For a long time Intel has offered a “freeware” (not open source) solution to debug UEFI with a 2-system solution, one running either Linux/GDB or Windows/Windbg:
Last updated in 2017, it used to work on the old TunnelMountain desktop systems, I’ve been meaning to see if it works on MinnowBoard2 systems. And this is Intel-centric (and I presume it may also work on AMD), but, I’m not aware of ARM — nor UEFI Forum’s Tianocore — having a similar offering, which I’d like to be able to use on a UEFI-based Rasberry Pi. HOWEVER… I just noticed this, which came out LAST YEAR, somehow I missed it, an open source solution!!
This is a open code replacement for Intel’s binary only GDB server that comes as part of the ‘Intel UEFI Development Kit Debugger Tool’. Since that tool is Intel x86/64 Linux/Windows only this allows more flexibility. E.g. you can run this on any ARM based SoC with python3 and a USB OTG port connected directly to your target via a USB2.0 EHCI Debug port using the Linux USB OTG Debug Port gadget. You can then connect to that target remotely from your build box, etc. This also allows you to tweak the debugger itself. I’ve already added some additional functionality here to assist when using SourceLevelDebugPkg on non-EDK2 (i.e. no source available) firmwares such as AMI Aptio IV.
Now it just needs also add LLDB support (especially for the Clang-centric HBFA branch)… 🙂 Given this is open source, unlike the Intel solution, this is a possiblity!
A few interesting things in this batch, SGX, rowhammer, OpenAttestation, etc.
In recent months US-CERT is getting a bit faster at noticing HW/FW issues, which is nice. It seems Intel manages to update their security announcements page right after I look at it for the day… 😦
Intel® NUC Firmware Advisory
Intel® RAID Web Console 3 for Windows* Advisory
Intel® Omni-Path Fabric Manager GUI Advisory
Open Cloud Integrity Technology and OpenAttestation Advisory
Partial Physical Address Leakage Advisory
Intel® Turbo Boost Max Technology 3.0 Advisory
Intel® SGX for Linux Advisory
Intel® PROSet/Wireless WiFi Software Advisory
Intel® Accelerated Storage Manager in Intel® Rapid Storage Technology Enterprise Advisory
Intel® Chipset Device Software (INF Update Utility) Advisory
ITE Tech* Consumer Infrared Driver for Windows 10 Advisory
Instead of the ‘disable it and presume everything is fine’ approach, I’ve been looking around for something like an Intel AMT/ME Security Best Practices document, to help sysadmins (and end users) secure that processor as much as possible. A friend at Intel found this, closest-fit document, with AMT configuration information, that is interesting to read. First released in 2015, last updated Janurary 2019.
Intel® Setup and Configuration Software (Intel® SCS)
This deployment guide is an instructional document providing simple steps to enable the discovery, configuration and maintenance of Intel® Active Management Technology (Intel® AMT) platforms using Intel® Setup and Configuration Software (Intel® SCS). Intel® AMT operates independently of the CPU and the firmware is delivered in an un-configured state. Intel® SCS is provided by Intel to support the setup and configuration of the firmware for the target environment and enable remote, out-of-band access to Intel® AMT features. Guidance is provided to enable a baseline implementation of Intel® AMT and identifies common configuration settings to support an enterprise deployment that take advantage of the manageability and security features available on platforms that support Intel® AMT and Intel® Standard Manageability. After configuration, Intel® AMT systems can be remotely managed by products, toolsets and solutions including Microsoft System Center Configuration Manager, Microsoft PowerShell, and Intel® Manageability Commander.
Click to access Intel_SCS_Deployment_Guide.pdf
[Reminder: I occasionally post interesting-sounding job postings for firmware security researchers and/or developers, using a tag of ‘job-posting’.]
Intel Security Center of Excellence’s goal is to be a prominent leader in the industry to assure security in computing platforms by conducting advanced security research. If you are a seasoned threat, vulnerability and exploit research expert who craves for tons of fun and pride in raising the security bar for ubiquitous computing systems, we would like you to join us as a proud member of Intel’s Advanced Security Research Team. Through your deep vulnerability analysis and mitigation development expertise, you will influence the security of a variety of Hardware, Firmware, Software & Systems spanning a range of products including Devices, Cloud, Auto, IOT, AI, VR, Drones, and Networks. Intel’s Product Assurance & Security team is chartered with building & maintaining customer trust through unparalleled security, privacy & assurance of Intel products. This team drives security & assurance governance, identifies emerging threats, secures existing products through mitigations and defines & initiates future security innovations for Intel products.
This paper presents a methodology for generating formally proven equivalence theorems between decompiled x86-64 machine code and big step semantics. These proofs are built on top of two additional contributions. First, a robust and tested formal x86-64 machine model containing small step semantics for 1625 instructions. Second, a decompilation-into-logic methodology supporting both x86-64 assembly and machine code at large scale. This work enables black-box binary verification, i.e., formal verification of a binary where source code is unavailable. As such, it can be applied to safety-critical systems that consist of legacy components, or components whose source code is unavailable due to proprietary reasons. The methodology minimizes the trusted code base by leveraging machine-learned semantics to build a formal machine model. We apply the methodology to several case studies, including binaries that heavily rely on the SSE2 floating-point instruction set, and binaries that are obtained by compiling code that is obtained by inlining assembly into C code.
Roger Feng announced the availability of a new document for Project Celadon, the Intel-specific version of Android.
The Trusty Hardware Binding Developer Guide is now available at 01.org:
2019 OCP Global Summit:
Case Study: Alternatives for SMM usage in Intel Platforms
Sarathy Jayakumar, Principal Engineer – Firmware, Intel Corporation
The broadcast System Management Mode (SMM) model has been used for many years to manage priority system events but has a number of disadvantages. Overuse of System Management Interrupts (SMI) results in performance degradation, increases latency with higher core counts, and introduces potential race conditions. SMM is also difficult to debug and has access to system resources outside of the OS environment, which makes it target for firmware exploits. This session expands on Intel’s initiative to reduce SMM footprint and provide alternatives for handling runtime platform events. Intel described SMI reduction methods based on Protected Runtime Mechanism (PRM), UEFI Capsule, and the Baseboard Management Controller (BMC) at the 2018 OCP Regional Summit. The presentation features a case study and demonstration using Intel® Xeon® Scalable Processors with EDK II firmware.
Power Management Controller (PMC) Security Advisory
Intel ID: INTEL-SA-00131
Advisory Category: Firmware
Impact of vulnerability: Escalation of Privilege, Information Disclosure
Severity rating: HIGH
Original release: 09/11/2018
Last revised: 12/18/2018
A potential security vulnerability in power management controller firmware may allow escalation of privilege and/ or information disclosure. Intel is releasing firmware updates to mitigate this potential vulnerability.
Advisory Category: Software
Impact of vulnerability: Information Disclosure
Severity rating: MEDIUM
Original release: 12/05/2018
A potential security vulnerability in Intel® IPP may allow information disclosure. Intel is releasing software updates to mitigate this potential vulnerability. Data leakage in cryptographic libraries for Intel(R) IPP before 2019 update1 release may allow an authenticated user to potentially enable information disclosure via local access. Intel recommends that users of Intel® IPP update to 2019 update1 or later. Updates are available for download […] Intel would like to thank an Wichelmann (Universität zu Lübeck), Ahmad Moghimi (Worcester Polytechnic Institute), Thomas Eisenbarth (Universität zu Lübeck) and Berk Sunar (Worcester Polytechnic Institute) for reporting this issue and working with us on coordinated disclosure.
SUPPORTED (NEW) FEATURES AND CHANGES IN RELEASE:
1. The 64bit BIOS is now functional with Linux and Windows 8.1 Embedded/Windows 10.
2. The 32bit BIOS is now functional with Windows 8.1 Embedded/Windows 10.
3. Supports booting from "SD card", "USB drive" and "SATA".
4. Supports S3 resume for Linux, Windows 8.1 Embedded and Windows 10.
5. Supports S4 resume for Windows 8.1 Embedded and Windows 10.
6. Supports 64bit image GCC build (32bit image GCC build is not supported).
7. Update EDK II core from UDK2015 release to UDK2017.
8. Signed Capsule Update is supported.
9. Supports HTTP and HTTPS boot.
10. Add board UUID support.
11. Fixed the issue that USB device may not be detected at system power-on.
12. Main changes in this release
1) Add microcode M0130679906 for D1 stepping.
2) Produce SMBIOS type 1.
3) Changed manufacture name.
4) Fixed some open bugs. Please visit the following link for details.
New or Updated Modules:
Updated memconfig to only check registers that are defined by the platform
Updated common.bios_smi to check controls not registers
Added me_mfg_mode module
Added support for LoJax detection
Updated common.spi_lock test support
Added sgx_check module and register definitions
Updates to DCI support in debugenabled module
New or Updated Functionality:
Added ability for is_supported to signal a module is not applicable
Added 300 Series PCH support
Added support for building Windows driver with VS2017
Added fixed I/O bar support
Updated XML and JSON log rewrite
Updated logger to use python logging support
Added JEDEC ID command
Added DAL helper support
Added 8th Generation Core Processor support
Updated UEFI variable fuzzing code
Added C600 and C610 configuration
Added C620 PCH configuration
Updated ACPI table parsing support
Updated UEFI system table support
Added Denverton (DNV) support
Added result delta functionality
Added ability to override PCH from detected version
See release notes for list of Fixes.
[…]This provides specific guidance for firmware based upon the EFI Developer Kit II (EDKII) and coreboot. Because this document deals with host firmware internal requirements, it is not intended to provide side channel mitigation guidance for general application developers.
Scope: This addresses bare-metal firmware runtime risks and mitigation suggestions for the bounds check bypass, branch target injection, rogue data cache load, rogue system register read, and speculative store bypass side channel methods. Our examples and context are primarily focused on ring 0 firmware runtimes (for example: EFI Developer Kit II, PI SMM, and coreboot SMM). Other firmware execution environments are out of scope.[…]
Intel has a new document about hardware security and SGX:
There is tremendous opportunity for application and solution developers to take charge of their data security using new hardware-based controls for cloud and enterprise environments. Intel® Software Guard Extensions (Intel® SGX), available in its second-generation on the new Intel® Xeon® E-2100 processor, offers hardware-based memory encryption that isolates specific application code and data in memory. Intel® SGX allows user-level code to allocate private regions of memory, called enclaves, which are designed to be protected from processes running at higher privilege levels. We believe only Intel offers such a granular level of control and protection. Think about it like a lockbox in your home. Even though you have locks on your doors and a home security system, you may still secure your most sensitive data in a private lockbox with a separate key to provide extra layers of protection even if someone gained unwanted access to your home. Essentially, Intel® SGX is a lockbox inside a system’s memory, helping protect the data while it’s in-use during runtime.[…]
This website provides more than 200,000 pages with detailed latency, throughput, and port usage data for most x86 instructions on all generations of Intel’s Core architecture (i.e., from Nehalem to Coffee Lake). While such data is important for understanding, predicting, and optimizing the performance of software running on these microarchitectures, most of it is not documented in Intel’s official processor manuals.