The above tweet hints at UEFI support in Kaspersky TDSS Killer 126.96.36.199, but I’ve not found any more specific information.
PS: Kaspersky has a UEFI AntiVirus product, for OEMs:
Kaspersky Anti-Virus for UEFI (KUEFI) is the EFI BIOS level endpoint security solution providing effective protection from rootkits and bootkits and ensuring safe OS loading. The product’s key feature is that it starts running in the EFI environment even before the OS bootup process begins, thus preventing any resident malware from loading. By working on EFI level, KUEFI ensures reliable protection from rootkits, bootkits and other malware speciﬁcally designed to circumvent desktop anti-malware technologies. KUEFI is provided as a small EFI module which nevertheless contains the award-winning Kaspersky Anti-Virus engine. The KUEFI architecture enables its integration into any motherboard ﬁrmware supporting the EFI standard, regardless of the vendor.
This project consists of 3 parts.
1) A script (gpu-pt-check.sh) that automatically checks to what extend a computer is compatible with GPU pass-through in its given configuration.
2) A script (setup.sh) that automatically installs and configures your system for GPU pass-through (Only tested on fresh installs of Fedora 28 x64 with Gnome, booted in UEFI mode!)
3) Instructions on how to create a bootable Linux USB stick that automatically runs the gpu-pt-check.sh script when you boot from it without any user interaction required.
The r-efi project provides the protocol constants and definitions of the UEFI Reference Specification as native rust code. The scope of this project is limited to those protocol definitions. The protocols are not actually implemented. As such, this project serves as base for any UEFI application that needs to interact with UEFI, or implement (parts of) the UEFI specification.
There’s a new UEFI AudioPkg, appears to offer some kind of audio support, no documentation yet.
Hmm, if this works, then someone could conceivably port MAME to UEFI! 🙂
This package contains ALT Linux UEFI SB CA certificate corresponding to the private key that is now used to sign ALT Linux UEFI bootloaders to cope with UEFI SecureBoot regime (aka “Restricted Boot”). This can be enrolled by the user so that ALT shim and subsequent bootloaders are accepted by firmware without Microsoft’s certificates.
PS: ALT Linux Rescue includes an EFI System Partition (ESP) with a few tools, and a boot option to go into UEFI or Linux.
The c-efi project provides the protocol constants and definitions of the UEFI Reference Specification as native C11 code. The scope of this project is limited to those protocol definitions. The protocols are not actually implemented. As such, this project serves as base for any UEFI application that needs to interact with UEFI, or implement (parts of) the UEFI specification. Additionally to providing a C library, this project also serves as documentation base for UEFI programming in C. It provides target-triples for UEFI, bootstrap helpers, and a bunch of documentation how to get started.
efi-roller is a simple script to help sign EFI images. It creates the needed keys and helps you keep track of what to sign.
There’s awesome-firmware-security, and a uefi.tech, and a few other sites that have links to UEFI/firmware technologies. Now there is a new site, Awesome UEFI:
A general purpose UEFI Bootloader/Chainloader with a modern UI.
It is just getting started, not working yet.
The UEFI Forum has specified the date/location of the next plugfest:
Event Date: April 8-12, 2019
Location: Bellevue, WA
[…]This provides specific guidance for firmware based upon the EFI Developer Kit II (EDKII) and coreboot. Because this document deals with host firmware internal requirements, it is not intended to provide side channel mitigation guidance for general application developers.
Scope: This addresses bare-metal firmware runtime risks and mitigation suggestions for the bounds check bypass, branch target injection, rogue data cache load, rogue system register read, and speculative store bypass side channel methods. Our examples and context are primarily focused on ring 0 firmware runtimes (for example: EFI Developer Kit II, PI SMM, and coreboot SMM). Other firmware execution environments are out of scope.[…]
Jordan Rhee of Microsoft has created a new project. All the documentation was used for the Title.
Now I’m wondering what Project Cyres is.
[…]Will this work on a non-IBM server?
No, this uses IBM-specific UEFI hooks to reset the passwords.
UEFI-Boot is a simple project that focused on loading Linux kernel directly from UEFI firmware without need in any bootloader.
The slides from the last UEFI Forum plugfest are now online.
* State of the UEFI – Dong Wei (UEFI Forum Vice President)
* Increasing Risks to UEFI Firmware Due to Growing Attack Surfaces – Glenn Plant (Phoenix)
* UEFI Updates and Secure Software Isolation on Arm – Dong Wei (Arm)
* UEFI and the Security Development Lifecycle (SDL) – Trevor Western (Insyde)
* Advanced Trusted Platform Module (TPM) Usage – HPBird Chen (AMI)
* Building Customized Tests with Firmware Test Suite – Alex Hung (Canonical)
* System Firmware and Device Firmware Updates Using Unified Extensible Firmware Interface (UEFI) Capsules – Brian Richardson (Intel)
* Capsule Update with MM Mode – Udit Kumar and Meenakshi Aggarwal (NXP)
* How Writing Portable UEFI Drivers Improves Reliability (and Helps Me) – Leif Lindholm (Linaro)
* TianoCore Updates: Tags, Testing & Platforms – Brian Richardson (Intel) and Leif Lindholm (Linaro)
Hopefully the videos will show up here shortly, as they normally do:
This project provides all you need to create an unattended installation of a minimal setup of Linux, whereas minimal translates to the most lightweight setup – including an OpenSSH service and Python – which you can derive from the standard installer of a Linux distribution. The idea is, you will do all further deployment of your configurations and services with the help of Ansible or similar tools once you completed the minimal setup. Use the build-iso.sh script to create an ISO file based on the netsetup image of Ubuntu. Use the build-disk.sh script to create a cloneable preinstalled disk image based on the output of build-iso.sh. […]UEFI and BIOS mode supported.[…]