Uncategorized

Debian signed Shim

Secure Boot chain-loading bootloader (Microsoft-signed binary)

This package provides a minimalist boot loader which allows verifying signatures of other UEFI binaries against either the Secure Boot DB/DBX or against a built-in signature database. Its purpose is to allow a small, infrequently-changing binary to be signed by the UEFI CA, while allowing an OS distributor to revision their main bootloader independently of the CA. This package contains the version of the bootloader binary signed by the Microsoft UEFI CA.

https://packages.debian.org/sid/main/shim-signed

https://wiki.debian.org/SecureBoot

Standard
Uncategorized

Linux Foundation workstation security ebook

[…]Now, before you even start with your operating system installation, there are a few things you should consider to ensure your pre-boot environment is up to snuff. You will want to make sure:
* UEFI boot mode is used (not legacy BIOS) (ESSENTIAL)
* A password is required to enter UEFI configuration (ESSENTIAL)
* SecureBoot is enabled (ESSENTIAL)
* A UEFI-level password is required to boot the system (NICE-to-HAVE)

https://www.linux.com/news/linux-workstation-security/2017/3/4-security-steps-take-you-install-linux

http://go.linuxfoundation.org/workstation_security_ebook

Sounds interesting, but I don’t see any actual download link for this ebook. I guess I need some sleep.

There is also this: https://firmwaresecurity.com/2015/08/31/linux-foundation-it-security-policies-firmware-guidance/

 

Standard
Uncategorized

Microsoft updates Secure Boot and ACPI requirements

These Microsoft pages have recently (last month) been updated. No changelog, so unclear what has changed. 😦

 

https://msdn.microsoft.com/en-us/windows/hardware/drivers/bringup/secure-boot-and-device-encryption-overview

https://msdn.microsoft.com/en-us/windows/hardware/commercialize/design/device-experiences/acpi-firmware-implementation-requirements

https://msdn.microsoft.com/en-us/windows/hardware/drivers/bringup/firmware-requirements-for-d3cold

 

Standard
Uncategorized

SUSE on UEFI -vs- BIOS

I missed this blog post from SuSE from last year:

[…]One UEFI topic that I noticeably did not address in this blog is secure boot. This was actually covered extensively in three previous blogs. To read those blogs do a search for “Secure Boot” at suse.com. I also did not address the comparison of UEFI and BIOS from the operating systems perspective in this blog. That is a separate blog that was released at the same time as this one (Comparison of UEFI and BIOS – from an operating system perspective). Please read it too. Hopefully this gives you some helpful information about the transition from BIOS to UEFI, on the hardware side. You can find more information about SUSE YES Certification at https://www.suse.com/partners/ihv/yes/ or search for YES CERTIFIED hardware at https://www.suse.com/yessearch/. You can also review previous YES Certification blogs at YES Certification blog post[…]

https://www.suse.com/communities/blog/comparison-uefi-bios-hardware-perspective/

Standard
Uncategorized

FWTS 16.12.00 released

Ivan Hu of Canonical.com announced the release of FirmWare Test Suite release 16.12.00, with new features in UEFI Secure Boot, OpenPOWER Opal, and ACPI tests. See the full announcement for the list of bugfixes.

New Features:
* ACPICA: Update to version 20161117
* klog.json: Add a few more kernel errors to the database
* opal: pci_info: Add OPAL PCI Info validation
* opal: mem_info: Add OPAL MEM Info validation
* opal: cpu_info: Add OPAL CPU Info validation
* securebootcert: add variable AuditMode checking
* securebootcert: add variable DeployedMode checking

http://fwts.ubuntu.com/release/fwts-V16.12.00.tar.gz
https://launchpad.net/~firmware-testing-team/+archive/ubuntu/ppa-fwts-stable
https://wiki.ubuntu.com/FirmwareTestSuite/ReleaseNotes/16.12.00
https://launchpad.net/ubuntu/+source/fwts

Standard
Uncategorized

33rd CCC

The 33rd Chaos Communication Congress (CCC) takes place in December in Germany. There are MANY great presentations, and CCC is great at making video archives available. Here’s a sample of a few of the presentations, starting with Trammell’s lecture on Heads:

Bootstraping a slightly more secure laptop
Trammell Hudson
https://fahrplan.events.ccc.de/congress/2016/Fahrplan/events/8314.html

What could possibly go wrong with <insert x86 instruction here>?: Side effects include side-channel attacks and bypassing kernel ASLR
Clémentine Maurice and Moritz Lipp
https://fahrplan.events.ccc.de/congress/2016/Fahrplan/events/8044.html

Untrusting the CPU: A proposal for secure computing in an age where we cannot trust our CPUs anymore
jaseg
https://fahrplan.events.ccc.de/congress/2016/Fahrplan/events/8014.html

Virtual Secure Boot: Secure Boot support in qemu, kvm and ovmf
Gerd Hoffmann
https://fahrplan.events.ccc.de/congress/2016/Fahrplan/events/8142.html

Full schedule:
https://fahrplan.events.ccc.de/congress/2016/Fahrplan/schedule.html
https://events.ccc.de/congress/2016/wiki/Main_Page

Standard