http://uefi.org/node/3443
UEFI Plugfest – Spring 2016
Event Date: March 29 – April 1
Location: Capital Hotel Taipei, Taiwan
Hosted By: Phoenix Technologies
Date(s): Tuesday, March 29, 2016 to Friday, April 1, 2016
Tag: UEFI Forum
ACPI 5.1a/6.0 GIC structure inconsistency
Mark Doron of Intel posted a message to the Linux-ACPI and Linux-Kernel lists, clarifying some spec deltas between ACPI 5.1a and 6.0, specificaly for the GIC structure. Most of Mark’s message is quoted verbatim below, see the Linux-ACPI list archives for the full post.
Watch this site for any 2016-dated specs, for an update: http://uefi.org/acpi
GIC version inconsistency in ACPI 5.1a versus 6.0 documents
Hi Everyone:
I have been asked to post here on behalf of the UEFI Forum’s ACPI Spec Work Group (ASWG) to provide some clarification regarding the ACPI Specification versions 5.1a and 6.0. For those who may not know me, I am the Chair of this work group.
In particular it turns out that there are different definitions contained in the these two versions of the document for the GIC version field contained in the GIC Distributor Structure. This structure is located in Table 5-63 in both versions of the document. I am told this inconsistency is causing some problems for implementation work.
The inconsistency arises purely from an administrative error on our part as keepers of the ACPI Specification. I want to apologize to anyone who has been inconvenienced by this issue.
The sharp-eyed may notice that the dates on the covers of the two versions are the same. The Forum’s normal practice when making a new revision is to re-publish the prior version with all known errata included so that the content that is common between the existing and new documents matches. This accounts for the two documents having the same date; in fact they were published on the exact same day at the same time.
In the case of this one particular structure definition, as shown in Table 5-63, the content was corrected to match what it should say in the 6.0 version of the document. Unfortunately we messed up and the same fix was not properly retrofitted to the ACPI 5.1 spec to be included with the 5.1a (latest errata included version of 5.1 that was released at the same time as 6.0).
Now this inconsistency has been pointed out, the UEFI Forum will publish a revised version 5.1b that will incorporate a fix for this problem. This will however take a little time to organize so it may be some days before that updated document appears on the Forum’s public web site.
Since it was felt that this issue is causing friction for implementation work going on right now, the Work Group asked that I post the above explanation and mitigation as well as the following recommendation to help move implementation work ahead without delay.
The recommendation from the UEFI Forum in this case then is:
– For implementation purposes, the definition in the ACPI 5.1a for the GIC version field that is part of the GIC Distributor Structure (Table 5-63) is incorrect and instead implementers should refer to the corresponding sections of the ACPI 6.0 Specification (the Table to refer to is numbered the same in both documents). The inconsistency will be corrected shortly with the release of a revised ACPI Spec 5.1b update.
For the avoidance of doubt, this means that implementers seeking to conform to the ACPI 5.1 specification should implement to the ACPI 5.1a in every particular except for the above referenced GIC version field which should follow the definition contained in the ACPI 6.0 version of the specification. This advice holds true until a revised ACPI 5.1b is published at which time there will be no inconsistency.
EDK II specifications updated
Laurie Jarlstrom of Intel has announced a documentation update to the UEFI Forum’s EDK II Specifications:
“Announcing the V1.25 and V1.26 updates to the EDK II Specifications. Go to the EDK II Specifications page to download the latest documentation.”
These are the specs beyond the UEFI Forum’s PI and UEFI specs, focused on development implementation details of Tianocore’s EDK-II.
https://github.com/tianocore/tianocore.github.io/wiki/EDK-II-Specifications
http://article.gmane.org/gmane.comp.bios.edk2.devel/6371
FWTS adds test for undocumented ASPT ACPI
[[
UPDATE: see-also: https://firmwaresecurity.com/2016/01/22/who-created-the-acpi-aspt-spec/
]]
Colin King of Canonical has added a new ACPI test to the FirmWare Test Suit (FWTS). The new test is for ASPT (ACPI System Performance Tuning). The problem is that ASPT is an undocumented ACPI table. As Colin says:
This table is not well described anywhere, however it is a frequently used table on AMD machines and the format is relatively simple set of 4 32 bit addresses. This table has been discussed on the ACPICA devel mailing list:
https://lists.acpica.org/pipermail/devel/2015-November/000850.html
and this description matches the various acpi dumps of this table on AMD machines that I have access too. I believe the table refers to an AMD performance monitoring feature.
Here are some scary comments from the new test code to clarify the problem:
/* ASPT Table (reverse engineered, table is common on AMD machines) */
/* Without a specification to work with there is very little we can do to validate this apart from the
implest sanity check */
/* ACPI ASPT: determined by reverse engineering */
For more information see the fwts-devel list or the fwts source code:
https://lists.ubuntu.com/archives/fwts-devel/2015-December/007107.html
http://www.uefi.org/acpi
IMO, the UEFI Forum, who has recently taken over ownership of ACPI, should be working with this vendor to provide a proper public spec, if the table is being used in modern hardware.
Tianocore moving to Github
https://twitter.com/Intel_UEFI/status/672556665288327168
“This message is to notify you that near the end of January 2016 the active repository for EDK2 development will switch from using SourceForge to GitHub. The repository found at SourceForge will continue to be a read-only mirror of the master branch on GitHub. […] As part of this change a number of process changes will be adopted to support better use of git. This includes the method for sending out patches for review and other minor changes. […] “
Full article:
http://www.tianocore.org/news/2015/12/03/Git_Transition.html
Linaro FW-Summit list migrates to UEFI Forum’s FWOS Forum
Al Stone of Red Hat announced on the Linaro Firmware Summit mailing list that the list would transition over to the new UEFI Forum’s FW/OS list. Excerpt of announcement:
Since the fw-summit mailing list was only meant as a holding place until we could set up a forum like this, we will soon be disabling the mailing list. Any and all of the discussions we would have had on fw-summit should now be held on the FW/OS Forum mailing list instead. […] I would like to thank Dong Wei of UEFI especially, but also Michael Krau and the rest of the board of the UEFI Forum for all of their hard work and effort to make this public forum possible. It was a bit of a stretch for everyone, but it got done. Thanks!
Full announcement:
https://lists.linaro.org/pipermail/fw-summit/2015-November/000184.html
http://www.uefi.org/FWOSForum
https://lists.linaro.org/pipermail/fw-summit/
https://lists.linaro.org/mailman/listinfo/fw-summit
UEFI Forum’s new FW/OS Forum
The UEFI Forum has created a new mailing list for discussion of UEFI with OS software:
https://twitter.com/Intel_UEFI/status/661623355368312832
“The FW/OS Forum is a free public forum focused on firmware and operating system (OS) integration. Developers are invited to openly discuss challenges and collaboratively identify fixes. The UEFI Forum created the FW/OS Forum in response to community input, which called for a centralized resource dedicated to troubleshooting UEFI firmware issues encountered when working with any OS. The UEFI Forum is committed to making these community discussion and feedback mechanisms effective for all users. Considering, you may see changes based on usability enhancements. FW/OS Forum members are asked to refrain from sharing any non-public information regarding specification or test tool work that is still in development, as well as any company-specific IP or UEFI Forum-specific IP. Additionally, the FW/OS Forum should not be considered a venue for bug tracking. Firmware integration issues raised within the FW/OS Forum will not be considered as formal bug fix requests; however, the information captured may be considered in future specification updates.”
LinuxCon Europe UEFI Mini-Summit presentations available
Earlier this month, the UEFI Forum recently had a “Mini-Summit” at LinuxCon Europe. The presentations are now available online (so far just the slides, unclear if A/V will show up on Youtube later):
UEFI Mini-Summit at LinuxCon Europe: October 7, 2015
* UEFI Forum Update and Open Source Community Benefits – Mark Doran (Intel)
* What Linux Developers Need to Know About Recent UEFI Spec Advances – Jeff Bobzin (Insyde Software)
* LUV Shack: An Automated Linux Kernel and UEFI Firmware Testing Infrastructure – Matt Fleming (Intel)
* Goodbye PXE, Hello HTTP Boot – Dong Wei (HP)
* UEFI Development in an Open Source Ecosystem – Michael Krau (Intel)
More information (about halfway down the page, past the Youtube section):
http://www.uefi.org/learning_center/presentationsandvideos
Clarification of Matthew Garrett’s Linux fork
Some irresponsible bloggers have been commenting about Matthew’s fork of Linux:
ZDNet has a story with comments from Matthew explaining things:
“I wouldn’t say I’m forking. I’d say that I’m doing my own development work away from LKML. Right now it’s got the securelevel work in it because that’s the only code I have that I feel is ready for public use, but it’ll pick up other bits of code that I’m working on as they become mature.”
http://www.zdnet.com/article/matthew-garrett-is-not-forking-linux/
I guess I look at Matthew’s fork is like the GRSecurity patch for Linux kernel: Matthew’s got the patchset that enables UEFI Secure Boot to be secure on Linux. I hope Tails, Qubes, and other security-minded distros use Matthew’s kernel, at least in builds for UEFI-based systems.
[One of the causes of the above issue is Linus having to deal with Microsoft as a CA. UEFI Forum could also deal with this by putting in place a CA that is not an OSV/OEM. OEMs could be making Linux-friendly sytsems, not just Windows- or Chrome boxes, where Linux is an afterthought second install, which is a lot harder to do with UEFI/Windows Secure Boot — and even Chrome Verified Boot. Linux Foundation could also be helping, by working with OEMs.]
UEFI HTTP Boot whitepaper available
A few weeks ago the Tianocore project added a whitepaper on UEFI 2.5’s HTTP Boot:
http://www.tianocore.org/news/2015/09/17/HTTP-BOOT.html
https://github.com/tianocore/tianocore.github.io/wiki/EDK-II-white-papers
http://sourceforge.net/projects/edk2/files/General%20Documentation/
http://www.tianocore.org/news/feed.xml
If you were looking for instructions on how to setup Tianocore’s HTTP boot feature, on Windows-based systems, this document is for you!
I could be wrong, but I don’t think the TLS API has been added to Tianocore yet, so there is no HTTPS, only HTTP.
(Looking at the above SourceForge URL, it appears the Packaging Tool document was also recently updated, but not sure of the details.)
UDK2015 expected mid-October
The UDK github wiki has been updated to give information about upcoming UDK 2015 release next month. It appears to include most UEFI 2.5 features, plus a few new ones. Excerpt of changes:
Support UEFI 2.5 Updates:
+ Smart Card Reader & Smart card edge protocol (H file only)
+ Inline Cryptographic Interface Protocol (H file only)
+ UEFI USB Function I/O Protocol (H file only)
+ Add NVM Express Pass Thru Protocol
+ Add UFS stack
+ Add SD Device Path (H file only)
+ Add reconnect Browser Action
+ Ability to refresh the entire form
+ The default/options for the Ordered List question
+ Keyword Strings support
+ New CPER Memory Section (H file only)
+ New EFI_HASH2_PROTOCOL
+ Adding support for No executable data areas
+ Persistent Memory Type support
+ Add the Support for new PKCS7 Verification Services
+ System Prep Applications
+ Add SMBIOS3_TABLE_GUID in configuration table.
+ Exposing Memory Redundancy to OSPM
+ ESRT: EFI System Resource Table and component firmware updates
+ IPV6 support from UNDI
+ UEFI “Next” Feature –
* IP_CONFIG2 Protocol
* Boot from HTTP (Excluding IPV6)
* DNSv4 and DNSv6
Support PI 1.4 Updates:
+ PI SMM GPI
+ New MP Service PPI
+ Multiple CPU health info
+ PEI SetBootMode Service() clarification
+ GetMemoryMap Update for ReservedMemory
+ New Graphics PPI
+ New Capsule PPI
+ SIO PEI and UEFI-Driver Model Architecture
+ Extended File Size Errata
+ Add Reset2 PPI
Excluded from UEFI 2.5 Updates:
+ Match2 Opcode and EFI_REGULAR_EXPRESSION_PROTOCOL
+ Bluetooth Support (H file only)
+ Errata Boot Manager Policy & SATA Device Path Node
+ RamDisk Device Path
+ UEFI “Next” Feature –
* Boot from HTTP (Excluding IPV6)
* WIFI support (H file only)
* EAP2 Protocol (H file only)
* UEFI TLS API
* REST Protocol
* Platform recovery
* Customized Deployment of Secure Boot
* BMC/Service Processor Device Path
Other features:
+ Add ACPI 6.0 definitions.
+ Add SMBIOS 3.0 definitions.
+ Support OpenSSL version 1.0.2d.
Looking forward to the upcoming checkins to Tianocore’s EDK2 trunk!
Full roadmap article:
https://github.com/tianocore/tianocore.github.io/wiki/RoadMap2015
ACPI _DSD update
Early last month, the UEFI Forum updated this spec:
_DSD (Device Specific Data) Implementation Guide, v1.1
http://www.uefi.org/sites/default/files/resources/_DSD-implementation-guide-toplevel-1_1.htm
The main thing added to the above HTML document was a pointer to this spec:
Click to access _DSD-hierarchical-data-extension-UUID-v1.pdf
It describes a new Hierarchical Properties Extension UUID. I don’t know much about _DSD, it has been around for a while, so not sure if this 1.1 change is interesting or not.
I wish UEFI Forum would announce updates to ACPI specs. There web site has multiple press/news pages and RSS feeds, only a few of them are operational.
More Information:
HP/Intel presentation on HTTP Boot and Redfish
Samer El-Haj-Mahmoud, a System Firmware Architect at Hewlett-Packard, was kind enough to give me an URL to a recent presentation at Intel Developer Forum (IDF), on UEFI HTTP Boot and DMTF Redfish:
STTS001: Firmware in the Data Center:
Building a Modern Development Framework Using UEFI and Redfish REST APIs.
Mark Doron, Intel
Dong Wei, HP
Samer El-Jah-Mahmoud, HP
The HP/Intel co-presentation is on HTTP Boot and Redfish, and the UEFI based deployment solution on HP ProLiant Servers. Topics include PXE -vs- UEFI HTTP Boot, IPMI -vs- Redfish, and clarification of HP’s implementation -vs- recent UEFI 2.5/TianoCore implementation. I wish I could find audio or video archives of this talk, not just slides. 😦
I’m not a fan of URL-shorteners, and this is a LONG URL, I think you need all the stuff after the .pdf extension:
Also, check out the UEFI videos and other resources at HP’s site:
http://www.hp.com/go/proliant/uefi
UEFI at ELCE
The Embedded Linux Conference Europe (ELCE) is happening in October. There’s a set of UEFI talks happening at the event:
UEFI Forum Update and Open Source Community Benefits, Mark Doran
Learn about the recent UEFI Forum activities and the continued adoption of UEFI technology. To ensure greater transparency and participation from the open source community, the Forum has decided to allow for public review of all specification drafts. Find out more about this new offering and other benefits to being involved in firmware standards development by attending this session.
What Linux Developers Need to Know About Recent UEFI Spec Advances, Jeff Bobzin
Users of modern client and server systems are demanding strong security and enhanced reliability. Many large distros have asked for automated installation of a local secure boot profile. The UEFI Forum has responded with the new Audit Mode specified in the UEFI specification, v2.5, offering new capabilities, enhanced system integrity, OS recovery and firmware update processes. Attend this session to find out more about the current plans and testing schedules of the new sample code and features.
LUV Shack: An automated Linux kernel and UEFI firmware testing infrastructure, Matt Fleming
The Linux UEFI Validation (LUV) Project was created out of necessity. Prior to it, there was no way to validate the interaction of the Linux kernel and UEFI firmware at all stages of the boot process and all levels of the software stack. At Intel, the LUV project is used to check for regressions and bugs in both eh Linux kernel and EDK2-based firmware. They affectionately refer to this testing farm as the LUV shack. This talk will cover the LUV shack architecture and validation processes.
The Move from iPXE to Boot from HTTP, Dong Wei
iPXE relies on Legacy BIOS which is currently is deployed by most of the world’s ISPs. As a result, the majority of x86 servers are unable to update and move to a more secure firmware platform using UEFI. Fortunately, there is a solution. Replacing iPXE with the new BOOT from HTTP mechanism will help us get there. Attend this session to learn more.
UEFI Development in an Open Source Ecosystem, Michael Krau, Vincent Zimmer
Open source development around UEFI technology continues to progress with improved community hosting, communications and source control methodologies. These community efforts create valuable opportunities to integrate firmware functions into distros. Most prevalent UEFI tools available today center on chain of trust security via Secure Boot and Intel® Platform Trust Technology (PTT) tools. This session will address the status of these and other tools. Attendees will have the opportunity to share feedback as well as recommendations for future open UEFI development resources and processes.
UEFI aside, there’s many other presentations that look interesting, for example:
Isn’t it Ironic? The Bare Metal Cloud – Devananda van der Veen, HP
Developing Electronics Using OSS Tools – Attila Kinali
How to Boot Linux in One Second – Jan Altenberg, linutronix GmbH
Reprogrammable Hardware Support for Linux – Alan Tull, Altera
Measuring and Reducing Crosstalk Between Virtual Machines – Alexander Komarov, Intel
Introducing the Industrial IO Subsystem: The Home of Sensor Drivers – Daniel Baluta, Intel
Order at Last: The New U-Boot Driver Model Architecture – Simon Glass, Google
Suspend/Resume at the Speed of Light – Len Brown, Intel
The Shiny New l2C Slave Framework – Wolfram Sang
Using seccomp to Limit the Kernel Attack Surface – Michael Kerrisk
Tracing Virtual Machines From the Host with trace-cmd virt-server – Steven Rostedt, Red Hat
Are today’s FOSS Security Practices Robust Enough in the Cloud Era – Lars Kurth, Citrix
Security within Iotivity – Sachin Agrawal, Intel
Creating Open Hardware Tools – David Anders, Intel
The Devil Wears RPM: Continuous Security Integration – Ikey Doherty, Intel
Building the J-Core CPU as Open Hardware: Disruptive Open Source Principles Applied to Hardware and Software – Jeff Dionne, Smart Energy Instruments
How Do Debuggers (Really) Work – Pawel Moll, ARM
Make your Own USB device and Driver with Ease! – Krzysztof Opasiak, Samsung
Debugging the Linux Kernel with GDB – Peter Griffin, Linaro
http://events.linuxfoundation.org/events/embedded-linux-conference-europe/program/schedule
What’s the next built-in ACPI attack?
[UPDATE: just confirmed that ACPI.info’s links page had the WPBT link since 2011. After posting below article, I wondered if the ACPI.info webmaster updated their links page in the last few days…)
https://web.archive.org/web/20111208014141/http://www.acpi.info/links.htm
While the media is currently blaming Lenovo for sloppy Windows QA, they’re also waking up to the reality that Windows has been using for the last few years. Initial Ars Technica and YCombinator posts on the topic quoted the abstract to the spec on a web page that was no longer available, so it sounds conspiratorial. But the doc has been online since 2011. Besides microsoft.com-based links, the ACPI.info web site maintains a good set of links, including a pointer to the WPBT spec, and other ACPI-related table specs.
http://www.acpi.info/links.htm
The ACPI specs — at least some of them? — are maintained by the UEFI Forum. The UEFI Forum’s web site does NOT have a link to the WPBT spec.
I’ll bet there’re a few other existing ‘unknown’ ACPI features hidden on the ACPI.info links page that’ll be ‘discovered’ in the next few months, due to another sloppy OEM or sharp security researcher… From above links URL, here’ s a partial list (I omitted multiple entries which’re specs for other hardware, and some of those might also include ACPI tables) of ACPI tables to attack:
Core System Resources Table, CSRT
Debug Port Table, DBGP
Debug Port Table 2, DBG2
DMA Remapping Table, DMAR
IA-PC High Precision Event Timer Table, HPET
I/O Virtualization Reporting Structure, IVRS
iSCSI Boot Firmware Table, IBFT
Management Controller Host Interface Table, MCHI
Microsoft Software Licensing Tables, MSDM, SLIC
Multiprocessor Startup for ARM Platforms
PCI SIG’s MCFG
Serial Port Console Redirection Table, SPCR
Server Platform Management Interface Table, SPMI
Simple Boot Flag Table, BOOT
Smart Battery System Components and SMBus Spec
Trusted Platform Module 2 Table, TPM2
Trusted Computing Platform Alliance Capabilities Table, TCPA
Watchdog Action Table, WDAT
Watchdog Timer Resource Table, WDRT
Windows ACPI Emulated Devices Table, WAET
Windows Platform Binary Table, WPBT
Quoting Wikipedia on ACPI security risks:
“Ubuntu Linux founder Mark Shuttleworth has likened ACPI to Trojan horses. He has described proprietary firmware (ACPI-related or any other firmware) as a security risk, saying that “firmware on your device is the NSA’s best friend” and calling firmware (ACPI or non-ACPI) “a Trojan horse of monumental proportions”. He has pointed out that low quality, closed source firmware is a major threat to system security: “Your biggest mistake is to assume that the NSA is the only institution abusing this position of trust — in fact, it’s reasonable to assume that all firmware is a cesspool of insecurity, courtesy of incompetence of the highest degree from manufacturers, and competence of the highest degree from a very wide range of such agencies”. As a solution to this problem, he has called for declarative firmware (ACPI or non-ACPI). Firmware should be open-source so that the code can be checked and verified. Firmware should be declarative, meaning that it should describe “hardware linkage and dependencies” and should not include executable code.”
Vendors need to be disclosing a LOT MORE information about what they’ve included in their firmware, now that people are aware of this, thanks to Lenovo. It is easy to fix OEM’s mistakes at OS level, by reinstalling an open source OS, or installing vanilla Windows and then getting the drivers from the OEM/IHVs. But you can’t update your system’s firmware, and ACPI is the new dumping ground for OEM bloat. Well, not new, just newly-realized by some of us. I want a system with absolute minimail ACPI table bloat, and I want to KNOW what tables are shipped on the firmware. Linux OEMs: don’t ship COTS firmware that has Windows-centric ACPI blobs in them. If you look on #UEFI on G+ and Twitter, you’ll find more and more people demanding Open Hardware and fully-open source firmware, which is refreshing. 🙂
Intel update on Debian and UEFI
Yesterday Brian Richardson of Intel UEFI posted a new blog entry on 32-bit UEFI and Linux support, with specific information about Debian. It was NICE to see the Debian swirl as the icon on an Intel.com-hosted blog post! 🙂 I am sometimes concerned that UEFI Forum and Intel only think about UEFI Forum-member Linux OSVs (Canonical, RedHat, SuSE) when it comes to UEFI and Linux. It’s NICE to see Intel working with non-UEFI Forum members on UEFI issues, especially Debian!
Blog excerpt:
“Thanks to Steve McIntyre from the Debian team for pointing out my error. Steve’s also helping organize a repository for information on UEFI implementations that don’t play nice with Linux. I think this is a great idea, so check it out if you have any relevant info. I’ll share my tips for testing UEFI & Linux in an upcoming post, in case you want to contribute to their project.”
Brian@Intel’s full blog post:
http://blogs.intel.com/evangelists/2015/08/11/update-on-ia32-uefi-and-linux-support/
Steve@Debian’s blog post:
http://blog.einval.com/2015/08/02#intel_justifies_mixed_efi
This repo of Linux UEFI information sounds GREAT!. Amongst the things it tracks, I hope it tracks the various Secure Boot strengths that Linux distributions have:
UEFI upstreaming OpenSSL patch
UEFI has an optional build directive to enable “Secure Boot”. Secure Boot’s crypto is backed by the Open Source library libOpenSSL. For a long time, Tianocore’s OpenSSL was based on 0.98x release of OpenSSL. It sucks for UEFI that every time OpenSSL issues a new release (which is often, these months), the UEFI patch sometimes has to get updates to reflect OpenSSL changes. Plus, it was scary to see UEFI using such an ancient 0.98x release of OpenSSL for so long. Recently, UEFI updated to 1.0x releases of OpenSSL, and have been doing a lot of patch churning, due to frequent OpenSSl releases. So, it’s nice to see that there’s a effort by David Woodhouse of Intel’s Open Source Technology Centre, to make an effort to upstream the UEFI patches to OpenSSL, for the first time filing an issue in the RT. (Previously, AFAICT, the only effort to upstream was brief email on the OpenSSL mailing list, no RT filed.) I don’ t think UEFI Forum is one of the members of the OpenSSL Foundation; it might be nice if they were, given their Secure Boot dependence on this library. (OEMs/IBVs can swap out OpenSSL with another crypto lib, unclear which do…)
I hope the OpenSSL Foundation and it’s developers accept this patch, or work with UEFI Forum’s developers to come up with acceptable patch to upstream. I may be biased, but UEFI Secure Boot might be one of OpenSSL’s most important uses. Having UEFI target code in main OpenSSL trunk will save UEFI developers time, but also help with OpenSSL developers to understand the UEFI codepath differences, and may help reduce UEFI-centric code issues later. Imagine if Windows or Linux target support for OpenSSL was a separate patch, yuck.
Even if OpenSSL Foundation doesn’t accept the patch, it is still a significant new OpenSSL patch for UEFI, worth a review.
http://rt.openssl.org/Search/Simple.html?q=UEFI
Below is David’s posting to the edk2-devel list at 01.org:
——– Forwarded Message ——–
Subject: [edk2] [PATCH v3 0/16] CryptoPkg: OpenSSL update
From: David Woodhouse
Not sure which version this is; let’s call it v3 despite the fact that I think it’s actually the first time all this lot has been posted together in a single coherent series.
All the OpenSSL fixes are filed in upstream RT and in my git tree at http://git.infradead.org/users/dwmw2/openssl.git/ and backported to OpenSSL 1.0.2 in the OpenSSL_1_0_2-stable branch of the same repo.
This series cleans up a number of our outstanding OpenSSL patches to match what’s been submitted upstream, including the use of OPENSSL_SYS_UEFI instead of abusing OPENSSL_SYSNAME_UWIN.
It also cleans up places in our code where we access OpenSSL “internal” structures which are going to be made opaque in OpenSSL 1.1 and accessor functions should be used instead.
The build infrastructure is fixed to be more consistent with the way that OpenSSL is usually built all the OPENSSL_NO_xxx definitions are moved into opensslconf.h, and the file list is properly synchronised with the result of ‘make files’ in the suitably-configured OpenSSL source.
A script is provided which allows the opensslconf.h file and the list of files in OpensslLib.inf to be automatically updated. This script is not required during a normal build; it’s only for when we update the OpenSSL which is used by the EDK II repository.
Finally, we remove CryptoPkg/include/openssl and instead use the real OpenSSL include directory. This Just Works on POSIX-compliant platforms, and has symlinks to the original files. In OpenSSL 1.1 it’ll work even on Windows, as those files have been *moved* to the include/openssl/ directory of the OpenSSL source tree. For the time being, Install.sh can die and Install.cmd is updated to copy the files to $(OPENSSL_PATH)/include/openssl to work around Windows’ lack of symlinks.
Both the final commit (using OpenSSL HEAD) and the penultimate (still using a patched 1.0.2d) have been build-tested for IA32 and X86 both using GCC on Linux and VS2008 under Windows. And also using MinGW32/MingGW64 under Linux, although the final link there fails due to calls to __chkstk_ms (see GCC PR#67169).
Git tree at http://git.infradead.org/users/dwmw2/edk2.git
David Woodhouse (16):
CryptoPkg/BaseCryptLib: Add missing OpenSSL includes
CryptoPkg/BaseCryptLib: Use i2d_X509_NAME() instead of abusing X509_NAME
CryptoPkg/BaseCryptLib: Use accessor functions for X509_ATTRIBUTE
CryptoPkg/BaseCryptLib: Use accessor functions for ASN1_OBJECT
CryptoPkg/BaseCryptLib: Clean up checking of PKCS#7 contents type
CryptoPkg/BaseCryptLib: Use X509_V_FLAG_PARTIAL_CHAIN
CryptoPkg/BaseCryptLib: Use X509_V_FLAG_NO_CHECK_TIME
CryptoPkg/OpensslLib: Undefine NO_BUILTIN_VA_FUNCS to fix varargs breakage
CryptoPkg: Fix OpenSSL BN wordsize and OPENSSL_SYS_UEFI handling
CryptoPkg/OpensslLib: Eliminate GETPID_IS_MEANINGLESS definition
CryptoPkg/OpensslLib: Move OPENSSL_NO_xxx defines into opensslconf.h
CryptoPkg: Use OpenSSL include directory directly
CryptoPkg/OpensslLib: Include complete copy of opensslconf.h
CryptoPkg/OpensslLib: Update OpenSSL patch
CryptoPkg/OpensslLib: Automatically configure OpenSSL and generate file list
CryptoPkg: Support building with OpenSSL HEAD (1.1.0-devel)
CryptoPkg/CryptoPkg.dec | 2 +
CryptoPkg/Include/OpenSslSupport.h | 26 ++
CryptoPkg/Include/openssl/README | 1 –
CryptoPkg/Library/BaseCryptLib/InternalCryptLib.h | 10 +-
CryptoPkg/Library/BaseCryptLib/Pk/CryptAuthenticode.c | 7 +-
CryptoPkg/Library/BaseCryptLib/Pk/CryptDh.c | 1 +
CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c | 94 +—
CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaBasic.c | 1 +
CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaExt.c | 1 +
CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c | 102 +—
CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c | 18 +-
CryptoPkg/Library/BaseCryptLibRuntimeCryptProtocol/InternalCryptLib.h | 8 –
CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2d.patch | 380 —————
CryptoPkg/Library/OpensslLib/Install.cmd | 77 —
CryptoPkg/Library/OpensslLib/Install.sh | 79 —-
CryptoPkg/Library/OpensslLib/OpenSSL-HOWTO.txt | 44 ++
CryptoPkg/Library/OpensslLib/OpensslLib.inf | 480 ++—————–
CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt | 61 —
CryptoPkg/Library/OpensslLib/opensslconf.h | 488 ++++++++++++++++++++
CryptoPkg/Library/OpensslLib/process_files.sh | 38 ++
20 files changed, 691 insertions(+), 1227 deletions(-)
AMD clarifies firmware strategy
A while ago, I asked on the UEFI development list for someone to clarify AMD’s UEFI strategy. I’m unfortunately, not that strong on AMD64 technology, and was a bit confused by the available documentation as to a few things. Gary Simpson, Firmware Architect at AMD, was kind enough to reply to my questions, with verbose reponses. I’ve slightly edited the message, cleaning up the email intro and simplifying my questions, but did not alter any text responses from AMD. Below, lines beginning with “Q:” are questions from me to AMD, and the bold lines with “A:” are Gary’s replies.
Q: Can anyone explain AMD’s strategy w/r/t UEFI and BIOS, UEFI and coreboot?
A: Here’s some quick background: AMD is a founding Board member (i.e. Promoter) of the UEFI Forum and an active member in most of the work groups. We are proponents of the UEFI and ACPI interfaces (because they provide standardized firmware API’s, allowing shrink-wrapped OS distributions, without customized drivers, enabling end-user OS flexibility and choice). Also, despite some birthing pains with individual implementations, UEFI is enormously more secure than legacy BIOS was. AMD’s evolution from legacy BIOS to UEFI has happened over the last ten years in sync with the schedules of our industry partners (IBV’s, OEM’s) and their code bases. We’re not seeing any demand for legacy BIOS enablement anymore, so we no longer focus any effort there. Coreboot is the only remaining legacy code base we enable. Coreboot enablement is provided by AMD’s embedded group for a market-appropriate subset of our chips.
By the way, you may be assuming that the traditional competitiveness between companies persists in the UEFI Forum and the spec work groups that it oversees. But there is actually very little of that (especially compared with a lot of other industry-standards bodies). The general attitude within UEFI is that the firmware layer should be unified, interoperable, well-specified and secure. There is no room for competition or company-specific advantage in the firmware layer. (Then, of course, we all go home to our individual companies and work to create competitive advantage at other layers, such as hardware or higher-level software.) I just want to make sure you understand the atmosphere of cooperation and common-cause that exists between the various OEM’s, Silicon Vendors, OS Vendors, IBV’s, and others that make up the UEFI Forum. That cooperative atmosphere pervades the UEFI work groups, as well as the UEFI Board of Directors.
Q: What AMD X64 models use UEFI, what models use BIOS, what models use coreboot?
A: We don’t specify or control this. Our customers can implement whatever platform firmware solution they choose. However, the firmware components AMD provides focus primarily on UEFI solutions. As mentioned, our embedded group also enables coreboot for a selected subset of our chips. Coreboot is the only legacy code base we still target. For coreboot, we maintain wrappers and a centralized function dispatcher, but our core code is natively targeted at the various UEFI-style code bases used by our IBV partners, our OEM customers, and Tianocore (e.g. EDKII).
Q: I’m unclear if current/upcoming AMD X64 models are still using BIOS on most or only some of their systems, as well as coreboot -vs- UEFI usage and future plans.
A: Internally, we create Customer Reference Boards (CRB’s) and build platform firmware in-house to support them. These in-house BIOS’s, which we use to bring-up and validate our new silicon designs, are all UEFI-based. These are almost always based on our AGESA firmware (see below) combined with a platform code base from one of the IBV’s. Additionally, AMD’s embedded team ports coreboot to their versions of the CRB’s.
Q: Are there different goals for UEFI/BIOS/coreboot for consumer desktop/laptop models -vs- server models? I’ve heard one person speculate that servers are focusing on BIOS, laptops are focusing on GPUs/DirectX [and perhaps UEFI].
A: AMD’s goal is simply to provide what our customers want and need. Server manufacturers were, in general, slower to transition from legacy to UEFI, but we are no longer seeing any demand from them for legacy BIOS.
Q: I’m really unclear how they can get Win8 logos if they’re using BIOS. If they’re getting logos for those systems. Do AMD systems have less Win8 technical restrictions than Intel systems in this regard?
A: In combination with the BIOS Vendors and/or the OEM’s, AMD makes UEFI solutions (supporting Secure Boot, etc.) available for all our chips. We qualify for our Win8 and Win10 logo certifications the old fashioned way – by passing the tests. We make sure that all of our CRB’s pass the certifications tests, and we assist our OEM customers as needed to make sure that their production systems pass as well.
Q: What is AMD equivalent of Intel FSP, for closed-source blobs need alongside Tianocore open source?
A: Our deliverable is called AGESA (AMD Generic Encapsulated SW Architecture). It plugs into the IBV and OEM code bases and does initialization and configuration of the AMD silicon (CPU, GPU, FCH (southbridge), GNB (Graphics North Bridge), etc.). We private-license AGESA source (for free) to our IBV and OEM partners. For coreboot, AGESA is currently provided as a binary module. We did previously publish AGESA open-source in the coreboot repository for a few of our chips over the last several years. You can have a look at those if you’re interested.
Q: How do I debug UEFI on AMD systems, like I can use Intel WinDbg/GDB-based solution for debugging Tianocore with Tunnel Mountain box?
A: AMD does not have an equivalent to Tunnel Mountain. There aren’t any motherboard manufacturers willing to produce and sell such a board, since our volumes would be smaller than Tunnel Mountain. We do design and build Customer Reference Boards for each new chip. The CRB volumes are small and the cost is high, so they mostly go to larger customers. Even inside AMD, these are usually in short supply.
Q: Are you going to port LUVos (and LUV-live) — including it’s new and bundled various tests, especially CHIPSEC — to your systems? CHIPSEC won’t work on AMD64 systems, only Intel systems, implementations are different.
A: We don’t have any current plans to do this, but your question may cause us to do more investigation in this area.
Q: For AMD’s new ARM Ltd.-based systems, are they going to use UEFI on all of them, or just some? What will be used on others, U-Boot or something else?
A: This is an area where we are feeling our way forward. Different customers will want different things. We will try to accommodate them all as well as we can. We plan to offer AGESA for UEFI code bases only, so we won’t support U-Boot directly, but we will enable a UEFI solution that creates a Flattened Device Tree, which should boot any OS’s that normally sit on top of U-Boot.
Q: Are you using Linaro for UEFI bits and making your own ARM firmware, our outsourcing to IBV, if so which?
A: We are working with IBV’s, replicating the traditional firmware-development process from the x86 PC world, but we recognize that traditional ARM-embedded customers may be looking for a free-source stack from us, so we are working to prepare for that possibility as well.
Q: Are you going to help Linaro with their AArch64 port of LUV-live and CHIPSEC, especially including AMD-specific AArch64 implementation issues?
A: No plans yet, but we will investigate.
—- [End of ‘interview’.]
Thanks, Gary, for the detailed answers to my many ignorant questions! For more information, see the email thread on the edk2-devel mailing list, mainly see Gary’s response on July 31st:
https://lists.01.org/mailman/listinfo/edk2-devel
It is especially good to hear about AGESA being open source! I hope Intel can match that bar, with FSP…
Since the responses from Gary, I’ve done two AMD64-centric blog posts, one on the most recent (?) vulnerability, and one on ASESA.
Some additional questions I should’ve asked but didn’t think of until now:
Q: Has AMD or any AGESA licensee (IBV, OEM) ever hired an security audit of the AGESA sources, and published the results?
Q: Does the AMD’s SimNow, either Public or Partner release, support OVMF (the public release appears to not), or is there any other emulator/simulator accurate enough to facilitate porting of CHIPSEC to AMD64 systems?
Q: Can you clarify use of TrustZone on AMD64 — not ARM Ltd.-based AArch32/AArch64 systems? Does TrustZone even work on non-ARM systems as-is, or was this a new port? Are there any more technical details you can point us to for this?
Again, thanks Gary! For the sake of enterprise security, I hope AMD helps with and AMD64 port of CHIPSEC, or at least helps document the issues that need to be removed and added to and AMD64 port, so the open source community can help with the port.
Tianocore web site updated
As reported by the Intel UEFI Twitter feed, the UEFI Forum’s web team have done a complete overhaul to the TianoCore.org web site:
https://twitter.com/Intel_UEFI/status/624674581815664644
http://www.tianocore.org/
http://www.tianocore.org/contrib/
http://www.tianocore.org/contrib/getting-started.html
http://www.tianocore.org/edk2/
http://www.tianocore.org/news/feed.xml
There are a few other web pages, not many more; most others are github-hosted web pages now.
This news was found on the Twitter feed of Brian Richardson of Intel, which was not on my previous 0.3 release of Twitter feeds, but will be in next 0.4 release:
https://twitter.com/Intel_Brian
On a related note, the edk2-devel mailing list finally moved from SourceForge to 01.org:
https://github.com/tianocore/tianocore.github.io/wiki/edk2-devel
Linux distros (and FreeBSD): join the UEFI Forum
Hey Linux/FreeBSD distros: it’s great that you’ve got UEFI support including Secure Boot certs. But that’s not enough, you need to join the UEFI Forum, and help evolve UEFI to be more Linux-friendly.
Right now, the last time I checked, the only Linux distros that had joined were: Canonical (Ubuntu), Red Hat, and SuSE. As well as Linaro. Excluding SuSE and Redhat’s commercial products, that means that Ubuntu, Fedora, and OpenSUSE are the community Linux distros that may have the best UEFI support.
UEFI Forum members have access to:
* member-only communications (web forums)
* member-only invites to meetings/events (including the 1-3 plugfests they do each year).
* member-only access to software and specs the public doesn’t have.
* access to file bugs/change requests, which the public cannot do.
I think you get access to their non-public trunk, a subset of which is exported to the public as TianoCore, but I’m not sure. (Hypocritically, I’m not a member yet, still working on it, blocking on some new company infrastructure.)
If you join, you can help evolve and improve UEFI, and have early access to UEFI resources so your distros can be ready for any changes. You can attend the plugfests and do interop testing with other UEFI products/projects, to find problems before your users have to see them.
If you don’t join, you’ll be constantly reacting to UEFI Forum releases, have less resources than UEFI Member distros have, and if there’s a problem all you can do is whine and blame Intel and/or Microsoft, when you should look into the mirror instead.
The Linux Foundation should help enable community distros, which don’t have large corporations to back their membership, to get involved as well. The Free Software Foundation should join and participate, instead of keeping their heads in the sand and wish everyone would stop using UEFI. Embrace and Extend.
In addition to Linux distros, FreeBSD also supports UEFI, and is not a UEFI Forum member. iX Systems and FreeBSD Foundation: this also applies to you.
You also need to register your distro with the UEFI Forum’s ESP Subdirectory Registry, so you can have some UEFI binaries (boot loader, etc.) in a well-known location. Ex, if Debian’s cbootstrap gets ported to a UEFI Application, then \EFI\Debian\cbootstrap.efi would be an example of where the file would be stored. Right now, Debian is registered, but not a member of the UEFI Forum!?
Intel, ARM, Linaro, Red Hat, SuSE, and Canonical have been doing a great job improving UEFI so it works better with non-Apple, non-Microsoft operating systems. IMO, more distros need to get involved and help.
More Information:
http://uefi.org/members
http://uefi.org/join
http://uefi.org/registry
While I’m on my soapbox, Linux distros should consider some UEFI-centric rescue options in their boot CDs. ALT Linux Rescue ISOs include rEFInd boot manager, and let you optionally jump into UEFI Shell. You could use UEFI-aware GRUB for this, instead of rEFInd. Additionally, it would be nice to also give access to running: FWTS (FirmWare Test Suite), Intel CHIPSEC to test the hardware/firmware for security. It would also be nice to include the UEFI port of CPython 2.7x, along with the UEFI Shell, for more powerful diagnostic abilities. Distro installers should also consider installing UEFI Shell and UEFI Python and CHIPSEC onto system’s ESP, in an advanced mode, not just let them access via install ISO. Of course, there are security issues by enabling extra Pre-OS tools, user would need to opt-into all of this. Intel’s LUV-live, which Linaro is porting to AArch64, contains BITS (BIOS Interface Test Suite), FWTS, CHIPSEC all in one convenient location. I hope other Linux distros emulate some of LUV-live’s diagnostic and rescue abilities.
Firmware Security 
You must be logged in to post a comment.