EBC Debugger added to EDK2

Pete Batard has added EBC Debugger support to the EDK2 project! As I understand it, there was EBC Debugger support in the original EDK project, but it was not carried forward into the EDK2 project, so this is great news! It sounds like this initial patch will need to go through an iteration or two, so hold off until the dust settles…

“The EBC Debugger, which was present in Tianocore, is an invaluable tool for EBC development.  This patch adds it back into the EDK2, allowing, for instance, the compilation of an AARCH64 EBC debugger. […]”

EBC is a bytecode and VM that is widely used, yet barely understood by most, including security researchers. While EBC was initially an Intel-centric technology, only supporting their Itanium, x86, and x64 processors, and only available from their commercial-only Intel C Compiler, these days ARM is also targeting EBC support. I’m unclear about ARM’s EBC compiler options, perhaps only via their commercial-only compiler? I hope someone gets EBC support into an open source C compiler codebase, like clang or GCC.

More information:
https://github.com/pbatard/EbcDebugger/commit/906e87ed6ceab1c361ba6f681bef48179baf549e
https://github.com/pbatard/edk2/tree/EBCDebugger
http://www.uefi.org/node/550
https://github.com/tianocore/edk/tree/master/Sample/Universal/Ebc/Dxe
https://sourceforge.net/projects/efidevkit/files/Documents/EBC%20Debugger%20User%20Manual.pdf/download
https://lists.01.org/mailman/listinfo/edk2-devel

FWTS 16.011.00 released

Ivan Hu of Canonical announced the 16.011.00 release of FWTS, the FirmWare Test Suite.

New Features include:
 * ACPICA: Update to version 20160930
 * uefibootpath: add test for eMMC device path
 * uefidump: add dumping for the eMMC device path

There are lots of bug fixes as well; see the changelog.

https://launchpad.net/ubuntu/+source/fwts
http://fwts.ubuntu.com/release/fwts-V16.11.00.tar.gz
https://launchpad.net/~firmware-testing-team/+archive/ubuntu/ppa-fwts-stable
https://wiki.ubuntu.com/FirmwareTestSuite/ReleaseNotes/16.11.00

UEFI Capsule-Update and Recovery

On the EDK2-Devel mailing list, Michael Kinney of Intel has started a new EDK2 wiki page on UEFI Capsule-Based-Firmware Update/Recovery. Capsule Updates are how UEFI-based firmware updates itself.

Draft of documentation for Signed Capsule Feature:
I have started a draft of Wiki pages that describe how to use and verify the Signed Capsule feature from Jiewen Yao. I have focused this first draft on the system firmware update use case for signed capsules. Please review this content and provide feedback. I will work on the remaining 3 signed capsule use cases while the content for this first use case is reviewed. I plan to add this content to the edk2 Wiki once the reviews are completed.

https://github.com/mdkinney/edk2/wiki/Capsule-Based-Firmware-Update-and-Firmware-Recovery

https://github.com/mdkinney/edk2/wiki/Capsule-Based-System-Firmware-Update

https://lists.01.org/mailman/listinfo/edk2-devel

Run As Radio: UEFI Secure Boot

Episode 503 is on UEFI and Secure Boot:

“The BIOS has evolved, and we need to take advantage of it! While at Ignite in Atlanta, Richard sat down with Mark Minasi to talk about UEFI and SecureBoot. The conversation starts out with a bit of a history lesson about BIOS, ROM and booting up a computer. Mark tells the story of how EFI started with Intel’s Itanium, and eventually appeared everywhere. UEFI is effectively an operating system in its own right, with drivers and its own set of security risks. This leads to a conversation around SecureBoot, dealing with the challenges of resisting security exploits from startup onward. It’s easy enough to get SecureBoot running, it’s what happens when it’s triggered that gets complicated.”

http://www.runasradio.com/Shows/Show/503


UEFI-Bootkit

I just noticed a new UEFI bootkit on Github which I’d never heard of:

“UEFI-Bootkit: A small bootkit designed to use as little ASM as possible. Thanks to pyro666”

https://github.com/dude719/UEFI-Bootkit

I sent an FYI to the UEFI Security group before posting about it to this blog, in the name of responsible disclosure. Dick Wilkins of Phoenix Technologies, and of the UEFI Forum’s Security Response Team (USRT), replied with his input on the code:

“I just took a quick look at this code in github. It looks like the typical UEFI application that changes the configuration and could cause unexpected things to boot. The unexpected stuff could damage the system and then continue to boot up normally but compromised. This is exactly why Secure Boot was needed. If Secure Boot is disabled (or not implemented), there are many ways to insert code into the boot path and compromise a system. If Secure Boot is enabled, this code and any code like it would not be properly signed and would never run. There is nothing new here. This is why end users must be discouraged from disabling secure boot and running non UEFI Secure Boot aware systems.”

http://www.uefi.org/security

AMI providing Redfish-enabled firmware for Intel and Aspeed models

AMI is now offering firmware for both BIOS and BMC on Intel customer reference boards (CRB) for the Intel Xeon® processor D-1500 product family and the 4th generation baseboard management controller (BMC) from Aspeed, the Aspeed AST2300 BMC. AMI has developed generic Redfish BIOS and BMC firmware support and has tested on the next generation AMD silicon. AMI’s BIOS and BMC firmware are highly integrated, allowing data center administrators to simultaneously, remotely and securely manage a number of server platforms out-of-box. Other features include BIOS-level firmware configuration and firmware updating. BMC functionality is based on the open industry standard specification and schema from DMTF’s Redfish™ API with the goal of creating seamless integration into existing tool chains.

http://ami.com/products/bios-uefi-firmware/aptio-v/
https://ami.com/news/press-releases/?PressReleaseID=368

New UEFI patch enables SMM page-level protection

Jiewen Yao of Intel submitted a 6-part patch series to Tianocore which adds SMM page-level protection. It appears to be the first version of the patch.

This patch series enables SMM page level protection. Features are:
1) PiSmmCore reports SMM PE image code/data information in EdkiiPiSmmMemoryAttributeTable, if the SMM image is page aligned.
2) PiSmmCpu consumes EdkiiPiSmmMemoryAttributeTable and sets XD for data pages and RO for code pages.
3) PiSmmCpu enables Static Paging for X64 according to PcdCpuSmmStaticPageTable. If it is true, 1G paging for above 4G is used as long as it is supported.
4) PiSmmCpu sets important data structures to be read only, such as Gdt, Idt, SmmEntrypoint, and the PageTable itself.

Tested platforms:
1) Intel internal platform (X64).
2) EDKII Quark IA32
3) EDKII Vlv2 X64
4) EDKII OVMF IA32 and IA32X64.

  MdeModulePkg/Include: Add PiSmmMemoryAttributesTable.h
  MdeModulePkg/dec: Add gEdkiiPiSmmMemoryAttributesTableGuid.
  MdeModulePkg/PiSmmCore: Add MemoryAttributes support.
  UefiCpuPkg/dec: Add PcdCpuSmmStaticPageTable.
  UefiCpuPkg/PiSmmCpuDxeSmm: Add paging protection.
  QuarkPlatformPkg/dsc: enable Smm paging protection.
 36 files changed, 4513 insertions(+), 798 deletions(-)
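To make features 1, 2 and 4 concrete, here is an added example (not EDK2 code) that models how a PiSmmCpu-style consumer would translate a memory attributes table into x64 page-table entry bits. The descriptor struct, table and addresses are simplified stand-ins; the EFI_MEMORY_RO/EFI_MEMORY_XP values are the UEFI-defined attribute bits.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>

/* UEFI memory attribute bits (as defined in the UEFI spec). */
#define EFI_MEMORY_XP 0x0000000000004000ULL /* execute-protect */
#define EFI_MEMORY_RO 0x0000000000020000ULL /* read-only */

/* x64 page-table entry bits used here. */
#define PTE_PRESENT (1ULL << 0)
#define PTE_WRITE   (1ULL << 1)
#define PTE_NX      (1ULL << 63) /* requires IA32_EFER.NXE */
#define PAGE_SIZE   4096ULL

/* Simplified stand-in for one memory attributes table entry. */
typedef struct {
    uint64_t base;      /* physical start, page aligned */
    uint64_t pages;     /* number of 4 KiB pages */
    uint64_t attribute; /* EFI_MEMORY_* bits */
} mem_desc_t;

/* Constructed sample table: a page-aligned SMM image reported as
 * 4 code pages (RO) followed by 2 data pages (XP). */
static const mem_desc_t SAMPLE_TBL[] = {
    { 0x7F000000ULL, 4, EFI_MEMORY_RO },
    { 0x7F004000ULL, 2, EFI_MEMORY_XP },
};
#define SAMPLE_N (sizeof(SAMPLE_TBL) / sizeof(SAMPLE_TBL[0]))

/* Build the PTE for one SMRAM page. The modeled default (assumption)
 * is a present, writable, executable mapping; the table then drops W
 * for RO regions and sets NX for XP regions. A page covered by no
 * descriptor (e.g. an image that was not page aligned and therefore
 * never reported) keeps the permissive default. */
uint64_t pte_for_page(uint64_t phys, const mem_desc_t *tbl, size_t n) {
    uint64_t pte = (phys & ~(PAGE_SIZE - 1)) | PTE_PRESENT | PTE_WRITE;
    for (size_t i = 0; i < n; i++) {
        uint64_t end = tbl[i].base + tbl[i].pages * PAGE_SIZE;
        if (phys >= tbl[i].base && phys < end) {
            if (tbl[i].attribute & EFI_MEMORY_RO) pte &= ~PTE_WRITE;
            if (tbl[i].attribute & EFI_MEMORY_XP) pte |= PTE_NX;
            break;
        }
    }
    return pte;
}

/* Audit helper: true if the page is both writable and executable. */
bool pte_is_wx(uint64_t pte) {
    return (pte & PTE_WRITE) != 0 && (pte & PTE_NX) == 0;
}
```

Running pte_is_wx over every SMRAM page after the table has been applied is a quick way to spot images that escaped protection because they were not page aligned.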

For more information, see the posting on the edk2-devel list:
https://lists.01.org/mailman/listinfo/edk2-devel

Lenovo BIOS to UEFI

https://github.com/theznerd/LenovoBIOStoUEFI

“Lenovo BIOS to UEFI TS Converter with CG/DG Prep: Allows you to configure SecureBoot/UEFI settings, as well as Virtualization Technology and TPM for Credential Guard and Device Guard. This script is designed to work on both ThinkPad and ThinkCentre machines. This script connects to the WMI instances for Lenovo machines, and then configures the requested settings. This script is designed to be used as part of a task sequence where you want to convert from legacy BIOS to UEFI and at the same time prepare the machine for Credential Guard and Device Guard.”

Tim Lewis resumes uefi.blogspot blog!

For a long time uefi.blogspot.com was one of the few sources of UEFI blogging. It appears to have been inactive for about 2 years, but has 2 new posts from this month! Make sure this blog is still on your RSS feed list.

http://uefi.blogspot.com/2016/10/intel-and-insyde-embedded-white-paper.html

http://www.intel.com/content/www/us/en/embedded/software/fsp/fast-secure-iot-solutions-insyde-software-blink-boot-fsp-white-paper.html

http://uefi.blogspot.com/2016/10/pi-15-released.html

Dmytro takes on the Intel NUC

Dmytro Oleksiuk has a new blog post on UEFI security issues in an Intel NUC running AMI Aptio UEFI BIOS.

(Sad to see that Intel does not appear to run CHIPSEC as part of release management QA on its own NUCs.)

Exploiting AMI Aptio firmware on example of Intel NUC
[…] Today I’m sharing with you the story of my next x86 machine hacking — we’re going to talk about UEFI vulnerabilities, exploit mitigation features of System Management Mode and new exploit called Aptiocalypsis. Also, this time I did responsible disclosure to Intel and AMI, so, at the moment of this publication you already can patch some of vulnerable products.

Lots of interesting things happened since release of ThinkPwn exploit. Firstly I supposed that vulnerable code was written by Lenovo or its Independent BIOS Vendor (IBV), but later it turned out that they’ve taken this totally mad driver from Intel reference code. This exact code is not available in public, but open source firmware of some Intel boards has it too. For example, SmmRuntimeManagementCallback() function from Intel Quark BSP is exactly the same vulnerable code that I’ve found in firmware of my T450s. It’s also interesting that vulnerable code is quite old (it comes from EFI 1.x era) but nevertheless, it was never present in EDK2 source from public repository — its version of QuarkSocPkg was heavily modified in comparison with vulnerable one. The horrible and vulnerable by design piece of code was removed by Intel somewhere in the middle of 2014, but it seems that there were no security advisories regarding this issue. Due to this IBVs had no chance to fix this vulnerability in their relatively old code base and the bug appeared in modern computers from Lenovo, Intel, GIGABYTE, Dell, HP, Fujitsu and other OEMs (oops!).

Well, I guess at this point it’s much or less clear that currently there’s nothing to do with ThinkPad anymore, it was pwned with 0day, it has too awkward code base that follows ancient version of EFI specification and 8 series chipset that is not the freshest stuff you can get. As my next target for firmware security adventures I’ve decided to take some Skylake based machine of well-known vendor who might have a decent firmware that would be interesting to break. Because I like all kinds of small x86 compatible computers, I’ve put my eye on the latest generation of Intel NUC. It also looks interesting because platform vendor knows his hardware better than anyone else, so, from firmware security perspective, Intel NUC is definitely not the worst choice.[…]

http://blog.cr4.sh/2016/10/exploiting-ami-aptio-firmware.html


Secure Boot in vSphere 6.5

Tom Fenton has an article in Virtualization Review on the latest version of VMware’s vSphere, 6.5, and this release includes UEFI changes:

[…]Another major security upgrade in this release is “Secure Boot,” to prevent unauthorized operating systems and software from loading during the startup process. Secure Boot is a feature enabled by UEFI, and can be used not only when booting the hypervisor, but also when booting up the guests. VMware has also updated its logging to include the ability to track who did what on a vSphere system. […]

https://virtualizationreview.com/articles/2016/10/18/vsphere-6_5-first-look.aspx

CPP-UEFI-Wrapper

CPP-UEFI-Wrapper is a new project to create a C++ wrapper for the C-centric UEFI interfaces. It is just getting started and is not yet ready for use.

https://github.com/GuildMasterInfinite/CPP-UEFI-Wrapper

C++ UEFI Wrapper:
This project is a C++ wrapper for the UEFI specification, intended for people who write UEFI applications (OS loaders, shells, etc.) The project is composed of two parts, 1) The low-level wrapper, that uses structs and pointers to directly implement the UEFI specification. and 2) The high-level, object-oriented wrapper, that uses classes to represent various UEFI protocols. Features:
* Uses modern C++14 features (constexpr, static_assert, strongly typed enums).
* Mainly intended for UEFI applications, not UEFI drivers or firmwares.
* Relies on some C/C++ headers, but does not require a hosted standard library (obviously).
[…]

UEFI Forum plugfest videos online

The PDFs of the presentations were uploaded earlier; now the videos are online on YouTube.

The presentations are all very interesting. The Microsoft talk gives more background clarifying the leaked “Secure Boot” golden keys story. Style points go to that speaker with his ‘golden key’ necklace. 🙂

https://www.youtube.com/user/UEFIForum

http://uefi.org/events/past

http://uefi.org/learning_center/presentationsandvideos

UEFI Forum publishes plugfest presentation PDFs

Recently the UEFI Forum had a plugfest. They just uploaded the slides of the presentations. I think the videos are expected in a few weeks as well.

UEFI Fall Plugfest – September 20-22, 2016
* Redfish Configuration of UEFI HII Settings – Mike Rothman (Intel) and Samer El Haj Mahmoud (Lenovo)
* Out of Band BIOS Remote Management – Matthew Krysiak (AMI)
* UEFI Forum Update – Dong Wei (HPE)
* Microsoft UEFI Security Updates – Scott Anderson, Suhas Manangi, Nate Nunez, Jeremiah Cox, and Michael Anderson (Microsoft)
* Tianocore 2016 Updates – Tony Mangefeste (Intel)
* UEFI Network and Security Update – Vincent Zimmer (Intel)
* Updated TCG TPM 2.0 Specs – Dick Wilkins (Phoenix Technologies Ltd.)
* ARM Trusted Firmware ARM UEFI SCT Update – Charles Garcia-Tobin (ARM)

http://www.uefi.org/learning_center/presentationsandvideos
http://uefi.org/events/past

Video of Brian’s Tianocore Linaro Connect presentation

Brian Richardson of Intel recently gave a presentation at ARM Ltd’s Linaro Connect on the subject of UEFI. Intel started UEFI, but in recent years ARM has adopted it as well.