Hastily-written news/info on the firmware security/development communities, sorry for the typos.
The UEFI Forum has a new infographic that has some information and guidance on security. The information is useful for a new audience, and most people are new to firmware security.
This WordPress-based blog embeds an URL to the JPEG.
See-also the home page: https://www.uefi.org/
Re: https://firmwaresecurity.com/2018/06/27/uefi-forum-firmware-security-101-webinar/
I just noticed that the video of this webinar is now online. Nice, you don’t have to register for it, thanks.
https://www.uefi.org/node/3877
Michael Krau, Industry Communications Working Group Chair
Eric Johnson, American Megatrends, Inc.
Tim Lewis, Insyde Software
Dick Wilkins, Phoenix Technologies
Vincent Zimmer, Intel
The panelists will outline the major challenges currently facing platform security, how the UEFI Forum and UEFI specification address these challenges and finally, how you can join us in the battle to protect firmware from outside threats. The webinar is open to the public and attendees will get the chance to participate in a live Q&A session.
http://www.uefi.org/node/3877
https://register.gotowebinar.com/register/3708207810278601474
https://www.gotomeeting.com/webinar/join-webinar
The UEFI Forum is doing a webinar on Firmware Security! I don’t know if GoToMeeting supports this with webinars, but it’d be nice if you could make the audio archive available for those who can’t dial in, or need time to listen to audio to translate to their native language.
Tuesday, July 24 at 9:00 am PT
FIRMWARE SECURITY 101 WEBINAR
The Firmware Security 101 Webinar will feature a panel of firmware security experts representing the Forum, including:
Moderator:
Michael Krau, Industry Communications Working Group Chair
Panelists:
Eric Johnson, American Megatrends, Inc.
Tim Lewis, Insyde Software
Vincent Zimmer, Intel
The panelists will outline the major challenges currently facing platform security, how the UEFI Forum and UEFI specification address these challenges and finally, how you can join us in the battle to protect firmware from outside threats. The webinar is open to the public and attendees will get the chance to participate in a live Q&A session.
Registration for this free, one-hour webcast will open in the next couple of weeks.
Looks like some of the videos from the recent plugfest are now online, there’s at least one security video online available:
https://www.youtube.com/channel/UCNB_fDQLXM9lGLu9ODPAnKw
* State of the UEFI – Mark Doran (UEFI Forum President)
* An Introduction to Platform Security – Brent Holtsclaw and John Loucaides (Intel)
* Firmware Security: Hot Topics to Watch – Dick Wilkins (Phoenix Technologies, Ltd.)
* UEFI Updates, Secure firmware and Secure Services on Arm – Dong Wei and Matteo Carlini (Arm)
* The State of ACPI Source Language (ASL) Programming – Erik Schmauss (Intel)
* Implementing MicroPython as a UEFI Test Framework – Chris McFarland (Intel)
* UEFI and the Security Development Lifecycle – Tim Lewis (Insyde)
* Attacking and Defending the Platform – Erik Bjorge and Maggie Jauregui (Intel)
* Microsoft Security Features and Firmware Configurations – Scott Anderson, Jeremiah Cox and Michael Anderson (Microsoft)
* Dynamic Tables Framework: A Step Towards Automatic Generation of Advanced Configuration and Power Interface (ACPI) & System Management BIOS (SMBIOS) Tables – Sami Mujawar (Arm)
* Microsoft Sample Code on GitHub and Walkthrough on Firmware Updates to Windows Update (WU) – Bret Barkelew, Keith Kepler, and Michael Anderson (Microsoft)
* Embedded Development Kit 2 (EDK2): Platforms Overview – Leif Lindholm (Linaro)
* Enabling Advanced NVMe Features Through UEFI – Zachary Bobroff (AMI)
https://uefi.blogspot.com/2018/04/spring-2018-uefi-plugfest-presentations.html
http://www.uefi.org/learning_center/presentationsandvideos
I expect videos on Youtube shortly after PDFs have become available.
Tianocore, not the UEFI Forum, has released UDK2018, the latest UEFI Dev Kit, a snapshot of the EDK-II, tied to particular revision of the specs.
https://github.com/tianocore/tianocore.github.io/wiki/UDK2018-Core-Update-Notes
https://github.com/tianocore/tianocore.github.io/wiki/UDK2018-Key-Features
https://github.com/tianocore/tianocore.github.io/wiki/UDK2018
https://github.com/tianocore/edk2/releases/tag/vUDK2018
https://github.com/tianocore-docs/Docs/blob/master/UDK/UDK2018/SecurityPkgNotes.md
Richard Wilkins of Phoenix Technologies has an article in Embedded Computing about UEFI-based IoT security:
[…]This article is focused on system startup/firmware and the potential security problems for IoT devices in that space. And most important, what to do about them.[…]
http://www.embedded-computing.com/articles/firmware-security-for-iot-devices
PS: RANT… for some reason, one sentence jumped out at me:
“So why isn’t everyone using UEFI firmware? If the UEFI architecture provides the “solution” to these security threats, why isn’t everyone using it?”
I think the answer: UEFI is *A* solution, there are other solutions. Coreboot with Heads is another solution. Coreboot with Verified Boot is another solution. Using TXT and TPM measurements are other layers. Hypervisors/TEEs/SEEs are another layer. Separate security processors are another way. What is the right way, why isn’t everyone using one way? While I am a UEFI Forum member, I don’t think UEFI everyone should be using it. I welcome firmware diversity. 🙂 IMO, there are multiple implementations of signed code, signed updates, and a signed boot-up process, controlled by multiple (not a single) organization. I’m still hoping to see some professor gets a grad student to write a report doing a proper comparision of the various modern firmware security implementations’ strengths, so someone can start to make a reasonale decision as to which firmware security architecture is the solution for them.
The UEFI Plugfest is in Seattle later this month.
I guess I missed the CFP, as the agenda is now available… 😦
* Intel: An Introduction to Platform Security
* Phoenix: TBD
* Arm:UEFI Updates, Secure Firmware and Secure Services on Arm
* Intel: The State of ASL Programming
* Intel: Implementing MicroPython in UEFI
* Insyde Software: UEFI and the Security Development Lifecycle
* Intel: Attacking and Defending the Platform
* Microsoft: Microsoft Security Features and Firmware Configurations
* Arm: Dynamic Tables Framework: A Step Towards Automatic Generation of ACPI & SMBIOS Tables
* Microsoft: Microsoft Sample Code on GitHub and Walkthrough on Firmware Updates and WU
* Linaro: Edk2-Platforms Overview
* AMI: Enabling Advanced NVMe Features Through UEFI
Here’s the list of new ACPI specs for 2017 (so far), 2 new entries in November, first update since Summer:
Company ACPI ID Approved on Date
VR Technology Holdings Limited 3GVR 01/19/2017
Exar Corporation EXAR 02/28/2017
Coreboot Project BOOT 02/28/2017
Marvell Technology Group Ltd. MRVL 05/25/2017
IHSE GmbH IHSE 06/22/2017
Insyde Software INSY 11/10/2017
Nexstgo Company Limited NXGO 11/13/2017
http://www.uefi.org/acpi_id_list
http://www.uefi.org/uefi-acpi-export (XLS download)
For the 2 new entries, I can’t find any data on what their ACPI tables do, nor where their specs are:
http://www.nexstgo.com/
http://www.catalog.update.microsoft.com/ScopedViewInline.aspx?updateid=1724ebc5-cbbf-407f-a4da-c3b769f88690
It is a shame that the spreadsheet doesn’t have a column with more useful info, eg: URL to the vendor’s spec, perhaps which HW/OS it is valid for, which version of ACPI it requires, flag if table has FWTS test, license of vendor’s spec (eg, click-through EULA required for some ARM/MSFT/TCG docs), etc.
Fall 2017 UEFI Plugfest – October 30-November 3, 2017
State of the UEFI – Mark Doran (UEFI Forum President)
UEFI Security Response Team (USRT) – Dick Wilkins (UEFI Forum)
“Last Mile” Barriers to Removing Legacy BIOS – Brian Richardson (Intel)
UEFI Firmware Security Concerns and Best Practices – Dick Wilkins (Phoenix)
Strategies for Stronger Software SMI Security in UEFI Firmware – Tim Lewis (Insyde)
UEFI in Arm Platform Architecture – Dong Wei (ARM)
Self-Certification Tests (SCTs) in UEFI World – Eric Jin (Intel) and Alex Hung (Canonical)
Firmware Test Suite -Uses, Development, Contribution and GPL – Alex Hung (Canonical)
Near Field Communication (NFC) and UEFI – Tony Lo (AMI)
EDK2 Platforms Overview – Leif Lindholm (Linaro)
UEFI Manageability and REST Services – Abner Chang (HPE) and Ting Ye (Intel)
The current plugfest ended a few days ago. The UEFI Forum has announced the next plugfest will be in Seattle next Spring:
Spring 2018 UEFI Plugfest
Mar. 26-30, 2018
Embassy Suites by Hilton Seattle Bellevue, 3225 158th Ave SE, Bellevue, WA 98008
FWTS is the recommended ACPI test tool by the UEFI Forum!
Here’s the info from the changelog:
Missing space in title of ACPI RAS Feature Table (RASF)
Typos in Extended PCC subspaces (types 3 and 4)
Add a new NFIT Platform Capabilities Structure
PPTT ID Type Structure offsets
Remove bits 2-4 in the Platform RAS Capabilities Bitmaptable
Region Format Interface Code description
Remove support for multiple GICD structures
PDTT typos and PPTT reference Revision History
Minor correction to Trigger Action Table
General Purpose Event Handling flow
http://uefi.org/specifications
If you really want to understand what has changed in the ACPI and UEFI specs, you need to join the UEFI Forum, so you can access the Mantis bug database and understand what the Mantis numbers in the ACPI and UEFI spec revision history refer to…
FWTS has had ACPI tests for a while, and it’s basically the best public set of ACPI tests available. Better than anything the UEFI Forum has, like the SCTs. They’ve been using FWTS in the UEFI plugfests for a while, for ACPI purposes. Now the UEFI Forum is more formally recommending FWTS. Alex Hung of Canonical announces a new milestone for FWTS, the FirmWare Test Suite:
FWTS 17.03.00 is recommended as the ACPI 6.1 SCT
We have achieved another important milestone! The UEFI Board of Directors recommends Firmware Test Suite (FWTS) release 17.03.00 as the ACPI v6.1 Self-Certification Test (SCT), More information is available at:
http://www.uefi.org/testtools
Thank you all for who contributed patches, reported bugs, provided feedbacks and used FWTS in your work.
Thanks, FWTS, for having the best ACPI tests available!
Full announcement:
https://lists.ubuntu.com/mailman/listinfo/fwts-announce
The UEFI Forum issued a press release today, about ARM joining the board.
UEFI Forum Appoints ARM to Board of Directors Fortifying Its Commitment to Firmware Innovation
ARM Strengthens Its Long-Standing Presence and Contributions to the UEFI Ecosystem
June 06, 2017 11:00 AM Eastern Daylight Time
BEAVERTON, Ore.–(BUSINESS WIRE)–The UEFI Forum, a non-profit industry standards body that champions firmware advancement through industry collaboration and advocacy of firmware technology standards, announced today that ARM has been appointed to the UEFI Forum Board of Directors.[…]
The UEFI Forum has updated their specs.
UEFI Spec v2.7
http://www.uefi.org/sites/default/files/resources/UEFI_Spec_2_7.pdf
PI v1.6
http://www.uefi.org/sites/default/files/resources/PI_Spec_1_6.pdf
ACPI v6.2
http://www.uefi.org/sites/default/files/resources/ACPI_6_2.pdf
SCT v2.5A
http://www.uefi.org/testtools
http://uefi.org/specsandtesttools
http://uefi.org/specifications
Brian Richardson of Intel announced a pre-release of UDK2017, a snapshot of the Tianocore.org EDK2 trunk code matching a set of UEFI.org specs.
Information on UDK2017, the next stable snapshot release of EDK II, is available on the TianoCore wiki.
From the release page on the wiki, here’s the list of
UDK2017 Key Features
Industry Standards & Public Specifications
UEFI 2.6
UEFI PI 1.4a
UEFI Shell 2.2
SMBIOS 3.1.1
Intel® 64 and IA-32 Architectures Software Developer Manuals
Storage Technologies
NVMe
RAM Disk (UEFI 2.6, Section 12.17, RAM Disk Protocol)
Compilers
GCC 5.x
CLANG/LLVM
NASM
OpenSSL 1.1.0
UEFI HTTP/HTTPS Boot
Adapter Information Protocol
Regular Expression Protocol
Signed Capsule Update
Signed Recovery Images
SMM Communication Buffer Protections
STM Launch
Memory Allocation/Free Profiler
NX Page Protection in DXE
LZMA Compression 16.04
Brotli Compression
MP Init Library
https://github.com/tianocore/tianocore.github.io/wiki/UDK2017
They could have at least included the list of the 20+ companies in the press release. ;-(
In anticipation of the first China-based UEFI event in ten years, over 20 new members in China joined the UEFI Forum—indicating significant interest in UEFI technology in the greater China region. Additionally, in attendance from the region were prominent member companies including H3C and Inspur, Lenovo, Loongson Technology Corporation Limited, and Sugon.
http://finance.yahoo.com/news/20-china-based-companies-join-020000847.html
https://uefi.blogspot.com/2017/03/uefi-plugfest-2017-in-nanjing.html
Tim Lewis of Insyde has a blog post with an update for the UEFI plugfest. *Multiple* presentations on security!!
State of UEFI – Mark Doran (Intel)
Keynote: China Information Technology Ecosystem – Guangnan Ni (Chinese Academy of Engineering).
The Role of UEFI Technologies Play in ARM Platform Architecture – Dong Wei (ARM)
ARM Server’s Firmware Security – Zhixiong (Jonathan) Zhang, Cavium
SMM Protection in EDK II – Jiewen Yao (Intel)
Server RAS and UEFI CPER – Mao Lucia and Spike Yuan (Intel)
A More Secure and Better User Experience for OS-based Firmware Update – David Liu (Phoenix)
UEFI and IoT: Best Practices in Developing IoT Firmware Solutions – Hawk Chen (Byosoft)
Establishing and Protecting a Chain of Trust with UEFI – David Chen (Insyde)
Implementation of Hypervisor in UEFI Firmware – Kangkang Shen (Huawei)
Lessons Learned from Implementing a Wi-Fi and BT Stack – Tony Lo (AMI)
UEFI Development Anti-Patterns – Chris Stewart (HP)
It looks like there have been 3 new ACPI regisrations so far this year:
Coreboot Project BOOT 02/28/2017
https://www.coreboot.org/
Exar Corporation EXAR 02/28/2017
https://www.exar.com/
VR Technology Holdings Limited 3GVR 01/19/2017
http://www.3glasses.com/en/
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
In-depth discussion of security, cybersecurity and technology trends affecting trust in computing, as well as timely security news, trends, and practical security guidance
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Discover the Desktop
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
News from coreboot world
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
Just another WordPress.com site
Hastily-written news/info on the firmware security/development communities, sorry for the typos.
