Google wants servers without Intel ME and UEFI

Golem has a story about the recent Google presentation at OSSEU2017:

From Google Translation of German text:

Google wants servers without Intel ME and UEFI
by Sebastian Grüner
According to the motto “Are you afraid?” a team of Google’s coreboot developers is working with colleagues to make Intel’s ME and the proprietary UEFI harmless in servers. And probably with success.[…]




Ronald Minnich auf dem Open Source Summit in Prag

Maybe I missed it, but I didn’t see the video of this presentation archived.



ChromeOS impact of Infineon TPM problem

More on: https://firmwaresecurity.com/2017/10/10/infineon-tpms-generating-weak-keys/

“You can check the TPM firmware running on your device by looking at the firmware_version line of the tpm_version entry in chrome://system. If the tpm_version entry is absent, this is likely because you are running an old Chrome OS version which doesn’t report this information. Upgrade to a newer version and check again.”




more on Google NERF

Google NERF looks interesting, they keep UEFI’s PI but replace the UEFI layers with Linux kernel, and the code is written in Go. Looks like they’re focusing on removing dynamic code in UEFI and SMM. Unclear about their position towards dynamic code in ACPI, as well as PCIe (eg, PCIleech-style attacks).

The slides from the recent North American OSS presentation are online, but I can’t find the video online:


There’s an upcoming European OSS event upcoming:

Replace Your Exploit-Ridden Firmware with Linux
Ronald Minnich, Google

With the WikiLeaks release of the vault7 material, the security of the UEFI (Unified Extensible Firmware Interface) firmware used in most PCs and laptops is once again a concern. UEFI is a proprietary and closed-source operating system, with a codebase almost as large as the Linux kernel, that runs when the system is powered on and continues to run after it boots the OS (hence its designation as a “Ring -2 hypervisor”). It is a great place to hide exploits since it never stops running, and these exploits are undetectable by kernels and programs. Our answer to this is NERF (Non-Extensible Reduced Firmware), an open source software system developed at Google to replace almost all of UEFI firmware with a tiny Linux kernel and initramfs. The initramfs file system contains an init and command line utilities from the u-root project (http://u-root.tk/), which are written in the Go language.







Google Titan trust paper available

A Vendor-Agnostic Root of Trust for Measurement
Jon McCune, Rick Altherr
We report the success of a project that Google performed as a proof-of-concept for increasing confidence in first-instruction integrity across a variety of server and peripheral environments. We begin by motivating the problem of first-instruction integrity and share the lessons learned from our proof-of-concept implementation. Our goal in sharing this information is to increase industry support and engagement for similar designs. Notable features include a vendor-agnostic capability to interpose on the SPI peripheral bus (from which bootstrap firmware is loaded upon power-on in a wide variety of devices today) without negatively impacting the efficacy of any existing vendor- or device-specific integrity mechanisms, thereby providing additional defense-in-depth.



Yuriy of Eclypsium has a few comments on the doc, click on below tweet for thread:



Android 8.0 and Project Treble



“The Android 8.0 release includes Project Treble, a major re-architect of the Android OS framework designed to make it easier, faster, and less costly for manufacturers to update devices to a new version of Android. Treble is for all new devices launching with Android 8.0 and beyond (the new architecture is already running on the Developer Preview for Pixel phones).[…]”


Google Pawn: Intel firmware dumping tool!

Exciting, Google has a new tool that helps dump the UEFI/BIOS into a rom.bin, like FlashROM and CHIPSEC! Pawn is written in C++/C, Apache-licensed, requires Linux and GCC toolchain. Given 2014-2017 copyright, it has been around for YEARS, only went public 3 months ago, and I just noticed it today. See below, I am still looking for “Bishop”…

Pawn BIOS Dumping Tool
Copyright 2014-2017 Google Inc.
Disclaimer: This is not an official Google product (experimental or otherwise), it is just code that happens to be owned by Google.
Pawn is a tool to extract the BIOS firmware from Intel-based workstations and laptops. The name is a play on an internal tool that is also named after a chess piece.
sudo .build/pawn bios_image.bin
You can then use other tools like UEFITool to process the firmware image further.


What/where is Pawn’s companion utility, Bishop?? From pawn.cc comments:

Pawn, a companion utility to Bishop (go/bishop) to extract BIOS firmware from corp machines.

If you find it, please leave a Comment.