Tim has a new blog post — first of a series — on writing UEFI code in C++.
Brian Richardson of Intel announced a pre-release of UDK2017, a snapshot of the Tianocore.org EDK2 trunk code matching a set of UEFI.org specs.
Information on UDK2017, the next stable snapshot release of EDK II, is available on the TianoCore wiki.
From the release page on the wiki, here’s the list of UDK2017 Key Features:
– Industry Standards & Public Specifications: UEFI PI 1.4a; UEFI Shell 2.2; Intel® 64 and IA-32 Architectures Software Developer Manuals
– RAM Disk (UEFI 2.6, Section 12.17, RAM Disk Protocol)
– UEFI HTTP/HTTPS Boot
– Adapter Information Protocol
– Regular Expression Protocol
– Signed Capsule Update
– Signed Recovery Images
– SMM Communication Buffer Protections
– Memory Allocation/Free Profiler
– NX Page Protection in DXE
– LZMA Compression 16.04
– MP Init Library
Laszlo Ersek of Red Hat wrote a wiki article on tianocore.org, showing how to set up EDK2 with QEMU/OVMF for testing SMM code using Fedora.
Recently, Alex Floyd of PreOS Security wrote a shell script to codify this wiki article.
Laszlo’s wiki is dense; I expect this script will be useful for some UEFI firmware engineers and security researchers.
According to Alex, “some things needed tweaking to get to work, and the Windows portion of the tutorial is not included in the script.”
“Source Insight 4.0 Settings for reading EDK2 Language easily.”
BinX Song of Intel has submitted a patch to EDK2 with support for Google’s Brotli compression algorithm.
[PATCH 0/4] MdeModulePkg/BaseTools: Add Brotli algorithm support
The Brotli algorithm has a slightly lower compression ratio than Lzma, but better decompression performance. Add Brotli algorithm support, including the Brotli decompression library and tool set.
Brotli is a generic-purpose lossless compression algorithm that compresses data using a combination of a modern variant of the LZ77 algorithm, Huffman coding and 2nd order context modeling, with a compression ratio comparable to the best currently available general-purpose compression methods. It is similar in speed to deflate but offers more dense compression.
Ard Biesheuvel of Linaro submitted a V2 5-part patch to the EDK2 project, to harden UEFI more!
This is a proof of concept implementation that removes all executable permissions from writable memory regions, which greatly enhances security. It is based on Jiewen’s recent work, which is a step in the right direction, but still leaves most of memory exploitable due to the default R+W+X permissions. The idea is that the implementation of the CPU arch protocol goes over the memory map and removes exec permissions from all regions that are not already marked as ‘code’. This requires some preparatory work to ensure that the DxeCore itself is covered by a BootServicesCode region, not a BootServicesData region. Exec permissions are re-granted selectively, when the PE/COFF loader allocates the space for it. Combined with Jiewen’s code/data split, this removes all RWX mapped regions.
Changes since v1:
– allocate code pages for PE/COFF images in PeiCore, so that DxeCore pages have the expected memory type (as suggested by Jiewen)
– add patch to inhibit page table updates while syncing the GCD memory space map with the page tables
– add PCD to set memory protection policy, which allows the policy for reserved and ACPI/NVS memory to be configured separately
– move attribute manipulation into DxeCore page allocation code: this way, we should be able to solve the EBC case by allocating BootServicesCode pool memory explicitly.
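To make the policy in Ard’s cover letter concrete, here is an added illustration (not code from the EDK2 patch series or from Ard’s CpuDxe work): a host-side C model that walks a reduced memory map, sets EFI_MEMORY_XP on every non-code region selected by a per-memory-type policy mask, and then audits how many writable regions are still executable. The memory type numbers and the EFI_MEMORY_XP bit are the UEFI spec values; the policy mask layout (bit N selects memory type N), the region struct and the sample map are this example’s own assumptions, chosen to show why a policy that excludes ACPI/NVS memory leaves an RWX region behind.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdbool.h>

/* UEFI memory type numbers and the EFI_MEMORY_XP attribute bit, as defined by the UEFI spec. */
enum { EfiReservedMemoryType = 0, EfiLoaderCode = 1, EfiLoaderData = 2,
       EfiBootServicesCode = 3, EfiBootServicesData = 4, EfiRuntimeServicesCode = 5,
       EfiRuntimeServicesData = 6, EfiConventionalMemory = 7, EfiACPIReclaimMemory = 9,
       EfiACPIMemoryNVS = 10 };
#define EFI_MEMORY_XP 0x4000ULL

/* Reduced memory-map entry (constructed for this example; not the spec's EFI_MEMORY_DESCRIPTOR). */
typedef struct { uint32_t type; uint64_t attribute; } region_t;

static bool is_code_type(uint32_t t) {
    return t == EfiLoaderCode || t == EfiBootServicesCode || t == EfiRuntimeServicesCode;
}

/* Walk the map and set XP on every non-code region whose type is selected by `policy`
 * (bit N = memory type N; the mask layout is this example's assumption). Code regions
 * keep exec; in the real design exec is re-granted only where the PE/COFF loader
 * allocates image pages. Returns the number of regions that changed. */
size_t apply_nx_policy(region_t *map, size_t n, uint64_t policy) {
    size_t changed = 0;
    for (size_t i = 0; i < n; i++) {
        if (is_code_type(map[i].type) || !(policy & (1ULL << map[i].type))) continue;
        if (!(map[i].attribute & EFI_MEMORY_XP)) { map[i].attribute |= EFI_MEMORY_XP; changed++; }
    }
    return changed;
}

/* Audit: count writable (non-code) regions that are still executable, i.e. W+X. */
size_t count_rwx(const region_t *map, size_t n) {
    size_t rwx = 0;
    for (size_t i = 0; i < n; i++)
        if (!is_code_type(map[i].type) && !(map[i].attribute & EFI_MEMORY_XP)) rwx++;
    return rwx;
}

/* Constructed sample map: one code region plus three data regions, all starting as RWX. */
size_t rwx_left_after_policy(uint64_t policy) {
    region_t map[] = { {EfiBootServicesCode, 0}, {EfiBootServicesData, 0},
                       {EfiConventionalMemory, 0}, {EfiACPIMemoryNVS, 0} };
    size_t n = sizeof map / sizeof map[0];
    apply_nx_policy(map, n, policy);
    return count_rwx(map, n);
}

int main(void) {
    uint64_t lax = (1ULL << EfiBootServicesData) | (1ULL << EfiConventionalMemory);
    printf("RWX regions left, ACPI/NVS excluded from policy: %zu\n", rwx_left_after_policy(lax));
    printf("RWX regions left, ACPI/NVS included: %zu\n", rwx_left_after_policy(lax | (1ULL << EfiACPIMemoryNVS)));
    return 0;
}
```

The audit is the check a reviewer of such a series would want: after the policy runs, no writable region should still be executable, and any type the policy leaves out shows up here as a remaining RWX mapping.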