Highlights — from my perspective — include:
* The bsdinstall(8) utility now supports UEFI+GELI as an installation option.
* The bhyve(8) utility is now able to be run within a jail(8).
PS: There are a few days left to purchase a FreeBSD 25th Anniversary t-shirt:
The above tweet hints at UEFI support in Kaspersky TDSS Killer 22.214.171.124, but I’ve not found any more specific information.
PS: Kaspersky has a UEFI AntiVirus product, for OEMs:
Kaspersky Anti-Virus for UEFI (KUEFI) is the EFI BIOS level endpoint security solution providing effective protection from rootkits and bootkits and ensuring safe OS loading. The product’s key feature is that it starts running in the EFI environment even before the OS bootup process begins, thus preventing any resident malware from loading. By working on EFI level, KUEFI ensures reliable protection from rootkits, bootkits and other malware specifically designed to circumvent desktop anti-malware technologies. KUEFI is provided as a small EFI module which nevertheless contains the award-winning Kaspersky Anti-Virus engine. The KUEFI architecture enables its integration into any motherboard firmware supporting the EFI standard, regardless of the vendor.
This project consists of 3 parts.
1) A script (gpu-pt-check.sh) that automatically checks to what extent a computer is compatible with GPU pass-through in its given configuration.
2) A script (setup.sh) that automatically installs and configures your system for GPU pass-through (Only tested on fresh installs of Fedora 28 x64 with Gnome, booted in UEFI mode!)
3) Instructions on how to create a bootable Linux USB stick that automatically runs the gpu-pt-check.sh script when you boot from it without any user interaction required.
The r-efi project provides the protocol constants and definitions of the UEFI Reference Specification as native rust code. The scope of this project is limited to those protocol definitions. The protocols are not actually implemented. As such, this project serves as base for any UEFI application that needs to interact with UEFI, or implement (parts of) the UEFI specification.
There’s a new UEFI AudioPkg that appears to offer some kind of audio support; no documentation yet.
Hmm, if this works, then someone could conceivably port MAME to UEFI! 🙂
This package contains ALT Linux UEFI SB CA certificate corresponding to the private key that is now used to sign ALT Linux UEFI bootloaders to cope with UEFI SecureBoot regime (aka “Restricted Boot”). This can be enrolled by the user so that ALT shim and subsequent bootloaders are accepted by firmware without Microsoft’s certificates.
PS: ALT Linux Rescue includes an EFI System Partition (ESP) with a few tools, and a boot option to go into UEFI or Linux.
The c-efi project provides the protocol constants and definitions of the UEFI Reference Specification as native C11 code. The scope of this project is limited to those protocol definitions. The protocols are not actually implemented. As such, this project serves as base for any UEFI application that needs to interact with UEFI, or implement (parts of) the UEFI specification. In addition to providing a C library, this project also serves as documentation base for UEFI programming in C. It provides target-triples for UEFI, bootstrap helpers, and a bunch of documentation on how to get started.
efi-roller is a simple script to help sign EFI images. It creates the needed keys and helps you keep track of what to sign.
There’s awesome-firmware-security, and a uefi.tech, and a few other sites that have links to UEFI/firmware technologies. Now there is a new site, Awesome UEFI:
A general purpose UEFI Bootloader/Chainloader with a modern UI.
It is just getting started, not working yet.
The UEFI Forum has specified the date/location of the next plugfest:
Event Date: April 8-12, 2019
Location: Bellevue, WA
[…]This provides specific guidance for firmware based upon the EFI Developer Kit II (EDKII) and coreboot. Because this document deals with host firmware internal requirements, it is not intended to provide side channel mitigation guidance for general application developers.
Scope: This addresses bare-metal firmware runtime risks and mitigation suggestions for the bounds check bypass, branch target injection, rogue data cache load, rogue system register read, and speculative store bypass side channel methods. Our examples and context are primarily focused on ring 0 firmware runtimes (for example: EFI Developer Kit II, PI SMM, and coreboot SMM). Other firmware execution environments are out of scope.[…]
Jordan Rhee of Microsoft has created a new project. All the documentation was used for the Title.
Now I’m wondering what Project Cyres is.
[…]Will this work on a non-IBM server?
No, this uses IBM-specific UEFI hooks to reset the passwords.
UEFI-Boot is a simple project that focuses on loading the Linux kernel directly from UEFI firmware without the need for any bootloader.