“This repo contains the exploit for the Dell 2410U monitor. It contains utilities for communicating with and executing code on the device. The research presented here was done in order to highlight the lack of security in “modern” on-screen-display controllers. Please check out our Recon 0xA presentation (included) for a detailed description of our research findings and process.[…]”
William Leara has a new blog post which is an introduction to CHIPSEC. It is a nice introduction to CHIPSEC, if you have never used it before, this is a great way to get started.
Which UEFI vendors care — or at least may care — about security? The list (alphabetically) is shorter than you might expect:
Hewlett Packard Enterprises
Nobody else. If your vendor is not listed above, ask them why you should purchase a UEFI-based system from them.
The above list is from the list of vendors who have feedback mechanisms listed on the UEFI Forum’s security contact page.
William Leara, a firmware engineer at Dell, has a new blog post on Nikolaj Schlej’s UEFI Tool. He shows how to use it, starting with using Intel’s Flash Programing Tool (FPT) to acquire a BIOS image. Lots of screenshots of the various menu UI components of this GUI tool.
“It is extremely useful for interrogating and manipulating the components of a UEFI BIOS image. Download it and give it a test drive today!”
Regarding the new firmware update service available for Linux OEMs:
There is a new article from Dell on this topic:
(Published on behalf of Mario Limonciello, OS Architect of Dell Client Solutions Group’s Linux Engineering team.)
I’m happy to announce that starting with the Dell Edge Gateway 5000 we will be introducing support to natively flash UEFI firmware under Linux. To achieve this we’re supporting the standards based UEFI capsule functionality from UEFI version 2.5. Furthermore, the entire tool chain used to do this is open source. Red Hat has developed the tools that enable this functionality: fwupd, fwupdate, & ESRT support in the Linux kernel. For the past year we have been working closely with Red Hat, Intel, & Canonical to jointly fix hundreds of issues related to the architecture, tools, process, and metadata on real hardware. Dell will be publishing BIOS updates to the Red Hat created Linux Vendor Firmware Service (LVFS). Red Hat provides LVFS as a central OS agnostic repository for OEMs to distribute firmware to all Linux customers. […]
Dell — along with Red Hat, apparently — are setting a great example, I hope other OEMs do as well with Linux. 🙂 It makes me think Dell is working to deal with this recent comment of William (of Dell):
Business changes at EMC, impacting VMWare, multiple news sites with stories on it.
As reported by William Leara, a BIOS engineer at Dell, the “This Week In Tech” (TWIT episode 226) podcast did an inteview with Mr. Subramonian Shankar, founder of AMI in November. Excerpting from William’s blog post:
The interview discusses everything from how Shankar started AMI, to what he’s up to today, with lots of colorful anecdotes along the way. I especially appreciated all the old Michael Dell stories, among other great stories. It turns out Dell Inc. and AMI were allies from their infancy and helped each other grow to be the large, successful companies they are today. It was also interesting to hear about the new Android products AMI is working on, especially AMIDuOS—and it’s only $10!