Oracle Solaris 11.4: UEFI Secure Boot on Intel HW

UEFI Secure Boot on Oracle Solaris x86 enables you to install and boot Oracle Solaris on platforms where UEFI Secure Boot is enabled. This feature provides more security by maintaining a chain of trust during boot: digital signatures of the firmware and software are verified before executing the next stage. No break occurs in the chain because of unsigned, corrupt, or rogue firmware or software during the boot process. This feature helps assure that the firmware and software used to boot Oracle Solaris on a hardware platform is correct, and has not been modified or corrupted.





MacAdmins Podcast: Episode 70: Secure Boot

Synopsis: Tim Perfitt joins the pod to talk about SecureBoot, the iMac Pro, the future of securing everything, and the history of BootRunner and other products at Twocanoes.

Your Hosts:
Tom Bridge, Partner at Technolutionary LLC [@tbridge]
Pepijn Bruienne, R&D Engineer at Duo Security [@bruienne], Proprietor of EnterpriseMac.Bruienne.com
Charles Edge, Director of Marketplace at Jamf, [@cedge318]

Guests: Tim Perfitt, Founder of Twocanoes Software


show notes:



Dell Sputnik systems disable Secure Boot

“Dell ship their Sputnik systems with a pre-populated MokSB variable that disables Secure Boot, so this is working as intended on the Fedora side.”



Payment card Industry: Secure Boot == Verified Boot == “Trusted Boot”

I just noticed that the PCI compliance group lumps all of the Trusted/Measured/Verified/Secure boot technologies into one, and calls it Trusted Boot, which, AFAIK, is the name for Intel TXT-based Trusted Boot. I wish they were more precise. Then again, I guess I should be glad there is *SOME* firmware security in the PCI compliance docs, I wish there was more, system should check firmware-based code for malware, not just OS-based code.

Payment Card Industry (PCI)
Software-based PIN Entry on COTS Security Requirements
Version 1.0, January 2018
The PIN CVM Application must only support platforms that, at a minimum, provide the following features:

* An enforcing mandatory access control framework
* A “trusted boot” mechanism that validates the operating system’s authenticity

Trusted Boot: A cryptographic process where the bootloader verifies the integrity of all components (e.g., kernel objects) loaded during operating system start-up process, before loading. Also known as Verified Boot and Secure Boot (e.g., Google or Apple).




Aleph Security: Firehorse: Research & Exploitation framework for Qualcomm EDL (Firehose)

Exploiting Qualcomm EDL Programmers (1): Gaining Access & PBL Internals
By Roee Hay (@roeehay) & Noam Hadad
January 22, 2018
* QPSIIR-909, ALEPH-2017029, CVE-2017-13174, CVE-2017-5947

There are many guides across the Internet for ‘unbricking’ Qualcomm-based mobile devices. All of these guides make use of Emergency Download Mode (EDL), an alternate boot-mode of the Qualcomm Boot ROM (Primary Bootloader). To make any use of this mode, users must get hold of OEM-signed programmers, which seem to be publicly available for various such devices. While the reason of their public availability is unknown, our best guess is that these programmers are often leaked from OEM device repair labs. Some OEMs (e.g. Xiaomi) also publish them on their official forums. […] In this 5-part blog post we discuss the security implications of the leaked programmers. The first part presents some internals of the PBL, EDL, Qualcomm Sahara and programmers, focusing on Firehose. In Part 2, we discuss storage-based attacks exploiting a functionality of EDL programmers – we will see a few concrete examples such as unlocking the Xiaomi Note 5A (codename ugglite) bootloader in order to install and load a malicious boot image thus breaking the chain-of-trust. Part 3, Part 4 & Part 5 are dedicated for the main focus of our research – memory based attacks. In Part 3 we exploit a hidden functionality of Firehose programmers in order to execute code with highest privileges (EL3) in some devices, allowing us, for example, to dump the Boot ROM (PBL) of various SoCs. We then present our exploit framework, firehorse, which implements a runtime debugger for firehose programmers (Part 4). We end with a complete Secure-Boot bypass attack for Nokia 6 MSM8937, that uses our exploit framework. We achieve code execution in the PBL (or more accurately, in a PBL clone), allowing us to defeat the chain of trust, gaining code execution in every part of the bootloader chain, including TrustZone, and the High Level OS (Android) itself.

The merit of our research is as follows:
* We describe the Qualcomm EDL (Firehose) and Sahara Protocols. (Part 1)
* We created firehorse, a publicly available research framework for Firehose-based programmers, capable of debugging/tracing the programmer (and the rest of the bootloader chain, including the Boot ROM itself, on some devices). (Part 3 & Part 4)
* We obtained and reverse-engineered the PBL of various Qualcomm-based chipsets (MSM8994/MSM8917/MSM8937/MSM8953/MSM8974) using the Firehose programmers and our research framework. (Part 3)
* We obtained the RPM & Modem PBLs of Nexus 6P (MSM8994). (Part 3)
* We managed to unlock & root various Android Bootloaders, such as Xiaomi Note 5A, using a storage-based attack only. (Part 2)
* We managed to manifest an end-to-end attack against our Nokia 6 device running Snapdragon 425 (MSM8937). We believe this attack is also applicable for Nokia 5, and might be even extensible to other devices, although unverified. (Part 5)

Research & Exploitation framework for Qualcomm EDL Firehorse programmers

Exploiting Qualcomm EDL Programmers (1): Gaining Access & PBL Internals

Exploiting Qualcomm EDL Programmers (2): Storage-based Attacks & Rooting

Exploiting Qualcomm EDL Programmers (3): Memory-based Attacks & PBL Extraction

Exploiting Qualcomm EDL Programmers (4): Runtime Debugger

Exploiting Qualcomm EDL Programmers (5): Breaking Nokia 6’s Secure Boot



FWTS added to Debian

Canonical-based FWTS obviously has Ubuntu packaging, but  it now has Debian packaging!


Looking forward to seeing an entry for Debian — and any other Linux distro which supports UEFI Secure Boot — alongiside the sole entry by Ubuntu here: