Update on Intel SMM vulnerability

September 10, 2016 ~ hucktech ~ Leave a comment

Intel SMM EoP mitigations due Sep-19

The SMM Rootkit Revisited: Fun with USB (from ARES’15)

August 30, 2016 ~ hucktech ~ Leave a comment

The SMM Rootkit Revisited: Fun with USB (paper published at ARES 2014): https://t.co/lWIJ2mdXT8

— Yuriy Bulygin (@c7zero) August 30, 2016

Wish I had known about this when trying to make a CSW 2015 POC of the same. Better link: https://t.co/pL7212lxuR https://t.co/rzLZR0fIYg

— Xeno Kovah (@XenoKovah) August 30, 2016

http://ieeexplore.ieee.org/document/6980293/?reload=true&arnumber=6980293

System Management Mode (SMM) in x86 has enabled a new class of malware with incredible power to control physical hardware that is virtually impossible to detect by the host operating system. Previous SMM root kits have only scratched the surface by modifying kernel data structures and trapping on I/O registers to implement PS/2 key loggers. In this paper, we present new SMM-based malware that hijacks Universal Serial Bus (USB) host controllers to intercept USB events. This enables SMM root kits to control USB devices directly without ever permitting the OS kernel to receive USB-related hardware interrupts. Using this approach, we created a proof-of-concept USB key logger that is also more difficult to detect than prior SMM-based key loggers that are triggered on OS actions like port I/O. We also propose additional extensions to this technique and methods to prevent and mitigate such attacks.

ThinkPwn updated

August 16, 2016 ~ hucktech ~ Leave a comment

I made ThinkPwn exploit more reliable, now it works on EFI 2.x firmwares with new versions of SMM related protocols https://t.co/8F6EtxQgX2

— Dmytro Oleksiuk 💥 d_olex@mastodon.social (@d_olex) August 16, 2016

Also, on EFI 2.x you don’t need to bruteforce callback handle value to trigger the vuln during RT phase from OS, constant GUID is enough

— Dmytro Oleksiuk 💥 d_olex@mastodon.social (@d_olex) August 16, 2016

Oh, and btw, now you can build ThinkPwn for 32-bit firmwares (not sure that there’s any vulnerable 32-bit boards itw except Intel Galileo)

— Dmytro Oleksiuk 💥 d_olex@mastodon.social (@d_olex) August 16, 2016

https://github.com/Cr4sh/ThinkPwn/commit/d496e7d9a4bbb1e2903a94802760d52c1e46c037
https://github.com/Cr4sh/ThinkPwn/

Multiple Intel systems have SMM runtime EoP

August 8, 2016 ~ hucktech ~ Leave a comment

See the full announcement for the list of vulnerable products. Regardless of model, it sounds like no fix until early September.

SmmRuntime Escalation of Privilege
Intel ID:     INTEL-SA-00056
Product family:     Intel® Server Board S1200/1400/1600/2400/2600/4600 series
Impact of vulnerability:     Elevation of Privilege
Severity rating:     Important
Original release:     Aug 08, 2016

https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00056&languageid=en-fr

AMI_SMI_Dump

July 18, 2016 ~ hucktech ~ Leave a comment

New tool: ami_smi_dump.py:
Extract SW SMI handlers information from SMRAM dump of Skylake based AMI Aptio V firmware.

I made a small tool that extracts SMI handlers information from SMRAM + flash image dumps of AMI Aptio V firmware: https://t.co/2V5Y6k3mhD

— Dmytro Oleksiuk 💥 d_olex@mastodon.social (@d_olex) July 17, 2016

Updated ami_smi_dump.py, now it can show even more info from SMRAM dump: https://t.co/qTn23vVjtw https://t.co/2V5Y6k3mhD

— Dmytro Oleksiuk 💥 d_olex@mastodon.social (@d_olex) July 17, 2016

Hmm, WordPress renders Github gist pages to be unviewable. Remove the SPACE character after the TLD in the below URL to make it work. Or click on the links in the Twitter links.

https://gist.github.com /Cr4sh/db43cc6687e737d982d3d1c56472c6b9

exploiting Lenovo firmware, part 2D

July 10, 2016 ~ hucktech ~ Leave a comment

A bit more on this:

exploiting Lenovo firmware, part 2C

Lenovo has updated their support document. The initial version had no technical details. The update now has a huge list of models which are affected or not. The researcher also mentions that an update from the vendor is expected next month. I’m still waiting to see the IBV’s and other OEMs responses to this.

https://support.lenovo.com/us/en/solutions/LEN-8324

Lenovo customers will see their ThinkPwn patches this August (not so bad for such vuln). Full disclosure: make the world a better place 🙂

— Dmytro Oleksiuk 💥 d_olex@mastodon.social (@d_olex) July 9, 2016

Lenovo updated #ThinkPwn advisory with information about vulnerable models https://t.co/31rpPiHKNR

— Dmytro Oleksiuk 💥 d_olex@mastodon.social (@d_olex) July 9, 2016

exploiting Lenovo firmware, part 2C

July 5, 2016July 5, 2016 ~ hucktech ~ Leave a comment

A bit more on this:

exploiting Lenovo firmware, part 2B

For non Windows it means flash write protection bypass: attacker can install firmware rootkit from running OS

— Dmytro Oleksiuk 💥 d_olex@mastodon.social (@d_olex) July 5, 2016

, to be deadly honest, SMM security is not relevant at all on non-Dell/HP/Lenovo desktops, just because of no BIOS security at all.

— Nikolaj Schlej (@NikolajSchlej) July 5, 2016

Intel provided reference code with this vulnerability to IBV, IBV provided it’s SDK to OEM

— Dmytro Oleksiuk 💥 d_olex@mastodon.social (@d_olex) July 5, 2016

UEFI exploit readme was updated: https://t.co/8pZgtuFVVs ThinkPwn comes to desktops 😈

— Dmytro Oleksiuk 💥 d_olex@mastodon.social (@d_olex) July 5, 2016

https://twitter.com/al3xtjames/status/750183816266940417
https://twitter.com/al3xtjames/status/750163415159582720

exploiting Lenovo firmware, part 2B

July 1, 2016 ~ hucktech ~ Leave a comment

exploiting Lenovo firmware, part 2A

July 1, 2016 ~ hucktech ~ Leave a comment

A few bits of news to add to this:

exploiting Lenovo firmware, part 2

https://t.co/fMOvXwBOgD — I updated Lenovo firmware 0day exploit readme with important information about vulnerability history

— Dmytro Oleksiuk 💥 d_olex@mastodon.social (@d_olex) June 30, 2016

Great news: it’s is not a Lenovo backdoor, it’s Intel reference code vuln from 2014 that was copy-pasted by OEM/IBV https://t.co/BF7JJOr63J

— Dmytro Oleksiuk 💥 d_olex@mastodon.social (@d_olex) June 29, 2016

Old EDK2 code from Intel vs code from ThinkPad firmware pic.twitter.com/GK9QgIzSnN

— Dmytro Oleksiuk 💥 d_olex@mastodon.social (@d_olex) June 29, 2016

These days, it is nice to know that a firmware bug is probably an accidental defect, rather than some backdoor. 🙂

In 2015, UEFI Forum used to do Security Advisories, with 2 PDFs each containing more than a dozen potential exploits. I wonder how many of those are in today’s vendors codebases? No more advisories from UEFI Forum since 2015, so who knows what other cut-and-paste OEM/IBV bugs are being propogated? I wish UEFI Forum would issue more Security Advisories, multiple bugfixes on the EDK2-devel project appear to merit this kind of attention.

exploiting Lenovo firmware, part 2

June 29, 2016June 29, 2016 ~ hucktech ~ Leave a comment

New article, “Exploring and exploiting Lenovo firmware secrets”: https://t.co/6ZYlifCNAC Code: https://t.co/lrSUKodQTP #ThinkPwn

— Dmytro Oleksiuk 💥 d_olex@mastodon.social (@d_olex) June 29, 2016

Cr4sh has written the second article in his series on Lenovo firmware security research:

Exploring and exploiting Lenovo firmware secrets
Hi, everyone! In this article I will continue to publish my research of Lenovo ThinkPad’s firmware. Previously I shown how to discover and exploit SMM callout vulnerabilities on example of SystemSmmAhciAspiLegacyRt UEFI driver 1day vulnerability. Also, I introduced a small toolkit called fwexpl that provides API for comfortable development of firmware exploits for Windows platform. My previous Lenovo exploit was able to execute custom code in SMM, such conditions allow relatively easy bypass of BIOS_CNTL security mechanism which protect firmware code stored inside SPI flash chip on motherboard from unauthorized modifications by operating system (BIOS_CNTL bypass also was discussed in my another article “Breaking UEFI security with software DMA attacks”). In addition to BIOS_CNTL, modern Lenovo computers also use SPI Protected Ranges (aka PRx) flash write protection, so, in this article I will present my generic exploitation technique that allows to bypass PRx and turn arbitrary SMM code execution vulnerability into the flash write protection bypass exploit. This technique also can be applied to UEFI compatible computers of other manufacturers — they all use similar design of specific firmware features that responsible for platform security. In second part of the article I will present a new 0day vulnerability in Lenovo firmware that allows arbitrary SMM code execution on a wide range of Lenovo models and firmware versions including the most recent ones. Exploitation of this vulnerability may lead to the flash write protection bypass, disabling of UEFI Secure Boot, Virtual Secure Mode and Credential Guard bypass in Windows 10 Enterprise and other evil things. […]

http://blog.cr4.sh/2016/06/exploring-and-exploiting-lenovo.html
https://github.com/Cr4sh/ThinkPwn
See-also:

fwexpl – PC Firmware Exploitation Tool and Library

Cr4sh on SMM exploits in Lenovo firmware!

new Thinkpad SMM 0day

June 1, 2016 ~ hucktech ~ Leave a comment

Dmytro Oleksiuk has apparently found a new Lenovo/SMM exploit, not much details yet:

I found very interesting 0day vulnerability (looks rather like backdoor) in ThinnkPads, arbitrary SMM code execution pic.twitter.com/MxLHU1ciIB

— Dmytro Oleksiuk 💥 d_olex@mastodon.social (@d_olex) June 1, 2016

It also leads to flash write protection bypass, SecureBoot bypass, Windows VSM bypass and other bad things. Details soon 🙂

— Dmytro Oleksiuk 💥 d_olex@mastodon.social (@d_olex) June 1, 2016

Sogeti ESEC: SMM unchecked pointer vulnerability

May 30, 2016May 31, 2016 ~ hucktech ~ Leave a comment

[Update: SMM driver dev advice for this from issue is here:

Note #1 to SMM driver devs: use a pre-allocated mailbox with static address to communicate with SMM to prevent this:https://t.co/SjGcMgM0BY

— Nikolaj Schlej (@NikolajSchlej) May 30, 2016

]

Just published my article: "SMM unchecked pointer vulnerability" https://t.co/TvLiYnVkzc

— Bruno (@BrunoPujos) May 30, 2016

Bruno of Sogeti ESEC Lab has published an interesting paper with an SMM exploit, well-written with lots of background on UEFI and SMM exploits, lots of images/figures and links, definately worth reading:

SMM unchecked pointer vulnerability
Mon 30 May 2016 by Bruno

This article explains the exploitation of an SMM unchecked pointer vulnerability present in several firmwares. As this vulnerability is a memory corruption, it only applies to firmwares including the unpatched vulnerable DXE driver. It first explains the SMM mode and some of its mechanisms, then the reversing of the UEFI driver in which the vulnerability is present, then the exploitation of the vulnerability in it-self and finally a little conclusion about the impact of the vulnerability. […]

This vulnerability was initially found on two different firmwares of different OEM, both of them seem to have a lot in common. Their firmware were based on one version of the EDK implementation by Intel with several new features added. After some research it appears that both were using code provided by American Megatrends Inc. (AMI) . We contacted AMI and the OEM and got quick responses from them. We would like to thank them for working with us, especially Lenovo for coordinating with us. […]

This vulnerability allows to gain code execution in SMM. In the case of both studied firmwares the flash was not protected by the Protected Range (PR) registers, code execution in SMM allows rewriting the flash and potentially the setup of a persistent bootkit.

On January 2016 VirusTotal (VT) began to provide information on firmware images as described in their blog post . We used this for finding firmware which includes the SMIFlash driver. In total we found approximately 900 different firmwares (type:rom) which contains it, 468 of those had different versions, however it is likely that a lot of these firmwares are just different versions of one another. We have gathered the Vendor identification provided by VT for each of those firmware and got approximately 10 different constructors however 84% of the firmwares have AMI as vendor. […]

http://esec-lab.sogeti.com/posts/2016/05/30/smm-unchecked-pointer-vulnerability.html

fwexpl – PC Firmware Exploitation Tool and Library

May 16, 2016 ~ hucktech ~ Leave a comment

My ThinkPad SMM exploit can bypass Virtualisation Based Code Integrity now, thx to kernel driver from RWEverything https://t.co/3PpdAGD7Ja

— Dmytro Oleksiuk 💥 d_olex@mastodon.social (@d_olex) May 16, 2016

Dmytro Oleksiuk (aka Cr4sh) has a VERY INTERESTING new firmware tool for Windows

PC firmware exploitation tool and library

Project includes the following components:
* libfwexpl — Hardware abstraction library for Windows (see include/libfwexpl.h).
* libdsebypass — Windows x64 DSE bypass exploit based on Secret Net 7.4 0day privileges escalation vulnerability (see include/libdsebypass.h).
* driver — Kernel mode part of libfwexpl.
* application — Application that implements System Management Mode code execution exploit for 1day vulnerability in SystemSmmAhciAspiLegacyRt UEFI SMM driver of Lenovo firmware.

Options:
–target <N> — Select known target where <N> is a target number. If –target and –target-addr options are not specified — exploit will use heuristics to find EFI_BOOT_SERVICES structure address that neccessary for SystemSmmAhciAspiLegacyRt driver vulnerability exploitation.
–target-list — Print all known targets information.
–target-addr – Use manual address of EFI_BOOT_SERVICES.LocateProtocol field for SystemSmmAhciAspiLegacyRt exploit. This option will be ignored if –target was specified.
–target-smi – Use manual SMI handler number for SystemSmmAhciAspiLegacyRt exploit. This option will be ignored if –target was specified. If –target-addr was specified without –target-smi — SystemSmmAhciAspiLegacyRt exploit will check all of the possible SMI handlers from 0 to 255.
–smram-dump — Determinate current SMRAM address and dump it’s contents to file specified by –file option.
–phys-mem-dump — Full raw physical memory dump into the file specified by –file option.
–phys-mem-read <addr> — Read physical memory starting from specified address.
–phys-mem-write <addr> — Write physical memory starting from specified address.
–length <bytes> — Number of bytes to read or write for –phys-mem-read and –phys-mem-write.
–file <path> — Memory dump path to read or write, in case of –phys-mem-read this parameter is optional and when it’s not specified — application will print a hex dump of physical memory to stdout. In case of –smram-dump this parameter is mandatory.
–exec <addr> — Execute SMM code at specified physical memory address.
–dse-bypass — Install and exploit Secret Net 7.4 driver to bypass Windows x64 DSE.
–test — Run some basic libfwexpl tests.

To learn more about this project please read his blog post, “Exploiting SMM callout vulnerabilities in Lenovo firmware”:
http://blog.cr4.sh/2016/02/exploiting-smm-callout-vulnerabilities.html

https://github.com/Cr4sh/fwexpl

Intel opens up SGX enclaves

May 6, 2016 ~ hucktech ~ Leave a comment

Intel opens SGX, allows everyone launch SGX enclaves, not just Intel-blessed vendors. Thank you, @Intel! https://t.co/g5inV3DRyL

— Joanna Rutkowska (@rootkovska) May 6, 2016

https://twitter.com/aionescu/status/728301303244292096

Read the above twitter link for some more background (including Intel PDF link) and security ramifications of this.

new Microsoft ACPI table: WSMT

April 22, 2016 ~ hucktech ~ Leave a comment

As mentioned earlier this week, Microsoft just released a spec for their new ACPI table WSMT (Windows SMM Security Mitigations Table):

Windows SMM Security Mitigations Table

The Windows SMM Security Mitigations Table specification contains details of an ACPI table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features. This information applies for Windows Server Technical Preview 2016, and Windows 10, version 1607. […]

Full spec:
http://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx

The UEFI Forum maintains ACPI specs. AFAICT, their ACPI spec list does not yet list this new WSMT table.
http://www.uefi.org/acpi

Also, there’s a strange copyright in this spec:

Portions of this software may be based on NCSA Mosaic. NCSA Mosaic was developed by the National Center for Supercomputing Applications at the University of Illinois at Urbana-Champaign. Distributed under a licensing agreement with Spyglass, Inc.

Maybe I am just noticing this paragraph, and Microsoft always uses that on copyright pages, and does not mention other old software, only NCSA Mosaic. But why NCSA Mosaic-centric copyrights in an WSMT ACPI table?? Microsoft IE 1.0 was based on NCSA Mosaic source code, via Spyglass purchase, but that was long before EFI or ACPI. I didn’t notice anything Win9x/BIOS/ISA-PNP-centric about WSMT. :-).

In related news, Jiewen Yao of Intel has submitted the WSMT definition into the tianocore EDK-II project:

MdePkg: Add WSMT definition. This patch adds Windows SMM Security Mitigation Table @ http://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx

…/WindowsSmmSecurityMitigationTable.h | 39 ++++++++++++++++++++++
1 file changed, 39 insertions(+)

+#define EFI_ACPI_WINDOWS_SMM_SECURITY_MITIGATION_TABLE_SIGNATURE SIGNATURE_32(‘W’, ‘S’, ‘M’, ‘T’)

Jiewen also submitted a 12-part patch, enhancing SMM to deal with this new table:

[PATCH 00/12] Enhance SMM Communication by using fixed comm buffer. This series patches are generate to meet Microsoft WSMT table definition on FIXED_COMM_BUFFERS requirement. Before this series patches, the DXE or OS module can use any non-SMM memory as communication buffer to exchange data with SMM agent. Microsoft WSMT table has requirement to support fixed communication buffer – so that SMM agent can only support communication buffer with type EfiReservedMemoryType/EfiRuntimeServicesCode/EfiRuntimeServicesData/EfiACPIMemoryNVS, which will not be used by OS during runtime. So we clean up all SMM handler to only use these memory regions for SMM communication, and enhance check in SmmMemLib to catch the violation. This series patches are validated on real platforms with SMM enabled. This series patches are validated on OVMF ia32-x64 with SMM enabled.

For full patch, see list archives:
https://lists.01.org/mailman/listinfo/edk2-devel

Windows SMM Security Mitigations Table

April 20, 2016 ~ hucktech ~ Leave a comment

Windows SMM Security Mitigations Table v1.0 – https://t.co/nEcdNCiPan

— Giuseppe `N3mes1s` (@gN3mes1s) April 20, 2016

https://twitter.com/rootkovska/status/72268142072921292
Windows SMM Security Mitigations Table v1.0
http://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx

Cr4sh on SMM exploits in Lenovo firmware!

February 24, 2016 ~ hucktech ~ Leave a comment

Dmytro Oleksiuk aka Cr4sh has a new blog post on SMM exploits on Lenovo firmware! Very well written and detailed, with source code!

Exploiting SMM callout vulnerabilities in Lenovo firmware
Hi, everyone. In this article I’ll continue to publish my research in PC firmware security field. In previous article, “Breaking UEFI security with software DMA attacks”, I’ve shown how to exploit UEFI boot script table vulnerability and get access to the SMRAM using software DMA attack under Linux. This time we will talk about discovering and exploitation of SMI dispatch vulnerabilities in UEFI System Management Mode drivers. For anyone who’s not familiar with architecture of SMM phase firmware code on UEFI based platforms I’ll strongly recommend to read my other article “Building reliable SMM backdoor for UEFI based platforms”, especially the part about communicating with SMM code using software SMI.

SMM vulnerabilities that I will talk about in this article aren’t new. Around one year ago LegbaCore and Intel Security published two works: “How Many Million BIOSes Would you Like to Infect?” and “A New Class of Vulnerabilities in SMI Handlers” correspondingly, they rediscovered some security issues in SMI handlers code that was actually a known problem among PC firmware developers (for example, same attacks was described in Loïc Duflot work “System Management Mode Design and Security Issues” presented six years ago). Nevertheless, researchers were able to find and report a lot of firmware vulnerabilities of this class in products like Lenovo, Dell, HP laptops and many others (CERT VU#631788). To play with these vulnerabilities I got ThinkPad T450s laptop. According to original security advisory by Lenovo (apparently, it has a lack of technical details) — some unspecified SMM callout vulnerabilities were patched in the latest version of it’s firmware and everything that we need to do is just find out and exploit one of these vulns. […]

http://blog.cr4.sh/2016/02/exploiting-smm-callout-vulnerabilities.html
https://github.com/Cr4sh/fwexpl

UEFI SMM hello world

November 23, 2015 ~ hucktech ~ Leave a comment

If you want to write UEFI SMM driver and can’t find any suitable example — here is SMM hello world from some guy https://t.co/IsrdGHYhKk

— Dmytro Oleksiuk 💥 d_olex@mastodon.social (@d_olex) April 18, 2015

https://docs.google.com/file/d/0B3M7WqiAoyr_NWI2NjdhYWUtMjE1NS00Njc2LThmZjItNWExZDZkYzUzMjJk/edit?authkey=CM6a8JYE&ddrp=1&hl=en&pli=1

This is also a useful blog post on the topic of beginning SMM drivers:

http://blog.cr4.sh/2015/07/building-reliable-smm-backdoor-for-uefi.html

as is this:

http://blogs.phoenix.com/phoenix_technologies_bios/2008/12/bios-undercover-writing-a-software-smi-handler.html

Laszlo’s OVMF SMM patch status

October 24, 2015October 31, 2015 ~ hucktech ~ Leave a comment

Laszlo Ersek of Red Hat has a huge patch to Tianocore, which adds SMM to OVMF, and just posted a detailed status update to the EDK2-devel mailing list, The current test results of patch look impressive! Pretend the following table is using a fixed font:

accel bits guest OS         OS boots efibootmgr works on S3 resume
—– —- ————— ——– ——————- ———
TCG    32    Fedlet 20141209 pass[1]   BSP and AP           pass
TCG    64    F21 XFCE LiveCD pass[1]   BSP and AP           fail[2]
KVM    32    Fedlet 20141209 pass      BSP and AP           pass
KVM    64    F21 XFCE LiveCD pass      BSP and AP           fail[2]
KVM    64    Windows 8.1      pass      n/a                  fail[2]

I’ve excerpted the key items from the TODO section of the status report: 🙂

* TODO:
– celebrate a bit this weekend (look at that “OS boots” column!)
– celebrate some more?

Full status report (including most of the details, and the omitted footnotes listed above):

http://article.gmane.org/gmane.comp.bios.edk2.devel/3357

(Also note that the EDK2-devel mailing list, which recently moved from SourceForge.net to Intel’s 01.org, is now hosted on Gmane under the gmane.bios.edk2 namespace. The previous SourceForge list is listed under the gmane.bios.tianocore namespace.)

LegbaCore adds BIOS/SMM training to OpenSecurityTraining.Info!

October 19, 2015 ~ hucktech ~ Leave a comment

The 2 day class "Introduction to BIOS & SMM" has been uploaded, thanks to the @legbacore folks http://t.co/nJuNbwuaRe

— OpenSecurityTraining2 (@OpenSecTraining) October 19, 2015

They’ve added a 2-day training course on BIOS/SMM, “Advanced x86: Introduction to BIOS & SMM”! The BIOS researchers at MITRE — and half of them now at LebaCore — are one of the main pioneers of BIOS research, and this is one of ther main training sessions. Wow!

“Around 2011, the trustworthy system measurement research project that Xeno Kovah was running at MITRE decided to start digging deeper than the Windows kernel and rootkit detection, to try and detect malicious software at the BIOS level. Xeno & Corey Kallenberg continued to work on Kernel, while team member John Butterworth was tasked with starting to learn about BIOS in parallel. John’s work led to the “BIOS Chronomancy” work (published at both BlackHat and ACM CCS), porting the team’s existing Timing-Based Attestation system from the kernel level down to the BIOS. Xeno then asked John to start making an open source training class to capture his knowledge, the same way that Xeno & Corey had captured their past knowledge on the project and uploaded it to OST. John created a 2 day Intro BIOS class and got it public released from MITRE. The intention originally was that it would cover all basics of BIOS which would be applicable to both legacy BIOS, CoreBoot, or UEFI-based systems. And then it was expected there would be a follow on class digging deeper into the specifics of UEFI. Unfortunately time prohibited the creation of that 2nd 2 days of classes focusing on UEFI, so you can see that some minimal UEFI content was eventually shoehorned into this class, though frequently there isn’t enough time to get to it within 2 days. It is our hope that this Introductory BIOS & SMM class will help demystify how x86 systems work at the low levels, so that people can better understand the BIOS/SMM/SecureBoot vulnerabilities described in the team’s work while at MITRE, and later after Xeno & Corey founded LegbaCore. With this knowledge in hand, hopefully students can fully appreciate and explain to others why it is so critical that BIOS patch management be performed by organizations, to eliminate the vulnerabilities that lurk at this level.

http://opensecuritytraining.info/IntroBIOS.html