AMD clarifies firmware strategy

August 10, 2015 ~ hucktech ~ 1 Comment

A while ago, I asked on the UEFI development list for someone to clarify AMD’s UEFI strategy. I’m unfortunately, not that strong on AMD64 technology, and was a bit confused by the available documentation as to a few things. Gary Simpson, Firmware Architect at AMD, was kind enough to reply to my questions, with verbose reponses. I’ve slightly edited the message, cleaning up the email intro and simplifying my questions, but did not alter any text responses from AMD. Below, lines beginning with “Q:” are questions from me to AMD, and the bold lines with “A:” are Gary’s replies.

Q: Can anyone explain AMD’s strategy w/r/t UEFI and BIOS, UEFI and coreboot?
A: Here’s some quick background: AMD is a founding Board member (i.e. Promoter) of the UEFI Forum and an active member in most of the work groups. We are proponents of the UEFI and ACPI interfaces (because they provide standardized firmware API’s, allowing shrink-wrapped OS distributions, without customized drivers, enabling end-user OS flexibility and choice). Also, despite some birthing pains with individual implementations, UEFI is enormously more secure than legacy BIOS was. AMD’s evolution from legacy BIOS to UEFI has happened over the last ten years in sync with the schedules of our industry partners (IBV’s, OEM’s) and their code bases. We’re not seeing any demand for legacy BIOS enablement anymore, so we no longer focus any effort there. Coreboot is the only remaining legacy code base we enable. Coreboot enablement is provided by AMD’s embedded group for a market-appropriate subset of our chips.
By the way, you may be assuming that the traditional competitiveness between companies persists in the UEFI Forum and the spec work groups that it oversees. But there is actually very little of that (especially compared with a lot of other industry-standards bodies). The general attitude within UEFI is that the firmware layer should be unified, interoperable, well-specified and secure. There is no room for competition or company-specific advantage in the firmware layer. (Then, of course, we all go home to our individual companies and work to create competitive advantage at other layers, such as hardware or higher-level software.) I just want to make sure you understand the atmosphere of cooperation and common-cause that exists between the various OEM’s, Silicon Vendors, OS Vendors, IBV’s, and others that make up the UEFI Forum. That cooperative atmosphere pervades the UEFI work groups, as well as the UEFI Board of Directors.

Q: What AMD X64 models use UEFI, what models use BIOS, what models use coreboot?
A: We don’t specify or control this. Our customers can implement whatever platform firmware solution they choose. However, the firmware components AMD provides focus primarily on UEFI solutions. As mentioned, our embedded group also enables coreboot for a selected subset of our chips. Coreboot is the only legacy code base we still target. For coreboot, we maintain wrappers and a centralized function dispatcher, but our core code is natively targeted at the various UEFI-style code bases used by our IBV partners, our OEM customers, and Tianocore (e.g. EDKII).

Q: I’m unclear if current/upcoming AMD X64 models are still using BIOS on most or only some of their systems, as well as coreboot -vs- UEFI usage and future plans.
A: Internally, we create Customer Reference Boards (CRB’s) and build platform firmware in-house to support them. These in-house BIOS’s, which we use to bring-up and validate our new silicon designs, are all UEFI-based. These are almost always based on our AGESA firmware (see below) combined with a platform code base from one of the IBV’s. Additionally, AMD’s embedded team ports coreboot to their versions of the CRB’s.

Q: Are there different goals for UEFI/BIOS/coreboot for consumer desktop/laptop models -vs- server models? I’ve heard one person speculate that servers are focusing on BIOS, laptops are focusing on GPUs/DirectX [and perhaps UEFI].
A: AMD’s goal is simply to provide what our customers want and need. Server manufacturers were, in general, slower to transition from legacy to UEFI, but we are no longer seeing any demand from them for legacy BIOS.

Q: I’m really unclear how they can get Win8 logos if they’re using BIOS. If they’re getting logos for those systems. Do AMD systems have less Win8 technical restrictions than Intel systems in this regard?
A: In combination with the BIOS Vendors and/or the OEM’s, AMD makes UEFI solutions (supporting Secure Boot, etc.) available for all our chips. We qualify for our Win8 and Win10 logo certifications the old fashioned way – by passing the tests. We make sure that all of our CRB’s pass the certifications tests, and we assist our OEM customers as needed to make sure that their production systems pass as well.

Q: What is AMD equivalent of Intel FSP, for closed-source blobs need alongside Tianocore open source?
A: Our deliverable is called AGESA (AMD Generic Encapsulated SW Architecture). It plugs into the IBV and OEM code bases and does initialization and configuration of the AMD silicon (CPU, GPU, FCH (southbridge), GNB (Graphics North Bridge), etc.). We private-license AGESA source (for free) to our IBV and OEM partners. For coreboot, AGESA is currently provided as a binary module. We did previously publish AGESA open-source in the coreboot repository for a few of our chips over the last several years. You can have a look at those if you’re interested.

Q: How do I debug UEFI on AMD systems, like I can use Intel WinDbg/GDB-based solution for debugging Tianocore with Tunnel Mountain box?
A: AMD does not have an equivalent to Tunnel Mountain. There aren’t any motherboard manufacturers willing to produce and sell such a board, since our volumes would be smaller than Tunnel Mountain. We do design and build Customer Reference Boards for each new chip. The CRB volumes are small and the cost is high, so they mostly go to larger customers. Even inside AMD, these are usually in short supply.

Q: Are you going to port LUVos (and LUV-live) — including it’s new and bundled various tests, especially CHIPSEC — to your systems? CHIPSEC won’t work on AMD64 systems, only Intel systems, implementations are different.
A: We don’t have any current plans to do this, but your question may cause us to do more investigation in this area.

Q: For AMD’s new ARM Ltd.-based systems, are they going to use UEFI on all of them, or just some? What will be used on others, U-Boot or something else?
A: This is an area where we are feeling our way forward. Different customers will want different things. We will try to accommodate them all as well as we can. We plan to offer AGESA for UEFI code bases only, so we won’t support U-Boot directly, but we will enable a UEFI solution that creates a Flattened Device Tree, which should boot any OS’s that normally sit on top of U-Boot.

Q: Are you using Linaro for UEFI bits and making your own ARM firmware, our outsourcing to IBV, if so which?
A: We are working with IBV’s, replicating the traditional firmware-development process from the x86 PC world, but we recognize that traditional ARM-embedded customers may be looking for a free-source stack from us, so we are working to prepare for that possibility as well.

Q: Are you going to help Linaro with their AArch64 port of LUV-live and CHIPSEC, especially including AMD-specific AArch64 implementation issues?
A: No plans yet, but we will investigate.

—- [End of ‘interview’.]

Thanks, Gary, for the detailed answers to my many ignorant questions! For more information, see the email thread on the edk2-devel mailing list, mainly see Gary’s response on July 31st:
https://lists.01.org/mailman/listinfo/edk2-devel

It is especially good to hear about AGESA being open source! I hope Intel can match that bar, with FSP…

Since the responses from Gary, I’ve done two AMD64-centric blog posts, one on the most recent (?) vulnerability, and one on ASESA.

Recapping Marek’s Jan2015 AMD security vulnerability

AMD AGESA

Some additional questions I should’ve asked but didn’t think of until now:

Q: Has AMD or any AGESA licensee (IBV, OEM) ever hired an security audit of the AGESA sources, and published the results?

Q: Does the AMD’s SimNow, either Public or Partner release, support OVMF (the public release appears to not), or is there any other emulator/simulator accurate enough to facilitate porting of CHIPSEC to AMD64 systems?

Q: Can you clarify use of TrustZone on AMD64 — not ARM Ltd.-based AArch32/AArch64 systems? Does TrustZone even work on non-ARM systems as-is, or was this a new port? Are there any more technical details you can point us to for this?

Again, thanks Gary! For the sake of enterprise security, I hope AMD helps with and AMD64 port of CHIPSEC, or at least helps document the issues that need to be removed and added to and AMD64 port, so the open source community can help with the port.

Survey of Boot security technologies

July 29, 2015 ~ hucktech ~ Leave a comment

Wow, there’s a lot of “Boot” buzzwords out there: U-Boot verified boot, Solaris Verified Boot, Chrome Verified Boot, Android Verified Boot (Class A and Class B), UEFI Secure Boot (sometimes called Windows Secure Boot), ARM TrustZone, UEFI Secure Boot, ARM TZ Secure Boot, Measured Boot (sometimes called TCG Measured Boot), Trusted Boot (Windows and Linux concepts) and most likely half a dozen others I don’t even know about… 🙂

UEFI Secure Boot aside, I’m still learning some of these other boot technologies, and how they overlap. I still have a LOT of questions about many of them. I think Verified Boot in Chrome and Android share the same Linux linux kernel technology, but have implemented things differently between Chrome and Android. UEFI’s Secure Boot doesn’t use a TPM, yet Microsoft requires OEMs to have a TPM. 😦 There’s the Trusted Boot that Windows has, and there’s also the tboot (Trusted Boot) loader that is Linux-centric. ARM’s TZ Secure Boot appears to be a different Secure Boot than the UEFI one. Solaris had their Verified Boot, but recently added UEFI support, so what is going to happen with UEFI Secure Boot, and will that mix with existing Solaris Verified Boot? Ditto on Android-IA, which only uses UEFI, will UEFI Secure Boot ever mix with Android Verified Boot?

None of these are full security solutions. For example, Intel has Boot Guard to help protect the system before UEFI Secure Boot’s protections kick in.

Below is a bit more information for each one. This is the first blog post on this topic, I’ll be doing further posts with more details about most of these in the future.

=================

U-Boot verified boot

“U-Boot 2013.07 introduces a feature allowing for the verification of a kernel and other images. U-Boot’s new verified boot feature provides a mechanism for verifying images while still allowing them to be field-upgraded. It fits in seamlessly with the existing image loading infrastructure in U-Boot. U-Boot verified boot relies on two familiar technologies: cryptographic hashing (e.g. SHA-1) and public key cryptography (e.g. RSA). Using these technologies it is possible to distribute images and have them verified on a device. Specifically we can create a key, hash an image, sign that hash, and publish the public key. On the device we can obtain an image and verify it was signed by the private key. Images can be chained one after the other and signed in reverse order either using the same keys or sub-keys (keys derived from other keys). For example, U-Boot may load an image containing a new U-Boot, then boot that. That U-Boot in turn may load an image containing a kernel. Doing that would allow U-Boot itself to be updated with the firmware without risking having an unbootable device due to a bad update. In principle this chain can be any length, but there must be an initial trusted image (“root of trust”) that can start the process. This can be stored in read-only media during manufacture or perhaps protected by on-chip crypto using its own signing scheme. The “root of trust” U-Boot must include the initial public key, held in U-Boot’s device tree (often called the flattened device tree or FDT). A more sophisticated scheme would allow the public keys to be provided by the user, perhaps by inserting an SD card containing the key. This could be implemented using a U-Boot script or with a more sophisticated user interface. A TPM can be used to hold rollback counters, to protect against rolling back to an older, compromised firmware. U-Boot also provides TPM support for trusted boot and remote attestation.”

http://git.denx.de/?p=u-boot.git;a=blob;f=doc/uImage.FIT/verified-boot.txt;
http://git.denx.de/?p=u-boot.git;a=blob;f=doc/uImage.FIT/signature.txt;
http://git.denx.de/?p=u-boot.git;a=blob;f=test/vboot/sign-images.its
https://lwn.net/Articles/571031/

=================

Solaris Verified Boot

“Solaris Verified Boot is a solution for Oracle’s version of Solaris. Solaris Verified Boot refers to verification of object modules before execution using digital signatures. If enabled, Solaris Verified Boot checks the factory-signed signature in a kernel module before loading and executing the module. This is to detect accidental or malicious modification of a module. The action taken is configurable and, when enabled, will either print a warning message and continue loading and executing the module or will fail and not load and execute the module. Solaris Verified Boot checks kernel modules before execution and reports if the module is modified. Optionally on failures, the module is not loaded. For Solaris, Solaris Verified Boot will verify kernel modules before execution, beginning with the initial bootstrap SPARC ‘bootblk’ sectors and initial ‘unix’ module. Both of these are verified by SPARC OpenBoot (because Solaris is not running yet). The Solaris kernel loader (krtld) then takes over and verifies the main (generic) “genunix” module and all subsequent modules loaded by the Solaris kernel. The policy to use on failures is configurable with three policy settings: none, warning, and enforce. The default policy is none (that is, Verified Boot is disabled); None is the default behavior — no verification before execution. Re: TPMs, Solaris Verified Boot has no impact on the TPM chip or TPM software (TrouSerS). However, the TPM still serves complementary functions such as providing a secure keystore or taking measurements of firmware executibles. Verified Boot settings are maintained by Oracle ILOM. Anyone with ILOM spsh shell access can modify these settings. Solaris Verified Boot is available with Solaris 11.2 for Sun SPARC T5/M5/M6 hardware platforms for host domains (with Sun Firmware FW 9.1.0 or better) and Fujitsu M10 systems (with Firmware XCP2250 firmware). Verified Boot is supported for the host domain in the Global Zone. Non-global, non-kernel zones do not have their own copy of the Solaris kernel and do not load kernel modules. Verified Boot is not supported initially for Solaris on X86, T4 or older SPARC platforms, LDoms guest domains, or Kernel Zones. We plan to support more hardware.”

https://blogs.oracle.com/DanX/entry/verified_boot
https://blogs.oracle.com/DanX/entry/solaris_kernel_zones_verified_boot
http://docs.oracle.com/cd/E36784_01/html/E37121/gmwce.html#OSSADgmwce

=================

Chrome Verified Boot

“Chrome Verified Boot is a solution for Google’s Chromium OS. The Chromium OS team is implementing a verified boot solution that strives to ensure that users feel secure when logging into a Chromium OS device. Verified boot starts with a read-only portion of firmware, which only executes the next chunk of boot code after verification. Verified boot strives to ensure that all executed code comes from the Chromium OS source tree, rather than from an attacker or corruption. Verified boot is focused on stopping the opportunistic attacker. While verified boot is not expected to detect every attack, the goal is to be a significant deterrent which will be improved upon iteratively. Verification during boot is performed on-the-fly to avoid delaying system start up. It uses stored cryptographic hashes and may be compatible with any trusted kernel. This feature is not expected to provide 100% detection of attacks. Instead, it is meant to raise the attack bar significantly and in a way that can be improved upon iteratively.”

https://www.chromium.org/chromium-os/chromiumos-design-docs/verified-boot
https://www.chromium.org/chromium-os/chromiumos-design-docs/verified-boot-crypto
https://sites.google.com/site/chromeoswikisite/home/what-s-new-in-dev-and-beta/shell-acess-with-verified-boot

Click to access chromeos.pdf

http://research.google.com/pubs/pub42038.html
http://chrome.blogspot.com/2011/07/chromebook-security-browsing-more.html

=================

Android Verified Boot

“Android Verified Boot is a solution for Google’s Android OS. Android’s Verified boot guarantees the integrity of the device software starting from a hardware root of trust up to the system partition. During boot, each stage verifies the integrity and authenticity of the next stage before executing it. This capability can be used to warn users of unexpected changes to the software when they acquire a used device, for example. It will also provide an additional signal of device integrity for remote attestation, and together with encryption and Trusted Execution Environment (TEE) root of trust binding, adds another layer of protection for user data against malicious system software. We define two implementation classes for verified boot depending on how fully the device implements this specification. Class A implements verified boot with full chain of trust up to verified partitions. This implementation must support the LOCKED device state, and GREEN and RED boot states. Class B implements Class A and additionally supports the UNLOCKED device state and the ORANGE boot state.”

https://source.android.com/devices/tech/security/verifiedboot/verified-boot.html
https://source.android.com/devices/tech/security/verifiedboot/index.html
https://source.android.com/devices/tech/security/dm-verity.html
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=blob;f=Documentation/device-mapper/verity.txt
http://nelenkov.blogspot.com/2014/05/using-kitkat-verified-boot.html
https://lwn.net/Articles/638627/

=================

UEFI Secure Boot

“UEFI Secure Boot, sometimes called Windows Secure Boot, is an optional security feature of UEFI that can be enabled by a PC OEM to enhance the security by helping to make sure that your PC boots using only software that is trusted by the PC manufacturer. When the PC starts, the firmware checks the signature of each piece of boot software, including firmware drivers (Option ROMs) and the operating system. If the signatures are good, the PC boots, and the firmware gives control to the operating system. Secure Boot does not require a TPM.”

https://technet.microsoft.com/en-us/library/Hh824987.aspx
http://go.microsoft.com/fwlink/?LinkId=278911

Click to access lf_uefi_secure_boot_open_platforms.pdf

https://fedoraproject.org/wiki/Secureboot
https://wiki.ubuntu.com/SecurityTeam/SecureBoot
https://wiki.freebsd.org/SecureBoot
https://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface#Secure_boot
http://en.community.dell.com/techcenter/os-applications/w/wiki/7568.secure-boot-overview
http://en.altlinux.org/UEFI_SecureBoot_mini-HOWTO
https://en.opensuse.org/openSUSE:UEFI

=================

Measured Boot

“I think some refer to Measured Boot as TCG Measured Boot. Windows supports Measured Boot, Trusted Boot, and Secure Boot. Windows 8 introduces a new feature called Measured Boot, which measures each component, from firmware up through the boot start drivers, stores those measurements in the TPM on the machine, and then makes available a log that can be tested remotely to verify the boot state of the client. The Measured Boot feature provides AM software with a trusted (resistant to spoofing and tampering) log of all boot components that started before AM software. AM software can use the log to determine whether components that ran before it are trustworthy or if they are infected with malware. The AM software on the local machine can send the log to a remote sever for evaluation. The remote server may initiate remediation actions either by interacting with software on the client or through out-of-band mechanisms, as appropriate. Working with the TPM and non-Microsoft software, Measured Boot in Windows 8.1 allows a trusted server on the network to verify the integrity of the Windows startup process.”

https://msdn.microsoft.com/en-us/library/windows/desktop/Hh848050%28v=VS.85%29.aspx
https://msdn.microsoft.com/en-us/library/windows/hardware/Dn653311%28v=VS.85%29.aspx
https://technet.microsoft.com/en-us/windows/dn168167.aspx
http://www.jwsecure.com/2011/10/18/secure-measured-boot-in-windows-8/
https://mbt.codeplex.com/
http://blogs.msdn.com/b/olivnie/archive/2013/01/09/windows-8-trusted-boot-secure-boot-measured-boot.aspx
https://msdn.microsoft.com/en-us/library/windows/desktop/Hh848050%28v=VS.85%29.aspx
https://www.ibm.com/developerworks/community/blogs/smartersecurity/entry/uefi_secure_boot_and_the_tpm_implementing_secure_boot_with_a_tpm27?lang=en
https://technet.microsoft.com/en-us/windows/dn168169.aspx
http://mjg59.dreamwidth.org/10971.html

UEFI Secure Boot aside, it appears that ARM TrustZone also uses Secure Boot as a non-UEFI-based concept:

http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.prd29-genc-009492c/CACGCHFE.html

=================

Trusted Boot

“Windows supports Measured Boot, Trusted Boot, and Secure Boot. With Trusted Boot, Windows checks the integrity of every component of the startup process before loading it. Trusted Boot takes over where Secure Boot leaves off. The bootloader verifies the digital signature of the Windows 8.1 kernel before loading it. The Windows 8.1 kernel, in turn, verifies every other component of the Windows startup process, including the boot drivers, startup files, and ELAM. If a file has been modified, the bootloader detects the problem and refuses to load the corrupted component. Often, Windows 8.1 can automatically repair the corrupted component, restoring the integrity of Windows and allowing the PC to start normally.”

https://technet.microsoft.com/en-us/windows/dn168167.aspx
http://blogs.msdn.com/b/olivnie/archive/2013/01/09/windows-8-trusted-boot-secure-boot-measured-boot.aspx

“Trusted Boot (boot) is ALSO the name of an open source, pre-kernel/VMM module for Linux, that uses Intel TXT to perform a measured and verified launch of an OS kernel/VMM. Intel TXT provides a hardware- based root of trust to ensure that a platform boots with a known good configuration of firmware, BIOS, virtual machine monitor, and operating system.”

http://hg.code.sf.net/p/tboot/code
http://www.trustedcomputinggroup.org/resources/trusted_boot
https://software.intel.com/en-us/articles/intel-trusted-execution-technology
http://www-01.ibm.com/support/knowledgecenter/SSTQK9_1.1.3/com.ibm.powersc113.se/trusted_boot_concepts.htm

=================

Enterprises which are responsible for user/data security usually like these kinds of technologies. Citizens who like to control their own devices, including installing their preferred operating system, instead of using the pre-installed OEM OS, often find these security technologies a hindrance to their normal usage. OEMs — except Google, with the Developer Mode of their ChromeBook — ignore this latter, smaller consumer demographic, and focus strictly on the security-focused market, creating opportunities for “micro-OEMs” like Purism and Bunnie Studios.

http://www.fsf.org/campaigns/secure-boot-vs-restricted-boot/statement
https://en.wikipedia.org/wiki/Hardware_restriction

Windows 10 and Secure Boot

July 29, 2015 ~ hucktech ~ Leave a comment

Microsoft made Windows 10 available today, free upgrade for v7 and v8 users. The spec says:

“Secure boot requires firmware that supports UEFI v2.3.1 Errata B and has the Microsoft Windows Certification Authority in the UEFI signature database.”

For more information on Window 10’s firmware/hardware security requirements, look at Microsoft’s talk from the last UEFI Forum plugfest, from May: “Overview of Windows 10 Requirements for TPM, HVCI and SecureBoot“, by Gabe Stocco, Scott Anderson and Suhas Manangi (Microsoft):

More Information:

http://www.microsoft.com/en-us/windows/windows-10-specifications

Click to access UEFI_Plugfest_May_2015%20Windows%2010%20Requirements%20for%20TPM%2C%20HVCI%20and%20SecureBoot.pdf

http://blogs.windows.com/bloggingwindows/2015/07/28/windows-10-free-upgrade-available-in-190-countries-today/

What is the safest firmware solution?

July 25, 2015July 25, 2015 ~ hucktech ~ Leave a comment

Stephan of the coreboot project is currently having a Twitter conversation with some others. It includes this post:

@runasand @arminhausf Some folks from Mitre mentioned to me a while back, Chrome OS firmware is the most secure firmware stack out there.

— Stefan Reinauer (@StefanReinauer) July 24, 2015

This makes me wonder, has anyone compared Chrome’s Verified Boot with UEFI’s Secure Boot. With and w/o TPM chip on Intel or TrustZone on ARM. It would be nice if some cyypto-savvy researchers could analyze the crypto used in both implementations and give a comparison, including how these solutions meet the NIST and NSA/CC criteria for securing BIOS.

In terms of code size, coreboot has a much smaller codebase than tianocore, even with the all the additional size that Chrome brings to it’s coreboot dialect. But both Secure Boot and Verified Boot are nearly the same in terms of PKI.

On a related not, I’ll do a future blog post looking into the various boot flavors: Trusted Boot, Secure Boot, Measured Boot, Verified Boot, etc.

Secure Boot strength varies by Linux implementation

July 17, 2015July 17, 2015 ~ hucktech ~ Leave a comment

[UPDATE, with input from readers, see EOM. Thanks!]

UEFI Secure Boot is a build-time feature of UEFI that helps secure the boot process from some boot-time attacks, optionally using TPM hardware if available. Secure Boot became widespread on Windows hardware during Windows 8 timeframe. Windows aside, other operating systems have to support UEFI Secure Boot. Linux supports UEFI and UEFI Secure Boot (as does FreeBSD). Different Linux distributions have different Linux kernels, with different versions, different patchsets, and different build-time directives enabled. So, Fedora’s Linux kernel is different than SuSE’s Linux kernel, etc.

I saw a recent comment from a UEFI security researcher who had been building a Linux liveboot CD and running CHIPSEC — which includes a native Linux kernel driver, and running it on UEFI systems with Secure Boot enabled.

“Ubuntu appears to have shim and do secure boot but not enforce kernel module signing.”

This Ubuntu behaviour was a change in behaviour from the Fedora-based systems the researcher was used to using. I was curious about the difference in distros w/r/t enforcing kernel module signing. So I asked on the FirmWare TestSuite (FWTS) list if there was a test for this. Roderick W. Smith of Canonical — and author of rEFInd boot manager and the definitive Linux boot loader/manager reference on RodsBooks.com — replied clarifying the situation:

“Yes, that’s correct. Ubuntu’s kernel doesn’t attempt to enforce Secure Boot policy beyond the main kernel file; once the kernel’s loaded, it’s possible to load an unsigned kernel module. Fedora, as you inferred, does require signing of kernel modules. Fedora’s approach is arguably more secure, since an attacker can’t load a malicious kernel module once the system has booted, but leads to problems with third-party kernel modules, like the in-kernel portions of nVidia and ATI/AMD video drivers. FWIW, the decision to do it this way was made before I joined Canonical, so I’m not sure who made the decision.”

Ivan of Canonical replied with more information:

“On Linux, two stage booting has implemented for secureboot. First stage is firmware boot to shim and then shim will take care to check signature and boot with grub and kernel. Booting with/without kernel signed is under shim and grub implementation, Ubuntu provides the singed kernel in official releases, and would like to keep the flexibility for user to build their kernel, so Ubuntu doesn’t block booting when user uses unsigned kernel.”

The security researcher who reported this speculated that Canonical’s policy may be due to them not wanting to put their distro signature (or perhaps worry about license issues in doing so) on some 3rd party (non open) binary.

As I understand things, this is beyond the strict “UEFI Secure Boot” definition, and on to what OS-centric post-UEFI Secure Boot security techniques it will implement. I guess some call it “OS Secure Boot” to differentiate it from “UEFI Secure Boot”, but I don’t see any formal definition for that term.

I wish there was more precise information about Secure Boot implementation from each Linux distro. System administrators and technical support engineers will need to know these nuances, as will security researchers. Pehaps Linux Foundation or UEFI Forum — or some Wikipedian(s) — could help with a comparison of Secure Boot on different OSes? Perhaps FWTS or CHIPSEC could have a test to check? Perhaps the UEFI Forum could note these nuances at their next plugfest, and setup test cases combinining Linux OSVs with a test case that loads dynamically load native OS drivers: perhaps using CHIPSEC as the test case may suffice, it loads a native helper driver.

So, don’t just look at if Secure Boot is enabled or not, look at what Linux OS you’re using, and how it implements Secure Boot. And remember attackers are also making this choice, and looking for your softer Linux targets, so be more careful when using those systems.

——-

Updated information:

The reason this issue came up is that the researcher was using Intel CHIPSEC, which when run on Linux it uses a Linux kernel module. Unlike most drivers, which get loaded when OS initializes, then stay loaded, the CHIPSEC driver behaves differently. The CHIPSEC userland Python app compiles the kernel module, and loads the module when it starts, then unloads the driver when it finishes (because the driver enables risky things, see it’s warning.txt). On Fedora, this kind of CHIPSEC driver loading behavior will not work, with Secure Boot enabled, until you setup moklist and sign the module. By contrast with Fedora, on Ubuntu, CHIPSEC is able to load the unsigned driver without the user having to change anything (convenience). Here’s more information on how Fedora does it’s module signing process:
http://docs.fedoraproject.org/en-US/Fedora/22/html/System_Administrators_Guide/sect-kernel-module-authentication.html

LinuxCon North America this August in Seattle

July 12, 2015 ~ hucktech ~ Leave a comment

LinuxCon North America is happening this August, in Seattle for the first time (I think). A quick look at their schedule shows a variety of interesting presentations related to firmware security:

* Extending the Secure Boot Certificate and Signature Chain of Trust in the OS – Fionnuala Gunter, Hypori
* Resurrecting Internet Booting – Boot Boot, Booting Over the Internet – John Hawley, Intel
* Demystifying ACPI and EFI via Python and BITS – Josh Triplett
* ACPI for Network Switches – Dustin Byford, Cumulus Networks
* Tying TPMs Throughout The Stack – Matthew Garrett, CoreOS
* Turtles All The Way: Running Linux on Open Hardware – Rob Landley
* ACPI 6 and Linux – Rafael J. Wysocki, Intel
* The Bare-Metal Hypervisor as a Platform for Innovation – Russell Pavlicek, Citrix
* Suspend/Resume at the Speed of Light – Len Brown, Intel

Josh Triplett on BIOS BITS sounds especially interesting. It’ll be interesting to see if the boot boot reboot will get integrated with UEFI HTTP Boot support.

More information:
http://events.linuxfoundation.org/events/linuxcon-north-america
http://events.linuxfoundation.org/events/linuxcon-north-america/program/schedule

CHIPSEC v1.2.0 Released

June 10, 2015 ~ hucktech ~ 3 Comments

The Intel CHIPSEC team just posted the latest version of CHIPSEC, 1.2.0. Release notes excerpt below, see the full text on the github site, with known issues:

New/updates modules:
* Merged common.secureboot.keys module into common.secureboot.variables module
* Updated tools.secureboot.te module to be able to test PE/TE issue on Linux or UEFI shell
* Updated tools.smm.smm_ptr module

Updates:
* Added the *controls* abstraction. Modules are encouraged to use “get_control“ and “set_control“ when interacting with platform registers. This permits greater flexibility in case the register that controls a given feature or configuration changes between platform generations. The controls are defined in the platform XML file. At this time, only a small number of controls are defined. We plan to move existing modules over to this new mechanism.
* Added XML Schema for the XML configuration files
* Support for reading, writing, and listing UEFI variables from the UEFI Shell environment has been added.
* Added support for decompression while SPI flash parsing via “decode“ or “uefi decode“ commands in Linux
* Added basic ACPI table parsing to HAL (RSDP, RSDT/XSDT, APIC, DMAR)
* Added UEFI tables searching and parsing to HAL (EFI system table, runtime services table, boot services table, DXE services table, EFI configuration table)
* Added DIMM Serial Presence Detect (SPD) ROM dumping and parsing to HAL
* Added “uefi s3bootscript“ command parsing the S3 boot script to chipsec_util.py
* Added virtual-to-physical address translation function to Linux/EFI/Windows helpers
* Added support of server platforms (Haswell server and Ivy Town) to chipset.py

More Information:

https://github.com/chipsec/chipsec

VZ recent blog posts

June 8, 2015 ~ hucktech ~ Leave a comment

Vincent Zimmer of Intel has been busy blogging the last few days… 🙂

His personal blog has a few topics related to UEFI. He talks about evolving EFI-based procotols, using hardware interrupts in the polled driver model-based UEFI OS, and MdePkg library design, and Intel TXT along with Secure Boot and Measured Boot, and member of a recently former Intel employee, George Cox, who recently passed on.

At work, Vincent wrote a blog for the Intel Firmware blog. In this blog post, he covers some background on the “Beyond BIOS” white paper series that they’ve been doing for a decade.

(These are both blogs I follow, and I’ll list on the blogroll once I figure out how to use WordPress to expose the blogroll.)

There are MANY links in these two blog posts, a few of them are new. Worth reading, if you care about UEFI on Intel.

More Information:

http://vzimmer.blogspot.com/2015/06/guids-revisions-interrupts.html
http://vzimmer.blogspot.com
http://firmware.intel.com/blog/beyond-bios
http://firmware.intel.com/blog

Microsoft increases use of Secure Boot as marketing tool

June 7, 2015 ~ hucktech ~ Leave a comment

Earlier this week, Sam Varghese wrote an article in iTWire about Windows 10 and UEFI. According to the article, Window 10 will not enable Secure Boot unless the system has a Windows 8-compliant logo. It appears from the article Microsoft is hesitant to answer further questions from the author.

“System BIOS detected a non-Windows 8 logo graphic card. There is no Graphic Output Protocol support detected in this card. Windows 8 feature settings in BIOS will be changed to disabled.”

This will likely not impact users of new systems, as OEMs will ensure their logos are complaint and pominently displayed.

This appears to imply that users upgrading to Windows 10 from Windows 8 may lose the ability to use Secure Boot, unless they buy a new video card or have a recent one.

It also may mean an attacker can simply swap video cards and bypass SecureBoot; so much for tamper resistance in TPM chips…

It seems very strange for an OS vendor to be enabling or disabling firmware features. It is worse to see security features being disabled in the name of marketing. If Microsoft disables Secure Boot on a system, this may mean that Secure Boot is also disabled for any other OS installed on that system, like Linux, via the Micorosoft-signed Shim. So this Windows marketing technique likely impacts non-Windows system security. I am not sure, maybe their change only impacts their own OS, and other OSes on that system will still continue to Securely Boot.

It is also bad that this vendor is default Certificate Authority representing the UEFI Forum. It is also disconcerting to see Microsoft adding additional restrictions to all UEFI pre-OS applications. The UEFI Forum and Intel is letting Microsoft bully Intel-based Windows OEMs. I was reading some ARM slides recently, sorry I don’t have the URL handy for exact quote, but it said something like “no bully in our playground telling us what to run”. I wish Intel had the ability to stand up to the bully in their playground.

Ironically, Microsoft appears to have just learned to play Apple’s game better. Before Microsoft was playing UEFI-based games with systems, Apple was already using EFI to prevent non-Apple OSes on some of their systems. Since APPL and MSFT are OEMs as well as OS vendors, I expect their own systems would use UEFI as a form of “DRM” to keep their OS on their hardware. But Microsoft is now impacting all Windows OEMs, in addition to their own systems, each release of Windows makes more use of UEFI to restrict what OEMs and users can do and let Microsoft have more control over these systems. Chrome OEMs are looking better and better… 😦

More information:

http://www.itwire.com/opinion-and-analysis/open-sauce/68262-windows-10-no-secure-boot-unless-microsoft-tax-is-paid
https://msdn.microsoft.com/en-us/library/dn917885%28v=vs.85%29.aspx
https://msdn.microsoft.com/en-us/library/dn756793%28v=vs.85%29.aspx

Spring UEFI Forum agenda announced

May 17, 2015 ~ hucktech ~ Leave a comment

The UEFI Forum Spring event is happening in Tacoma.WA.US this coming week. They just announced the presentations for the event:

* Zachary Bobroff, AMI – PreBoot Provisioning solution with UEFI
* Kevin Davis, Insyde – System Prep Applications, A Powerful New Feature in UEFI 2.5
* Olivier Martin, ARM – Porting a PCI driver to ARM AArch64 platforms
* Lief Lindholm, ARM – Demonstrating a common EDK2 pltforms & drivers tree
* Dick Wilkins, Phoenix – UEFI FIrmware – Securing SMM
* Gabe Stocco and Scott Anderson, Microsoft – Windows Requirements for TPM, HVCI and Secure Boot
* Jeremiah Cox
* Vincent Zimmer, Intel – Filling UEFI/FW Gaps in the Cloud
* David Box, Intel – An overview of ACPICA userspace tools
* Samer El-Haj-Mahmoud, HP – Firmware in the Datacenter: Goodbye PXE and IPMI. Welcome Http

Typically, the UEFI Forum makes slides for these presentations available on their web site a few weeks later…

More information:
http://www.uefi.org/node/887

Windows 10 UEFI Secure Boot policy welcomed by Linux users

May 7, 2015 ~ hucktech ~ Leave a comment

In an article by Sam Varghese in iTWire, Linux users will find Microsoft’s current advice to Windows 10 OEMs regarding UEFI Secure Boot welcome news. More information here:

http://www.itwire.com/opinion-and-analysis/open-sauce/67959-microsofts-new-secure-boot-strategy-will-suit-linux-firms

[iTWire article aside, more welcome news would be if OEMs would build consumer Linux devices with Secure Boot working directly with them, without Microsoft PKI/CA/keys, in some of their models. Intel and SuSE demonstrated this at IDF2013, yet no consumer devices are available, AFAIK.
Even more welcome news would be offering Coreboot as an option, including new Coreboot support in UEFI as PI component.
Even more news would be providing systems where owners could build and update their own firmware, from tianocore.org and coreboot.org code, along with any new drivers from the OEM, and have a firmware update mechanism for local owner-users, not only beg for updates from vendors.
But I guess I should simply be happy that Microsoft is permitting Windows OEMs to still let users install software on the HW/FW/SW that we don’t actually own/control. 🙂 –ed]