Uncategorized

FWTS 16.12.00 released

Ivan Hu of Canonical.com announced the release of FirmWare Test Suite release 16.12.00, with new features in UEFI Secure Boot, OpenPOWER Opal, and ACPI tests. See the full announcement for the list of bugfixes.

New Features:
* ACPICA: Update to version 20161117
* klog.json: Add a few more kernel errors to the database
* opal: pci_info: Add OPAL PCI Info validation
* opal: mem_info: Add OPAL MEM Info validation
* opal: cpu_info: Add OPAL CPU Info validation
* securebootcert: add variable AuditMode checking
* securebootcert: add variable DeployedMode checking

http://fwts.ubuntu.com/release/fwts-V16.12.00.tar.gz
https://launchpad.net/~firmware-testing-team/+archive/ubuntu/ppa-fwts-stable
https://wiki.ubuntu.com/FirmwareTestSuite/ReleaseNotes/16.12.00
https://launchpad.net/ubuntu/+source/fwts

Standard
Uncategorized

FWTS 16.09.00 released

Alex Hung of Canonical announced the latest release of FWTS, the FirmWare Test Suite, on the fwts-announce  and other lists.

New Features include:
  * lib: acpi: add supports for WPBT
  * acpi: wpbt: add ACPI WPBT test
  * lib: acpi: add supports for DRTM
  * acpi: drtm: add ACPI DRTM test
  * lib: fwts_guid: add a compare function
  * acpi: nfit: check fields equals 0 for Virtual CD and Disk
  * opal: mtd: Add OPAL MTD Validation
  * acpi: ACPI Platform check updates
  * acpi: fadt: Remove HEADLESS check on reduced hardware
  * pci: aspm: Add segment support
  * ACPICA: Update to version 20160831

See the full announcement for list of bugfixes.

http://fwts.ubuntu.com/release/fwts-V16.09.00.tar.gz
https://launchpad.net/~firmware-testing-team/+archive/ubuntu/ppa-fwts-stable
https://wiki.ubuntu.com/FirmwareTestSuite/ReleaseNotes/16.09.00
https://launchpad.net/ubuntu/+source/fwts

Standard
Uncategorized

FWTS 16.07.00 released

Ivan Hu of Canonical announced the release of FirmWare Test Suite 16.07.00:

New Features:
   * acpi: method: add _FIT test
   * acpi: pcct: add ACPI PCCT test
   * opal/prd_info: Add OPAL Processor Recovery Diagnostics
   * olog: olog.json: Add OPAL skiboot errors for olog scan
   * Add klog checking for errors from drivers/acpi/tables.c
   * klog: data.json: Add klog checking for kernel NUMA errors from drivers/acpi/numa.c
   * klog: data.json: Add klog checking for kernel EC errors from drivers/acpi/ec.c
   * klog: data.json: Add klog checking for errors from drivers/acpi/acpi_cmos_rtc.c
   * klog: data.json: Add klog checking for errors from drivers/acpi/nfit.c
   * klog: data.json: Add klog checking for errors from drivers/acpi/pci_root.c
   * klog: data.json: Add klog checking for errors from drivers/acpi/pci_mcfg.c
   * klog: data.json: Add klog checking for errors from drivers/acpi/cppc_acpi.c
   * klog: data.json: Add klog checking for errors from drivers/acpi/battery.c
   * klog: data.json: Add klog checking for errors from drivers/acpi/processor_idle.c
   * klog: data.json: Add klog checking for errors from drivers/acpi/sleep.c
   * klog: data.json: Add klog checking for errors from drivers/acpi/acpica/rsmisc.c
   * klog: data.json: Add klog checking for errors from drivers/acpi/evged.c
   * efi: enable module loading to load legacy or new efi driver
   * acpi: madt: Add support for ACPI 6.0a
   * acpi: madt: Add support for ACPI 6.1
   * uefi: update reset type to uefi 2.6
   * acpi: dbg2: Add missing debug port types

See the full release notes for list of bugfixes.

http://fwts.ubuntu.com/release/fwts-V16.07.00.tar.gz
https://launchpad.net/~firmware-testing-team/+archive/ubuntu/ppa-fwts-stable
https://wiki.ubuntu.com/FirmwareTestSuite/ReleaseNotes/16.07.00
https://launchpad.net/ubuntu/+source/fwts

Standard
Uncategorized

TCG updated multiple specs

The Trusted Computing Group (TCG) has released revisions to multiple specifications:
I wish I knew why WordPress inserts the additional whitespace in these posts…. 😦

PC Client Specific Platform Firmware Profile Specification, Family 2.0, Level 00 Revision 00.21 and Errata
The PC Client Platform Specific Profile for TPM 2.0 systems defines the requirements for platform firmware to initialize and interact with a TPM 2.0 device in a PC Client platform.  This specification should be used in conjunction with the TCG UEFI Protocol Specification Family 2.0, the TCG Physical Presence Interface Specification, and the TCG ACPI Specification to design and implement a PC Client TPM 2.0-enabled platform.  This specification replaces the requirements defined in the PC Client Implementation Specification for Conventional BIOS and the PC Client UEFI Platform Specification for systems with TPM 2.0 devices.

PC Client Specific Platform Firmware Profile Specification

PC Client Work Group EFI Protocol Specification, Family 2.0, Level 00, Revision 00.13
The purpose of this document is to define a standard interface to the TPM on an UEFI platform. It defines data structures and APIs that allow an OS to interact with UEFI firmware to query information important in an early OS boot stage. Such information include: is a TPM present, which PCR banks are active, change active PCR banks, obtain the TCG boot log, extend hashes to PCRs, and append events to the TCG boot log.The latest revision of this specification is written with platforms with TPM 2.0 devices in mind, but nothing in this specification prevents the use with platforms with TPM 1.2 devices.

TCG EFI Protocol Specification

TCG Storage Opal Test Cases Specification, Version 2.00 Errata Version 1.00, Revision 1.00
The Opal Test Cases Specification contains a set of tests that are intended to verify the correct behavior of a storage device implementing the Opal SSC Specification. These test cases are intended to be used as a basis for the compliance component of the projected Storage certification program, which would seek to ensure a high level of interoperability of storage devices from multiple vendors.

TCG Storage Opal Test Cases

Multiple Stakeholder Model , Revision 3.40
The Multiple Stakeholder Model (MSM) is an informative reference document that describes use cases, recommended capabilities, and various implementation alternatives to allow multiple stakeholders to coexist safely on a mobile platform.  This document includes guidance on how to leverage TCG specifications to realize each alternative.  In particular, this document emphasizes the role of the Trusted Platform Module (TPM), the Mobile Common Profile, and the Mobile Reference Architecture specifications to support these capabilities for multiple stakeholders.  The goal of the MSM is to provide trusted services, for example, TPM and Trusted Network Communications (TNC), in a secure and efficient manner to all interested stakeholders (both local and remote) for a given mobile device. This guidance is applicable to all mobile devices (smartphones, feature phones, basic phones, etc.) and may be useful for other computing devices.  The target audience for this document includes designers, manufacturers, system integrators, application developers, and implementers of Trusted Computing technologies in mobile platforms.

Multiple Stakeholder Model

TPM Library Specification

TCG TPM 2.0 Mobile Common Profile

TPM 2.0 Mobile Reference Architecture Specification

TNC IF-M Segmentation Specification Version 1.0, Revision 5
The Trusted Network Communications (TNC) Work Group defines an open solution architecture that enables network operators to evaluate and enforce policies regarding endpoint integrity when granting access to a network infrastructure. As TCG’s Trusted Network Communications (TNC)-enabled technology is deployed in real-world environments, we’re learning that deplorer’s have the need to collect robust posture information to support endpoint compliance, security automation, and continuous monitoring. IF-M is the communication layer of the TNC architecture used to connect the endpoint components that collect information about the endpoint, and the corresponding components on a policy server that receive that information and act on it. IF-M is designed to be flexible to support communication of virtually any type of information about the endpoint that the enterprise might wish to know.

TCG Updates IF-M Segmentation to Enable Efficient Information Exchange

TNC IF-M Segmentation Specification

Trusted Network Communications

Standard
Uncategorized

new Intel patch adding TCG OPAL unlock to Linux NVMe

Rafael Antognolli of Intel posted a patch to the Linux-(NVMe,Block,Kernel) mailing lists, adding TCG OPAL unlock support to NVMe:

Add Opal unlock support to NVMe. This patch series implement a small set of the Opal protocol for self encrypting devices. It’s implemented only what is needed for saving a password and unlocking a given “locking range”. The password is saved on the driver and replayed back to the device on resume from suspend to RAM. It is specifically supporting the single user mode. It is not planned to implement the full Opal protocol (at least not for now).

Add optane OPAL unlocking code. This code is used to unlock a device during resume from “suspend to RAM”. It allows the userspace to set a key for a locking range. This key is stored in the module memory, and will be replayed later (using the OPAL protocol, through the NVMe driver) to unlock the locking range. The nvme_opal_unlock() will search through the list of saved devices + locking_range + namespaces + keys and check if it is a match for this namespace. For every match, it adds an “unlocking job” to a list, and after this, these jobs are “consumed” by running the respective OPAL “unlock range” commands (from the OPAL spec):
  * STARTSESSION
  * SET(locking range, readwrite)
  * ENDSESSION

NVMe: Add ioctls to save and unlock an Opal locking range. Two ioctls are added to the NVMe namespace: NVME_IOCTL_SAVE_OPAL_KEY and NVME_IOCTL_UNLOCK_OPAL. These ioctls map directly to the respective nvme_opal_register() and nvme_opal_unlock() functions. Additionally, nvme_opal_unlock() is called upon nvme_revalidate_disk, so it will try to unlock a locking range (if a password for it is saved) during PM resume.

For more information, see the post on the list archives:
http://lists.infradead.org/mailman/listinfo/linux-nvme

Standard
Uncategorized

TCG releases specs for public review

There are Opal specs, and UEFI/TPMv2 specs in public review, amongst a few others:
http://www.trustedcomputinggroup.org/resources/specifications_in_public_review

Also see some TCG talks at the Flash Summit, proceedings are now available (free, but email required). There are hundreds of PDFs, a few security and firmware related, in addition to TCG stuff.

http://www.flashmemorysummit.com/cgi-bin/start.cgi/HTMLOS_Pages/Entrance_Proceedings.html

Standard
Uncategorized

TCG and NVMe release Opal for SEDs

This week at the Flash Memory Summit, the Trusted Computing Group (TCG) and NVM Express (NVMe), put out a new joint white paper called “TCG Storage, Opal, and NVMe“. Opal is a set of specs from the TCG, designed to add TCG-style security to NVMe-based storage devices (‘self-encrypting drives’ (SED’), by adding new technology layers to manage encryption of user data, to enable features beyond ‘data at rest protection’. The ‘family’ of Opal specs include 3 levels: Opal, Opalite, and Pyrite, which provides a range of capabilities for vendors to choose from.

From their whitepaper’s summary, Oval offers these values to  NVMe:
* Avoids the need to add security to NVM Express standard, or rely on proprietary functionality
* Leverages the existing storage security industry standard for a consistent set of requirements
* Commonly associated features enable a more consistent and secure overall solution
* Simplifies ecosystem enabling, validation, product identification, SKU management
* Reduces standardization to a more streamlined process
* Provides an extensible interface for additional value-adds to Opal/Opalite/Pyrite functionality, as well as other storage security features

I’m not sure if UEFI 2.5 has this ability or not. UEFI 2.5 did add some new NVMe and crypto storage interfaces, though.

https://www.trustedcomputinggroup.org/resources/tcg_data_security_architects_guide
https://www.trustedcomputinggroup.org/developers/storage
http://www.trustedcomputinggroup.org/media_room/events/190
http://www.trustedcomputinggroup.org/resources/tcg_storage_opal_and_nvme
http://www.trustedcomputinggroup.org/media_room/news/400
http://www.flashmemorysummit.com/
http://nvmexpress.org/

PS: Going off-topic(?) a bit, but for NVMe and Linux, check out this doc from June:
https://communities.intel.com/community/itpeernetwork/blog/2015/06/09/nvm-express-linux-driver-support-decoded

Standard