edk2-gdb-server: Open Source EDK2 GDB Server

For a long time Intel has offered a “freeware” (not open source) solution to debug UEFI with a 2-system solution, one running either Linux/GDB or Windows/Windbg:

https://firmware.intel.com/develop/intel-uefi-tools-and-utilities/intel-uefi-development-kit-debugger-tool

Last updated in 2017, it used to work on the old TunnelMountain desktop systems; I’ve been meaning to see if it works on MinnowBoard2 systems. And this is Intel-centric (and I presume it may also work on AMD), but I’m not aware of ARM — nor UEFI Forum’s Tianocore — having a similar offering, which I’d like to be able to use on a UEFI-based Raspberry Pi. HOWEVER… I just noticed this, which came out LAST YEAR, somehow I missed it, an open source solution!!

This is an open code replacement for Intel’s binary only GDB server that comes as part of the ‘Intel UEFI Development Kit Debugger Tool’. Since that tool is Intel x86/64 Linux/Windows only this allows more flexibility. E.g. you can run this on any ARM based SoC with python3 and a USB OTG port connected directly to your target via a USB2.0 EHCI Debug port using the Linux USB OTG Debug Port gadget. You can then connect to that target remotely from your build box, etc. This also allows you to tweak the debugger itself. I’ve already added some additional functionality here to assist when using SourceLevelDebugPkg on non-EDK2 (i.e. no source available) firmwares such as AMI Aptio IV.

https://github.com/night199uk/edk2-gdb-server

Now it just needs to also add LLDB support (especially for the Clang-centric HBFA branch)… 🙂 Given this is open source, unlike the Intel solution, this is a possibility!

11 new security advisories from Intel

A few interesting things in this batch, SGX, rowhammer, OpenAttestation, etc.

In recent months US-CERT is getting a bit faster at noticing HW/FW issues, which is nice. It seems Intel manages to update their security announcements page right after I look at it for the day… 😦

Intel® NUC Firmware Advisory
INTEL-SA-00264
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00264.html

Intel® RAID Web Console 3 for Windows* Advisory
INTEL-SA-00259
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00259.html

Intel® Omni-Path Fabric Manager GUI Advisory
INTEL-SA-00257
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00257.html

Open Cloud Integrity Technology and OpenAttestation Advisory
INTEL-SA-00248
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00248.html

Partial Physical Address Leakage Advisory
INTEL-SA-00247
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00247.html

Intel® Turbo Boost Max Technology 3.0 Advisory
INTEL-SA-00243
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00243.html

Intel® SGX for Linux Advisory
INTEL-SA-00235
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00235.html

Intel® PROSet/Wireless WiFi Software Advisory
INTEL-SA-00232
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00232.html

Intel® Accelerated Storage Manager in Intel® Rapid Storage Technology Enterprise Advisory
INTEL-SA-00226
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00226.html

Intel® Chipset Device Software (INF Update Utility) Advisory
INTEL-SA-00224
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00224.html

ITE Tech* Consumer Infrared Driver for Windows 10 Advisory
INTEL-SA-00206
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00206.html

Intel AMT security best practices

Instead of the ‘disable it and presume everything is fine’ approach, I’ve been looking around for something like an Intel AMT/ME Security Best Practices document, to help sysadmins (and end users) secure that processor as much as possible. A friend at Intel found this closest-fit document, with AMT configuration information, that is interesting to read. First released in 2015, last updated January 2019.

Deployment GUIDE
Intel® Setup and Configuration Software (Intel® SCS)

This deployment guide is an instructional document providing simple steps to enable the discovery, configuration and maintenance of Intel® Active Management Technology (Intel® AMT) platforms using Intel® Setup and Configuration Software (Intel® SCS). Intel® AMT operates independently of the CPU and the firmware is delivered in an un-configured state. Intel® SCS is provided by Intel to support the setup and configuration of the firmware for the target environment and enable remote, out-of-band access to Intel® AMT features. Guidance is provided to enable a baseline implementation of Intel® AMT and identifies common configuration settings to support an enterprise deployment that take advantage of the manageability and security features available on platforms that support Intel® AMT and Intel® Standard Manageability. After configuration, Intel® AMT systems can be remotely managed by products, toolsets and solutions including Microsoft System Center Configuration Manager, Microsoft PowerShell, and Intel® Manageability Commander.

Intel releases Host-based Firmware Analyzer (HBFA)

https://software.intel.com/en-us/blogs/2019/02/25/using-host-based-analysis-to-improve-firmware-resiliency
https://github.com/tianocore/edk2-staging/tree/HBFA
https://firmware.intel.com/sites/default/files/Intel_UsingHBFAtoImprovePlatformResiliency.pdf

Exciting!

[…]Computer platform firmware is a critical element in the root-of-trust. Firmware developers need a robust tool set to analyze and test firmware components, enabling detection of security issues prior to platform integration and helping to reduce validation costs. HBFA allows developers to run open source advanced tools, such as fuzz testing, symbolic execution, and address sanitizers in a system environment. Supported Features:
* GUI and command-line interfaces
* Execute common fuzzing frameworks (AFL, libFuzzer, Peach)
* Supports symbolic execution (KLEE/STP)
* Incorporates Address Sanitizer
* Unit test execution via Cunit/Cmocka/Host directly
* Generate code coverage report (GCOV/LCOV in Linux, DynamoRIO in Windows)
* Instrumentation methods for fault injection and trace
* Database of unit test cases
* Test reports with extended stack trace information
* Windows support

Intel seeks Security Researcher

[Reminder: I occasionally post interesting-sounding job postings for firmware security researchers and/or developers, using a tag of ‘job-posting’.]

Intel Security Center of Excellence’s goal is to be a prominent leader in the industry to assure security in computing platforms by conducting advanced security research. If you are a seasoned threat, vulnerability and exploit research expert who craves for tons of fun and pride in raising the security bar for ubiquitous computing systems, we would like you to join us as a proud member of Intel’s Advanced Security Research Team. Through your deep vulnerability analysis and mitigation development expertise, you will influence the security of a variety of Hardware, Firmware, Software & Systems spanning a range of products including Devices, Cloud, Auto, IOT, AI, VR, Drones, and Networks. Intel’s Product Assurance & Security team is chartered with building & maintaining customer trust through unparalleled security, privacy & assurance of Intel products. This team drives security & assurance governance, identifies emerging threats, secures existing products through mitigations and defines & initiates future security innovations for Intel products.

https://jobs.intel.com/ShowJob/Id/1658098/Security%20Researcher

Formally verified big step semantics out of x86-64 binaries

This paper presents a methodology for generating formally proven equivalence theorems between decompiled x86-64 machine code and big step semantics. These proofs are built on top of two additional contributions. First, a robust and tested formal x86-64 machine model containing small step semantics for 1625 instructions. Second, a decompilation-into-logic methodology supporting both x86-64 assembly and machine code at large scale. This work enables black-box binary verification, i.e., formal verification of a binary where source code is unavailable. As such, it can be applied to safety-critical systems that consist of legacy components, or components whose source code is unavailable due to proprietary reasons. The methodology minimizes the trusted code base by leveraging machine-learned semantics to build a formal machine model. We apply the methodology to several case studies, including binaries that heavily rely on the SSE2 floating-point instruction set, and binaries that are obtained by compiling code that is obtained by inlining assembly into C code.

https://dl.acm.org/citation.cfm?doid=3293880.3294102

6 Intel security advisories

INTEL-SA-00212
Intel® System Support Utility for Windows Advisory
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00212.html

INTEL-SA-00207
Intel® SSD Data Center Tool Vulnerability Advisory
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00207.html

INTEL-SA-00203
Intel® SGX Platform Software and Intel® SGX SDK Advisory
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00203.html

INTEL-SA-00182
Intel® PROSet/Wireless WiFi Software Advisory
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00182.html

INTEL-SA-00175
Intel® Optane™ SSD DC P4800X Advisory
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00175.html

INTEL-SA-00144
Intel® NUC Firmware Security Advisory
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00144.html

Alternatives for SMM usage in Intel Platforms

2019 OCP Global Summit:
Case Study: Alternatives for SMM usage in Intel Platforms
Sarathy Jayakumar, Principal Engineer – Firmware, Intel Corporation

The broadcast System Management Mode (SMM) model has been used for many years to manage priority system events but has a number of disadvantages. Overuse of System Management Interrupts (SMI) results in performance degradation, increases latency with higher core counts, and introduces potential race conditions. SMM is also difficult to debug and has access to system resources outside of the OS environment, which makes it a target for firmware exploits. This session expands on Intel’s initiative to reduce SMM footprint and provide alternatives for handling runtime platform events. Intel described SMI reduction methods based on Protected Runtime Mechanism (PRM), UEFI Capsule, and the Baseboard Management Controller (BMC) at the 2018 OCP Regional Summit. The presentation features a case study and demonstration using Intel® Xeon® Scalable Processors with EDK II firmware.

https://2019ocpglobalsummit.sched.com/event/Jin2/case-study-alternatives-for-smm-usage-in-intel-platforms

https://www.opencompute.org/summit/global-summit

Intel: An update on SGX 3rd Party Attestation

https://software.intel.com/en-us/blogs/2018/12/09/an-update-on-3rd-party-attestation?spredfast-trk-id=sf204602974

INTEL-SA-00131: Intel Power Management Controller (PMC) EoP

Power Management Controller (PMC) Security Advisory
Intel ID: INTEL-SA-00131
Advisory Category: Firmware
Impact of vulnerability: Escalation of Privilege, Information Disclosure
Severity rating: HIGH
Original release: 09/11/2018
Last revised: 12/18/2018

A potential security vulnerability in power management controller firmware may allow escalation of privilege and/or information disclosure. Intel is releasing firmware updates to mitigate this potential vulnerability.

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00131.html

Intel to open-source FSP??

https://www.phoronix.com/scan.php?page=news_item&px=Intel-Open-Source-FSP-Likely

Please leave a Comment on this post if you have more info, other than above.

https://github.com/IntelFsp/FSP

https://firmware.intel.com/learn/fsp/about-intel-fsp

Intel releases 5 new security advisories

Intel® QuickAssist Technology for Linux Advisory
INTEL-SA-00211
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00211.html

Intel® System Defense Utility Vulnerability Advisory
INTEL-SA-00209
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00209.html

Intel® Parallel Studio Vulnerability Advisory
INTEL-SA-00208
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00208.html

Intel® Solid State Drive Toolbox File Permissions Advisory
INTEL-SA-00205
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00205.html

Intel® VTune Amplifier 2018 Update 3 Advisory
INTEL-SA-00194
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00194.html

CVE-2018-12155, INTEL-SA-00202: Intel Integrated Performance Primitives advisory

Advisory Category: Software
Impact of vulnerability: Information Disclosure
Severity rating: MEDIUM
Original release: 12/05/2018

A potential security vulnerability in Intel® IPP may allow information disclosure. Intel is releasing software updates to mitigate this potential vulnerability. Data leakage in cryptographic libraries for Intel(R) IPP before 2019 update1 release may allow an authenticated user to potentially enable information disclosure via local access. Intel recommends that users of Intel® IPP update to 2019 update1 or later. Updates are available for download […] Intel would like to thank Jan Wichelmann (Universität zu Lübeck), Ahmad Moghimi (Worcester Polytechnic Institute), Thomas Eisenbarth (Universität zu Lübeck) and Berk Sunar (Worcester Polytechnic Institute) for reporting this issue and working with us on coordinated disclosure.

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00202.html

https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-12155

https://software.intel.com/en-us/intel-ipp

https://software.intel.com/en-us/ipp-dev-reference

MinnowBoard Max/Turbot firmware 1.00 released

SUPPORTED (NEW) FEATURES AND CHANGES IN RELEASE:
1. The 64bit BIOS is now functional with Linux and Windows 8.1 Embedded/Windows 10.
2. The 32bit BIOS is now functional with Windows 8.1 Embedded/Windows 10.
3. Supports booting from "SD card", "USB drive" and "SATA".
4. Supports S3 resume for Linux, Windows 8.1 Embedded and Windows 10.
5. Supports S4 resume for Windows 8.1 Embedded and Windows 10.
6. Supports 64bit image GCC build (32bit image GCC build is not supported).
7. Update EDK II core from UDK2015 release to UDK2017.
8. Signed Capsule Update is supported.
9. Supports HTTP and HTTPS boot.
10. Add board UUID support.
11. Fixed the issue that USB device may not be detected at system power-on.
12. Main changes in this release
   1) Add microcode M0130679906 for D1 stepping.
   2) Produce SMBIOS type 1.
   3) Changed manufacture name.
   4) Fixed some open bugs. Please visit the following link for details.
      https://wiki.yoctoproject.org/wiki/Minnow_Bug_Triage

https://firmware.intel.com/projects/minnowboard-max
https://firmware.intel.com/sites/default/files/minnowboard_max-rel_1_00-releasenotes.txt

CHIPSEC v1.3.6 released

New or Updated Modules:
Updated memconfig to only check registers that are defined by the platform
Updated common.bios_smi to check controls not registers
Added me_mfg_mode module
Added support for LoJax detection
Updated common.spi_lock test support
Added sgx_check module and register definitions
Updates to DCI support in debugenabled module

New or Updated Functionality:
Added ability for is_supported to signal a module is not applicable
Added 300 Series PCH support
Added support for building Windows driver with VS2017
Added fixed I/O bar support
Updated XML and JSON log rewrite
Updated logger to use python logging support
Added JEDEC ID command
Added DAL helper support
Added 8th Generation Core Processor support
Updated UEFI variable fuzzing code
Added C600 and C610 configuration
Added C620 PCH configuration
Updated ACPI table parsing support
Updated UEFI system table support
Added Denverton (DNV) support
Added result delta functionality
Added ability to override PCH from detected version

See release notes for list of Fixes.

https://github.com/chipsec/chipsec/commits/master

https://github.com/chipsec/chipsec/releases/tag/v1.3.6

Intel security guidance: Host Firmware Speculative Execution Side Channel Mitigation

[…]This provides specific guidance for firmware based upon the EFI Developer Kit II (EDKII) and coreboot. Because this document deals with host firmware internal requirements, it is not intended to provide side channel mitigation guidance for general application developers.

Scope: This addresses bare-metal firmware runtime risks and mitigation suggestions for the bounds check bypass, branch target injection, rogue data cache load, rogue system register read, and speculative store bypass side channel methods. Our examples and context are primarily focused on ring 0 firmware runtimes (for example: EFI Developer Kit II, PI SMM, and coreboot SMM). Other firmware execution environments are out of scope.[…]

https://software.intel.com/security-software-guidance/api-app/insights/host-firmware-speculative-execution-side-channel-mitigation

more info:

https://software.intel.com/security-software-guidance/software-guidance

Intel ‘patch Tuesday’: 8 new security advisories

INTEL-SA-00199
Intel® RAID Web Console 3 Cross-site Scripting Vulnerability Advisory
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00199.html

INTEL-SA-00198
Intel® Ready Mode Technology File Permissions Advisory
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00198.html

INTEL-SA-00197
Intel® Media Server Studio for Windows® Vulnerability Advisory
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00197.html

INTEL-SA-00196
Intel® RAID Web Console 3 for Windows Authentication Bypass Advisory
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00196.html

INTEL-SA-00188
Intel® PROSet/Wireless WiFi Software Advisory
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00188.html

INTEL-SA-00187
Intel® Driver & Support Assistant Advisory
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00187.html

INTEL-SA-00180
Intel® Trace Analyzer 2018 Advisory
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00180.html

INTEL-SA-00153
Intel® Rapid Store Technology Installer Advisory
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00153.html

Intel: Protection at the Hardware Level [using SGX]

Intel has a new document about hardware security and SGX:

There is tremendous opportunity for application and solution developers to take charge of their data security using new hardware-based controls for cloud and enterprise environments. Intel® Software Guard Extensions (Intel® SGX), available in its second-generation on the new Intel® Xeon® E-2100 processor, offers hardware-based memory encryption that isolates specific application code and data in memory. Intel® SGX allows user-level code to allocate private regions of memory, called enclaves, which are designed to be protected from processes running at higher privilege levels. We believe only Intel offers such a granular level of control and protection. Think about it like a lockbox in your home. Even though you have locks on your doors and a home security system, you may still secure your most sensitive data in a private lockbox with a separate key to provide extra layers of protection even if someone gained unwanted access to your home. Essentially, Intel® SGX is a lockbox inside a system’s memory, helping protect the data while it’s in-use during runtime.[…]

https://itpeernetwork.intel.com/hardware-security-sgx

uops.info: Latency, Throughput, and Port Usage Information For Instructions on Recent Intel Microarchitectures

This website provides more than 200,000 pages with detailed latency, throughput, and port usage data for most x86 instructions on all generations of Intel’s Core architecture (i.e., from Nehalem to Coffee Lake). While such data is important for understanding, predicting, and optimizing the performance of software running on these microarchitectures, most of it is not documented in Intel’s official processor manuals.

http://uops.info/