Purism Librem15 fails CHIPSEC security tests

Current Purism Librem15 systems — based on Intel x64/coreboot/SeaBIOS tech — results in 3 FAILs and 1 WARNING from CHIPSEC:

The UEFI Forum recommends that OEMs pass CHIPSEC’s tests before shipping units to customers. I wish modern BIOS-based OEMs would also heed that advice… The default install is to use an MBR-based partition, so also be wary of all of the existing BIOS-centric, MBR-based rootkits. Adhere all ‘evil maid’ warning signs with this laptop. If you have corporate policies that require NIST 800-147/155/193 requirements, you might have to work hard to justify this device. I wish it were not true: configurable or secure, choose one.

In other computer review news: the trackpad did not work during initial install, had to be rebooted. I’m guessing trackpad drivers aren’t integrated? You’ll have to use external mouse if you need to click on something during install of Linux. Same with backlit key and display intensity features: only worked after OS setup. Firmware security pedantry aside, nice hardware. Fan rarely kicks in, unlike some OEMs. It is nice to see a Mac-style trackpad instead of a PC-style touchpad with 2 explicit button areas, I’ve grown to dislike those. Startup and poweroff are both very fast. Reminds me of what a modern non-UEFI system should be like. Great, except we’re no longer in a world where security can be ignored. If you want an insecure BIOS box, you’ll probably enjoy this system. If you care about security, this is a BIOS box….

European Coreboot Conference 2017: some presentations online

Multiple PDFs from the European Coreboot Conference 2017, are already online, linked off their individual event pages, eg:

https://ecc2017.coreboot.org/schedule-location

And hopefully we can watch videos of the other presentations soon:

PS: The Coreboot event is happening in Europe nearly the same time the UEFI event is happening in Asia. I with those two firmware communities would sync their events and host them adjacently.

Agenda for ECC’17

The schedule for the European Coreboot Conference 2017 (ECC’17) is out:

* Keynote, Stefan Reinauer
* Run upstream coreboot on an ARM Chromebook. Paul Menzel
* DDR3 memory initialization basics on Intel Sandybrige platforms. Patrick Rudolph
* Booting UEFI-aware OS on coreboot enabled platform – “In God’s Name, Why?”. Piotr Król, Kamil Wcisło
* Reverse engineering MT8173 PCM firmwares and ISA for a fully free bootchain. Paul Kocialkowski
* Let’s move SMM out of firmware and into the kernel. Ron Minnich
* A Tale of six motherboards, two BSDs and coreboot. Piotr Kubaj
* Buying trustworthy hardware for federal agencies: How open source firmware saves the day. Carl-Daniel Hailfinger
* SINUMERIK 840D sl – step ahead with coreboot. Werner Zeh
* Enabling TPM 2.0 on coreboot based devices Piotr Król, Kamil Wcisło
* Reverse Engineering x86 Processor Microcode. Philipp Koppe, Benjamin Kollenda
* Porting coreboot to the HP ProLiant MicroServer Gen8. Alexander Couzens, Felix Held
* Implementing coreboot in a ground breaking secure system: ORWL. Wim Vervoorn , Gerard Duynisveld

https://ecc2017.coreboot.org/

European coreboot conference 2017: Call for Papers

Note the request for SECURITY talks!

We are particularly interested in advances in the application of technology in a particular discipline primarily around coreboot, hardware, firmware, and security. As a result, the conference will be structured around the following topics:
– Free and Open Source hardware and firmware.
– Attacks against current hardware and firmware, like side and covert channel attacks.
– Firmware and hardware reverse engineering.
– coreboot payloads, extensions, and features.
– Advances of coreboot and UEFI on the market.
– Applications of free and open source hardware/firmware in practice.
– State-of-the-art security in embedded devices.

Conference talks, lightning talks, and workshops will be video taped and published afterwards. If a recording is not desired by a speaker or workshop instructor, no recordings will be made (notification in advance of the talk / workshop requested)[…]

https://ecc2017.coreboot.org/

coreboot and Intel ME

https://www.coreboot.org/

A Life Without Vendors Binary Blobs, part1

This blogpost will be about my first steps with coreboot and libreboot and a life with as few proprietary firmware blobs as possible. My main motivation were the latest headlines about fancy firmware things like Intel ME, Computrace and UEFI backdoors. This post is not intended to be about a as much as possible hardened system or about coreboot/libreboot being more secure, but rather to be able to look into every part of software running on that system if you want to.[…]A followup will involve different payloads like SeaBios or Tiano Core (UEFI) to be tested, maybe I can get even more from this old piece of hardware! So look out for my next blog post about my journey into coreboot! -Jann

https://insinuator.net/2017/08/a-life-without-vendors-binary-blobs/

 

Hardened Linux: coreboot and CHIPSEC

A bit more information on Hardened Linux’s use of CHIPSEC, in this case coreboot-centric:

https://firmwaresecurity.com/2017/07/31/hardened-linux-using-chipsec/

“# Enabling some security features at runtime in case of which vendor provided implementation improperly.”

https://github.com/hardenedlinux/Debian-GNU-Linux-Profiles/blob/master/scripts/harbian_fw/fw_hardening_runtime.py

There aren’t many CHIPSEC-based codebases, Hardened Linux is one relatively new one.

Google NERF: Non-Extensible Reduced Firmware

 

Open Source Summit North America 2017
September 11-14, 2017 – Los Angeles, CA
Replace Your Exploit-Ridden Firmware with Linux – Ronald Minnich, Google

With the WikiLeaks release of the vault7 material, the security of the UEFI (Unified Extensible Firmware Interface) firmware used in most PCs and laptops is once again a concern. UEFI is a proprietary and closed-source operating system, with a codebase almost as large as the Linux kernel, that runs when the system is powered on and continues to run after it boots the OS (hence its designation as a “Ring -2 hypervisor”). It is a great place to hide exploits since it never stops running, and these exploits are undetectable by kernels and programs. Our answer to this is NERF (Non-Extensible Reduced Firmware), an open source software system developed at Google to replace almost all of UEFI firmware with a tiny Linux kernel and initramfs. The initramfs file system contains an init and command line utilities from the u-root project (http://u-root.tk/), which are written in the Go language.

https://ossna2017.sched.com/event/BCsr/replace-your-exploit-ridden-firmware-with-linux-ronald-minnich-google?iframe=no&w=100%&sidebar=yes&bg=no

https://www.linkedin.com/pulse/open-hardware-servers-step-forward-jean-marie-verdun

Click to access Denver_2017_coreboot_u-root.pdf

https://firmwaresecurity.com/2017/02/21/u-root-firmware-solution-written-in-go/

https://linuxfr.org/news/un-pas-en-avant-pour-les-serveurs-libres-le-projet-nerf

coreboot security slides from REcon available

Digging Into the Core of Boot by Yuriy Bulygin, Oleksandr Bazhaniuk

Click to access RECON-MTL-2017-DiggingIntoTheCoreOfBoot.pdf

https://recon.cx/2017/montreal/slides/

See-also the SGX talk…

coreboot 4.6 released!

Martin Roth posted a new entry on the coreboot blog, announcing coreboot 4.6, excerpting his announcement below, see the full announcement here:

http://blogs.coreboot.org/blog/2017/05/08/announcing-coreboot-4-6/

The full announcement is many pages long, too long to properly summarize.

“Since the last release in October 2016, the coreboot project had 1708 commits by 121 authors.”

There’s a new payload called cbui:

“We provide the libpayload project which is used for writing own payloads from scratch. The library is MOSTLY licensed under BSD and recently received new functionality in order to prepare for the upcoming replacement for the old nvramcui payload. This new payload is called cbui and is based on the nuklear graphics library including keyboard and mouse support. The cbui payload is currently expected to be merged into the main coreboot tree before the next release.  The upstream repository is here: https://github.com/siro20/coreboot/tree/cbui/payloads/cbui

coreboot now integrates ME Cleaner in it’s build system, and has a new tool called blobtool:

“Fighting blobs and proprietary HW components: coreboot’s ultimate goal would be to replace any closed source firmware stack with free software components. Unfortunately this is not always possible due to signed binaries such as the Intel ME firmware, the AMD PSP and microcode. Recently, a way was discovered to let the Intel ME run in a functional error state and reduce it from 1.5/5MB to 80KB. It’s not perfect but it works from Nehalem up to Skylake based Intel systems. The tool is now integrated into the coreboot build system. The upstream repository is https://github.com/corna/me_cleaner

“Another ongoing improvement is the new utility blobtool. It is currently used for generating the flash descriptor and GbE configuration data on older mainboard which are known to be free software. It can easily be extended for different binaries with well-defined specifications.”

coreboot supports the Ada programming langauge:

“coreboot now supports Ada, and a lot work was done integrating Ada into our toolchain. At the moment only the support for formal verification is missing and will be soon added. At that point, we can prove the absence of runtime errors in our Ada code. In short, everybody can start developing Ada code for our project. The existing Ada code which can be used from now on is another native graphics initialization which will replace in the long term the current implementation. The native graphics code supports all Intel platforms up to skylake. We offer support for HDMI, VGA, DVI and DP external interfaces as well and is ready to be integrated into our mainboard implementations.”

http://www.adaic.org/

https://www.coreboot.org/

Raptor meets OpenBMC crowdsourcing pledge goal!

Overall Goal:    $50,000 USD
Raptor’s Contribution:    $30,000 USD
Community Goal:    $20,000 USD
Current Pledges:    $20,000 USD
Remaining Deficit:    $0 USD
 Overall Funding Status:    100.0%
Community Funding Status:    100.0%

https://www.raptorengineering.com/coreboot/kgpe-d16-bmc-port-offer.php

 

Purism Librem 13 coreboot update

Here are the news you’ve been waiting for: the coreboot port for the Librem 13 v1 is 100% done! I fixed all of the remaining issues, it is now fully working and is stable, ready for others to enjoy. I fixed the instability problem with the M.2 SATA port, finished running all the tests to ensure coreboot is working correctly, fixed the headphone jack that was not working, made the boot prettier, and started investigating the Intel Management Engine issue. Read on for details.[…]

https://puri.sm/posts/librem-13-coreboot-report-february-25th-2017/

 

coreboot to join Software Freedom Conservancy

Martin Roth made a post on the coreboot blog about the project joining the Software Freedom Conservancy. I hope this means the project will get more funding.

The coreboot project applied to join the Software Freedom Conservancy[0] and has been approved for membership by their board.  There is still some work to be done in hammering out the governance details, but we hope to have everything completed by April. Joining the SFC as coreboot’s fiscal sponsor \will allow us to go forward with fundraising, and that all donations to the coreboot project from the United States will be tax-deductible.  Up to this point, coreboot hasn’t had any official way to accept donations or payments.  This has meant that the project was mainly supported financially by members of the coreboot leadership, which has put some limitations on what we were able to do. Another of the things that joining the SFC means is that we will be formalizing and fully documenting the coreboot leadership structure.  This is one of the Conservancy’s requirements, and something that they will help the project with. The Conservancy offers a number of other services[1]to its members. We encourage everyone to take a look at the SFC, and to consider joining as individual supporters[2].

[0] https://sfconservancy.org/
[1] https://sfconservancy.org/projects/services/
[2] https://sfconservancy.org/supporter/

https://sfconservancy.org/donate/
https://sfconservancy.org/sponsors/

Full post:
http://blogs.coreboot.org/blog/2017/02/22/coreboot-is-joining-the-software-freedom-conservancy/

Raptor Engineering seeks funds for OpenBMC port

Raptor Engineering is asking for crowdsource funding to help them port OpenBMC to an ASUS system:

“Make coreboot a first-class citizen in the datacenter on modern, blob-free hardware.”

https://www.raptorengineering.com/coreboot/kgpe-d16-bmc-port-offer.php