FWTS 18.11.00 is released

* ACPICA: Update to version 20181031
* olog:olog.json: Update OPAL skiboot errors to check on olog scan
* acpi: button: check fixed hardware & control method power buttons
* kernelscan: add -k option to specify klog json filename
* README: update package dependency notes for RHEL
* acpica: fix linker issues when building with ACPI disabled
* src/lib: add module probing helper functions
* lib: fwts_efi_module: use the new module loading helper functions
* lib/fwts_cpu: use the new module loading helper functions
* snapcraft: update confinement and plugs
* lib: fwts_coreboot_cbmem: don’t use void * pointer arithmetic
* lib: fwts_coreboot_cbmem: shift UL values rather than signed int values
* lib: fwts_log: shift UL values rather than signed int values
* acpi: syntaxcheck: rename syntaxcheck_table to syntaxcheck_single_table
* dmicheck: fix Maximum Capacity checking range
* mcfg: fix MMIO config space checking
* madt: fix the Local APIC NMI processor UID checking
* auto-packager: mkpackage.sh: add disco

https://launchpad.net/ubuntu/+source/fwts
http://fwts.ubuntu.com/release/fwts-V18.11.00.tar.gz
https://launchpad.net/~firmware-testing-team/+archive/ubuntu/ppa-fwts-stable
https://wiki.ubuntu.com/FirmwareTestSuite/ReleaseNotes/18.11.00

AMI announces TCG Pyrite support

AMI has announced support for Pyrite Password Protected Drives.
[…]The Trusted Computing Group (TCG) releases a specification called the “Opal SED Specification” that governs hard drive protection and encryption standards. AMI previously announced support for Opal and Opalite and now AMI has added password support for Pyrite. With the support for Pyrite, AMI enables drives that have a hardware mechanism to protect access without the need to carry out encryption of user data. AMI has worked with several industry partners to develop and validate the support for Pyrite. By introducing this support, OEMs can create solutions at lower costs than Opal or Opalite while maintaining the security of the data.[…]

Full PR:
https://ami.com/news/press-releases/?PressReleaseID=381

See-also:
https://firmwaresecurity.com/2015/08/14/tcg-and-nvme-release-opal-for-seds/
https://trustedcomputinggroup.org/tcg-storage-security-subsystem-class-pyrite/
https://trustedcomputinggroup.org/tcg-storage-opal-nvme/
https://trustedcomputinggroup.org/tag/pyrite/

FWTS 16.12.00 released

Ivan Hu of Canonical.com announced the release of FirmWare Test Suite release 16.12.00, with new features in UEFI Secure Boot, OpenPOWER Opal, and ACPI tests. See the full announcement for the list of bugfixes.

New Features:
* ACPICA: Update to version 20161117
* klog.json: Add a few more kernel errors to the database
* opal: pci_info: Add OPAL PCI Info validation
* opal: mem_info: Add OPAL MEM Info validation
* opal: cpu_info: Add OPAL CPU Info validation
* securebootcert: add variable AuditMode checking
* securebootcert: add variable DeployedMode checking

http://fwts.ubuntu.com/release/fwts-V16.12.00.tar.gz
https://launchpad.net/~firmware-testing-team/+archive/ubuntu/ppa-fwts-stable
https://wiki.ubuntu.com/FirmwareTestSuite/ReleaseNotes/16.12.00
https://launchpad.net/ubuntu/+source/fwts

FWTS 16.09.00 released

Alex Hung of Canonical announced the latest release of FWTS, the FirmWare Test Suite, on the fwts-announce and other lists.

New Features include:
  * lib: acpi: add support for WPBT
  * acpi: wpbt: add ACPI WPBT test
  * lib: acpi: add support for DRTM
  * acpi: drtm: add ACPI DRTM test
  * lib: fwts_guid: add a compare function
  * acpi: nfit: check fields equals 0 for Virtual CD and Disk
  * opal: mtd: Add OPAL MTD Validation
  * acpi: ACPI Platform check updates
  * acpi: fadt: Remove HEADLESS check on reduced hardware
  * pci: aspm: Add segment support
  * ACPICA: Update to version 20160831

See the full announcement for the list of bugfixes.

http://fwts.ubuntu.com/release/fwts-V16.09.00.tar.gz
https://launchpad.net/~firmware-testing-team/+archive/ubuntu/ppa-fwts-stable
https://wiki.ubuntu.com/FirmwareTestSuite/ReleaseNotes/16.09.00
https://launchpad.net/ubuntu/+source/fwts

FWTS 16.07.00 released

Ivan Hu of Canonical announced the release of FirmWare Test Suite 16.07.00:

New Features:
   * acpi: method: add _FIT test
   * acpi: pcct: add ACPI PCCT test
   * opal/prd_info: Add OPAL Processor Recovery Diagnostics
   * olog: olog.json: Add OPAL skiboot errors for olog scan
   * Add klog checking for errors from drivers/acpi/tables.c
   * klog: data.json: Add klog checking for kernel NUMA errors from drivers/acpi/numa.c
   * klog: data.json: Add klog checking for kernel EC errors from drivers/acpi/ec.c
   * klog: data.json: Add klog checking for errors from drivers/acpi/acpi_cmos_rtc.c
   * klog: data.json: Add klog checking for errors from drivers/acpi/nfit.c
   * klog: data.json: Add klog checking for errors from drivers/acpi/pci_root.c
   * klog: data.json: Add klog checking for errors from drivers/acpi/pci_mcfg.c
   * klog: data.json: Add klog checking for errors from drivers/acpi/cppc_acpi.c
   * klog: data.json: Add klog checking for errors from drivers/acpi/battery.c
   * klog: data.json: Add klog checking for errors from drivers/acpi/processor_idle.c
   * klog: data.json: Add klog checking for errors from drivers/acpi/sleep.c
   * klog: data.json: Add klog checking for errors from drivers/acpi/acpica/rsmisc.c
   * klog: data.json: Add klog checking for errors from drivers/acpi/evged.c
   * efi: enable module loading to load legacy or new efi driver
   * acpi: madt: Add support for ACPI 6.0a
   * acpi: madt: Add support for ACPI 6.1
   * uefi: update reset type to uefi 2.6
   * acpi: dbg2: Add missing debug port types

See the full release notes for the list of bugfixes.

http://fwts.ubuntu.com/release/fwts-V16.07.00.tar.gz
https://launchpad.net/~firmware-testing-team/+archive/ubuntu/ppa-fwts-stable
https://wiki.ubuntu.com/FirmwareTestSuite/ReleaseNotes/16.07.00
https://launchpad.net/ubuntu/+source/fwts

TCG updated multiple specs

The Trusted Computing Group (TCG) has released revisions to multiple specifications:
I wish I knew why WordPress inserts the additional whitespace in these posts…. 😦

PC Client Specific Platform Firmware Profile Specification, Family 2.0, Level 00 Revision 00.21 and Errata
The PC Client Platform Specific Profile for TPM 2.0 systems defines the requirements for platform firmware to initialize and interact with a TPM 2.0 device in a PC Client platform.  This specification should be used in conjunction with the TCG UEFI Protocol Specification Family 2.0, the TCG Physical Presence Interface Specification, and the TCG ACPI Specification to design and implement a PC Client TPM 2.0-enabled platform.  This specification replaces the requirements defined in the PC Client Implementation Specification for Conventional BIOS and the PC Client UEFI Platform Specification for systems with TPM 2.0 devices.
http://www.trustedcomputinggroup.org/pc-client-specific-platform-firmware-profile-specification/

PC Client Work Group EFI Protocol Specification, Family 2.0, Level 00, Revision 00.13
The purpose of this document is to define a standard interface to the TPM on an UEFI platform. It defines data structures and APIs that allow an OS to interact with UEFI firmware to query information important in an early OS boot stage. Such information includes: is a TPM present, which PCR banks are active, change active PCR banks, obtain the TCG boot log, extend hashes to PCRs, and append events to the TCG boot log. The latest revision of this specification is written with platforms with TPM 2.0 devices in mind, but nothing in this specification prevents the use with platforms with TPM 1.2 devices.
http://www.trustedcomputinggroup.org/tcg-efi-protocol-specification/

TCG Storage Opal Test Cases Specification, Version 2.00 Errata Version 1.00, Revision 1.00
The Opal Test Cases Specification contains a set of tests that are intended to verify the correct behavior of a storage device implementing the Opal SSC Specification. These test cases are intended to be used as a basis for the compliance component of the projected Storage certification program, which would seek to ensure a high level of interoperability of storage devices from multiple vendors.
http://www.trustedcomputinggroup.org/tcg-storage-opal-test-cases/

Multiple Stakeholder Model, Revision 3.40
The Multiple Stakeholder Model (MSM) is an informative reference document that describes use cases, recommended capabilities, and various implementation alternatives to allow multiple stakeholders to coexist safely on a mobile platform.  This document includes guidance on how to leverage TCG specifications to realize each alternative.  In particular, this document emphasizes the role of the Trusted Platform Module (TPM), the Mobile Common Profile, and the Mobile Reference Architecture specifications to support these capabilities for multiple stakeholders.  The goal of the MSM is to provide trusted services, for example, TPM and Trusted Network Communications (TNC), in a secure and efficient manner to all interested stakeholders (both local and remote) for a given mobile device. This guidance is applicable to all mobile devices (smartphones, feature phones, basic phones, etc.) and may be useful for other computing devices.  The target audience for this document includes designers, manufacturers, system integrators, application developers, and implementers of Trusted Computing technologies in mobile platforms.
http://www.trustedcomputinggroup.org/multiple-stakeholder-model/
http://www.trustedcomputinggroup.org/tpm-library-specification/
http://www.trustedcomputinggroup.org/tcg-tpm-2-0-mobile-common-profile/
http://www.trustedcomputinggroup.org/tpm-2-0-mobile-reference-architecture-specification/

TNC IF-M Segmentation Specification Version 1.0, Revision 5
The Trusted Network Communications (TNC) Work Group defines an open solution architecture that enables network operators to evaluate and enforce policies regarding endpoint integrity when granting access to a network infrastructure. As TCG’s Trusted Network Communications (TNC)-enabled technology is deployed in real-world environments, we’re learning that deployers have the need to collect robust posture information to support endpoint compliance, security automation, and continuous monitoring. IF-M is the communication layer of the TNC architecture used to connect the endpoint components that collect information about the endpoint, and the corresponding components on a policy server that receive that information and act on it. IF-M is designed to be flexible to support communication of virtually any type of information about the endpoint that the enterprise might wish to know.
http://www.trustedcomputinggroup.org/tcg-updates-m-segmentation-enable-efficient-information-exchange/
http://www.trustedcomputinggroup.org/tnc-ifm-segmentation-specification/
http://www.trustedcomputinggroup.org/work-groups/trusted-network-communications/

new Intel patch adding TCG OPAL unlock to Linux NVMe

Rafael Antognolli of Intel posted a patch to the Linux-(NVMe,Block,Kernel) mailing lists, adding TCG OPAL unlock support to NVMe:

Add Opal unlock support to NVMe. This patch series implements a small set of the Opal protocol for self encrypting devices. It’s implemented only what is needed for saving a password and unlocking a given “locking range”. The password is saved on the driver and replayed back to the device on resume from suspend to RAM. It is specifically supporting the single user mode. It is not planned to implement the full Opal protocol (at least not for now).

Add optane OPAL unlocking code. This code is used to unlock a device during resume from “suspend to RAM”. It allows the userspace to set a key for a locking range. This key is stored in the module memory, and will be replayed later (using the OPAL protocol, through the NVMe driver) to unlock the locking range. The nvme_opal_unlock() will search through the list of saved devices + locking_range + namespaces + keys and check if it is a match for this namespace. For every match, it adds an “unlocking job” to a list, and after this, these jobs are “consumed” by running the respective OPAL “unlock range” commands (from the OPAL spec):
  * STARTSESSION
  * SET(locking range, readwrite)
  * ENDSESSION

NVMe: Add ioctls to save and unlock an Opal locking range. Two ioctls are added to the NVMe namespace: NVME_IOCTL_SAVE_OPAL_KEY and NVME_IOCTL_UNLOCK_OPAL. These ioctls map directly to the respective nvme_opal_register() and nvme_opal_unlock() functions. Additionally, nvme_opal_unlock() is called upon nvme_revalidate_disk, so it will try to unlock a locking range (if a password for it is saved) during PM resume.
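The save-then-replay flow described above, as a user-space C model added here for illustration (it is not code from the patch series): `struct saved_key`, `opal_register()`, `opal_unlock()` and the `sent` trace are assumptions, and the model covers a single device.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_SAVED 8
#define KEY_MAX 32
enum opal_step { STARTSESSION, SET_RANGE_RW, ENDSESSION };
/* Hypothetical saved entry for one device: namespace + locking range + key. */
struct saved_key { int in_use; uint32_t nsid; uint8_t range, key[KEY_MAX]; size_t key_len; };
static struct saved_key saved[MAX_SAVED];
/* Stand-in for the device: records each command and its range, in order. */
static struct trace { enum opal_step step; uint8_t range; } sent[3 * MAX_SAVED];
static size_t n_sent;

/* Models the save-key ioctl: store or replace the key for one locking range. */
int opal_register(uint32_t nsid, uint8_t range, const uint8_t *key, size_t len)
{
    struct saved_key *slot = NULL;
    if (!key || len == 0 || len > KEY_MAX)
        return -1;                      /* never copy past the key buffer */
    for (size_t i = 0; i < MAX_SAVED; i++) {
        struct saved_key *s = &saved[i];
        int same = s->in_use && s->nsid == nsid && s->range == range;
        if (same || (!s->in_use && !slot))
            slot = s;                   /* an existing entry is replaced, not duplicated */
    }
    if (!slot)
        return -1;                      /* table full */
    *slot = (struct saved_key){ .in_use = 1, .nsid = nsid, .range = range, .key_len = len };
    memcpy(slot->key, key, len);
    return 0;
}

/* Models the resume path: queue a job per matching entry, then consume the jobs. */
int opal_unlock(uint32_t nsid)
{
    const struct saved_key *jobs[MAX_SAVED];
    size_t n = 0;
    n_sent = 0;
    for (size_t i = 0; i < MAX_SAVED; i++)
        if (saved[i].in_use && saved[i].nsid == nsid)
            jobs[n++] = &saved[i];
    for (size_t j = 0; j < n; j++)      /* a real driver would send jobs[j]->key here */
        for (int s = STARTSESSION; s <= ENDSESSION; s++)
            sent[n_sent++] = (struct trace){ (enum opal_step)s, jobs[j]->range };
    return (int)n;                      /* number of ranges unlocked */
}

int main(void) { return opal_register(1, 1, (const uint8_t *)"demo", 4) || opal_unlock(1) != 1; }
```

Because the key stays in memory so it can be replayed on resume, the table is the sensitive asset in this design: the model bounds every copy to `KEY_MAX` and overwrites the whole entry when a key is replaced.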

For more information, see the post on the list archives:
http://lists.infradead.org/mailman/listinfo/linux-nvme

TCG releases specs for public review

There are Opal specs, and UEFI/TPMv2 specs in public review, amongst a few others:
http://www.trustedcomputinggroup.org/resources/specifications_in_public_review

Also see some TCG talks at the Flash Summit; the proceedings are now available (free, but email required). There are hundreds of PDFs, a few security and firmware related, in addition to TCG stuff.

http://www.flashmemorysummit.com/cgi-bin/start.cgi/HTMLOS_Pages/Entrance_Proceedings.html

TCG and NVMe release Opal for SEDs

This week at the Flash Memory Summit, the Trusted Computing Group (TCG) and NVM Express (NVMe) put out a new joint white paper called “TCG Storage, Opal, and NVMe”. Opal is a set of specs from the TCG, designed to add TCG-style security to NVMe-based storage devices (‘self-encrypting drives’, or SEDs) by adding new technology layers to manage encryption of user data, to enable features beyond ‘data at rest protection’. The ‘family’ of Opal specs includes 3 levels: Opal, Opalite, and Pyrite, which provide a range of capabilities for vendors to choose from.

From their whitepaper’s summary, Opal offers these values to NVMe:
* Avoids the need to add security to NVM Express standard, or rely on proprietary functionality
* Leverages the existing storage security industry standard for a consistent set of requirements
* Commonly associated features enable a more consistent and secure overall solution
* Simplifies ecosystem enabling, validation, product identification, SKU management
* Reduces standardization to a more streamlined process
* Provides an extensible interface for additional value-adds to Opal/Opalite/Pyrite functionality, as well as other storage security features

I’m not sure if UEFI 2.5 has this ability or not. UEFI 2.5 did add some new NVMe and crypto storage interfaces, though.

https://www.trustedcomputinggroup.org/resources/tcg_data_security_architects_guide
https://www.trustedcomputinggroup.org/developers/storage
http://www.trustedcomputinggroup.org/media_room/events/190
http://www.trustedcomputinggroup.org/resources/tcg_storage_opal_and_nvme
http://www.trustedcomputinggroup.org/media_room/news/400
http://www.flashmemorysummit.com/
http://nvmexpress.org/

PS: Going off-topic(?) a bit, but for NVMe and Linux, check out this doc from June:
https://communities.intel.com/community/itpeernetwork/blog/2015/06/09/nvm-express-linux-driver-support-decoded