Uncategorized

DIY Root of Trust using ARM Trusted Firmware on the 96Boards Hikey

This is a series of notes designed to be a walkthrough on how to configure the HiKey Kirin 620 to boot securely with ARM Trusted Firmware’s Trusted Board Boot. This does not use any proprietary settings or vendor-specific details about the SoC. Instead, the secure boot path relies on the SoC’s BOOT_SEL configured to boot solely from the eMMC. With this configuration there should be no way to interrupt or bypass the root of trust via runtime changes.[…]

https://casualhacking.io/blog/2018/7/8/diy-root-of-trust-using-arm-trusted-firmware-on-the-96boards-hikey

https://www.96boards.org/documentation/consumer/hikey/getting-started/

Standard
Uncategorized

CVE-2018-1000205: U-Boot, Verified Boot input validation

Re: https://firmwaresecurity.com/2018/06/26/cve-2018-1000205-u-boot/

and https://firmwaresecurity.com/2018/06/07/teddy-reed-on-u-boots-verified-boot/

There is now a description for the CVE. Ah, this makes sense, the Verified Boot issues that Teddy Reed brought up earlier:

U-Boot contains a CWE-20: Improper Input Validation vulnerability in Verified boot signature validation that can result in Bypass verified boot. This attack appear to be exploitable via Specially crafted FIT image and special device memory functionality.

https://nvd.nist.gov/vuln/detail/CVE-2018-1000205

https://lists.denx.de/pipermail/u-boot/2018-June/330454.html

https://lists.denx.de/pipermail/u-boot/2018-June/330898.html

Standard
Uncategorized

Teddy Reed on U-Boot’s Verified Boot

Teddy Reed, author of UEFI Firmware Parser, among other things, has some U-Boot Verified Boot issues:

Verified boot production uses question

Hi all, question, is anyone using the U-Boot verified-boot in production? I am using configuration verification for several OpenCompute/OpenBMC boards. After a deep-dive review I found some edge cases that in rare circumstances could lead to a signature check bypass. I think this is low-risk at best since the scenario requires special hardware behavior to exist. Our board were susceptible in the general sense, but we had implemented some additional sanity checks on the FIT structures that
prevented this. There are some proposed changes that attempt to mitigate this [1], [2], [3]. Any one of these changes mitigates the bypass scenario. If you don’t mind reaching out to me I can share the exact situation/details.

[1] https://lists.denx.de/pipermail/u-boot/2018-June/330454.html
[2] https://lists.denx.de/pipermail/u-boot/2018-June/330487.html
[3] https://lists.denx.de/pipermail/u-boot/2018-June/330599.html

https://lists.denx.de/pipermail/u-boot/2018-June/330898.html

Standard
Uncategorized

Teddy Reed: Exploring secured boot on the Sabre Lite i.MX6S (v1.3) SBC and NXP HABv4

Exploring secured boot on the Sabre Lite i.MX6S (v1.3) SBC and NXP HABv4
February 10, 2018

This document is a linear review of my notes taken while exploring the Sabre Lite single-board-computer. It is a mildly expensive ($200 from Boundary Devices) SBC but it has a well documented secure boot implementation rooted in silicon ROM. It is a very good example of a vendor proprietary firmware verification mechanism. The goal of this article is purely an overview of notes, nothing here is novel or groundbreaking and it is not intended to be a tutorial.[…]

https://prosauce.org/blog/2018/2/10/exploring-secured-boot-on-the-sabre-lite-imx6s-v13-sbc-and-nxp-habv4

The i/MX image header, where Image Data can be U-Boot, followed by an optional CSF.

Standard
Uncategorized

more from Duo on Apple EFI security

Nice, in addition to an upcoming new EFI tool, it appears Duo has some defensive advise, using OSQuery, Puppet, and Chef. Click on the first tweet below for an image from their upcoming presentation.

 

Note that Teddy Reed is giving a presentation on OSQuery in November at Usenix LISA:

Pepjin’s Apple EFI version spreadsheet:

https://docs.google.com/spreadsheets/d/1qGRVF1aRokQgm_LuTsFUN2Knrh0Sd3Gp0ziC_VIWqoM/edit#gid=0

Standard
Uncategorized

Team Security on UEFI malware

Team Security has an article on firmware malware, focusing on UEFI-centric malware, with many references to VirusTotal.com-based images.

[…]”We would like to specially thank Teddy Reed, developer of the UEFI firmware python parser, he has been instrumental in helping us overcome our ignorance about BIOS, UEFI, and its ecosystem.”

https://tsecurity.de/de/109335/IT-Security/Malware-Trojaner-Viren/Putting-the-spotlight-on-firmware-malware/

Standard
Uncategorized

Teddy Reed’s intro to ARM-TF, OP-TEE, and ARM UEFI

“This is a walkthrough for flashing custom ARM Trusted Firmware, OP-TEE, and the ARM UEFI Platform code on the Hikey board. Custom means code we’ve built it on our development machine, we’re not making any changes to these reference implementations just yet.[…]

https://prosauce.org/blog/2016/11/25/hands-on-introduction-to-arm-firmware-using-the-hikey

Standard