LibC library musl ported to UEFI

Michael Zimmerman, one of the main developers behind EFIDroid, also has another interesting UEFI side project: uefi-musl-toolchain, a port of the LibC library musl to UEFI!

Quoting Wikipedia, musl is “a C standard library intended for operating systems based on the Linux kernel, released under the MIT License. It was developed by Rich Felker with the goal to write a clean, efficient and standards-conformant libc implementation. It is designed from scratch to allow efficient static linking and to have realtime-quality robustness by avoiding races, internal failures on resource exhaustion and various other bad worst-case behaviours present in existing implementations. The dynamic runtime is a single file with stable ABI allowing race-free updates and the static linking support allows an application to be deployed as a single portable binary without significant size overhead. It claims compatibility with the POSIX 2008 specification and the C11 standard. It also implements most of the widely used non-standard Linux, BSD, and glibc functions.”

On his musl port to UEFI, Michael says:

I ported the libc alternative musl to UEFI by replacing the syscalls with simple function calls to library and wrote a GCC wrapper. The system call table is still incomplete but this way I can compile any (single-threaded) application for UEFI. This currently works on ARM only, but just because this is the platform I am interested in, not because it wouldn’t be possible.

This is fresh code, the project is only 2 days old. 🙂

https://github.com/M1cha/uefi-musl-toolchain

Example of busybox on UEFI compiled using musl: http://pastebin.com/MRXdBjyN

https://www.musl-libc.org/

UEFI Customized Secure Boot: EDK2 branch

Chao B Zhang of Intel has created a branch of the Tianocore EDK-II for Customized Secure Boot, presumably a new flavor mentioned in the UEFI Forum’s private issue tracking system (or maybe it is public; I am not sure yet what the branch will contain). It sounds like some new post-2.6, pre-2.7 feature that Microsoft is requesting. I wonder how this will impact non-Windows OSes…

Excerpted readme:

[Staging/Customized-Secure-Boot]: Create branch for Customized Secure Boot

Create a remote branch Staging/Customized-Secure-Boot for EC1263 feature. This staging branch is requested by Jeremiah Cox of Microsoft for ECR 1263 Customized Secure Boot feature. This ECR has some conflicting language/figures that may result in inconsistent implementations. Customized Secure Boot feature provides capabilities for automated platform deployment by enterprises, OEMs, system integrators, and enthusiasts into custom, higher security Secure Boot configurations. This can mitigate chain of custody concerns in the supply chain of a given hardware platform. It further provides the ability to manage multiple UEFI certificate signers and image revocations from multiple signers. It also provides a viable solution to enterprise, enthusiast, and OS vendor signing of images while maintaining overall security of the pre-boot environment. Finally, it provides for a consistent programmatic and secure re-deployment of already-deployed systems.

More info:
https://github.com/tianocore/edk2-staging/tree/Customized-Secure-Boot
https://mantis.uefi.org/mantis/view.php?id=1263 (UEFI Forum members only, not for public)
https://lists.01.org/mailman/listinfo/edk2-devel

AMI adds Redfish support

https://twitter.com/AMI_PR/with_replies

AMI has announced Redfish support for their UEFI implementation:

American Megatrends Announces Out-of-Band BIOS Configuration through Redfish

AMI is proud to announce out-of-band BIOS configuration compatible with DMTF Redfish. DMTF’s Redfish API platform was created by DMTF’s Scalable Platforms Management Forum as an open industry standard specification designed to provide end users simple and powerful, yet scalable management platform hardware. To meet the needs of end users, Redfish allows users to develop solutions that combat homogenous interfaces and reduced functionality. Redfish utilizes a combination of REST, JSON and OData and serves as a secure replacement for IPMI-over-LAN. AMI’s OOB (Out-of-Band) Firmware Management delivers extended management solutions through the adoption of Redfish between BIOS, BMC and Extensible Management Architecture (EMA). AMI OOB Firmware Management provides complete Redfish support and allows for the consistent exchange of information between the BIOS and BMC. AMI has been diligently working on providing an OOB firmware solution for datacenter solutions providers such as QCT (Quanta Cloud Technology).

https://ami.com/news/press-releases/?PressReleaseID=354
https://ami.com/products/bios-uefi-firmware/aptio-v/
http://www.dmtf.org/standards/redfish
http://redfish.dmtf.org/

Motherboard interview on Intel UEFI and IoT security

Motherboard has an interview with Brian Richardson of the Intel UEFI team, on the topic of IoT security. Wide range of topics covered!

http://motherboard.vice.com/en_uk/blog/protecting-firmware-is-crucial-for-iot-technology

Vincent on Intel FSP and EDK-II interactions

Vincent Zimmer of Intel has a new blog post, on UEFI’s EDK-II and Intel FSP (Firmware Support Package), and how the FSP works with the EDK-II. Good background, with lots of links.

https://firmware.intel.com/blog/open-source-platforms-edkii-using-intel-fsp

For more information on UEFI and FSP, also read the APress book, of which Vincent is one of the authors:

Book Review: Embedded Firmware Solutions

Nikolaj on NVRAM formats, part 3

Nikolaj Schlej already has part 3 of his blog series on NVRAM formats in UEFI! Very long post with lots of information!

On NVRAM formats, part 3, about Phoenix SCT formats: FlashMap, EVSA, CMDB and some other common ones.

https://habrahabr.ru/post/281469/

http://translate.google.com/translate?hl=en&sl=ru&tl=en&u=https%3A%2F%2Fhabrahabr.ru%2Fpost%2F281469%2F&sandbox=1

Nikolaj on NVRAM formats, volume 2

It also appears he has released UEFITool NE alpha 25:
https://github.com/LongSoft/UEFITool/releases/tag/NE.A25

ByoSoft supports Intel Firmware Engine

https://twitter.com/FirmwareEngine/status/720168913229590528

Intel Developer Forum (IDF) takes place in San Francisco and also in China, and the one in ShenZhen is in the news now. Nanjing Byosoft Co., Ltd — aka Byosoft, a UEFI firmware vendor, announced that their ByoCore(TM) BIOS will fully support Intel Firmware Engine:

“Byosoft is the first vendor announce to fully support Intel® Firmware Engine among the independent firmware vendors in the industry, and the Intel® Firmware Engine technology will offer a low-cost, high-flexibility, easy-to-use service solution to Byosoft’s customers in Internet of Thing (IoT) and embedded market.”

“Byosoft believe Intel® Firmware Engine can greatly help customer to use ByoCore™ BIOS and finish the customization, especially for those who don’t purchase source code of the ByoCore™. Intel® Firmware Engine offers flexible method of firmware customization based on binary, and without involving Byosoft engineer direct support, the customer can finish the firmware modification by themselves to create the required image.”

“Byosoft has co-worked with Intel and upgraded the ByoCore™ BIOS codebase to support Intel® Firmware Engine. ByoCore™ customer can fast customize ByoCore™ firmware through Intel® Firmware Engine, configuring, adding or removing the existed firmware packages, and integrate user-defined payload. With Intel® Firmware Engine, ByoCore™ customer can build customized firmware faster and easier.”

Full announcement:
http://www.byosoft.com.cn/xwzxx/98.htm

This is great news for the Windows UEFI ecosystem. Again, I wish Intel would release a Linux version of the Windows-only Firmware Engine. 😦

Nikolaj on NVRAM formats, volume 2

Nikolaj has started a series of blog posts on NVRAM formats in UEFI:

First edition is here:

Nikolaj on UEFI NVRAM formats

The second edition is already out:

https://habrahabr.ru/post/281412/

http://translate.google.com/translate?hl=en&sl=ru&tl=en&u=https%3A%2F%2Fhabrahabr.ru%2Fpost%2F281412%2F&sandbox=1

Looking forward to volume 3!

Brian Richardson on UEFI community changes

Brian Richardson of Intel’s UEFI team posted a new blog with information about recent changes in the Tianocore development ecosystem. Brian summarizes recent activity, including Tony Mangefeste’s new community roadmap, the recent UEFI plugfest in Taipei, and other changes:

http://blogs.intel.com/evangelists/2016/04/11/tianocore-community-uefi/

U-Boot’s EFI loader gets El Torito ISO support

Alexander Graf of SuSE has updated his EFI patch for U-Boot, adding the ability to boot from El Torito-style ISOs:

efi_loader: Support loading from El Torito isos

Some distributions still provide .iso files for installation media. To give us greatest flexibility, this patch set adds support for El Torito booting with EFI payloads.

  iso: Make little endian and 64bit safe
  iso: Start with partition 1
  iso: Allow 512 byte sector size
  efi_loader: Split drive add into function
  efi_loader: Add el torito support
  efi_loader: Pass file path to payload
  efi_loader: Increase path string to 32 characters
  distro: Enable iso partition code

For more information, see the full patch:
http://lists.denx.de/mailman/listinfo/u-boot

Nikolaj on UEFI NVRAM formats

Nikolaj Schlej has written the first of a series of articles on NVRAM file formats:

“NVRAM formats of UEFI-compatible firmwares”

It is in Russian. If you don’t read Russian, there are many C structs and colored screenshots that are self-explanatory, and auto-translators (like Google Translate) work pretty well.

If you’ve not been watching UEFITool NE recently, there have been lots of checkins for NVRAM formats.

https://habrahabr.ru/post/281242/

http://translate.google.com/translate?hl=en&sl=ru&tl=en&u=https%3A%2F%2Fhabrahabr.ru%2Fpost%2F281242%2F&sandbox=1

Nikolaj is also looking for some NVRAM formats for testing:

FreeBSD 10.3 released

Marius Strobl announced FreeBSD 10.3, with changes to UEFI, amongst other updates and new features. An excerpt of the highlights listed in the announcement:

* The UEFI boot loader received several improvements: It now follows /boot/config and /boot.config files, multi-device boot support works and command line arguments are parsed. Additionally, its framebuffer driver has been enhanced with GOP (Graphics Output Protocol) and UGA (Universal Graphics Adapter) handling, allowing to set the current graphics mode on systems using one of these methods. Moreover, ZFS boot capability has been added to the UEFI boot loader, including support for multiple ZFS Boot Environments (BEs), e. g. those provided by sysutils/beadm.

* The bsdinstall(8) utility has been updated to allow for creating root-on-ZFS installations on UEFI-based systems in automatic mode.

* The mkimg(1) utility has been updated to support NTFS file systems in both GPT and MBR partitioning schemes.

* And much more …

More information:
https://www.FreeBSD.org/releases/10.3R/relnotes.html
https://www.FreeBSD.org/releases/10.3R/errata.html
https://www.FreeBSD.org/releases/10.3R/signatures.html
https://www.FreeBSD.org/releases/10.3R/announce.asc
ftp://ftp.freebsd.org/pub/FreeBSD/releases/ISO-IMAGES/10.3/
ftp://ftp.freebsd.org/pub/FreeBSD/releases/VM-IMAGES/10.3-RELEASE/
https://www.FreeBSD.org/releases/10.3R/installation.html
https://lists.freebsd.org/pipermail/freebsd-announce/2016-April/001713.html
https://www.freebsd.org/releases/10.3R/relnotes.html#kernel-bugfix

UEFI Forum Spring plugfest presentations uploaded

The UEFI Forum is concluding their Spring plugfest in Taipei. They’ve uploaded the 8 presentations to uefi.org:

    UEFI Forum Update – Dong Wei (HPE)
    UEFI Forum ARM Update – Mitch Ishihara (ARM)
    Improving Platform Security with UEFI Secure Boot and UEFI Variables – David Chen (Insyde Software)
    The TPM 2.0 specs are here, now what? – Dick Wilkins (Phoenix Technologies)
    Standardized Firmware for ARMv8 based Volume Servers – Jonathan Zhang (Cavium Inc.) and Robert Hsu (AMI)
    Microsoft Update for Windows Security – Jackie Chang, Tony Lin (Microsoft Corporation)
    UEFI Port to RISC-V Processor Architecture – Abner Chang (HPE)
    Tianocore 2016 Updates – Tony Mangefeste (Intel)

http://uefi.org/learning_center/presentationsandvideos

and look for the videos to start showing up here:
https://www.youtube.com/user/UEFIForum

Debian plans for UEFI Secure Boot

Steve McIntyre of the Debian Project posted a message to the Debian-EFI list, with plans for getting Debian to support UEFI Secure Boot. A summary of the main steps:

1. Generate a key and an EV code-signing cert, submit to Microsoft
2. dak changes to support upload and signing of EFI executables
3. Prepare and upload a package of the ‘shim’ EFI boot loader
4. Updates for other core packages to add signed versions
 * grub2
 * linux
 * fwupdate
 * ???
5. Minor tweaks to other places to make use of the signed packages
 * d-i
 * debian-cd
 * debian-live
 * ???

Full status message and more information:
https://wiki.debian.org/SecureBoot
https://lists.debian.org/debian-efi/2016/04/msg00002.html

Microsoft relicensed EDK2 FatPkg to BSD!!

Laszlo Ersek of RedHat has updated the EDK2’s FatPkg to use the BSD license!

“This is huge. It will enable Fedora to ship OvmfPkg and ArmVirtPkg builds. It will enable RHEL to ship OVMF in Main. Of course other GNU/Linux distros will benefit similarly.”

I rarely say this as much as I’d like to, but: “Great job Microsoft!”

http://thread.gmane.org/gmane.comp.bios.edk2.devel/9930/focus=9956

Linux EFI bootloader control driver

Matt Gumbel of Intel has submitted a patch to the Linux-EFI and Linux-kernel lists, to add an EFI bootloader control driver to Linux:

efi: Introduce EFI bootloader control driver

This driver intercepts system reboot requests and populates the LoaderEntryOneShot EFI variable with the user-supplied reboot argument. EFI bootloaders such as Gummiboot will consume this variable and use it to control which OS is booted next. We use this with Android where reboot() tells the kernel that we want to boot into recovery or other non-default OS environment. It is the bootloader’s job to guard against this variable being uninitialized or containing invalid data, and just boot normally if that is the case.

+config EFI_BOOTLOADER_CONTROL
+    tristate “EFI Bootloader Control module”
+    depends on EFI_VARS
+    default n
+    help
+      This driver installs a reboot hook, such that if reboot() is
+      invoked with a string argument NNN, “bootonce-NNN” is copied to
+      the EFI variable, to be read by the bootloader. If the string
+      matches one of the boot labels defined in its configuration,
+      the bootloader will boot once to that label.
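
Review bot: The help text for EFI_BOOTLOADER_CONTROL says the string is copied to "the EFI variable" without naming it; the commit message names LoaderEntryOneShot, and the help should name it too, so that someone enabling the option can tell which variable a reboot argument will write. Because the reboot argument is user-supplied and the commit message leaves rejection of invalid data to the bootloader, the help should also say what length or character limits, if any, the driver applies to NNN before writing. The "default n" line is redundant, since n is already the Kconfig default, and can be dropped.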

For more information, see drivers/firmware/efi/efi-bc.c, the linux-efi or linux-kernel mailing lists:
http://vger.kernel.org/majordomo-info.html
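
The fallback the commit message asks of the bootloader, as an added example (not code from the patch or from Gummiboot): a C helper that honours the one-shot value only when it is well-formed and names a configured label, and otherwise boots the default. The function name, the NUL-terminated UTF-16LE payload encoding, the 64-character cap and the sample labels are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ONESHOT_PREFIX "bootonce-"
#define ONESHOT_MAX_CHARS 64    /* assumed cap, not taken from the patch */

/* Hypothetical bootloader-side helper: returns the label to boot given the raw
 * bytes of the one-shot variable (assumed NUL-terminated UTF-16LE). Unset,
 * malformed or unlisted values all fall back to default_label. */
const char *pick_boot_label(const uint8_t *data, size_t len,
        const char *const labels[], size_t nlabels, const char *default_label)
{
    char ascii[ONESHOT_MAX_CHARS + 1];
    size_t units = len / 2, n = 0, i, plen = strlen(ONESHOT_PREFIX);
    if (data == NULL || len == 0 || len % 2 != 0)
        return default_label;           /* unset or odd-sized */
    for (i = 0; i < units; i++) {
        uint8_t lo = data[2 * i], hi = data[2 * i + 1];
        if (lo == 0 && hi == 0)
            break;                      /* terminator */
        if (hi != 0 || lo < 0x21 || lo > 0x7e || n == ONESHOT_MAX_CHARS)
            return default_label;       /* non-ASCII, control or too long */
        ascii[n++] = (char)lo;
    }
    if (i == units)
        return default_label;           /* no terminator inside the buffer */
    ascii[n] = '\0';
    if (n <= plen || strncmp(ascii, ONESHOT_PREFIX, plen) != 0)
        return default_label;           /* missing prefix or empty label */
    for (i = 0; i < nlabels; i++)
        if (strcmp(ascii + plen, labels[i]) == 0)
            return labels[i];           /* exact allowlist match only */
    return default_label;
}

/* Constructed sample data, not captured from a real system. */
static const char *const LABELS[] = { "recovery", "fastboot" };
static const uint8_t SAMPLE_OK[] = { 'b',0,'o',0,'o',0,'t',0,'o',0,'n',0,'c',0,
    'e',0,'-',0,'r',0,'e',0,'c',0,'o',0,'v',0,'e',0,'r',0,'y',0, 0,0 };
static const uint8_t SAMPLE_UNLISTED[] = { 'b',0,'o',0,'o',0,'t',0,'o',0,'n',0,
    'c',0,'e',0,'-',0,'x',0, 0,0 };
int main(void)
{
    printf("%s\n", pick_boot_label(SAMPLE_OK, sizeof SAMPLE_OK, LABELS, 2, "default"));
    printf("%s\n", pick_boot_label(SAMPLE_UNLISTED, sizeof SAMPLE_UNLISTED, LABELS, 2, "default"));
    return 0;
}
```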