Tag: Intel

Android IoT: Google Brillo and Weave

~ hucktech ~ Leave a comment

Google has began an invite program for their Brillo/Weave IoT project, which they announced earlier this year at Google I/O:

Brillo:

“Since May, we’ve opened up the Brillo operating system (OS) and Weave communication platform to early access partners. Today, we’re extending this to the broader developer community as part of our invite program. Read on to find out how you can receive an invitation. Brillo brings the simplicity and speed of software development to hardware by offering you a lightweight embedded OS based on Android, core services, a developer kit, and a developer console. You can choose from a variety of hardware capabilities and customization options, quickly move from prototype to production, and manage at scale with over the air (OTA) updates, metrics, and crash reporting.”

Weave:

“Once you’ve built your connected device, you’ll need to find a way for it to communicate with other devices and allow users to interact with it. That’s where Weave comes in. With Weave, you can build interoperable communications directly into your devices. Weave provides a messaging service that enables phones and devices to talk to each other locally and remotely through the cloud. The Weave cloud server handles remote communication and access to your web-connected device, safely and at scale. With Weave you also get a set of services to securely set up the device and provide controlled access. Additionally, Weave works seamlessly with, and is actually built right into, Brillo; but, you can also use Weave libraries with your existing Linux-based OS.”

Intel already has their Edison board ready for Brillo:

http://newsroom.intel.com/community/intel_newsroom/blog/2015/10/27/intel-edison-module-offers-brillo-support-at-launch
https://software.intel.com/en-us/blogs/2015/10/27/intel-edison-board-and-brillo

“The Intel Edison compute module is one of the first platforms to support Brillo, which Google released source code for today via an invitation program. Newegg will be offering a Brillo-compliant solution built upon the Intel Edison kit for Arduino. Intel expects to support Brillo on additional SoCs (system-on-chip) and IoT maker boards in the future.”

More Information:

http://www.forbes.com/sites/janakirammsv/2015/10/29/google-brillo-vs-apple-homekit-the-battleground-shifts-to-iot/
http://liliputing.com/2015/10/google-launches-android-based-brillo-os-for-internet-of-things.html
http://www.androidauthority.com/imaginations-new-ci40-creator-iot-board-will-run-brillo-from-google-651920/

Android-based "Brillo" IoT OS arrives with hacker SBC support

Google invites developers to its Brillo IoT platform

The Platform on Intel 3D Xpoint memory

~ hucktech ~ Leave a comment

http://www.theplatform.net/2015/10/28/intel-shows-off-3d-xpoint-memory-performance/

ThePlatform is a really nice news site, they generally have very well written articles.

This new 3D Xpoint memory technology was announced at Intel SDR this Summer. I’ll admit, I still haven’t internalized what this new memory means for the future of computing, nor firmware (eg, how it impacts UEFI), nor firmware security.. 😦 I don’t recall seeing any Tiancore.org checkins for this, I’ll check for that next time I study the next code update.

New ITL research on x86 security!!

~ hucktech ~ Leave a comment

Joanna of Invisible Things Lab has a new blog post on Intel x86 security!!

http://blog.invisiblethings.org/2015/10/27/x86_harmful.html

Click to access x86_harmful.pdf

http://blog.invisiblethings.org/papers/2015/x86_harmful.epub

https://github.com/rootkovska/x86_harmful

And there’s a second paper in the works, as well!

VZ on Secure Boot, Intel TXT, Linux, and UEFI

~ hucktech ~ Leave a comment

Earlier today, Matthew Garret posted a problem on Twitter about Intel Linux and Intel TXT mode:

MJG on Secure Boot, Intel TXT, Linux, and security

Later that day, Vincent Zimmer of Intel is apparently helping to get that Intel project working with UEFI:

A few weeks ago, a similar thing happened with Intel SGX. Intel is lucky to have Vincent Zimmer, who is very engaged with Linux security/development community, in helping to fix Intel projects to properly support UEFI. Many large companies do not have this kind of public individual involvement.

MJG on Secure Boot, Intel TXT, Linux, and security

~ hucktech ~ Leave a comment

A short security lesson from Matthew (click on Twitter link for follow-up post):

[BTW, sorry WordPress doesn’t seem to render Twitter’s HTML table when scrolling through the site If you ever see multiple blank lines in the post it is probably a Twitter URL that WordPress didn’t render, refresh to fix. You have to refresh on new pages, often, or view the post on a separate page (which generates a refresh). I post messages while online and finding news, but don’t spend a huge amount of extra time formatting the posting, simple ASCII text plus a few URLs. The interactive WordPress HTML UI to add a hyperlink triples the time to post each message, and WordPress won’t accept HTML <A> links. WordPress renders some URLs differently, like showing the image of a JPEG/PNG/etc, and showing the Youtube video link and hiding the rest of a web page which contains a Youtube URL — like Kickstart funding pages.]

Arduino 101, an Intel Curie-based device

~ hucktech ~ Leave a comment

Quoting the Intel blog post:

The Verge reports some big news was announced at Maker Faire Rome today: The Arduino 101, a low-cost, low-energy Arduino-branded device based on Intel’s Curie module, the first such product to hit the market. The Arduino 101 is reported to sell for around $30 and includes Bluetooth Low Energy, a gyroscope and accelerometer.

I do not know what firmware it uses, yet…

http://www.theverge.com/2015/10/16/9548177/intel-curie-arduino-maker-board

http://blogs.intel.com/evangelists/2015/10/16/meet-the-arduino-101-the-first-intel-curie-based-product/

UP, Intel x5 IoT prototype board on Kickstarter

~ hucktech ~ Leave a comment

Excerpting the Intel blog:

This is the UP, a new IoT prototyping board built on Intel’s x5-Z8300 QuadCore 1.44Ghz (1.84GHz) 64 bit 2W CPU: “The 40 Pin I/O connector, the USB 3.0 OTG, the Gigabit Ethernet, the HDMI and more other features make it a perfect solution for different domains and products like Robotics, Drone, Machine Vision, Smart Home, Education, Digital Signage, Intelligent Cars, Internet Of Things.” UP’s Kickstarter is now live with 44 days left to go. Produced by Aaeon, industrial embedded company part of ASUS group, the UP board makes a wonderful (high powered) addition to the growing line-up of powerful Intel-based IoT platforms. According to up-board.org, UP store will be available starting Dec. 17th, check it out on Kickstarter today.

Regarding the next link (the video image), WordPress apparently converts Kickstarter.com-based URLs to only show the video on the page, like next link. For full Kickstarter web page, use link from Intel blog:

http://blogs.intel.com/evangelists/2015/10/16/up-a-new-quadcore-1-44ghz-iot-platform-on-kickstarter-now/

Homepage

AMI announces support for Intel Innovation Engine

~ hucktech ~ Leave a comment

Since IDF this Summer, a few UEFI Forum vendors have announced support for Intel’s “Innovation Engine”, which was announced at IDF. Recently, AMI just announced more support for it:

http://ami.com/news/press-releases/?PressReleaseID=335&/American%20Megatrends%20to%20Support%20New%20Intel%C2%AE%20Innovation%20Engine%20Platform%20in%20MegaRAC%C2%AE%20PMX%20Platform%20Management%20Solution/

The problem is, Intel has yet to provide ANY information on this Innovation Engine vaporware. These “we also support Intel IE” press releases, with no information on what Intel IE is, are getting tiresome. Intel, please produce some information on IE, not just get partners to ship vague vaporware press releases!

LinuxCon Europe UEFI Mini-Summit presentations available

~ hucktech ~ Leave a comment

Earlier this month, the UEFI Forum recently had a “Mini-Summit” at LinuxCon Europe. The presentations are now available online (so far just the slides, unclear if A/V will show up on Youtube later):

UEFI Mini-Summit at LinuxCon Europe: October 7, 2015

* UEFI Forum Update and Open Source Community Benefits – Mark Doran (Intel)
* What Linux Developers Need to Know About Recent UEFI Spec Advances – Jeff Bobzin (Insyde Software)
* LUV Shack: An Automated Linux Kernel and UEFI Firmware Testing Infrastructure – Matt Fleming (Intel)
* Goodbye PXE, Hello HTTP Boot – Dong Wei (HP)
* UEFI Development in an Open Source Ecosystem – Michael Krau (Intel)

More information (about halfway down the page, past the Youtube section):

http://www.uefi.org/learning_center/presentationsandvideos

 

LegbaCore adds BIOS/SMM training to OpenSecurityTraining.Info!

~ hucktech ~ Leave a comment

They’ve added a 2-day training course on BIOS/SMM, “Advanced x86: Introduction to BIOS & SMM”! The BIOS researchers at MITRE — and half of them now at LebaCore — are one of the main pioneers of BIOS research, and this is one of ther main training sessions. Wow!

“Around 2011, the trustworthy system measurement research project that Xeno Kovah was running at MITRE decided to start digging deeper than the Windows kernel and rootkit detection, to try and detect malicious software at the BIOS level. Xeno & Corey Kallenberg continued to work on Kernel, while team member John Butterworth was tasked with starting to learn about BIOS in parallel. John’s work led to the “BIOS Chronomancy” work (published at both BlackHat and ACM CCS), porting the team’s existing Timing-Based Attestation system from the kernel level down to the BIOS. Xeno then asked John to start making an open source training class to capture his knowledge, the same way that Xeno & Corey had captured their past knowledge on the project and uploaded it to OST. John created a 2 day Intro BIOS class and got it public released from MITRE. The intention originally was that it would cover all basics of BIOS which would be applicable to both legacy BIOS, CoreBoot, or UEFI-based systems. And then it was expected there would be a follow on class digging deeper into the specifics of UEFI. Unfortunately time prohibited the creation of that 2nd 2 days of classes focusing on UEFI, so you can see that some minimal UEFI content was eventually shoehorned into this class, though frequently there isn’t enough time to get to it within 2 days. It is our hope that this Introductory BIOS & SMM class will help demystify how x86 systems work at the low levels, so that people can better understand the BIOS/SMM/SecureBoot vulnerabilities described in the team’s work while at MITRE, and later after Xeno & Corey founded LegbaCore. With this knowledge in hand, hopefully students can fully appreciate and explain to others why it is so critical that BIOS patch management be performed by organizations, to eliminate the vulnerabilities that lurk at this level.

http://opensecuritytraining.info/IntroBIOS.html

Nikolaj on UEFI Security, part 7!

~ hucktech ~ Leave a comment

Nikolaj has written a 7th part to his 6-part series on UEFI security!

It covers AMD security processors, Intel STM, Intel SGX, TPM 2.0, and other current technologies.

There is mention at the end of an upcoming article on taming Secure Boot, generating your own keys, looking forward to that!

http://habrahabr.ru/post/268423/

https://translate.google.com/translate?sl=auto&tl=en&js=y&prev=_t&hl=en&ie=UTF-8&u=http%3A%2F%2Fhabrahabr.ru%2Fpost%2F268423%2F&edit-text=

NCCGroup Intel SGX primer

~ hucktech ~ Leave a comment

Back in January, Ollie Whitehouse wrote a very nice introduction to Intel SGX, with MANY links to related materials.

Intel SGX is a trusted execution environment which provides a reverse sandbox. It’s not yet available but those who have had access to the technology have shown some powerful applications in cloud use cases that on the face of it dramatically enhance security without the performance constraints of homomorphic encryption. However, there is enough small print to warrant both validation and defensive assessment activities when the technology becomes more generally available. There is a new set of features coming to Intel CPUs that have massive potential for cloud security and other applications such as DRM. However, as with all things that can be used for good there is also the potential for misuse. These features come in the guise of Software Guard Extensions (SGX). In this post we’ve collated what we know about the technology, what others have said about it and how it is being applied in real-world applications.

https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2015/january/intel-software-guard-extensions-sgx-a-researchers-primer/

Breaking Bad BIOS at Intel Security’s FOCUS conference

~ hucktech ~ Leave a comment

Intel Security has their annual FOCUS conference, in Las Vegas in a few weeks.

I may have missed others, but there is at least ONE interesting presentation at this event:

Breaking Bad BIOS — The Art of BIOS Attacks
Oleksandr Bazhaniuk, Security Researcher, Intel Security

Recent attacks against Basic Input/Output Systems (BIOSs) attracted attention due to their ability to enable stealthy and highly persistent malware capable of compromising software applications, operating systems, and hypervisors. Some can bypass secure OS boots, enable attacks on encrypted disks, and even allow additional malware installs.
 * Understand current BIOS attacks and attack surfaces
 * Understand platform level tools and mitigations
 * Observe an actual attack demo

http://focus.intelsecurity.com/Focus2015/SessionsSessionSchedule.aspx

Intel on UDK2015

~ hucktech ~ Leave a comment

UDK2015 was released the other day. There is a new blog post from Briand Richardson of Intel on usage of the UDK, and the main download page on the wiki has been updated to support it:

https://twitter.com/Intel_UEFI/status/652253984225394688

https://twitter.com/Intel_UEFI/status/652212808961138688

http://blogs.intel.com/evangelists/2015/10/08/using-udk2015-for-uefi-2-5-development/

http://www.tianocore.org/udk/udk2015/

http://sourceforge.net/projects/edk2/files/UDK2015_Releases/UDK2015/UDK2015-ReleaseNotes-MyWorkSpace.txt/download

EFI Mixed Mode patchset for Android-IA

~ hucktech ~ Leave a comment

Christopher Price posted availability of a patchset to restore EFI Mixed Mode to the latest Android-IA release. Excerpt of announcement:

Enclosed you will find 19 patches that restore EFI Mixed Mode to the latest Android-IA release. We are still running through a BFD linker bug in KernelFlinger that is preventing activation – but it has tested well with GMIN64 and does not appear to block the kernel. Testing and review appreciated. We’d like it committed upstream because it would be very difficult without trunk access to maintain these patches going forward. While we’d like to take credit, Mark Gross and Intel UK really did an excellent job reviving this work – we’ve been incubating and testing for the past few months. This will allow Android-IA to run on the millions of BayTrail-T production tablets that depend on EFI Mixed Mode. Without these patches, Android-IA cannot run on virtually any Bay Trail tablet today, except for maybe IRDA, which isn’t available in many countries currently. These patches should no longer be necessary once Kernel 3.15 is integrated, at which point Mixed Mode will hit mainline… or at least, should hit mainline.

http://console.com.co/wp-content/uploads/mixed-mode.zip

https://lists.01.org/pipermail/android-ia/2015-October/001003.html
http://www.phoronix.com/scan.php?page=news_item&px=MTY0OTI
https://lwn.net/Articles/589193/

 

UEFI HTTP Boot whitepaper available

~ hucktech ~ Leave a comment

A few weeks ago the Tianocore project added a whitepaper on UEFI 2.5’s HTTP Boot:

http://www.tianocore.org/news/2015/09/17/HTTP-BOOT.html
https://github.com/tianocore/tianocore.github.io/wiki/EDK-II-white-papers
http://sourceforge.net/projects/edk2/files/General%20Documentation/
http://www.tianocore.org/news/feed.xml

If you were looking for instructions on how to setup Tianocore’s HTTP boot feature, on Windows-based systems, this document is for you!

I could be wrong, but I don’t think the TLS API has been added to Tianocore yet, so there is no HTTPS, only HTTP.

(Looking at the above SourceForge URL, it appears the Packaging Tool document was also recently updated, but not sure of the details.)

new efi_capsule_loader Linux kernel interface from Intel

~ hucktech ~ Leave a comment

Hock Leong Kweh of Intel posted a patch to the Linux kernel which exposes a new UEFI capsule update interface. Some excerpts from the patch:

efi: a misc char interface for user to update efi firmware

Introducing a kernel module to expose capsule loader interface (misc char device file note) for user to upload capsule binaries. This option exposes a loader interface “/dev/efi_capsule_loader” for user to load EFI capsule binary and update the EFI firmware through system reboot. It expose a misc char interface for user to upload the capsule binary and calling efi_capsule_update() API to pass the binary to EFI firmware. The steps to update efi firmware are:

1) cat firmware.cap > /dev/efi_capsule_loader
2) reboot

Any failed upload error message will be returned while doing “cat” through Write() function call. Tested the code with Intel Quark Galileo platform. This patchset is created on top of Matt’s patchset:
1.)https://lkml.org/lkml/2014/10/7/390 “[PATCH 1/2] efi: Move efi_status_to_err() to efi.h”
2.)https://lkml.org/lkml/2014/10/7/391 “[PATCH 2/2] efi: Capsule update support”

See the linux-kernel/linux-efi/linux-fsdevel list archives for the patch (gmane.org is down for me currently, hope it returns…):
http://dir.gmane.org/gmane.linux.kernel.efi
http://vger.kernel.org/majordomo-info.html

QubesOS 3.0 released

~ hucktech ~ Leave a comment

Qubes released 3.0 today! Joanna Rutkowska posted a blog entry on it today. This release is dedicated to the memory of Caspar Bowden, a pioneer in privacy. Excerting Joanna’s anouncement of some of 3.0’s features:

Qubes is now based on what we call Hypervisor Abstraction Layer (HAL), which decouples Qubes logic from the underlying hypervisor. This will allow us to easily switch the underlying hypervisors in the near future, perhaps even during the installation time, depending on the user needs (think tradeoffs between hardware compatibility and performance vs. security properties desired, such as e.g. reduction of covert channels between VMs, which might be of importance to some users). More philosophically-wise, this is a nice manifestation of how Qubes OS is really “not yet another virtualization system”, but rather: a user of a virtualization system (such as Xen).

We upgraded from Xen 4.1 to Xen 4.4 (now that was really easy thanks to HAL), which allowed for: 1) better hardware compatibility (e.g. UEFI coming soon in 3.1), 2) better performance (e.g. via Xen’s libvchan that replaced our vchan). Also, new Qubes qrexec framework that has optimized performance for inter-VM services.

We introduced officially supported Debian templates.

We integrated Whonix templates, which optimize Tor workflows for Qubes.

The work on 3.1 is underway, with some features planned, including UEFI support, Live USV edition, and a management/pre-configuration stack.

Full announcement:
http://blog.invisiblethings.org/2015/10/01/qubes-30.html

EFI support ticket:
https://github.com/QubesOS/qubes-issues/issues/794