William reviews CrScreenshotDxe

August 23, 2016 ~ hucktech ~ 1 Comment

William has done another tool review, this time of Nikolaj’s CrScreenshotDxe tool. He does must longer blog posts on tool reviews than me, so it is always nice to see another review from him. 🙂

[…] “Nikolaj did us all a great service by posting this utility on Github. It was easy to integrate and worked flawlessly.” […]

http://www.basicinputoutput.com/2016/08/the-joy-of-crscreenshotdxe.html

https://github.com/LongSoft/CrScreenshotDxe

Forgot to add some examples of screenshots made by CrScreenshotDxe, here they are.https://t.co/BfXiQBd6mP pic.twitter.com/S63gL2SbtK

— Nikolaj Schlej (@NikolajSchlej) January 4, 2016

https://firmwaresecurity.com/2016/01/04/screenshot-taking-uefi-dxe-driver/

VGA persistent rootkit

March 21, 2016 ~ hucktech ~ Leave a comment

This Ekoparty 2012 presentation — uploaded this month — (video in Spanish) covers both BIOS and UEFI (GOP).

VGA persistent Rootkit – Diego Juarez & Nicolás Economou @NicoEconomou en la ekoparty 2012 #eko8 https://t.co/9GmG8h2thH

— ekoparty (@ekoparty) March 9, 2016

Click to access corelabs-ekoparty-2012-VGA_Persistent_Rootkit.pdf

FreeBSD 10.3.b3 adds new commands to UEFI boot loader

March 1, 2016 ~ hucktech ~ Leave a comment

Third BETA build for the #FreeBSD 10.3 release cycle now available https://t.co/UMov6UFOSW

— FreeBSD Bytes (@freebsdbytes) March 1, 2016

Marius Strobl of the FreeBSD project has announced the 10.3-BETA3 FreeBSD. In terms of UEFI, there are two new UEFI bootloader commands, ‘gop‘ and ‘uga‘:

Two new commands have been added to the amd64 framebuffer driver
of the UEFI boot loader. The first is `gop` (as in Graphics Output
Protocol), which allows to diagnose problems with efifb(4) but also
to set the current graphics mode on machines employing GOP. With
`uga` (as in Universal Graphics Adapter), it is possible to do the
same on systems using the UGA protocol, which mainly translates to
Apple hardware. The latter change also generally introduced UGA
support and currently hardcodes the necessary settings for mid-2007
iMacs (iMac7,1) and late-2007 MacBooks (MacBook3,1). But it is
likewise possible to manually supply the necessary information for
additional systems.

https://lists.freebsd.org/pipermail/freebsd-stable/2016-February/084238.html

screenshot-taking UEFI DXE driver

January 4, 2016 ~ hucktech ~ 1 Comment

Nikolaj has written a UEFI DXE driver that takes screenshots. In addition to a useful new UEFI tool (since taking pre-OS screenshots outside of a VMM are often a PITA), the article is a nice introduction to EFI development. Attackers can use techniques like this to capture display activity in the background, just like they do in OS-level malware.

Wrote a DXE driver for taking screenshots from UEFI apps (aimed for non-ugly Setup shots) and a blog post about it.https://t.co/BfXiQBd6mP

— Nikolaj Schlej (@NikolajSchlej) January 4, 2016

Forgot to add some examples of screenshots made by CrScreenshotDxe, here they are.https://t.co/BfXiQBd6mP pic.twitter.com/S63gL2SbtK

— Nikolaj Schlej (@NikolajSchlej) January 4, 2016

UEFI DXE driver to take screenshots from GOP-compatible graphic console: This DXE driver tries to register keyboard shortcut (LCtrl + LAlt + F12) handler for all text input devices. The handler tries to find a writable FS, enumerates all GOP-capable video devices, takes screenshots from them and saves the result as PNG files on that writable FS. The main goal is to be able to make BIOS Setup screenshots for systems without serial console redirection support, but it can also be used to take screenshot from UEFI shell, UEFI apps and UEFI bootloaders.

See the readme and the blog post (in Russian) for more information:

https://github.com/NikolajSchlej/CrScreenshotDxe

http://habrahabr.ru/post/274463/

http://translate.google.com/translate?hl=en&sl=ru&tl=en&u=http%3A%2F%2Fhabrahabr.ru%2Fpost%2F274463%2F&sandbox=1

UefiGopRotate project

October 15, 2015 ~ hucktech ~ Leave a comment

Aaron Pop has created a new Tianocore module:

A EDK2 Package that supplies a UEFI driver that will bind on top of Graphics Output Devices and rotate any Blt operations by 0, 90, 180 or 270 degrees.

The license appears to be custom, but BSD-like. Perhaps someone can convince Aaron to relicense to BSD and submit to Tianocore? 🙂 Presumably more vendors will need this as they ship UEFI-based tablets/smartphones and want to let user use the device the way they want.

https://github.com/apop2/UefiGopRotate

Microsoft increases use of Secure Boot as marketing tool

June 7, 2015 ~ hucktech ~ Leave a comment

Earlier this week, Sam Varghese wrote an article in iTWire about Windows 10 and UEFI. According to the article, Window 10 will not enable Secure Boot unless the system has a Windows 8-compliant logo. It appears from the article Microsoft is hesitant to answer further questions from the author.

“System BIOS detected a non-Windows 8 logo graphic card. There is no Graphic Output Protocol support detected in this card. Windows 8 feature settings in BIOS will be changed to disabled.”

This will likely not impact users of new systems, as OEMs will ensure their logos are complaint and pominently displayed.

This appears to imply that users upgrading to Windows 10 from Windows 8 may lose the ability to use Secure Boot, unless they buy a new video card or have a recent one.

It also may mean an attacker can simply swap video cards and bypass SecureBoot; so much for tamper resistance in TPM chips…

It seems very strange for an OS vendor to be enabling or disabling firmware features. It is worse to see security features being disabled in the name of marketing. If Microsoft disables Secure Boot on a system, this may mean that Secure Boot is also disabled for any other OS installed on that system, like Linux, via the Micorosoft-signed Shim. So this Windows marketing technique likely impacts non-Windows system security. I am not sure, maybe their change only impacts their own OS, and other OSes on that system will still continue to Securely Boot.

It is also bad that this vendor is default Certificate Authority representing the UEFI Forum. It is also disconcerting to see Microsoft adding additional restrictions to all UEFI pre-OS applications. The UEFI Forum and Intel is letting Microsoft bully Intel-based Windows OEMs. I was reading some ARM slides recently, sorry I don’t have the URL handy for exact quote, but it said something like “no bully in our playground telling us what to run”. I wish Intel had the ability to stand up to the bully in their playground.

Ironically, Microsoft appears to have just learned to play Apple’s game better. Before Microsoft was playing UEFI-based games with systems, Apple was already using EFI to prevent non-Apple OSes on some of their systems. Since APPL and MSFT are OEMs as well as OS vendors, I expect their own systems would use UEFI as a form of “DRM” to keep their OS on their hardware. But Microsoft is now impacting all Windows OEMs, in addition to their own systems, each release of Windows makes more use of UEFI to restrict what OEMs and users can do and let Microsoft have more control over these systems. Chrome OEMs are looking better and better… 😦

More information:

http://www.itwire.com/opinion-and-analysis/open-sauce/68262-windows-10-no-secure-boot-unless-microsoft-tax-is-paid
https://msdn.microsoft.com/en-us/library/dn917885%28v=vs.85%29.aspx
https://msdn.microsoft.com/en-us/library/dn756793%28v=vs.85%29.aspx