UEFI Advanced Security Settings for Microsoft Surface devices

June 9, 2015June 11, 2015 ~ hucktech ~ Leave a comment

A while ago, Mark Morowczynski of Microsoft wrote a blog post, “How to Manage Surface Pro 3 UEFI Through PowerShell”. In the post, he describes advanced UEFI security configuration options for the Microsoft Surface, such as enable/disable cameras, WiFi, Blootooth, Network Boot. There’s also information about using PowerShell to configure UEFI settings, scaling to control “tends of thousands” of Surface devices.

IMO, this is a nice use of UEFI to configure security settings, I hope other OEMs and OS vendors enable this kind of granularity to configure their systems. I also hope malware authors don’t exploit this ability to scale to all Surface devices in an enterprise with a single PowerShell command. 🙂
More information:

http://blogs.technet.com/b/askpfeplat/archive/2015/04/20/how-to-manage-surface-pro-3-uefi-through-powershell.aspx
https://technet.microsoft.com/en-us/windows/dn965440

Microsoft increases use of Secure Boot as marketing tool

June 7, 2015 ~ hucktech ~ Leave a comment

Earlier this week, Sam Varghese wrote an article in iTWire about Windows 10 and UEFI. According to the article, Window 10 will not enable Secure Boot unless the system has a Windows 8-compliant logo. It appears from the article Microsoft is hesitant to answer further questions from the author.

“System BIOS detected a non-Windows 8 logo graphic card. There is no Graphic Output Protocol support detected in this card. Windows 8 feature settings in BIOS will be changed to disabled.”

This will likely not impact users of new systems, as OEMs will ensure their logos are complaint and pominently displayed.

This appears to imply that users upgrading to Windows 10 from Windows 8 may lose the ability to use Secure Boot, unless they buy a new video card or have a recent one.

It also may mean an attacker can simply swap video cards and bypass SecureBoot; so much for tamper resistance in TPM chips…

It seems very strange for an OS vendor to be enabling or disabling firmware features. It is worse to see security features being disabled in the name of marketing. If Microsoft disables Secure Boot on a system, this may mean that Secure Boot is also disabled for any other OS installed on that system, like Linux, via the Micorosoft-signed Shim. So this Windows marketing technique likely impacts non-Windows system security. I am not sure, maybe their change only impacts their own OS, and other OSes on that system will still continue to Securely Boot.

It is also bad that this vendor is default Certificate Authority representing the UEFI Forum. It is also disconcerting to see Microsoft adding additional restrictions to all UEFI pre-OS applications. The UEFI Forum and Intel is letting Microsoft bully Intel-based Windows OEMs. I was reading some ARM slides recently, sorry I don’t have the URL handy for exact quote, but it said something like “no bully in our playground telling us what to run”. I wish Intel had the ability to stand up to the bully in their playground.

Ironically, Microsoft appears to have just learned to play Apple’s game better. Before Microsoft was playing UEFI-based games with systems, Apple was already using EFI to prevent non-Apple OSes on some of their systems. Since APPL and MSFT are OEMs as well as OS vendors, I expect their own systems would use UEFI as a form of “DRM” to keep their OS on their hardware. But Microsoft is now impacting all Windows OEMs, in addition to their own systems, each release of Windows makes more use of UEFI to restrict what OEMs and users can do and let Microsoft have more control over these systems. Chrome OEMs are looking better and better… 😦

More information:

http://www.itwire.com/opinion-and-analysis/open-sauce/68262-windows-10-no-secure-boot-unless-microsoft-tax-is-paid
https://msdn.microsoft.com/en-us/library/dn917885%28v=vs.85%29.aspx
https://msdn.microsoft.com/en-us/library/dn756793%28v=vs.85%29.aspx

Spring Plugfest presentations uploaded

June 2, 2015June 2, 2015 ~ hucktech ~ Leave a comment

The PDFs of the presentations from last months’ UEFI Forum plugfest have been uploaded to uefi.org.

http://www.uefi.org/learning_center/presentationsandvideos
(scroll about half-way through the page, after the Youtube videos…)

* System Prep Applications – Powerful New Feature in UEFI 2.5 – Kevin Davis (Insyde Software)
* Filling UEFI/FW Gaps in the Cloud – Mallik Bulusu (Microsoft) and Vincent Zimmer (Intel)
* PreBoot Provisioning Solutions with UEFI – Zachary Bobroff (AMI)
* An Overview of ACPICA Userspace Tools – David Box (Intel)
* UEFI Firmware – Securing SMM – Dick Wilkins (Phoenix Technologies)
* Overview of Windows 10 Requirements for TPM, HVCI and SecureBoot – Gabe Stocco, Scott Anderson and Suhas Manangi (Microsoft)
* Porting a PCI Driver to ARM AArch64 Platforms – Olivier Martin (ARM)
* Firmware in the Data Center: Goodbye PXE and IPMI. Welcome HTTP Boot and Redfish! – Samer El-Haj-Mahmoud (Hewlett Packard)
* A Common Platforms Tree – Leif Lindholm (Linaro)

This’ll be a very short blog, as I’m busy reading 9 new PDFs… 🙂 I’ll do blogs on some these specific presentations in the coming days.

Spring UEFI Forum agenda announced

May 17, 2015 ~ hucktech ~ Leave a comment

The UEFI Forum Spring event is happening in Tacoma.WA.US this coming week. They just announced the presentations for the event:

* Zachary Bobroff, AMI – PreBoot Provisioning solution with UEFI
* Kevin Davis, Insyde – System Prep Applications, A Powerful New Feature in UEFI 2.5
* Olivier Martin, ARM – Porting a PCI driver to ARM AArch64 platforms
* Lief Lindholm, ARM – Demonstrating a common EDK2 pltforms & drivers tree
* Dick Wilkins, Phoenix – UEFI FIrmware – Securing SMM
* Gabe Stocco and Scott Anderson, Microsoft – Windows Requirements for TPM, HVCI and Secure Boot
* Jeremiah Cox
* Vincent Zimmer, Intel – Filling UEFI/FW Gaps in the Cloud
* David Box, Intel – An overview of ACPICA userspace tools
* Samer El-Haj-Mahmoud, HP – Firmware in the Datacenter: Goodbye PXE and IPMI. Welcome Http

Typically, the UEFI Forum makes slides for these presentations available on their web site a few weeks later…

More information:
http://www.uefi.org/node/887

Windows 10 UEFI Secure Boot policy welcomed by Linux users

May 7, 2015 ~ hucktech ~ Leave a comment

In an article by Sam Varghese in iTWire, Linux users will find Microsoft’s current advice to Windows 10 OEMs regarding UEFI Secure Boot welcome news. More information here:

http://www.itwire.com/opinion-and-analysis/open-sauce/67959-microsofts-new-secure-boot-strategy-will-suit-linux-firms

[iTWire article aside, more welcome news would be if OEMs would build consumer Linux devices with Secure Boot working directly with them, without Microsoft PKI/CA/keys, in some of their models. Intel and SuSE demonstrated this at IDF2013, yet no consumer devices are available, AFAIK.
Even more welcome news would be offering Coreboot as an option, including new Coreboot support in UEFI as PI component.
Even more news would be providing systems where owners could build and update their own firmware, from tianocore.org and coreboot.org code, along with any new drivers from the OEM, and have a firmware update mechanism for local owner-users, not only beg for updates from vendors.
But I guess I should simply be happy that Microsoft is permitting Windows OEMs to still let users install software on the HW/FW/SW that we don’t actually own/control. 🙂 –ed]