ShowSLIC.efi: Access ACPI-based Windows SLIC License Key

FPMurphy has a new blog post with source to a new tool, and mentions plans for 3-4 new tools/year!

Those who follow my work in the UEFI Shell space are aware that I usually develop a number of new, and hopefully useful, UEFI shell utilities each year. This year, I plan to write three or four new utilities and enhance a number of existing utilities. This is the first of these new utilities. In this post, I describe the ShowSLIC utility. It is the first of my new utilities and came about from license and booting issues caused by a disk failure on a friend’s laptop that was running Windows 7. ShowSLIC is designed to enable you to retrieve SLIC (System License Internal Certificate) information from a UEFI-based Microsoft Windows PC or laptop. Such information is accessible (exposed) via the ACPI (Advanced Configuration and Power Interface) SLIP table.[…]

https://blog.fpmurphy.com/2018/01/accessing-acpi-slic-from-uefi-shell.html#ixzz58Wq6TSMw

https://blog.fpmurphy.com/

Looks like you have to scrape the source from the HTML blog post, not included in latest UEFI-Utilities, AFAICT:

https://github.com/fpmurphy/UEFI-Utilities-2016/commits/master

add-to-efi.sh – script to add boot entries to native EFI loader

This script allows users and administrators to automatically add their EFISTUB-enabled Linux system to the system’s native EFI bootloader without the need of any additional bootloader. It’s required that all files needed to perform the boot process (e.g. vmlinuz-xxx, initramfs-xxx.img) reside on the EFI system partition, which has to be mounted somewhere. The tool searches for the EFI partition by its partition type, then for installed kernels and finally for suitable initrds (including Intel Microcode). Furthermore, the tool is able to detect if the root filesystem is encrypted and adds appropriate kernel parameters. If you want to use (PART)UUID for booting, this tool will also do.[…]

 

https://github.com/stertingen/add-to-efi.sh

Oracle Solaris 11.4: UEFI Secure Boot on Intel HW

UEFI Secure Boot on Oracle Solaris x86 enables you to install and boot Oracle Solaris on platforms where UEFI Secure Boot is enabled. This feature provides more security by maintaining a chain of trust during boot: digital signatures of the firmware and software are verified before executing the next stage. No break occurs in the chain because of unsigned, corrupt, or rogue firmware or software during the boot process. This feature helps assure that the firmware and software used to boot Oracle Solaris on a hardware platform is correct, and has not been modified or corrupted.

https://docs.oracle.com/cd/E72435_01/html/E72445/grijo.html
https://docs.oracle.com/cd/E37838_01/html/E60974/index.html
https://blogs.oracle.com/solaris/oracle-solaris-114-beta-released
https://github.com/oracle/solaris-userland/tree/master/components/shim
https://www.phoronix.com/scan.php?page=news_item&px=Oracle-Linux-7-Update-4

 

 

UEFI BIOS Accessibility for the Visually Impaired

Rafael R. Machado, Gustavo M. D. Vieira

People with some kind of disability face a high level of difficulty for everyday tasks because, in many cases, accessibility was not considered necessary when the task or process was designed. An example of this scenario is a computer’s BIOS configuration screens, which do not consider the specific needs, such as screen readers, of visually impaired people. This paper proposes the idea that it is possible to make the pre-operating system environment accessible to visually impaired people. We report our work-in-progress in creating a screen reader prototype, accessing audio cards compatible with the High Definition Audio specification in systems running UEFI compliant firmware.

Submitted 7 Dec 2017 to Computers and Society [cs.CY]
Published 11 Dec 2017
Journal ref: SBESC ’17: Proceedings of the VII Brazilian Symposium on Computing Systems Engineering, IEEE Computer Society, 2017, 155-160
Doi: 10.1109/SBESC.2017.27
http://arxiv.org/abs/1712.03186

https://scirate.com/arxiv/1712.03186

 

SHA_Performance_Review_In_UEFI: UEFI SHA1/SHA256 perf tests with C (and asm)

Background of the work: to compare SHA1/SHA-256 performance across different implementations, different optimization flags and different compilers (GCC48/GCC5), and to see how the performance differs in UEFI (pre-boot environment). As a UEFI developer, while using these CPU-intensive algorithms, we need to take into account the performance differences between them.

https://github.com/tsunghowu/SHA_Performance_Review_In_UEFI

 

UEFTW – UEFI Toys: ShellOpt/ShellExpand/DBounce/KernextPatcher/AcpiPatcher (binary-only, no source)

Some UEFI Toys by me. Taken from my early fork of Clover and ‘others’ below. No sources available yet, just binary (EAT that!).

ShellOpt: Port of GNUEFI Finnbarr P. Murphy ShellOpt (>>>) to EDK2, to set / delete various Shell options.

ShellExpand: To eliminate known Shell edit command bugs by translating TABS to SPACES with a custom size.

DBounce: A UEFI driver to load all required drivers first before finally calling a chainloader. Originally introduced by Christoph Pfisterer (rEFIt’s author). The original source can be found here. Later I ported this module to work with EDK2 with the following changes (compared to the original):

KernextPatcher: KernextPatcher (stands for Kernel & Kext Patcher) is a Darwin kernel & extensions patcher UEFI driver based on Clover Memfix by dmazar. This driver tries to hook the ExitBootServices event and patch the kernelcache, including the kernel itself and kexts.

AcpiPatcher: AcpiPatcher is a Darwin ACPI patcher UEFI driver. Yes, it’s a MEGA stripped version compared to the original one. At least, we can now get rid of some of the complexity to load custom ACPI tables with some fixes. This driver tries to hook the ExitBootServices event and patch ACPI as below.

https://github.com/cecekpawon/UEFTW

Careful, these are closed-source binaries. Freeware is hard to trust, these decades… I have not tried them.

Windows 10: storing system-tracking data in UEFI variables

https://twitter.com/dakotathekat/status/963086883621408768

https://docs.microsoft.com/en-us/uwp/api/Windows.System.Profile.SystemIdentification

As one comment above notes, make sure you know how to reset this firmware-stored data before you dispose of any such systems.

Interesting, I would have guessed that this data would be stored in UEFI SMM LockBox, but some forms of UEFI variables are also hard to access. Ah, but this is for persistent data…

https://github.com/tianocore/edk2/blob/master/MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBox.c

I’d swear I saw some MacOSX (before change to macOS) components moved from system libraries up into Apple EFI, I wonder if Apple also implements SmmLockBox?

FreeBSD bhyve UEFI support improved

https://twitter.com/lattera/status/963126671963557888

MFC: r316746 Add UEFI support to vmrun.sh

Adds:
-E: Use UEFI mode
-f: path to UEFI firmware image (default: path to uefi-edk2-bhyve package)
-F: UEFI framebuffer size (default: w=1024,h=768)
-L: IP to listen for VNC connections on (default: 127.0.0.1)
-P: Port to listen for VNC connections on (default: 5900)
-T: Enable tablet device (for VNC)
-v: Wait for VNC client before booting VM

https://svnweb.freebsd.org/base?view=revision&revision=329178

 

Dell Sputnik systems disable Secure Boot

“Dell ship their Sputnik systems with a pre-populated MokSB variable that disables Secure Boot, so this is working as intended on the Fedora side.”

https://bugzilla.redhat.com/show_bug.cgi?id=1544794

pwrtest.efi – UEFI Shell developer tool to test Intel/AMD RTC wake function

The pwrtest.efi is a UEFI Shell tool that helps developers confirm the RTC wake function of a system (supported on both Intel and AMD platforms). Usage:

pwrtest -s3 -t 10 -w 60 ; The system enters S3 after a 10 sec delay, then wakes up after 60 sec
pwrtest [-h|-s3|-s4|-s5|-s|-ss|-sx|-cb|-r]
-h help
-s3|-s4|-s5 ; Select the system's Sx state (Intel platform)
-cb ; Do a cold boot; I do this via gRT->ResetSystem()
-ss ; Do a shutdown; I do this via gRT->ResetSystem()
-sx value ; Supports Sx state on AMD platforms, because the SLP_TYP value to write is different.
value = 3/4/5 for AMD platform(S3/S4/S5)
value = 5/6/7 for Intel Platform (S3/S4/S5)
e.g,
pwrtest -sx 4 -t 5 -w 30 ; For AMD Platform, Put system to S4 after 5 sec, then wake after 30 sec.
pwrtest -sx 6 -t 5 -w 30 ; For INTEL Platform, Put system to S4 after 5 sec, then wake after 30 sec.
pwrtest -s3 -t 5 -w 30 ; For INTEL Platform, Put system to S3 after 5 sec, then wake after 30 sec.
pwrtest -r ; Warm boot
pwrtest -cb ; Cold boot
[…]

See URL to password-protected live.com-hosted zip containing freeware binary (not open source) in blog post.

http://biosengineer.blogspot.com/2018/02/uefi-shell-utility-pwrtestefi.html

 

slides from yesterday’s BSides Seattle presentation (and seeking archive of lost Intel ATR blog on Hacking Team)

Yesterday I gave a presentation at BSides Seattle on defending firmware. This version of the presentation attempted to address a DFIR audience, not just a SysAdmin/Site Reliability Engineer audience.

I got some interesting feedback on IR after this presentation, we’ll do a blog on this in the next few days. As well as a few updates to existing IR standards to showcase where firmware is lacking.

Below is a copy of the slides:

There are 4 sections: Threats, Tech, Tools, and Guidance. The Tech section is probably the weakest to read without audio. This talk was the result of trying to jam a 4-hour training session into a 1-hour talk; the Tech section lost the most from this compression.

bsidesseattle2018.fisher.defending-firmware

Bsides didn’t record audio/video of their event.

I updated the slides from yesterday, the “DIY Homework” section focused on following along with the analysis in the old Intel ATR blog post on the Wikileaked Hacking Team UEFI malware blob. However, that blog URL is no longer around.

If you know of any online archives of these URLs, please leave a Comment on this blog post, thanks!
http://www.intelsecurity.com/advanced-threat-research/blog.html
http://www.intelsecurity.com/advanced-threat-research/ht_uefi_rootkit.html_7142015.html

This is the best-fit replacement for the missing URL above, and it includes some new content (e.g., the blacklist command) that the original blog did not. Save a copy of the blog post; I don’t expect it to be archived:

https://securingtomorrow.mcafee.com/business/chipsec-support-vault-7-disclosure-scanning/

swissarmy-grubefipxe – A configuration for netbooting various linux distros using PXE/EFI/GRUB

This is a little side-project of mine to be able to netboot various Operating Systems using EFI based computers and GRUB over PXE. I have this running on my QNAP NAS, but I believe almost any decent NAS has the requirements to run this. This project was born out of my disdain for flashing distros to USB keys.[…]

https://github.com/vittorio88/swissarmy-grubefipxe

MountEFI – mac tool to select drive containing an EFI to mount

This Mac-centric bash script has been rewritten as a Mac-centric Python script:

“A more robust edition of my previous MountEFI script. Added my usual collection of disk functions – plus some experimentation with callback functions.

def custom_quit():
    # head() is not defined in this excerpt; it comes from the rest of the script
    head("MountEFI")
    print("by CorpNewt\n")
    print("Thanks for testing it out, for bugs/comments/complaints")
    print("send me a message on Reddit, or check out my GitHub:\n")
    print("www.reddit.com/u/corpnewt")
    print("www.github.com/corpnewt\n")
    print("Have a nice day/night!\n\n")
    exit(0)

https://github.com/corpnewt/MountEFI