UEFI lab at Cascadia IT Conference in Seattle March 10th

[DISCLAIMER: FirmwareSecurity is my personal blog. I work at PreOS Security.]

PreOs Security is offering a half-day training lab for System Administrators, SRE/DevOps in the Seattle area at Cascadia IT Conference, for those interested in learning about UEFI/ACPI/BIOS/SMM/etc security. Here’s the text for the training:

Defending System Firmware

Target audience: System administrators, SRE, DevOps who work with Intel UEFI-based server hardware

Most enterprises only defend operating system and application software; system and peripheral firmware (eg., BIOS, UEFI, PCIe, Thunderbolt, USB, etc) has many attack vectors. This workshop targets enterprise system administrators responsible for maintaining the security of their systems. The workshop is: an introduction to UEFI system firmware, an overview of the NIST secure BIOS platform lifecycle model of SP-(147,147b,155) and how to integrate that into normal enterprise hardware lifecycle management, and an introduction to the available open source firmware security tools created by security researchers and others, and how to integrate UEFI-based systems into the NIST lifecycle using available tools, to help protect your enterprise. It will be a 3.5 hour presentation, and at the end, you can optionally can run some tests on your laptop: Intel CHIPSEC, Linux UEFI Validation distribution (LUV-live), FirmWare Test Suite live boot distribution (FWTS-live), and a few other tools. Attendees trying to participate in the lab will need to have a modern Intel x86 or x64-based (not AMD), UEFI-based firmware, running Windows or Linux OS software. That means no AMD systems, no Apple Macbooks, no ARM systems. Any system used in the lab must have all data backed up, in case some tool bricks the device. Attendees should understand the basics of system hardware/firmware, be able to use a shell (eg, bash, cmd.exe, UEFI Shell), and able to use Python-based scripts.



LUV-live 2.0-RC4 released

Ricardo Neri of Intel announced Linux UEFI Validation (LUV) v2.0-rc4 release, with lots of changes, new versions of CHIPSEC, BITS, FWTS, and multiple UEFI improvements in LUV. IMO, one of the most important features it that LUV-live’s CHIPSEC should properly log results now! Excerpts from Ricardo’s announcement:

This release touches many areas. Here are some highlights:

Naresh Bhat implemented changes to build from Linus’ tree when building LUV for ARM. While doing this, he got rid of the leg-kernel recipe. Now the kernel is built from linux-yocto-efi-test for all architectures. Also, he took the opportunity to remove some of the LUV-specific changes we had in the meta layer (i.e., our genericarmv8 machine). It always good to restrict ourselves to the meta-luv layer, unless we plan to upstream to the Yocto Project. Now LUV for aarch64 is built using qemuarm64.

It was reported that CHIPSEC was not running correctly in LUV due to missing configuration files and Python modules. This release includes a major rework of CHIPSEC integration into LUV. It ran correctly on all the systems in which we tested. Also, we bumped to v1.2.2; the CHIPSEC latest release.

This release includes new functionality to build BITS from its source rather than just deploying its binaries. BITS is a challenging piece of software when it comes to integration into a bitbake recipe. The build process was broken into several steps. This work help for future work to customize BITS for other CPU architectures and netboot.

The UEFI specification v2.5 includes a Properties Table for the memory map. Under this feature, it is possible to split into separate memory sections the code and data regions of the PE/COFF image. Unfortunately, kernels previous to v4.3 crash if this features is enabled. We have backported a fix pushed to Linux v4.3. We will be bumping the kernel for x86 to 4.3 in our next release.

The EFI stub feature in the kernel allows to run the kernel as an EFI application. Also, it allows the kernel to parse the memory map directly from the firmware rather than taking the map from the bootloader. This is clearly advantageous in case of bugs in the bootloader.

Now that LUV support storing the results of multiple bots, it may happen that disk runs out of space. Gayatri Kammela made updates to increase the size of the results partition and issue a warning when available space runs below 2MB.

Finally, keeping up with the latest changes in the Yocto Project has paid off handsomely. This release is based on Jethro, the latest version of the Yocto Project. Rebasing to this new version as done with very little effort. In the LUV tree you can find the jethro and jethro-next branches; the bases of this release. The fido and fido-next branches are still maintained.

We have bumped the following test suite versions:

 *FTWS is now V15.12.00
 *CHIPSEC is now v1.2.2
 *BITS is 2005

Time to update your LUV-live images! It is a Release Candidate, so please help the LUV team by testing it out and pointing out any issues on the LUV mailing list. This version of CHIPSEC includes VMM tests, so time to test LUV-luv in your virtual machines, not just on bare-metal boxes.

Many people contributed to this release, including: Ricardo Neri, Naresh Bhat, Darren Bilby, Megha Dey, Gayatri Kammela, John Loucaides, Sai Praneeth Prakhya, and Thiebaud Weksteen. It was nice to see the LUV and CHIPSEC teams work together in this release!

More information:



CHIPSEC 1.2.2 released!

After nearly a quarter without an update, CHIPSEC 1.2.2 has been released!!

This release includes multiple new VMM tests — including new fuzzers — hinted at DEF CON and elsewhere, a VENOM test, some S3 tests, support for more Intel CPUs,  as well as a bunch of new/updated features:

NEW modules:
 * tools.vmm.cpuid_fuzz to test CPUID instruction emulation by VMMs
 * tools.vmm.iofuzz to test port I/O emulation by VMMs
 * tools.vmm.msr_fuzz to test CPU Model Specific Registers (MSR) emulation by VMMs
 * tools.vmm.pcie_fuzz to test PCIe device memory-mapped I/O (MMIO) and I/O ranges emulation by VMMs
 * tools.vmm.pcie_overlap_fuzz to test handling of overlapping PCIe device MMIO ranges by VMMs
 * tools.vmm.venom to test for VENOM vulnerability

Updated modules:
 * tools.smm.smm_ptr to perform exhaustive fuzzing of SMI handler for insufficient input validation pointer vulnerabilities
 * smm_dma to remove TSEGMB 8MB alignment check and to use XML “controls”. Please recheck failures in smm_dma.py with the new version.
 * common.bios_smi, common.spi_lock, and common.bios_wp to use XML “controls”
 * common.uefi.s3bootscript which automatically tests protections of UEFI S3 Resume Boot Script table
 * tools.uefi.s3script_modify which allows further manual testing of protections of UEFI S3 Resume Boot Script table

NEW functionality:
 * hal.cpu component to access x86 CPU functionality. Removed hal.cr which merged to hal.cpu
 * hipsec_util cpu utility, removed chipsec_util cr
 * S3 boot script opcodes encoding functionality in hal.uefi_platform
 * hal.iommu, cfg/iommu.xml and chipsec_util iommu to access IOMMU/VT-d hardware
 * chipsec_util io list to list predefined I/O BARs
 * support for Broadwell, Skylake, IvyTown, Jaketown and Haswell Server CPU families
 * ability to define I/O BARs in XML configuration using register attriute similarly to MMIO BARs
 * UEFI firmware volume assembling functionality in hal.uefi
 * Implemented alloc_phys_mem in EFI helper

See the full readme on the github page, which also includes short lists of bugfixes and known-issues:


If you haven’t been following current security research by Intel’s ATR team, who produces CHIPSEC, watch this video to see why you need to run this new version of CHIPSEC on any machine — after reading CHIPSEC’s warning.txt first — that runs a VMM:

[Hopefully we’ll see Intel LUV team add this release to their project, including LUV-live, soon. There has been a recent patch to LUV that may fix CHIPSEC’s usage in LUV-live, a second important reason to update your LUV-live images.]


FWTS 15.08.00 released

Today Canonical has released version 15.08.00 of FWTS (FirmWare Test Suite), a set of firmware-related tests for Linux-based systems. The tests can be run via command line, or via a curses front-end, the latter of which is used by the FWS-live distribution. FWTS is also included in Intel’s LUV-live (Linux UEFI Validation) distribution, but it’ll take LUV a bit of time to update to new FWTS release. FWTS is also available as packages on Ubuntu-based distributions.

It appears that most new features are ACPI-related. New ACPI TPM2 and IORT tests, new tables for: FPDT, MCHI, STAO, ASF!, WDAT, and a few other things. There were a lot of bugfixes as well. For more information, see the full announcement, the changelog, and sources:


I wish ALL Linux/FreeBSD distributions would ship FWTS, not just Ubuntu-based ones: FTWS is very useful to detect if system has anomalies which’ll make it difficult to install/use the OS. Granted, those distro uses can just use FWTS-live, but they have to reboot into FWTS-live to use FWTS, with no native packaging.


Firmware Test Suite 15.06.00 released

Today Alex Hung of Canonical announced the availability of FWTS (FirmWare TestSuite) version 15.06.00. FTWS is useful to determine if your system has operational hardware/firmware. Besides command line tests, it has a curses front-end UI, and a FTWS-live distribution; FWTS tests are also included in LUVos, though I’m not sure if LUV is synced to the latest FWTS yet.

New Features:
  * lib: acpi: add an acpi category
  * live-image/fwts-frontend-text: add selections of acpi and uefi tests
  * acpi: add tests to acpi category
  * acpi: fwts-tests: Remove redundant tailing space and update fwts-tests
  * auto-packager: mkpackage.sh: remove lucid
  * auto-packager: mkpackage.sh: add wily
  * acpi: Add SPCR ACPI table check (LP: #1433604)
  * dmi: dmicheck: add 4 new DMI chassis types

More Information:



Linaro makes LUVos-live available for ARM64

LUVos (Linux UEFI Validation — aka luvOS or LUVos, is a Yocto-based Linux distro that helps diagnose UEFI firmware. LUV-live is a liveimage boot version of LUVos. LUV-live also includes other hardware/firmware tools, such as BITS, FWTS, and CHIPSEC.

Intel-based LUV was initially only targeting Intel platforms. But LUV is an open source project, with a healthy community of contributors.

Recently Linaro has been porting LUV to ARM64. Thanks, Linaro! This is great news for ARM64 Linux enterprise hardware. Once Linaro ports CHIPSEC to ARM, it’ll be a very good day for ARM64 firmware defensive security tools.

It would be nice to consider an ARM32 port, as well as ARM64. All devices need bootkit detection tools, not just enterprise-class systems. 🙂

[Someone please wake up AMD. Right now, AFAICT, their platform now has the worst defensive tools. They need a LUV-live with a CHIPSEC that works on ARM systems.]