Purism Librem15 fails CHIPSEC security tests

Current Purism Librem15 systems — based on Intel x64/coreboot/SeaBIOS tech — result in 3 FAILs and 1 WARNING from CHIPSEC.

The UEFI Forum recommends that OEMs pass CHIPSEC’s tests before shipping units to customers. I wish modern BIOS-based OEMs would also heed that advice… The default install uses an MBR-based partition, so also be wary of all of the existing BIOS-centric, MBR-based rootkits. Heed all ‘evil maid’ warning signs with this laptop. If you have corporate policies that require NIST 800-147/155/193 compliance, you might have to work hard to justify this device. I wish it were not true: configurable or secure, choose one.

In other computer review news: the trackpad did not work during the initial install, and the machine had to be rebooted. I’m guessing trackpad drivers aren’t integrated? You’ll have to use an external mouse if you need to click on something during the install of Linux. Same with the backlit keyboard and display intensity features: they only worked after OS setup. Firmware security pedantry aside, nice hardware. The fan rarely kicks in, unlike some OEMs. It is nice to see a Mac-style trackpad instead of a PC-style touchpad with 2 explicit button areas; I’ve grown to dislike those. Startup and poweroff are both very fast. Reminds me of what a modern non-UEFI system should be like. Great, except we’re no longer in a world where security can be ignored. If you want an insecure BIOS box, you’ll probably enjoy this system. If you care about security, this is a BIOS box….

SeaBIOS 1.11.0 released

New in this release:
* Initial support for NVME drives
* Support for vga emulation over a serial port in SeaBIOS (sercon)
* Support for serial debugging using MMIO based serial ports
* Support for scsi devices with multiple LUNs
* Support for boot-to-boot persistent coreboot cbmem logs
* Improved coreboot vga (cbvga) mode setting compatibility
* Several bug fixes and code cleanups

For the full announcement, see Kevin O’Connor’s posting to the SeaBIOS list.

http://seabios.org/Releases
http://seabios.org/Download
https://mail.coreboot.org/mailman/listinfo/seabios

SeaBIOS 1.10.0 released!

Kevin O’Connor announced the 1.10.0 release of SeaBIOS.

New in this release:
* Initial support for Trusted Platform Module (TPM) version 2.0
* Several USB XHCI timing fixes on real hardware
* Support for “LSI MPT Fusion” scsi controllers on QEMU
* Support for virtio devices mapped above 4GB
* Several bug fixes and code cleanups

Multiple contributors: Kevin O’Connor, Stefan Berger, Gerd Hoffmann, Igor Mammedov, Dana Rubin, Marcel Apfelbaum, Alex Williamson, Cao jin, Cole Robinson, Don Slutz, Haozhong Zhang, Matt DeVillier, Paolo Bonzini, Piotr Król, Roger Pau Monne, and Zheng Bao.

More info:
https://www.coreboot.org/pipermail/seabios/2016-October/010996.html
https://www.seabios.org/Releases#SeaBIOS_1.10.0

SeaBIOS TPM support improved

Stefan Berger of IBM submitted a 6-part patch to the SeaBIOS project, updating its TPM support. His patch comment follows:

This series of patches extends the TPM2 code to extend the BIOS related PCRs 0-7 in all available banks. This prevents that these PCRs remain untouched and filled with bogus values by applications. For example, the SHA1 hash is extended into the SHA256 bank. The value that is extended into this bank is essentially a SHA1 with zero bytes used for filling it to the size of a sha256 hash. This is done for all PCR banks of the TPM2 where these PCRs are available. In v2 of this series I also extended the log functions for logging the additional hashes. So there are more patches now.

For more information, see the full patch sent to the SeaBIOS list:
https://www.coreboot.org/mailman/listinfo/seabios
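
The multi-bank extend described in the patch comment, as an added example (not SeaBIOS code): it replays a measurement list into the SHA1 and SHA256 banks and checks reported PCR values against the replay. The trailing position of the zero fill, the all-zero PCR reset value, and the sample events are assumptions made for this example.

```python
import hashlib

BANK_SIZES = {"sha1": 20, "sha256": 32}  # digest size per PCR bank, in bytes

def pad_sha1(sha1_digest, bank):
    """Zero-fill a SHA-1 digest to the bank's digest size (assumed: trailing zeros)."""
    if len(sha1_digest) != 20:
        raise ValueError("expected a 20-byte SHA-1 digest")
    return sha1_digest + bytes(BANK_SIZES[bank] - 20)

def extend(pcr, digest, bank):
    """TPM extend operation: new PCR = H_bank(old PCR || digest)."""
    if len(pcr) != BANK_SIZES[bank] or len(digest) != BANK_SIZES[bank]:
        raise ValueError("PCR or digest size does not match the bank")
    return hashlib.new(bank, pcr + digest).digest()

def replay(events, bank):
    """Expected PCRs 0-7 of one bank after the firmware's measurements."""
    pcrs = {i: bytes(BANK_SIZES[bank]) for i in range(8)}  # assumed reset value
    for index, data in events:
        sha1 = hashlib.sha1(data).digest()  # the firmware only computes SHA-1
        pcrs[index] = extend(pcrs[index], pad_sha1(sha1, bank), bank)
    return pcrs

def mismatches(reported, events, bank):
    """PCR indexes whose reported value differs from the replayed log."""
    expected = replay(events, bank)
    return sorted(i for i in expected if reported.get(i) != expected[i])

# Constructed sample measurements: (PCR index, measured bytes).
EVENTS = [(0, b"constructed firmware blob"),
          (4, b"constructed boot sector"),
          (4, b"constructed second-stage loader")]

if __name__ == "__main__":
    for bank in BANK_SIZES:
        for index, value in replay(EVENTS, bank).items():
            print(bank, index, value.hex())
```

A verifier has to replay the padded SHA1 digests: hashing the measured data with SHA256 will not reproduce the SHA256-bank values.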

Wikipedia’s BIOS security roadmap

You’d think that with a blog called ‘firmware security’, I’d know about the ‘Wikipedia BIOS feature comparison’ page. But I did not, sad. 😦 The other day I was wishing someone would create a comparison of BIOS implementations and their security features. Luckily, Kevin O’Connor of the SeaBIOS project was kind enough to point this out to me, when I was looking for a SeaBIOS security roadmap:

https://en.wikipedia.org/wiki/BIOS_features_comparison

I’ve been learning more about SeaBIOS, and am impressed with its features. I wonder why some Linux OEMs still ship closed-source BIOS systems from IBVs? Given their audience demographic, you’d think they’d be using Linux-based coreboot, and on x86/x64 systems using SeaBIOS. They could be using coreboot Verified Boot + SeaBIOS’s TPM support for a much more secure system than they have today. If you’re buying from System76 or ThinkPenguin or another Linux-centric site, ask them what firmware solution they’re giving you.

SeaBIOS 1.9.0 released

Kevin O’Connor announced the release of SeaBIOS version 1.9.0 today, on the SeaBIOS, QEMU-devel, and coreboot mailing lists. New in this release:

* The default boot menu key is now the ESC key (instead of F12)
* Initial support for Trusted Platform Module (TPM) hardware and BIOS calls
* Initial support for chain loading SeaBIOS from Grub (via multiboot support)
* Initial support for booting from SD cards on real hardware
* virtio 1.0 device support
* The build will no longer include the build hostname or build time on “clean” builds.  This makes the build binaries more “reproducible”.
* Basic support for running SeaBIOS on Baytrail Chromebooks
* SeaVGABIOS: improved support for old versions of x86emu (the “leal” instruction is now emulated)
* Several bug fixes and code cleanups

TPM support sounds interesting! And remember, if F12 no longer works, try ESC…

More information:
http://seabios.org/Releases
http://seabios.org/Download
http://www.seabios.org/mailman/listinfo/seabios

PAE-enabled SeaBIOS

On the SeaBIOS mailing list, Kevin O’Connor recently provided a patch to SeaBIOS to enable it to run in PAE mode. SeaBIOS is the main open source implementation of 16-bit x86 BIOS, used in coreboot, tianocore, and elsewhere. Excerpting Kevin’s posting:

I was curious to see if SeaBIOS could run its 32bit code with PAE paging enabled.  So, I put together some test code, and so far it seems to work.

The reason why PAE is interesting (instead of standard i386 paging) is that it allows for 64bit mappings and because one can set it up with just a single level page directory of 2MB pages.  The single level page directory makes maintaining it much easier.

The SeaBIOS’ malloc code could also be updated to remap pages which would make it possible for it to relocate itself above 4GB and to store data above 4GB.  That’s likely not all that useful, but I think it would be a little amusing for a 16bit bios to fully support 64bit memory.

I haven’t done any performance tests.  It’s unclear what the performance impact of enabling paging on every 32bit entry point would be.

It appears that more work will be done before this patch is contributed to trunk. But it is interesting to see PAE-enabled BIOS!

More Information:
http://www.seabios.org/pipermail/seabios/2015-September/009788.html
http://www.seabios.org/
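
The paging layout from Kevin’s posting, as an added example (not code from his patch): it models PAE tables as the four-entry PDPT plus page directories of 2MB entries, identity-maps the low 4GB, and remaps one 2MB window to physical memory above 4GB. The table base address `pd_base` and the remapped addresses are hypothetical values chosen for this example.

```python
PAGE_2M = 2 << 20
P, RW, PS = 1 << 0, 1 << 1, 1 << 7        # present, writable, 2MB-page flags
ADDR_MASK = 0x000FFFFFFFE00000            # PDE bits 51:21: 2MB frame address

def build_identity_tables(pd_base=0x10000):
    """Return (pdpt, pds): 4 PDPT entries and 4 x 512 PDEs mapping 0-4GB 1:1."""
    # In 32-bit PAE mode a PDPT entry carries only the present bit and the
    # physical address of its page directory (pd_base is hypothetical).
    pdpt = [(pd_base + i * 0x1000) | P for i in range(4)]
    pds = [[((d * 512 + e) * PAGE_2M) | P | RW | PS for e in range(512)]
           for d in range(4)]
    return pdpt, pds

def remap(pds, linear, physical):
    """Point one 2MB linear window at any 2MB-aligned physical address."""
    if linear % PAGE_2M or physical % PAGE_2M:
        raise ValueError("both addresses must be 2MB aligned")
    if linear >= 1 << 32 or physical & ~ADDR_MASK:
        raise ValueError("address out of range")
    pds[linear >> 30][(linear >> 21) & 0x1FF] = physical | P | RW | PS

def translate(pds, linear):
    """Walk the tables: bits 31:30 pick the directory, bits 29:21 the entry."""
    pde = pds[(linear >> 30) & 3][(linear >> 21) & 0x1FF]
    if not pde & P:
        raise LookupError("page not present")
    return (pde & ADDR_MASK) | (linear & (PAGE_2M - 1))

if __name__ == "__main__":
    pdpt, pds = build_identity_tables()
    remap(pds, 0xC0000000, 0x180000000)   # 32-bit window onto memory at 6GB
    print(hex(translate(pds, 0x000F1234)), hex(translate(pds, 0xC0001234)))
```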

Sage Engineering updates Minnow firmware

Sage Engineering maintains a coreboot-based firmware with a SeaBIOS payload for the Intel MinnowBoard MAX.

Today, they’ve announced an updated release. This update allows for flashing the boot image without a hardware device.

The binary SageBIOS boot ROM image, which is flashed on the development board’s SPI Flash device, is based on the Intel Firmware Support Package (Intel FSP) and coreboot open source initialization. The SageBIOS OSP replaces UEFI firmware that comes installed on both versions of MinnowBoard MAX and will support booting a greater variety of operating systems, including FreeBSD and a variety of RTOS, as well as legacy operating systems such as older versions of Microsoft Windows and even DOS. The SageBIOS OSP will support all the operating systems supported by the native UEFI firmware, such as Windows and Linux. In addition, the SageBIOS OSP will boot both 32-bit and 64-bit operating systems with a single boot image.

The download of the “demo ROM” is free, but email registration is required.
More information:
http://lists.elinux.org/pipermail/elinux-minnowboard/Week-of-Mon-20150518/001523.html
http://www.se-eng.com/minnow/