Uncategorized

Tianocore patch to increase memory protection

Ard Biesheuvel of Linaro submitted a V2 5-part patch to the EDK2 project, to harden UEFI more!

This is a proof of concept implementation that removes all executable permissions from writable memory regions, which greatly enhances security. It is based on Jiewen’s recent work, which is a step in the right direction, but still leaves most of memory exploitable due to the default R+W+X permissions. The idea is that the implementation of the CPU arch protocol goes over the memory map and removes exec permissions from all regions that are not already marked as ‘code. This requires some preparatory work to ensure that the DxeCore itself is covered by a BootServicesCode region, not a BootServicesData region. Exec permissions are re-granted selectively, when the PE/COFF loader allocates the space for it. Combined with Jiewen’s code/data split, this removes all RWX mapped regions.

Changes since v1:
– allocate code pages for PE/COFF images in PeiCore, so that DxeCore pages have the expected memory type (as suggested by Jiewen)
– add patch to inhibit page table updates while syncing the GCD memory space map with the page tables
– add PCD to set memory protection policy, which allows the policy for reserved and ACPI/NVS memory to be configured separately
– move attribute manipulation into DxeCore page allocation code: this way, we should be able to solve the EBC case by allocating BootServicesCode pool memory explicitly.

More info:
https://lists.01.org/mailman/listinfo/edk2-devel

Standard
Uncategorized

EDK2 test harness

Michael Kinney of Intel has created an edk2-test branch, to focus on testing!

I am creating a new branch in edk2-staging called edk2-test. The purpose of this branch is to develop a test harness, test case SDK, and library of test cases that can be used as part of edk2 validation. The initial version of this test harness is compatible with binary releases of the PI SCTs and UEFI SCTs, are native edk2 packages with no dependencies on the EdkCompatibilityPkg, and the test harness runs using the latest version of the UEFI Shell. 

Additional work items:
* Update to take advantage of latest edk2 features/libraries.
* Update for all supported CPU types
* Update for all supported compilers
* Review initial test harness features and determine what features should be dropped and what new features should be added.
* Determine where the test harness, test case SDK, and test cases should live once the initial functional and quality criteria are met.  Could be packages in the edk2 repo or packages in a new edk2-test repo.  Other options???
* Resolve compatibility issues with binary releases of the PI SCTs and UEFI SCTs.
* Update test harness to support PEI tests
* Update test harness to support Runtime tests
* Update test harness to support SMM tests
* Optimize performance of the test harness and tests.

More info:
https://lists.01.org/mailman/listinfo/edk2-devel

Standard
Uncategorized

Tianocore TLS library updated

Jiaxin Wu of Intel submitted a v2 update to the TLS library of Tianocore:

CryptoPkg: Add new TlsLib library

v2:
* Code refine and Typo fix:
TlsHandeAlert -> TlsHandleAlert

This patch is used to add new TlsLib library, which is wrapped over OpenSSL. The implementation provides TLS library functions for EFI TLS protocol and EFI TLS Configuration Protocol.

More info:
https://lists.01.org/mailman/listinfo/edk2-devel

Standard
Uncategorized

EBC Debugger added to EDK2

Pete Batard has added EBC Debugger support to the EDK2 project! As I understand it, there was EBC Debugger support in the original EDK project, but it was not carried forward into the EDK2 project, so this is great news! It sounds like this initial patch will need to go through an iteration or two, so hold off until the dust settles…

“The EBC Debugger, which was present in Tianocore, is an invaluable tool for EBC development.  This patch adds it back into the EDK2, allowing, for instance, the compilation of an AARCH64 EBC debugger. […]”

EBC is a bytecode and VM that is widely used, yet barely understood by most, including security researchers.  While EBC was initially an Intel-centric technology, only supporting their Itaniaum, x86, and x64 processors, and only available from their commercial-only Intel C Compiler, these days ARM is also targetting EBC support.  I’m unclear about ARM’s EBC compiler options, perhaps only via their commecial-only compiler? I hope someone gets EBC support into an open source C compiler codebase, like clang or GCC.

More information:
https://github.com/pbatard/EbcDebugger/commit/906e87ed6ceab1c361ba6f681bef48179baf549e
https://github.com/pbatard/edk2/tree/EBCDebugger
http://www.uefi.org/node/550
https://github.com/tianocore/edk/tree/master/Sample/Universal/Ebc/Dxe
https://sourceforge.net/projects/efidevkit/files/Documents/EBC%20Debugger%20User%20Manual.pdf/download
https://lists.01.org/mailman/listinfo/edk2-devel

Standard
Uncategorized

UEFI Capsule-Update and Recovery

On the EDK2-Devel mailing list, Michael Kinney of Intel has started a new EDK2 wiki page on UEFI Capsule-Based-Firmware Update/Recovery. Capsule Updates are how UEFI-based firmware updates itself.

Draft of documentation for Signed Capsule Feature:
I have started a draft of Wiki pages that describe how to use and verify the Signed Capsule feature from Jiewen Yao. I have focused this first draft on the system firmware update use case for signed capsules. Please review this content and provide feedback. I will work on the remaining 3 signed capsule use cases while the content for this fist use case is reviewed. I plan to add this content to the edk2 Wiki once the reviews are completed.

https://github.com/mdkinney/edk2/wiki/Capsule-Based-Firmware-Update-and-Firmware-Recovery

https://github.com/mdkinney/edk2/wiki/Capsule-Based-System-Firmware-Update

https://lists.01.org/mailman/listinfo/edk2-devel

Standard
Uncategorized

UEFI EDK2 Platform Proposal V2

Michael Kinney of Intel posted the V2 RFC for the EDK2 Platform Proposal, dealing with how to deal with repos and branches. Outline of changes and problem statement excerpted below, see the full proposal for much more details.

Changes from V1:
* edk2-platform is not a fork of edk2.
* edk2-platforms branches contain CPU, Chipset, SoC, and platform specific packages
* edk2-plaforms/master contains all open platforms that are synced with edk2/master.
* Each edk2-platforms branch may support many platforms (not just one)
* Use PACKAGES_PATH to do builds using packages from multiple repositories
* Update edk2-platforms branch naming to clearly identify platforms that are considered stable and platforms that are under active development.
* edk2 developers may be required to verify platforms in edk2-platforms builds as part of test criteria.  Especially platforms that are intended to be used with edk2/master in edk2-platforms/stable-* branches.

Problem statement: Need place on tianocore.org where platforms can be maintained by the EDK II community.  This serves several purposes:
* Encourage more platforms sources to be shared earlier in the development process
* Allow platform sources to be shared that may not yet meet all edk2 required quality criteria
* Allow platform source to be shared so the EDK II community may choose to help finish and validate
* Allow more platforms to be used as part of the edk2 validation and release cycle.
* Not intended to be used for bug fixes.

For more information, see the archives of the edk2-devel@lists.01.org list.

https://lists.01.org/mailman/listinfo/edk2-devel

Standard
Uncategorized

New UEFI Capsule Update and Recovery sample

Jiewen Yao of Intel checked in a *45-part* patch to the Tianocore project, adding a new UEFi Capsule sample and documentation!

This series patch provides sample on how to do signed capsule update and recovery in EDKII. The feature includes:
1) Define EDKII signed system BIOS capsule format.
2) Provide EDKII signed system BIOS update sample.
3) Provide EDKII signed recovery sample.
4) Provide Microcode update sample for X86 system.
5) Update Quark to use new capsule/recovery solution.
6) Update Vlv2(MinnowMax) to use new capsule/recovery solution.

The signed capsule/recovery solution is in MdeModulePkg. The capsule in IntelFrameworkModulePkg is deprecated. The Microcode update solution is in UefiCpuPkg.

124 files changed, 17848 insertions(+), 384 deletions(-)

For more info, see the full patch:
https://lists.01.org/mailman/listinfo/edk2-devel
.

Standard