Kaspersky TDSS Killer: now with UEFI support (and Kaspersky Anti-Virus for UEFI (KUEFI))

The above tweet hints at UEFI support in Kaspersky TDSS Killer 3.1.0.20, but I’ve not found any more specific information.

https://usa.kaspersky.com/downloads/tdsskiller

PS: Kaspersky has a UEFI AntiVirus product, for OEMs:

Kaspersky Anti-Virus for UEFI (KUEFI) is the EFI BIOS level endpoint security solution providing effective protection from rootkits and bootkits and ensuring safe OS loading. The product’s key feature is that it starts running in the EFI environment even before the OS bootup process begins, thus preventing any resident malware from loading. By working on EFI level, KUEFI ensures reliable protection from rootkits, bootkits and other malware specifically designed to circumvent desktop anti-malware technologies. KUEFI is provided as a small EFI module which nevertheless contains the award-winning Kaspersky Anti-Virus engine. The KUEFI architecture enables its integration into any motherboard firmware supporting the EFI standard, regardless of the vendor.

https://usa.kaspersky.com/antivirus-for-uefi

GPU-pass-through-compatibility-check: Automatically set up a Linux system for PCI pass-through and check if it is compatible

This project consists of 3 parts.
1) A script (gpu-pt-check.sh) that automatically checks to what extend a computer is compatible with GPU pass-through in its given configuration.
2) A script (setup.sh) that automatically installs and configures your system for GPU pass-through (Only tested on fresh installs of Fedora 28 x64 with Gnome, booted in UEFI mode!)
3) Instructions on how to create a bootable Linux USB stick that automatically runs the gpu-pt-check.sh script when you boot from it without any user interaction required.

example output

https://github.com/T-vK/GPU-pass-through-compatibility-check

r-efi: UEFI Reference Specification Protocol Constants and Definitions for Rust

The r-efi project provides the protocol constants and definitions of the UEFI Reference Specification as native rust code. The scope of this project is limited to those protocol definitions. The protocols are not actually implemented. As such, this project serves as base for any UEFI application that needs to interact with UEFI, or implement (parts of) the UEFI specification.

https://github.com/r-util/r-efi

See-also:

https://firmwaresecurity.com/2018/11/28/c-efi-uefi-reference-specification-protocol-constants-and-definitions-2/

ALT Linux adds packages for UEFI keys and certs

https://github.com/alt-packages/alt-uefi-keys
https://github.com/alt-packages/alt-uefi-certs
https://en.altlinux.org/Main_Page
https://www.altlinux.org/UEFI

This package contains ALT Linux UEFI SB CA certificate corresponding to the private key that is now used to sign ALT Linux UEFI bootloaders to cope with UEFI SecureBoot regime (aka “Restricted Boot”). This can be enrolled by the user so that ALT shim and subsequent bootloaders are accepted by firmware without Microsoft’s certificates.

PS: ALT Linux Rescue includes an EFI System Partition (ESP) with a few tools, and a boot option to go into UEFI or Linux.

https://en.altlinux.org/Rescue

c-efi: UEFI Reference Specification Protocol Constants and Definitions

The c-efi project provides the protocol constants and definitions of the UEFI Reference Specification as native C11 code. The scope of this project is limited to those protocol definitions. The protocols are not actually implemented. As such, this project serves as base for any UEFI application that needs to interact with UEFI, or implement (parts of) the UEFI specification. Additionally to providing a C library, this project also serves as documentation base for UEFI programming in C. It provides target-triples for UEFI, bootstrap helpers, and a bunch of documentation how to get started.

https://github.com/c-util/c-efi

https://c-util.github.io/c-efi

Intel security guidance: Host Firmware Speculative Execution Side Channel Mitigation

[…]This provides specific guidance for firmware based upon the EFI Developer Kit II (EDKII) and coreboot. Because this document deals with host firmware internal requirements, it is not intended to provide side channel mitigation guidance for general application developers.

Scope: This addresses bare-metal firmware runtime risks and mitigation suggestions for the bounds check bypass, branch target injection, rogue data cache load, rogue system register read, and speculative store bypass side channel methods. Our examples and context are primarily focused on ring 0 firmware runtimes (for example: EFI Developer Kit II, PI SMM, and coreboot SMM). Other firmware execution environments are out of scope.[…]

https://software.intel.com/security-software-guidance/api-app/insights/host-firmware-speculative-execution-side-channel-mitigation

more info:

https://software.intel.com/security-software-guidance/software-guidance

Fall 2018 UEFI Plugfest, presentations uploaded

The slides from the last UEFI Forum plugfest are now online.

* State of the UEFI – Dong Wei (UEFI Forum Vice President)
* Increasing Risks to UEFI Firmware Due to Growing Attack Surfaces – Glenn Plant (Phoenix)
* UEFI Updates and Secure Software Isolation on Arm – Dong Wei (Arm)
* UEFI and the Security Development Lifecycle (SDL) – Trevor Western (Insyde)
* Advanced Trusted Platform Module (TPM) Usage – HPBird Chen (AMI)
* Building Customized Tests with Firmware Test Suite – Alex Hung (Canonical)
* System Firmware and Device Firmware Updates Using Unified Extensible Firmware Interface (UEFI) Capsules – Brian Richardson (Intel)
* Capsule Update with MM Mode – Udit Kumar and Meenakshi Aggarwal (NXP)
* How Writing Portable UEFI Drivers Improves Reliability (and Helps Me) – Leif Lindholm (Linaro)
* TianoCore Updates: Tags, Testing & Platforms – Brian Richardson (Intel) and Leif Lindholm (Linaro)

http://www.uefi.org/learning_center/presentationsandvideos

Hopefully the videos will show up here shortly, as they normally do:

https://www.youtube.com/user/UEFIForum

Linux Unattended Installation – Tools to create an unattended installation of a minimal setup of Linux

This project provides all you need to create an unattended installation of a minimal setup of Linux, whereas minimal translates to the most lightweight setup – including an OpenSSH service and Python – which you can derive from the standard installer of a Linux distribution. The idea is, you will do all further deployment of your configurations and services with the help of Ansible or similar tools once you completed the minimal setup. Use the build-iso.sh script to create an ISO file based on the netsetup image of Ubuntu. Use the build-disk.sh script to create a cloneable preinstalled disk image based on the output of build-iso.sh. […]UEFI and BIOS mode supported.[…]

https://github.com/core-process/linux-unattended-installation