts.ubuntu.com/release/fwts-V16.09.00.tar.gz
https://launchpad.net/~firmware-testing-team/+archive/ubuntu/ppa-fwts-stable
https://wiki.ubuntu.com/FirmwareTestSuite/ReleaseNotes/16.09.00
https://launchpad.net/ubuntu/+source/fwts

FWTS v16.08.01 released

Alex Hung of Canonical announced v16.08.01 of FWTS, the FirmWare Test Suite.

There are a few new ACPI tests in this release:

  * acpi: nfit: add ACPI NFIT test
  * lib: acpi: add support for MPST
  * acpi: mpst: add ACPI MPST test
  * lib: acpi: add support for PMTT
  * acpi: pmtt: add ACPI PMTT test
  * ACPICA: Update to version 20160729

See the release notes for the list of bugfixes.

https://launchpad.net/ubuntu/+source/fwts
http://fwts.ubuntu.com/release/fwts-V16.08.01.tar.gz
https://launchpad.net/~firmware-testing-team/+archive/ubuntu/ppa-fwts-stable
https://wiki.ubuntu.com/FirmwareTestSuite/ReleaseNotes/16.08.01

FWTS 16.07.00 released

Ivan Hu of Canonical announced the release of FirmWare Test Suite 16.07.00:

New Features:
   * acpi: method: add _FIT test
   * acpi: pcct: add ACPI PCCT test
   * opal/prd_info: Add OPAL Processor Recovery Diagnostics
   * olog: olog.json: Add OPAL skiboot errors for olog scan
   * Add klog checking for errors from drivers/acpi/tables.c
   * klog: data.json: Add klog checking for kernel NUMA errors from drivers/acpi/numa.c
   * klog: data.json: Add klog checking for kernel EC errors from drivers/acpi/ec.c
   * klog: data.json: Add klog checking for errors from drivers/acpi/acpi_cmos_rtc.c
   * klog: data.json: Add klog checking for errors from drivers/acpi/nfit.c
   * klog: data.json: Add klog checking for errors from drivers/acpi/pci_root.c
   * klog: data.json: Add klog checking for errors from drivers/acpi/pci_mcfg.c
   * klog: data.json: Add klog checking for errors from drivers/acpi/cppc_acpi.c
   * klog: data.json: Add klog checking for errors from drivers/acpi/battery.c
   * klog: data.json: Add klog checking for errors from drivers/acpi/processor_idle.c
   * klog: data.json: Add klog checking for errors from drivers/acpi/sleep.c
   * klog: data.json: Add klog checking for errors from drivers/acpi/acpica/rsmisc.c
   * klog: data.json: Add klog checking for errors from drivers/acpi/evged.c
   * efi: enable module loading to load legacy or new efi driver
   * acpi: madt: Add support for ACPI 6.0a
   * acpi: madt: Add support for ACPI 6.1
   * uefi: update reset type to uefi 2.6
   * acpi: dbg2: Add missing debug port types

See the full release notes for list of bugfixes.

http://fwts.ubuntu.com/release/fwts-V16.07.00.tar.gz
https://launchpad.net/~firmware-testing-team/+archive/ubuntu/ppa-fwts-stable
https://wiki.ubuntu.com/FirmwareTestSuite/ReleaseNotes/16.07.00
https://launchpad.net/ubuntu/+source/fwts

FWTS 16.06.00 released, new ACPI features

Ivan Hu of Canonical.com announced the 16.06.00 release of Firmware Test Suite (FWTS).

New Features in this release include ACPI-related functionality:
  * acpi: method: acpi 6.0 adds USB-C Connection to _UPC
  * acpi: method: add _WPP method test (introduced in ACPI 6.1)
  * acpi: method: add _WPC method test (introduced in ACPI 6.1)
  * ACPICA: Update to version 20160527
  * acpi: hest: Add GHESv2 checking (LP: #1587624)
  * lib: acpi: Add support for HEST GHESv2

http://fwts.ubuntu.com/release/fwts-V16.06.00.tar.gz
https://launchpad.net/~firmware-testing-team/+archive/ubuntu/ppa-fwts-stable
https://wiki.ubuntu.com/FirmwareTestSuite/ReleaseNotes/16.06.00
https://launchpad.net/ubuntu/+source/fwts

There were some bugfixes, in ACPI, IPMI, UEFI, and some other technology areas, see the release notes — or the post on the FWTS list — for the list of bugfixes.

UEFIOP

Ivan Hu of Canonical has two related projects on Github, UEFIOP and EFI_runtime, the former app depends on the latter Linux kernel driver:

The uefiop is an application that allows users to manipulate UEFI runtime interfaces provided by Bios at runtime. Current capabilities:
 * set and delete uefi variables

The Efi_runtime kernel driver module aims to provide the interfaces for fwts (firmware test suite) to test the UEFI Runtime services provide by firmware. Current capabilities:
 * provide the RT service interfaces:
 * GetVariable
 * SetVariable
 * GetTime
 * SetTime
 * GetWakeupTime
 * SetWakeupTime
 * GetNextVariableName

https://github.com/Ivanhu5866/uefiop
https://github.com/Ivanhu5866/efi_runtime

FWTS 16.05.01 released

Alex Hung of Canonical has announced the 16.05.01 release of FWTS, the FirmWare Test Suite.

There are new ACPI and IPMI and TCG OVAL and Linux device-tree tests. In addition to new features, there’s an even larger list of bugfixes for most classes (UEFI, BIOS, ACPI, etc.) of tools, not excerpted below, see the full announcement for those.

New Features:
  * acpi: add MSCT table sanity check
  * acpi: add EINJ table sanity check
  * ACPICA: Update to version 20160318 (LP: #1559312)
  * Introduce olog scan, to check OPAL msglog.
  * Introduce IPMI BMC Info
  * devicetree: add infrastructure for device-tree tests
  * devicetree/dt_sysinfo: Add device tree system information tests
  * devicetree/dt_base: Add base device-tree validity checks
  * debian/control: change depends on libjson0-dev to libjson-c-dev
  * auto-packager: mkpackage.sh: add yakkety and remove vivid
  * debian/control: add back libjson0-dev for precise

http://fwts.ubuntu.com/release/fwts-V16.05.01.tar.gz
https://launchpad.net/~firmware-testing-team/+archive/ubuntu/ppa-fwts-stable
https://wiki.ubuntu.com/FirmwareTestSuite/ReleaseNotes/16.05.01
https://launchpad.net/ubuntu/+source/fwts

Firmware Test Suite 16.02.00 is released

Ivan Hu of Canonical has announced the release of FirmWare Test Suite (FWTS) version 16.02.00.

New Features:
  * ACPICA: Update to version 20160212 (LP: #1545099)
  * Full ACPI compliance testing for the FADT
   * FADT: enable compiling on non-x86 architectures
   * FADT: non-x86 machines need an FADT but x86 can survive without one
   * FADT: disable SCI_EN and RESET_REG tests when in reduced hardware mode
   * FADT: add in code to log basic info about the various FADT flag fields
   * Add in bit masks for FACS flags.
   * FADT: move log info out of test2, will provide it elsewhere
   * ACPI: Add hypervisor ID field to FADT.
   * FADT: minor cleanup and initial compliance tests
   * FADT: expand the compliance test for FIRMWARE_CTRL fields
   * FADT: expand compliance checks for DSDT and X_DSDT fields
   * FADT: add compliance tests for reserved fields, PM profile, reduced hardware
   * FADT: restructure test sequence around reduced hardware mode
   * FADT: expand compliance tests for the SMI_CMD field
   * FADT: add compliance tests for the ACPI_ENABLE and ACPI_DISABLE fields
   * FADT: add compliance tests for S4BIOS_REQ and PSTATE_CNT fields
   * FADT: extend and add PM address block compliance tests
   * FADT: enhance compliance tests for GPE blocks
   * FADT: add compliance test for the CST_CNT field
   * FADT: add in compliance tests for C2/C3 latency fields
   * FADT: add in SLEEP_CONTROL_REG and SLEEP_STATUS_REG compliance tests
   * FADT: remove no longer useful variables from test1
   * FADT: add safety checks for older versions of FADT
  * acpi: method: add _PMC test
  * acpi: method: add _PRT test
  * acpi: method: add _RDI test
  * acpi: method: add _LPI test
  * data: klog.json: update to sync with 4.6 kernel changes

See the changelog or full announcement for the list of fixed bug:

https://launchpad.net/ubuntu/+source/fwts
http://fwts.ubuntu.com/release/fwts-V16.02.00.tar.gz
https://launchpad.net/~firmware-testing-team/+archive/ubuntu/ppa-fwts-stable
https://wiki.ubuntu.com/FirmwareTestSuite/ReleaseNotes/16.02.00
http://wiki.osdev.org/FADT

FWTS 10.01.00 released

Ivan Hu of Canonical announced the 10.01.00 release of FWTS, the FirmWare Test Suite, which uses a fresh ACPIC, and includes with some new ACPI and UEFI test features, including supporting some new UEFI 2.5 variables.

Significant Updates:
* ACPICA: Update to version 20160108 (LP: #1532268)

New Features:
* acpi: method: add _PTC test
* sync with uefi 2.5 global variables
* uefidump: add dumping global variabl AuditMode
* uefidump: add dumping global variabl DeployedMode
* uefidump: add dumping global variable OsRecoveryOrder
* uefidump: add dumping global variable PlatformRecovery####
* uefidump: add dumping global variable SysPrepOrder
* uefidump: add dumping global variable SysPrep####
* ACPICA: Update to version 20151218 (LP: #1527733)
* esrtdump: add dumping for esrt table (LP: #1532103)

See full changelog for list of bugs fixed.

http://fwts.ubuntu.com/release/fwts-V16.01.00.tar.gz
https://launchpad.net/~firmware-testing-team/+archive/ubuntu/ppa-fwts-stable
https://wiki.ubuntu.com/FirmwareTestSuite/ReleaseNotes/16.01.00
https://launchpad.net/ubuntu/+source/fwts
https://lists.01.org/pipermail/luv/2016-January/000777.html

FWTS 15.12.00 released

Alex Hung of Canonical has announced the quarterly release of 15.12.00 of FirmWare TestSuite (FWTS). Besides updating to ACPICA to 20151124, it includes the following new features, including a handful of new UEFI features:

  * live-image/fwts-frontend-text: add a selection for recommended
  * data: klog.json: add in some more kernel error messages for 4.3
  * ACPI: Add ASPT test
  * lib: framework: allow mixed tests and test category options
  * fwts: framework: Add –log-level option
  * lib: fwts_uefi: add SD device path define
  * Boot path sync with UEFI spec. 2.5
  * uefibootpath: add test for the SD device path
  * uefidump: add dumping for the SD device path
  * lib: fwts_uefi: add efi bluetooth device path define
  * uefibootpath: add test for the bluetooth device path
  * uefidump: add dumping for the bluetooth device path
  * lib: fwts_uefi: add wireless device path define
  * uefibootpath: add test for the wireless device path
  * uefidump: add dumping for the wireless device path
  * lib: fwts_uefi: add ramdisk device path define
  * uefibootpath: add test for the ramdisk device path
  * uefidump: add dumping for the ramdisk device path

See full announcement for list of bugs fixed in this release.

https://launchpad.net/ubuntu/+source/fwts
http://fwts.ubuntu.com/release/fwts-V15.12.00.tar.gz
https://launchpad.net/~firmware-testing-team/+archive/ubuntu/ppa-fwts-stable
https://wiki.ubuntu.com/FirmwareTestSuite/ReleaseNotes/15.12.00

FWTS adds test for undocumented ASPT ACPI

[[
UPDATE: see-also: https://firmwaresecurity.com/2016/01/22/who-created-the-acpi-aspt-spec/
]]

Colin  King of Canonical has added a new ACPI test to the FirmWare Test Suit (FWTS). The new test is for ASPT (ACPI System Performance Tuning). The problem is that ASPT is an undocumented ACPI table. As Colin says:

This table is not well described anywhere, however it is a frequently used table on AMD machines and the format is relatively simple set of 4 32 bit addresses.  This table has been discussed on the ACPICA devel mailing list:

https://lists.acpica.org/pipermail/devel/2015-November/000850.html

and this description matches the various acpi dumps of this table on AMD machines that I have access too. I believe the table refers to an AMD performance monitoring feature.

Here are some scary comments from the new test code to clarify the problem:

/* ASPT Table (reverse engineered, table is common on AMD machines) */

/* Without a specification to work with there is very little we can do to validate this apart from the
implest sanity check */
 
/* ACPI ASPT: determined by reverse engineering */

For more information see the fwts-devel list or the fwts source code:
https://lists.ubuntu.com/archives/fwts-devel/2015-December/007107.html
http://www.uefi.org/acpi
IMO, the UEFI Forum, who has recently taken over ownership of ACPI, should be working with this vendor to provide a proper public spec, if the table is being used in modern hardware.

FWTS 15.11.00 released

Alex Hung of Canonlical has announced the release of FWTS (FirmWare Test Suite) version 15.11.00, the November 2015 quarterly release, with multiple changes to the UEFI and ACPI tools.

= Significant Updates =
 * Update ACPICA to version 20150930

= New Features =
  * Add in the notion of ACPI compliance tests.
  * MADT subtables: Local SAPIC structure has 3 reserved bytes, not 1
  * ACPI: MADT: update GICC flag checks for ACPI 6.0
  * ACPI: MADT: further update to GICC flag checks for 6.0
  * acpi: method: skip scope names in method_evaluate_method
  * acpi: method: add _GPE test
  * acpi: method: add _TSN test
  * acpi: method: add _TFP test
  * acpi: method: add _EC test
  * acpi: method: add _CWS test
  * acpi: method: add _BTH test
  * auto-packager: mkpackage.sh: add xenial
  * acpi: tpm2: add check for zero control area address (LP: #1506442)
  * securebootcert: change fail to warning when MS UEFI CA not found in DB
  * lib: fwts_uefi: add BMC device path define
  * uefidump: add dumping the BMC device path
  * uefibootpath: add test for the BMC device path
  * lib: fwts_uefi: add the URI device path define
  * uefibootpath: add test for the URI device path
  * uefidump: add dumping for the URI device path
  * lib: fwts_uefi: add the UFS device path define
  * uefidump: add dumping for the UFS device path
  * uefibootpath: add test for the UFS device path

= Fixed Bugs =
  * dmi: dmicheck: fix SMBIOS issues on aarch64 systems
  * acpidump: add missing reserved fields to MADT structures
  * cpufreq: the calibration is taking a long time, make it faster
  * acpi: tcpa: replace tab with spaces to fix formatting alignment

More Information:

http://fwts.ubuntu.com/release/fwts-V15.11.00.tar.gz
https://launchpad.net/~firmware-testing-team/+archive/ubuntu/ppa-fwts-stable
https://wiki.ubuntu.com/FirmwareTestSuite/ReleaseNotes/15.11.00
https://launchpad.net/ubuntu/+source/fwts

 

FWTS updated

Ivan Hu of Canonical has announced the release of FWTS (FirmWare TestSuite), to 5.09.00. FWTS is a set of command line tools for Ubuntu-based and related Linux systems. It also includes a curses-based interface frontend, which is also the default UI to FWTS-live. FWTS is also included in LUV, the Linux UEFI Validation distribution, but it may be a few days until this latest release has been updated in LUV-live. The release features many bugfixes, as well as some new updates/features, including:

* Update ACPICA to version 20150717
* SMBios 3.0.0 tests supported
* acpi: add _CR3 test
* acpi: add _MTL test
* acpi: add _RST test
* acpi: add _PRR test
* dmicheck: SMBIOS 3.0.0 test

For more information, see the full announcement on the fwts-announce mailling list, and see the full changelog, /usr/share/doc/fwts/changelog.Debian.gz in the source tarball.

https://launchpad.net/ubuntu/+source/fwts
http://fwts.ubuntu.com/release/fwts-V15.09.00.tar.gz
https://launchpad.net/~firmware-testing-team/+archive/ubuntu/ppa-fwts-stable
https://wiki.ubuntu.com/FirmwareTestSuite/ReleaseNotes/15.09.00

Linux Security Summit 2015 proceedings available

As part of LinuxCon North America, the Linux Security Summit recently finished, and presentations are now available (I omitted the few talks which had no presentations from below list):

* Keynote: Giant Bags of Mostly Water – Securing your IT Infrastructure by Securing your Team, Konstantin Ryabitsev, Linux Foundation
* CC3: An Identity Attested Linux Security Supervisor Architecture, Greg Wettstein, IDfusion
* SELinux in Android Lollipop and Android M, Stephen Smalley, NSA
* Discussion: Rethinking Audit, Paul Moore, Red Hat
* Assembling Secure OS Images, Elena Reshetova, Intel
* Linux and Mobile Device Encryption, Paul Lawrence, Mike Halcrow, Google
* Discussion: Core Infrastructure Initiative, Emily Ratliff, Linux Foundation
* Security Framework for Constraining Application Privileges, Lukasz Wojciechowski, Samsung
* IMA/EVM: Real Applications for Embedded Networking Systems, Petko Manolov, Konsulko Group, Mark Baushke, Juniper Networks
* Ioctl Command Whitelisting in SELinux, Jeffrey Vander Stoep, Google
* IMA/EVM on Android Device, Dmitry Kasatkin, Huawei Technologies
* Subsystem Update: Smack, Casey Schaufler, Intel
* Subsystem Update: AppArmor, John Johansen, Canonical
* Subsystem Update: Integrity, Mimi Zohar, IBM
* Subsystem Update: SELinux, Paul Moore, Red Hat
* Subsystem Update: Capabilities, Serge Hallyn, Canonical
* Subsystem Update: Seccomp, Kees Cook, Google
* Discussion: LSM Stacking Next Steps, Casey Schaufler, Intel

http://kernsec.org/wiki/index.php/Linux_Security_Summit_2015/Schedule

FWTS 15.08.00 released

Today Canonical has released version 15.08.00 of FWTS (FirmWare Test Suite), a set of firmware-related tests for Linux-based systems. The tests can be run via command line, or via a curses front-end, the latter of which is used by the FWS-live distribution. FWTS is also included in Intel’s LUV-live (Linux UEFI Validation) distribution, but it’ll take LUV a bit of time to update to new FWTS release. FWTS is also available as packages on Ubuntu-based distributions.

It appears that most new features are ACPI-related. New ACPI TPM2 and IORT tests, new tables for: FPDT, MCHI, STAO, ASF!, WDAT, and a few other things. There were a lot of bugfixes as well. For more information, see the full announcement, the changelog, and sources:

http://fwts.ubuntu.com/release/fwts-V15.08.00.tar.gz
https://launchpad.net/ubuntu/+source/fwts
https://launchpad.net/~firmware-testing-team/+archive/ubuntu/ppa-fwts-stable
https://wiki.ubuntu.com/FirmwareTestSuite/ReleaseNotes/15.08.00

I wish ALL Linux/FreeBSD distributions would ship FWTS, not just Ubuntu-based ones: FTWS is very useful to detect if system has anomalies which’ll make it difficult to install/use the OS. Granted, those distro uses can just use FWTS-live, but they have to reboot into FWTS-live to use FWTS, with no native packaging.

Linux distros (and FreeBSD): join the UEFI Forum

Hey Linux/FreeBSD distros: it’s great that you’ve got UEFI support including Secure Boot certs. But that’s not enough, you need to join the UEFI Forum, and help evolve UEFI to be more Linux-friendly.

Right now, the last time I checked, the only Linux distros that had joined were: Canonical (Ubuntu), Red Hat, and SuSE. As well as Linaro. Excluding SuSE and Redhat’s commercial products, that means that Ubuntu, Fedora, and OpenSUSE are the community Linux distros that may have the best UEFI support.

UEFI Forum members have access to:
* member-only communications (web forums)
* member-only invites to meetings/events (including the 1-3 plugfests they do each year).
* member-only access to software and specs the public doesn’t have.
* access to file bugs/change requests, which the public cannot do.

I think you get access to their non-public trunk, a subset of which is exported to the public as TianoCore, but I’m not sure. (Hypocritically, I’m not a member yet, still working on it, blocking on some new company infrastructure.)

If you join, you can help evolve and improve UEFI, and have early access to UEFI resources so your distros can be ready for any changes. You can attend the plugfests and do interop testing with other UEFI products/projects, to find problems before your users have to see them.

If you don’t join, you’ll be constantly reacting to UEFI Forum releases, have less resources than UEFI Member distros have, and if there’s a problem all you can do is whine and blame Intel and/or Microsoft, when you should look into the mirror instead.

The Linux Foundation should help enable community distros, which don’t have large corporations to back their membership, to get involved as well. The Free Software Foundation should join and participate, instead of keeping their heads in the sand and wish everyone would stop using UEFI. Embrace and Extend.

In addition to Linux distros, FreeBSD also supports UEFI, and is not a UEFI Forum member. iX Systems and FreeBSD Foundation: this also applies to you.

You also need to register your distro with the UEFI Forum’s ESP Subdirectory Registry, so you can have some UEFI binaries (boot loader, etc.) in a well-known location. Ex, if Debian’s cbootstrap gets ported to a UEFI Application, then \EFI\Debian\cbootstrap.efi would be an example of where the file would be stored. Right now, Debian is registered, but not a member of the UEFI Forum!?

Intel, ARM, Linaro, Red Hat, SuSE, and Canonical have been doing a great job improving UEFI so it works better with non-Apple, non-Microsoft operating systems. IMO, more distros need to get involved and help.

More Information:

http://uefi.org/members
http://uefi.org/join
http://uefi.org/registry

While I’m on my soapbox, Linux distros should consider some UEFI-centric rescue options in their boot CDs. ALT Linux Rescue ISOs include rEFInd boot manager, and let you optionally jump into UEFI Shell. You could use UEFI-aware GRUB for this, instead of rEFInd. Additionally, it would be nice to also give access to running: FWTS (FirmWare Test Suite), Intel CHIPSEC to test the hardware/firmware for security. It would also be nice to include the UEFI port of CPython 2.7x, along with the UEFI Shell, for more powerful diagnostic abilities. Distro installers should also consider installing UEFI Shell and UEFI Python and CHIPSEC onto system’s ESP, in an advanced mode, not just let them access via install ISO. Of course, there are security issues by enabling extra Pre-OS tools, user would need to opt-into all of this. Intel’s LUV-live, which Linaro is porting to AArch64, contains BITS (BIOS Interface Test Suite), FWTS, CHIPSEC all in one convenient location. I hope other Linux distros emulate some of LUV-live’s diagnostic and rescue abilities.

Secure Boot strength varies by Linux implementation

[UPDATE, with input from readers, see EOM. Thanks!]

UEFI Secure Boot is a build-time feature of UEFI that helps secure the boot process from some boot-time attacks, optionally using TPM hardware if available. Secure Boot became widespread on Windows hardware during Windows 8 timeframe. Windows aside, other operating systems have to support UEFI Secure Boot. Linux supports UEFI and UEFI Secure Boot (as does FreeBSD). Different Linux distributions have different Linux kernels, with different versions, different patchsets, and different build-time directives enabled. So, Fedora’s Linux kernel is different than SuSE’s Linux kernel, etc.

I saw a recent comment from a UEFI security researcher who had been building a Linux liveboot CD and running CHIPSEC — which includes a native Linux kernel driver, and running it on UEFI systems with Secure Boot enabled.

“Ubuntu appears to have shim and do secure boot but not enforce kernel module signing.”

This Ubuntu behaviour was a change in behaviour from the Fedora-based systems the researcher was used to using. I was curious about the difference in distros w/r/t enforcing kernel module signing. So I asked on the FirmWare TestSuite (FWTS) list if there was a test for this. Roderick W. Smith of Canonical — and author of rEFInd boot manager and the definitive Linux boot loader/manager reference on RodsBooks.com — replied clarifying the situation:

“Yes, that’s correct. Ubuntu’s kernel doesn’t attempt to enforce Secure Boot policy beyond the main kernel file; once the kernel’s loaded, it’s possible to load an unsigned kernel module. Fedora, as you inferred, does require signing of kernel modules. Fedora’s approach is arguably more secure, since an attacker can’t load a malicious kernel module once the system has booted, but leads to problems with third-party kernel modules, like the in-kernel portions of nVidia and ATI/AMD video drivers. FWIW, the decision to do it this way was made before I joined Canonical, so I’m not sure who made the decision.”

Ivan of Canonical replied with more information:

“On Linux, two stage booting has implemented for secureboot. First stage is firmware boot to shim and then shim will take care to check signature and boot with grub and kernel. Booting with/without kernel signed is under shim and grub implementation, Ubuntu provides the singed kernel in official releases, and would like to keep the flexibility for user to build their kernel, so Ubuntu doesn’t block booting when user uses unsigned kernel.”

The security researcher who reported this speculated that Canonical’s policy may be due to them not wanting to put their distro signature (or perhaps worry about license issues in doing so) on some 3rd party (non open) binary.

As I understand things, this is beyond the strict “UEFI Secure Boot” definition, and on to what OS-centric post-UEFI Secure Boot security techniques it will implement. I guess some call it “OS Secure Boot” to differentiate it from “UEFI Secure Boot”, but I don’t see any formal definition for that term.

I wish there was more precise information about Secure Boot implementation from each Linux distro. System administrators and technical support engineers will need to know these nuances, as will security researchers. Pehaps Linux Foundation or UEFI Forum — or some Wikipedian(s) — could help with a comparison of Secure Boot on different OSes? Perhaps FWTS or CHIPSEC could have a test to check? Perhaps the UEFI Forum could note these nuances at their next plugfest, and setup test cases combinining Linux OSVs with a test case that loads dynamically load native OS drivers: perhaps using CHIPSEC as the test case may suffice, it loads a native helper driver.

So, don’t just look at if Secure Boot is enabled or not, look at what Linux OS you’re using, and how it implements Secure Boot. And remember attackers are also making this choice, and looking for your softer Linux targets, so be more careful when using those systems.

——-

Updated information:

The reason this issue came up is that the researcher was using Intel CHIPSEC, which when run on Linux it uses a Linux kernel module. Unlike most drivers, which get loaded when OS initializes, then stay loaded, the CHIPSEC driver behaves differently. The CHIPSEC userland Python app compiles the kernel module, and loads the module when it starts, then unloads the driver when it finishes (because the driver enables risky things, see it’s warning.txt). On Fedora, this kind of CHIPSEC driver loading behavior will not work, with Secure Boot enabled, until you setup moklist and sign the module. By contrast with Fedora, on Ubuntu, CHIPSEC is able to load the unsigned driver without the user having to change anything (convenience). Here’s more information on how Fedora does it’s module signing process:
http://docs.fedoraproject.org/en-US/Fedora/22/html/System_Administrators_Guide/sect-kernel-module-authentication.html

FirmWare Test Suite 15.07.00 released

[Update: Colin King also blogged about this release:
http://smackerelofopinion.blogspot.com/2015/07/new-acpi-table-tests-in-fwts150700.html ]

Today Alex Hung of Canonical announced the latest release of FWTS, the FirmWare Test Suite.

Tar: http://fwts.ubuntu.com/release/fwts-V15.07.00.tar.gz
PPA: https://launchpad.net/~firmware-testing-team/+archive/ubuntu/ppa-fwts-stable
Release Notes: https://wiki.ubuntu.com/FirmwareTestSuite/ReleaseNotes/15.07.00

Changes to existing Features:
* –uefi and –acpi options renamed to –uefitests and –acpitests
* ACPI table tests in the acpitables test have been moved into specific ACPI tests.

New Features:
* acpi: acpidump: update TCPA table and acpidump accordingly
* acpi: add ACPI TCPA test
* acpi: add XENV table test
* lib: fwts_framework: Append “tests” to –uefi and –acpi
* live-image/fwts-frontend-text: update to –uefitests and –acpitests
* lib: acpi, acpidump: rename slit tables types
* lib: acpi: add in new GICC table fwts_acpi_table_gicc_affinity
* acpi: add SRAT table sanity checking (LP: #1464658)
* acpi: add BERT table sanity checking (LP: #1464712)
* lib: acpi: Add in GAS address types
* acpi: add ECDT table sanity checking (LP: #1464716)
* lib: acpi: Add support for the SPMI table
* acpi: add ACPI SPMI table sanity checking (LP: #1465256)
* acpi: add ACPI SLIT table sanity checking (LP: #1465276)
* lib: acpi: Add support for the HEST family of ACPI tables
* acpi: add ACPI HEST table sanity checking (LP: #1465379)
* acpi: Add BOOT table test (LP: #1465435)
* acpi: Add DBGP table test (LP: #1465441)
* acpi: Add DBG2 table test (LP: #1465710)
* acpi: re-orgainise HPET tests
* acpi: move MADT test from acpitables into new MADT test
* acpi: move GTDT test from acpitables into new GTDT test
* acpi: move XSDT test from acpitables into new XSDT test
* acpi: move RSDP test from acpitables into new RSDP test
* acpi: move RSDT test from acpitables into new RSDT test
* acpi: acpitables: remove no-op MCFG test
* acpi: move SBST test from acpitables into new SBST test
* acpi: move FADT test from acpitables into existing FADT test
* acpi: acpitables: remove redundant acpi table checking
* acpi: allow various ACPI table tests to run without root access
* lib: fwts_acpi_tables: fully pad out fixed up ACPI OEM IDs
* acpi: spcr: add missing white space in error messages
* acpi: add ACPI ERST test (LP: #1467835)
* acpi: correct ACPI BGRT table type
* acpi: add ACPI BGRT test (LP: #1467863)
* acpi: add ACPI CPEP test (LP: #1467870)
* acpi: add ACPI FACS test (LP: #1467966)
* acpi: acpidump: add in missing exponent field to SLIC
* acpi: add CSRT ACPI Table test (LP: #1470116)
* acpi: add LPIT ACPI test (LP: #1470184)
* acpi: add WAET ACPI table test (LP: #1470495)
* acpi: add SLIC table test (LP: #1470518)
* acpi: add MSDM table test (LP: #1470538)
* acpi: add UEFI ACPI data table test (LP: #1471698)
* bios: os2gap: remove ancient legacy test (LP: #1470573)

Fixed Bugs:
* acpi: acpidump: update SMM Communication fields on UEFI table
* lib: make acpidump parser more robust (LP: #1471202)
* fwts: cpufreq: fix theoretical division by zero (LP: #1466905)
* acpi: method: remove extraneous “_” in error message
* lib: fwts_klog: fix vector size and handle errors from pcre_exec (LP: #1461520)
* acpi: lib: fwts_acpi_tables: force fixup when loading tables from /sys/firmware
* lib: acpica: compiler: link in missing objects (LP: #1461936)