Uncategorized

Tianocore gets Brotli compression support

BinX Song of Intel has submitted a patch to EDK2 with support for Google’s Brotli compression algorithm.

[PATCH 0/4] MdeModulePkg/BaseTools: Add Brotli algorithm support

Brotli algorithm has a little less compress ratio than Lzma, but has better decompress performance than it.  Add Brotli algorithm support, include Brotli decompression library and tool set.

Brotli is a generic-purpose lossless compression algorithm that compresses data using a combination of a modern variant of the LZ77 algorithm, Huffman coding and 2nd order context modeling, with a compression ratio comparable to the best currently available general-purpose compression methods. It is similar in speed with deflate but offers more dense compression.

More info:
https://lists.01.org/mailman/listinfo/edk2-devel
https://github.com/google/brotli
https://www.ietf.org/rfc/rfc7932.txt
https://groups.google.com/forum/#!forum/brotli

Standard
Uncategorized

Tianocore patch to increase memory protection

Ard Biesheuvel of Linaro submitted a V2 5-part patch to the EDK2 project, to harden UEFI more!

This is a proof of concept implementation that removes all executable permissions from writable memory regions, which greatly enhances security. It is based on Jiewen’s recent work, which is a step in the right direction, but still leaves most of memory exploitable due to the default R+W+X permissions. The idea is that the implementation of the CPU arch protocol goes over the memory map and removes exec permissions from all regions that are not already marked as ‘code. This requires some preparatory work to ensure that the DxeCore itself is covered by a BootServicesCode region, not a BootServicesData region. Exec permissions are re-granted selectively, when the PE/COFF loader allocates the space for it. Combined with Jiewen’s code/data split, this removes all RWX mapped regions.

Changes since v1:
– allocate code pages for PE/COFF images in PeiCore, so that DxeCore pages have the expected memory type (as suggested by Jiewen)
– add patch to inhibit page table updates while syncing the GCD memory space map with the page tables
– add PCD to set memory protection policy, which allows the policy for reserved and ACPI/NVS memory to be configured separately
– move attribute manipulation into DxeCore page allocation code: this way, we should be able to solve the EBC case by allocating BootServicesCode pool memory explicitly.

More info:
https://lists.01.org/mailman/listinfo/edk2-devel

Standard
Uncategorized

EDK2 test harness

Michael Kinney of Intel has created an edk2-test branch, to focus on testing!

I am creating a new branch in edk2-staging called edk2-test. The purpose of this branch is to develop a test harness, test case SDK, and library of test cases that can be used as part of edk2 validation. The initial version of this test harness is compatible with binary releases of the PI SCTs and UEFI SCTs, are native edk2 packages with no dependencies on the EdkCompatibilityPkg, and the test harness runs using the latest version of the UEFI Shell. 

Additional work items:
* Update to take advantage of latest edk2 features/libraries.
* Update for all supported CPU types
* Update for all supported compilers
* Review initial test harness features and determine what features should be dropped and what new features should be added.
* Determine where the test harness, test case SDK, and test cases should live once the initial functional and quality criteria are met.  Could be packages in the edk2 repo or packages in a new edk2-test repo.  Other options???
* Resolve compatibility issues with binary releases of the PI SCTs and UEFI SCTs.
* Update test harness to support PEI tests
* Update test harness to support Runtime tests
* Update test harness to support SMM tests
* Optimize performance of the test harness and tests.

More info:
https://lists.01.org/mailman/listinfo/edk2-devel

Standard
Uncategorized

Changes in Tianocore’s UEFI HTTP[S] Boot

After UEFI HTTP Boot was added to spec, HTTP support was added to the public Tianocore EDK2 tree. But initially there was no HTTPS support. Fast forward through a bunch of other branches and work, and now it looks like there’s nearly ready to have HTTPS in the EDK2 tree, given below patch. If you are using UEFI HTTP Boot withOUT httpS support, ask your vendor for an update!

 
Subject:     [edk2] [Patch 0/2] Enable the HTTP switch
If the value of PcdHttpEnable is TRUE, HTTP is enabled. Both the “http://” and “https://” schemes are acceptable. Otherwise, HTTP is disabled. The “http://” scheme will be denied.

More info:
https://lists.01.org/mailman/listinfo/edk2-devel

Standard
Uncategorized

Tianocore TLS library updated

Jiaxin Wu of Intel submitted a v2 update to the TLS library of Tianocore:

CryptoPkg: Add new TlsLib library

v2:
* Code refine and Typo fix:
TlsHandeAlert -> TlsHandleAlert

This patch is used to add new TlsLib library, which is wrapped over OpenSSL. The implementation provides TLS library functions for EFI TLS protocol and EFI TLS Configuration Protocol.

More info:
https://lists.01.org/mailman/listinfo/edk2-devel

Standard
Uncategorized

Tianocore updates Security Advisories

Previously, the advisories were in PDF format. There were 2 advisories, each PDF contained a number (19?, I forget) of issues. Now, they’ve moved to Github-hosted content using Gitbooks.

I’ve not yet checked if there are any NEW advisories in the new content.

https://www.gitbook.com/book/edk2-docs/security-advisory/details

Standard
Uncategorized

UEFI Capsule-Update and Recovery

On the EDK2-Devel mailing list, Michael Kinney of Intel has started a new EDK2 wiki page on UEFI Capsule-Based-Firmware Update/Recovery. Capsule Updates are how UEFI-based firmware updates itself.

Draft of documentation for Signed Capsule Feature:
I have started a draft of Wiki pages that describe how to use and verify the Signed Capsule feature from Jiewen Yao. I have focused this first draft on the system firmware update use case for signed capsules. Please review this content and provide feedback. I will work on the remaining 3 signed capsule use cases while the content for this fist use case is reviewed. I plan to add this content to the edk2 Wiki once the reviews are completed.

https://github.com/mdkinney/edk2/wiki/Capsule-Based-Firmware-Update-and-Firmware-Recovery

https://github.com/mdkinney/edk2/wiki/Capsule-Based-System-Firmware-Update

https://lists.01.org/mailman/listinfo/edk2-devel

Standard