Dell info on Linux firmware updates

February 2, 2016 ~ hucktech ~ Leave a comment

Regarding the new firmware update service available for Linux OEMs:

There is a new article from Dell on this topic:

"Dell Firmware Updating under Linux" https://t.co/R18t8zdEwd

— Jared Domínguez (@djdmngz) February 2, 2016

(Published on behalf of Mario Limonciello, OS Architect of Dell Client Solutions Group’s Linux Engineering team.)

I’m happy to announce that starting with the Dell Edge Gateway 5000 we will be introducing support to natively flash UEFI firmware under Linux. To achieve this we’re supporting the standards based UEFI capsule functionality from UEFI version 2.5. Furthermore, the entire tool chain used to do this is open source. Red Hat has developed the tools that enable this functionality: fwupd, fwupdate, & ESRT support in the Linux kernel. For the past year we have been working closely with Red Hat, Intel, & Canonical to jointly fix hundreds of issues related to the architecture, tools, process, and metadata on real hardware. Dell will be publishing BIOS updates to the Red Hat created Linux Vendor Firmware Service (LVFS). Red Hat provides LVFS as a central OS agnostic repository for OEMs to distribute firmware to all Linux customers. […]

http://en.community.dell.com/techcenter/b/techcenter/archive/2016/02/02/dell-firmware-updating-under-linux

Dell — along with Red Hat, apparently — are setting a great example, I hope other OEMs do as well with Linux. 🙂 It makes me think Dell is working to deal with this recent comment of William (of Dell):

Next step: people need to give Dell the benefit of the doubt… https://t.co/IfHLc2jHUi

— williamleara.eth (@WilliamLeara) December 28, 2015

VMware

January 27, 2016 ~ hucktech ~ Leave a comment

Wow. @vmware shutting down VMWare Workstation et al is like Kleenex no longer selling Kleenex.

— Dan Kaminsky (@dakami) January 27, 2016

Business changes at EMC, impacting VMWare, multiple news sites with stories on it.

http://fortune.com/2016/01/26/vmware-charge-changes-cfo/

http://www.wsj.com/articles/vmware-names-new-cfo-will-cut-800-jobs-1453847929

http://www.theregister.co.uk/2016/01/27/vmware_fusion_and_workstation_development_team_fired/

http://www.computerworld.com/article/3026842/virtualization/vmware-cuts-800-jobs-as-it-transitions-from-older-blockbuster-compute-products.html

interview with AMI founder, Subramonian Shankar

January 11, 2016 ~ hucktech ~ Leave a comment

Must See TV—S. Shankar | Basic Input/Output https://t.co/OSSjHuTfCh @AMI_PR @TWiT

— williamleara.eth (@WilliamLeara) January 11, 2016

http://www.basicinputoutput.com/2016/01/must-see-tvs-shankar.html

As reported by William Leara, a BIOS engineer at Dell, the “This Week In Tech” (TWIT episode 226) podcast did an inteview with Mr. Subramonian Shankar, founder of AMI in November. Excerpting from William’s blog post:

The interview discusses everything from how Shankar started AMI, to what he’s up to today, with lots of colorful anecdotes along the way. I especially appreciated all the old Michael Dell stories, among other great stories. It turns out Dell Inc. and AMI were allies from their infancy and helped each other grow to be the large, successful companies they are today. It was also interesting to hear about the new Android products AMI is working on, especially AMIDuOS—and it’s only $10!

https://twit.tv/shows/triangulation/episodes/226?autostart=false

Ubuntu to opt-out of fwupd?

January 8, 2016 ~ hucktech ~ Leave a comment

Not only do you have to study your Linux distribution to see if/how it uses Secure Boot, you also need to research if/how it gets firmware updates.

Ubuntu 16.04 LTS Might Get the Option of Updating Firmware Directly from the OS: One of the most interesting f… https://t.co/V6xBc70Wr1

— linuxdevices (@linuxdevices) January 8, 2016

http://www.linux.com/news/software/applications/877661-ubuntu-1604-lts-might-get-the-option-of-updating-firmware-directly-from-the-os/

https://blueprints.launchpad.net/ubuntu/+spec/foundations-w-uefi-capsule-update

“Ubuntu should support updating firmware for systems and components (but not peripherals) via EFI UpdateCapsule (see EFI Capsule specification, in Related Links), so that users do not require Windows or DOS to apply BIOS/component firmware updates, and as such updates are easily available to all Ubuntu users. Peripheral firmware updates are not technically supported by the UEFI Capsule specification, and so are out of the scope of this blueprint.”

http://www.fwupd.org/

I also wonder about non-GNOME systems, how do KDE systems get firmware updates?

Microsoft getting tough on Superfish OEMs

December 23, 2015 ~ hucktech ~ Leave a comment

Since the days of MS-DOS, OEMs have bundled lots of crap along with their Microsoft OS, and users would always blame Microsoft, not the OEM or IHV or ISV, for the user experience. Since NT was created, there have been tests for OEMs/IHVs, initially to get listed on the Hardware Compatibility List, these days to get certs and more. Now that modern versions of Windows include installer-related binaries in ACPI tables, that can be misused by attackers if OEMs don’t clean up their systems properly (Lenovo, Dell, etc.), Microsoft is increasing their testing of OEM systems bloatware.

Microsoft will begin detecting/removing #Superfish-like programs beginning Mar. 31, 2016 – https://t.co/TP9QQBk8K0

— Threatpost (@threatpost) December 23, 2015

Microsoft to Remove Superfish-Like Programs Starting in March

https://blogs.technet.microsoft.com/mmpc/2015/12/21/keeping-browsing-experience-in-users-hands/

I’ve heard one interesting potential feature of the new Microsoft laptop is that it might be the one Windows box doesn’t have OEM bloatware on it. Granted, it’ll have other Microsoft bloatware on it…

Dell laptops ship with private key

November 23, 2015 ~ hucktech ~ Leave a comment

Dell shipping laptops with Dell as a Root CA.
Bonus points: They include the private key. (via @Friday_Otter) https://t.co/iLAdwPw7rX

— SwiftOnSecurity (@SwiftOnSecurity) November 23, 2015

https://twitter.com/ClipperChip/status/668783976543309824

Dell ships laptops with rogue root CA, exactly like what happened with Lenovo and Superfish
by intechnology

Configuring Dell, Windows 10, and UEFI

September 8, 2015 ~ hucktech ~ Leave a comment

If you use Dell hardware and Microsoft Windows OS software, you should read the
blog post by Mike Terrill of 1E:

Automating Dell BIOS-UEFI Standards for Windows 10 http://t.co/7yz1AyzK1M

— Mike Terrill [MVP] (@miketerrill) August 31, 2015

Automating Dell BIOS-UEFI Standards for Windows 10

http://www.1e.com/

Dell IoT top5 security best practices

September 2, 2015 ~ hucktech ~ Leave a comment

Yesterday, after a recent security event of theirs, Dell announced some IoT security best practice guidance for organizations. Excerpt:

1) Put Security First:
Be vigilant and ensure data is secured and encrypted from the data center or the cloud to the endpoint and everything in between. Dell advocates a holistic approach to security that includes looking at endpoint security, network security, identity and access management, and more. Be aware of the data device vendors collect. If they are collecting data on all of their customers, this consolidated data set may be a very attractive target for hackers.

2) Research the Devices:
Evaluate the IoT devices accessing and planning to access the system. Understand what they do, what data they collect and communicate, who owns the data collected from the device, where the data is being collected, and any vulnerability assessments or certifications the devices have.

3) Audit the Network:
It is critical to understand the impact of IoT on network traffic in the current ‘as-is’ state. Do an audit to understand what is currently accessing the system, when, what it does when it sees data, and what it communicates to and where. This will enable an organization to reassess its network performance and identify any changes on an ongoing basis as additional devices are knowingly or unknowingly added or removed.

4) Compartmentalize Traffic:
Employ a ‘no-trust’ policy when it comes to IoT devices. Ensure they are on a separate network segment or virtual LAN (VLAN) so they are not able to access or interfere with critical corporate data.

5) Educate Everyone:
IoT is the ‘Wild West’ and will continue to evolve and change rapidly over the coming months and years. As such, it will be critical to ensure IT, security and network teams educate themselves about the latest devices, standards, and issues. Be prepared for consolidation and emerging standards, but understand today, little of that exists as some devices have weak or no security.

Full announcement:

http://www.dell.com/learn/us/en/uscorp1/press-releases/2015-09-01-dell-shares-best-practices-for-internet?c=us&l=en&s=corp&ref=rss&delphi:gr=true

http://www.dellpeakperformance.com/

DMTF Redfish 1.0 released

August 4, 2015 ~ hucktech ~ Leave a comment

Redfish, an IPMI replacement, has shipped the first release of their spec. Quoting the press release:

DMTF Helps Enable Multi-Vendor Data Center Management with New Redfish 1.0 Standard

DMTF has announced the release of Redfish 1.0, a standard for data center and systems management that delivers improved performance, functionality, scalability and security. Designed to meet the expectations of end users for simple and interoperable management of modern scalable platform hardware, Redfish takes advantage of widely-used technologies to speed implementation and help system administrators be more effective. Redfish is developed by the DMTF’s Scalable Platforms Management Forum (SPMF), which is led by Broadcom, Dell, Emerson, HP, Intel, Lenovo, Microsoft, Supermicro and VMware with additional support from AMI, Oracle, Fujitsu, Huawei, Mellanox and Seagate. The release of the Redfish 1.0 standard by the DMTF demonstrates the broad industry support of the full organization.

http://dmtf.org/standards/redfish
http://dmtf.org/join/spmf

Don’t forget to grab the Redfish “Mockup” as well as the specs and schema.

UEFI 2.5 has a JSON API to enable accessing Redfish. HP was first vendor with systems that supported UEFI 2.5’s new HTTP Boot, a PXE replacement. Intel checked in HTTP Boot support into TianoCore, so it’s just a matter of time until other vendors have similar products. JSON-based Redfish and HTTP-based booting makes UEFI much more of a “web app”, w/r/t security research, and the need for system administrators to more closely examine how firmware is updated on their systems, to best protect them.
https://firmwaresecurity.com/tag/uefi-http-boot/

US CERT BIOS Vulnerability Note VU#577140!

July 30, 2015 ~ hucktech ~ Leave a comment

Today, US CERT released a Vulernability Notice for UEFI firmware:

Vulnerability Note VU#577140
BIOS implementations fail to properly set UEFI write protections after waking from sleep mode

Multiple BIOS implementations fail to properly set write protections after waking from sleep, leading to the possibility of an arbitrary BIOS image reflash.
Description

According to Cornwell, Butterworth, Kovah, and Kallenberg, who reported the issue affecting certain Dell client systems (CVE-2015-2890):

There are a number of chipset mechanisms on Intel x86-based computers that provide protection of the BIOS from arbitrary reflash with attacker-controlled data. One of these is the BIOSLE and BIOSWE pair of bits found in the BIOS_CNTL register in the chipset. When the BIOSLE bit is set, the protection mechanism is enabled. The BIOS_CNTL is reset to its default value after a system reset. By default, the BIOSLE bit of the BIOS_CNTL register is cleared (disabled). The BIOS is responsible for re-enabling it after a reset. When a system goes to sleep and then wakes up, this is considered a reset from the hardware’s point of view.

Therefore, the BIOS_CNTL register must be reconfigured after waking from sleep. In a normal boot, the BIOS_CNTL is properly configured. However, in some instances BIOS makers do not properly re-set BIOS_CNTL bits upon wakeup. Therefore, an attacker is free to reflash the BIOS with an arbitrary image simply by forcing the system to go to sleep and wakes again. This bypasses the enforcement of signed updates or any other vendor mechanisms for protecting the BIOS from an arbitary reflash.

A similar issue affecting Apple systems (CVE-2015-3692) involves the FLOCKDN bit remaining unset after waking from sleep. For more information, refer to Pedro Vilaça’s blog disclosure.

See URL for full Notice.

VU#577140: BIOS implementations fail to properly set UEFI write protections after waking from sleep mode: Mult… http://t.co/CiMmvD1E85

— CISA Cyber (@CISACyber) July 30, 2015

http://www.kb.cert.org/vuls/id/577140

Vim syntax highlighting for EDK2 sources

June 26, 2015 ~ hucktech ~ 1 Comment

If you use Vim, there are a few projects with syntax highlighting support for TianoCore sources and config files. A recent one, from this year:
https://github.com/fedorov7/vim-uefi
Two others from 2013, with different features from above one:
https://github.com/0xeuclid/UEFI_VIM_Syntax
https://github.com/0xeuclid/vim_for_UEFI

If you use Visual Slick Edit, one firmware engineer at Dell has created some files for EDK-II support:
http://www.basicinputoutput.com/2015/05/syntax-highlighting-for-edkii-files-dec.html

I found no support found for Emacs, perhaps the FSF anti-UEFI campaign has impacted this? I don’t know of any EDK-II support in any other open source programmer’s editors or IDEs.

Besides highlighting C/assembly sources, EDK2 has 7 different build/config files, much more complex than a single Makefile to deal with. The specs for these files are listed below; it would be nice if you spend time in EDK2 sources, if your editor helps you understand these formats.
http://sourceforge.net/projects/edk2/files/Specifications/

Dell Firmware blog and Intel UEFI training

June 19, 2015 ~ hucktech ~ Leave a comment

I just became aware of another firmware blog, by William Leara of Dell:

http://www.basicinputoutput.com/

If you’ve not seen it, it’s worth reading, if you care about UEFI.

In this article, he mentions some of Intel’s UEFI web-based training:

http://www.basicinputoutput.com/2015/05/the-best-movies-youve-probably-never.html

In addition to this Flash-based training, Intel SSG also has a 3-day class for Intel employees, which they upload the labs and presentation materials to the public. They maintain this courseware, new versions of the presentations/labs are occasionally updated. If you are a Windows/Visual Studio user, you’ll be right at home with the labs. If you are a Linux user, there is a small amount of content focused on Linux, otherwise you’ll have to ignore all the screenshots of Visual Studio users clicking and right clicking. In the future, I wish Intel SSG would add audio/video layers, in addition to presentation and labs. Download Lab-Material-FW.zip and the most recent Presentations<YYMMDD>.zip from:

http://sourceforge.net/projects/edk2/files/Training/TrainingMaterial/