reminder: July24th: UEFI Forum’s first security webinar

Michael Krau, Industry Communications Working Group Chair
Eric Johnson, American Megatrends, Inc.
Tim Lewis, Insyde Software
Dick Wilkins, Phoenix Technologies
Vincent Zimmer, Intel

The panelists will outline the major challenges currently facing platform security, how the UEFI Forum and UEFI specification address these challenges and finally, how you can join us in the battle to protect firmware from outside threats. The webinar is open to the public and attendees will get the chance to participate in a live Q&A session.

http://www.uefi.org/node/3877
https://register.gotowebinar.com/register/3708207810278601474
https://www.gotomeeting.com/webinar/join-webinar

UEFI Forum: Firmware Security 101 Webinar

The UEFI Forum is doing a webinar on Firmware Security! I don’t know if GoToMeeting supports this with webinars, but it’d be nice if you could make the audio archive available for those who can’t dial in, or need time to listen to audio to translate to their native language.

http://www.uefi.org/node/3877

Tuesday, July 24 at 9:00 am PT

FIRMWARE SECURITY 101 WEBINAR

The Firmware Security 101 Webinar will feature a panel of firmware security experts representing the Forum, including:

Moderator:
Michael Krau, Industry Communications Working Group Chair

Panelists:
Eric Johnson, American Megatrends, Inc.
Tim Lewis, Insyde Software
Vincent Zimmer, Intel

The panelists will outline the major challenges currently facing platform security, how the UEFI Forum and UEFI specification address these challenges and finally, how you can join us in the battle to protect firmware from outside threats. The webinar is open to the public and attendees will get the chance to participate in a live Q&A session.

Registration for this free, one-hour webcast will open in the next couple of weeks.

Spring 2018 UEFI Forum plugfest presentations uploaded

* State of the UEFI – Mark Doran (UEFI Forum President)
* An Introduction to Platform Security – Brent Holtsclaw and John Loucaides (Intel)
* Firmware Security: Hot Topics to Watch – Dick Wilkins (Phoenix Technologies, Ltd.)
* UEFI Updates, Secure firmware and Secure Services on Arm – Dong Wei and Matteo Carlini (Arm)
* The State of ACPI Source Language (ASL) Programming – Erik Schmauss (Intel)
* Implementing MicroPython as a UEFI Test Framework – Chris McFarland (Intel)
* UEFI and the Security Development Lifecycle – Tim Lewis (Insyde)
* Attacking and Defending the Platform – Erik Bjorge and Maggie Jauregui (Intel)
* Microsoft Security Features and Firmware Configurations – Scott Anderson, Jeremiah Cox and Michael Anderson (Microsoft)
* Dynamic Tables Framework: A Step Towards Automatic Generation of Advanced Configuration and Power Interface (ACPI) & System Management BIOS (SMBIOS) Tables – Sami Mujawar (Arm)
* Microsoft Sample Code on GitHub and Walkthrough on Firmware Updates to Windows Update (WU) – Bret Barkelew, Keith Kepler, and Michael Anderson (Microsoft)
* Embedded Development Kit 2 (EDK2): Platforms Overview – Leif Lindholm (Linaro)
* Enabling Advanced NVMe Features Through UEFI – Zachary Bobroff (AMI)

https://uefi.blogspot.com/2018/04/spring-2018-uefi-plugfest-presentations.html

http://www.uefi.org/learning_center/presentationsandvideos

I expect videos on Youtube shortly after PDFs have become available.

Tianocore releases UDK2018

Tianocore, not the UEFI Forum, has released UDK2018, the latest UEFI Dev Kit, a snapshot of the EDK-II, tied to particular revision of the specs.

https://github.com/tianocore/tianocore.github.io/wiki/UDK2018-Core-Update-Notes

https://github.com/tianocore/tianocore.github.io/wiki/UDK2018-Key-Features

https://github.com/tianocore/tianocore.github.io/wiki/UDK2018

https://github.com/tianocore/edk2/releases/tag/vUDK2018

https://github.com/tianocore-docs/Docs/blob/master/UDK/UDK2018/SecurityPkgNotes.md

 

Richard Wilkins of Phoenix on UEFI-based IoT security (and rant on firmware diversity)

Richard Wilkins  of Phoenix Technologies has an article in Embedded Computing about UEFI-based IoT security:

[…]This article is focused on system startup/firmware and the potential security problems for IoT devices in that space. And most important, what to do about them.[…]

http://www.embedded-computing.com/articles/firmware-security-for-iot-devices

PS: RANT… for some reason, one sentence jumped out at me:

“So why isn’t everyone using UEFI firmware? If the UEFI architecture provides the “solution” to these security threats, why isn’t everyone using it?”

I think the answer: UEFI is *A* solution, there are other solutions. Coreboot with Heads is another solution. Coreboot with Verified Boot is another solution. Using TXT and TPM measurements are other layers. Hypervisors/TEEs/SEEs are another layer. Separate security processors are another way. What is the right way, why isn’t everyone using one way? While I am a UEFI Forum member, I don’t think UEFI everyone should be using it. I welcome firmware diversity. 🙂 IMO, there are multiple implementations of signed code, signed updates, and a signed boot-up process, controlled by multiple (not a single) organization. I’m still hoping to see some professor gets a grad student to write a report doing a proper comparision of the various modern firmware security implementations’ strengths, so someone can start to make a reasonale decision as to which firmware security architecture is the solution for them.

UEFI Forum Spring 2018 plugfest agenda

The UEFI Plugfest is in Seattle later this month.

I guess I missed the CFP, as the agenda is now available… 😦

* Intel: An Introduction to Platform Security
* Phoenix: TBD
* Arm:UEFI Updates, Secure Firmware and Secure Services on Arm
* Intel: The State of ASL Programming
* Intel: Implementing MicroPython in UEFI
* Insyde Software: UEFI and the Security Development Lifecycle
* Intel: Attacking and Defending the Platform
* Microsoft: Microsoft Security Features and Firmware Configurations
* Arm: Dynamic Tables Framework: A Step Towards Automatic Generation of ACPI & SMBIOS Tables
* Microsoft: Microsoft Sample Code on GitHub and Walkthrough on Firmware Updates and WU
* Linaro: Edk2-Platforms Overview
* AMI: Enabling Advanced NVMe Features Through UEFI

http://uefi.org/SpringPlugfest2018

New ACPI IDs for November: Nexstgo and Insyde

Here’s the list of new ACPI specs for 2017 (so far), 2 new entries in November, first update since Summer:

Company ACPI ID Approved on Date
VR Technology Holdings Limited 3GVR 01/19/2017
Exar Corporation EXAR 02/28/2017
Coreboot Project BOOT 02/28/2017
Marvell Technology Group Ltd. MRVL 05/25/2017
IHSE GmbH IHSE 06/22/2017
Insyde Software INSY 11/10/2017
Nexstgo Company Limited NXGO 11/13/2017

http://www.uefi.org/acpi_id_list

http://www.uefi.org/uefi-acpi-export (XLS download)

For the 2 new entries, I can’t find any data on what their ACPI tables do, nor where their specs are:

http://www.nexstgo.com/
http://www.catalog.update.microsoft.com/ScopedViewInline.aspx?updateid=1724ebc5-cbbf-407f-a4da-c3b769f88690

https://www.insyde.com/

It is a shame that the spreadsheet doesn’t have a column with more useful info, eg: URL to the vendor’s spec, perhaps which HW/OS it is valid for, which version of ACPI it requires, flag if table has FWTS test, license of vendor’s spec (eg, click-through EULA required for some ARM/MSFT/TCG docs), etc.

Fall UEFI plugfest presentations uploaded

Fall 2017 UEFI Plugfest – October 30-November 3, 2017

State of the UEFI – Mark Doran (UEFI Forum President)
UEFI Security Response Team (USRT) – Dick Wilkins (UEFI Forum)
“Last Mile” Barriers to Removing Legacy BIOS – Brian Richardson (Intel)
UEFI Firmware Security Concerns and Best Practices – Dick Wilkins (Phoenix)
Strategies for Stronger Software SMI Security in UEFI Firmware – Tim Lewis (Insyde)
UEFI in Arm Platform Architecture – Dong Wei (ARM)
Self-Certification Tests (SCTs) in UEFI World – Eric Jin (Intel) and Alex Hung (Canonical)
Firmware Test Suite -Uses, Development, Contribution and GPL – Alex Hung (Canonical)
Near Field Communication (NFC) and UEFI – Tony Lo (AMI)
EDK2 Platforms Overview – Leif Lindholm (Linaro)
UEFI Manageability and REST Services – Abner Chang (HPE) and Ting Ye (Intel)

http://www.uefi.org/learning_center/presentationsandvideos

ACPI 6.2 errata A released

FWTS is the recommended ACPI test tool by the UEFI Forum!

Here’s the info from the changelog:
Missing space in title of ACPI RAS Feature Table (RASF)
Typos in Extended PCC subspaces (types 3 and 4)
Add a new NFIT Platform Capabilities Structure
PPTT ID Type Structure offsets
Remove bits 2-4 in the Platform RAS Capabilities Bitmaptable
Region Format Interface Code description
Remove support for multiple GICD structures
PDTT typos and PPTT reference Revision History
Minor correction to Trigger Action Table
General Purpose Event Handling flow

http://uefi.org/specifications

If you really want to understand what has changed in the ACPI and UEFI specs, you need to join the UEFI Forum, so you can access the Mantis bug database and understand what the Mantis numbers in the ACPI and UEFI spec revision history refer to…

 

UEFI Forum recommends FWTS for it’s ACPI tests

FWTS has had ACPI tests for a while, and it’s basically the best public set of ACPI tests available. Better than anything the UEFI Forum has, like the SCTs. They’ve been using FWTS in the UEFI plugfests for a while, for ACPI purposes. Now the UEFI Forum is more formally recommending FWTS. Alex Hung of Canonical announces a new milestone for FWTS, the FirmWare Test Suite:

FWTS 17.03.00 is recommended as the ACPI 6.1 SCT

We have achieved another important milestone! The UEFI Board of Directors recommends Firmware Test Suite (FWTS) release 17.03.00 as the ACPI v6.1 Self-Certification Test (SCT), More information is available at:
http://www.uefi.org/testtools
Thank you all for who contributed patches, reported bugs, provided feedbacks and used FWTS in your work.

Thanks, FWTS, for having the best ACPI tests available!

 

Full announcement:
https://lists.ubuntu.com/mailman/listinfo/fwts-announce

 

ARM joins UEFI Forum Board

The UEFI Forum issued a press release today, about ARM joining the board.

UEFI Forum Appoints ARM to Board of Directors Fortifying Its Commitment to Firmware Innovation

ARM Strengthens Its Long-Standing Presence and Contributions to the UEFI Ecosystem
June 06, 2017 11:00 AM Eastern Daylight Time

BEAVERTON, Ore.–(BUSINESS WIRE)–The UEFI Forum, a non-profit industry standards body that champions firmware advancement through industry collaboration and advocacy of firmware technology standards, announced today that ARM has been appointed to the UEFI Forum Board of Directors.[…]

http://www.businesswire.com/news/home/20170606005502/en/UEFI-Forum-Appoints-ARM-Board-Directors-Fortifying

http://www.uefi.org/node/3715

 

 

 

UEFI updates specs

The UEFI Forum has updated their specs.

UEFI Spec v2.7
http://www.uefi.org/sites/default/files/resources/UEFI_Spec_2_7.pdf

PI v1.6
http://www.uefi.org/sites/default/files/resources/PI_Spec_1_6.pdf

ACPI v6.2
http://www.uefi.org/sites/default/files/resources/ACPI_6_2.pdf

SCT v2.5A
http://www.uefi.org/testtools

http://uefi.org/specsandtesttools
http://uefi.org/specifications

UEFI UDK2017 pre-release available

Brian Richardson of Intel announced a pre-release of UDK2017, a snapshot of the Tianocore.org EDK2 trunk code matching a set of UEFI.org specs.

Information on UDK2017, the next stable snapshot release of EDK II, is available on the TianoCore wiki.

From the release page on the wiki, here’s the list of

UDK2017 Key Features
    Industry Standards & Public Specifications
        UEFI 2.6
        UEFI PI 1.4a
        UEFI Shell 2.2
        SMBIOS 3.1.1
        Intel® 64 and IA-32 Architectures Software Developer Manuals
    Storage Technologies
        NVMe
        RAM Disk (UEFI 2.6, Section 12.17, RAM Disk Protocol)
    Compilers
        GCC 5.x
        CLANG/LLVM
        NASM
    OpenSSL 1.1.0
    UEFI HTTP/HTTPS Boot
    Adapter Information Protocol
    Regular Expression Protocol
    Signed Capsule Update
    Signed Recovery Images
    SMM Communication Buffer Protections
    STM Launch
    Memory Allocation/Free Profiler
    NX Page Protection in DXE
    LZMA Compression 16.04
    Brotli Compression
    MP Init Library

https://github.com/tianocore/tianocore.github.io/wiki/UDK2017

More info:
https://lists.01.org/mailman/listinfo/edk2-devel

20+ China-based companies join UEFI Forum

They could have at least included the list of the 20+ companies in the press release. ;-(

In anticipation of the first China-based UEFI event in ten years, over 20 new members in China joined the UEFI Forum—indicating significant interest in UEFI technology in the greater China region. Additionally, in attendance from the region were prominent member companies including H3C and Inspur, Lenovo, Loongson Technology Corporation Limited, and Sugon.

http://finance.yahoo.com/news/20-china-based-companies-join-020000847.html

http://uefi.org/members

UEFI Plugfest slides uploaded

https://uefi.blogspot.com/2017/03/uefi-plugfest-2017-in-nanjing.html

Tim Lewis of Insyde has a blog post with an update for the UEFI plugfest. *Multiple* presentations on security!!

 State of UEFI – Mark Doran (Intel)
 Keynote: China Information Technology Ecosystem – Guangnan Ni (Chinese Academy of Engineering).
 The Role of UEFI Technologies Play in ARM Platform Architecture – Dong Wei (ARM)
 ARM Server’s Firmware Security – Zhixiong (Jonathan) Zhang, Cavium
 SMM Protection in EDK II – Jiewen Yao (Intel)
 Server RAS and UEFI CPER – Mao Lucia and Spike Yuan (Intel)
 A More Secure and Better User Experience for OS-based Firmware Update – David Liu (Phoenix)
 UEFI and IoT: Best Practices in Developing IoT Firmware Solutions – Hawk Chen (Byosoft)
 Establishing and Protecting a Chain of Trust with UEFI – David Chen (Insyde)
 Implementation of Hypervisor in UEFI Firmware – Kangkang Shen (Huawei)
 Lessons Learned from Implementing a Wi-Fi and BT Stack – Tony Lo (AMI)
  UEFI Development Anti-Patterns – Chris Stewart (HP)

http://www.uefi.org/learning_center/presentationsandvideos