Fall 2018 UEFI Plugfest, presentations uploaded

November 8, 2018 ~ hucktech ~ 1 Comment

The slides from the last UEFI Forum plugfest are now online.

* State of the UEFI – Dong Wei (UEFI Forum Vice President)
* Increasing Risks to UEFI Firmware Due to Growing Attack Surfaces – Glenn Plant (Phoenix)
* UEFI Updates and Secure Software Isolation on Arm – Dong Wei (Arm)
* UEFI and the Security Development Lifecycle (SDL) – Trevor Western (Insyde)
* Advanced Trusted Platform Module (TPM) Usage – HPBird Chen (AMI)
* Building Customized Tests with Firmware Test Suite – Alex Hung (Canonical)
* System Firmware and Device Firmware Updates Using Unified Extensible Firmware Interface (UEFI) Capsules – Brian Richardson (Intel)
* Capsule Update with MM Mode – Udit Kumar and Meenakshi Aggarwal (NXP)
* How Writing Portable UEFI Drivers Improves Reliability (and Helps Me) – Leif Lindholm (Linaro)
* TianoCore Updates: Tags, Testing & Platforms – Brian Richardson (Intel) and Leif Lindholm (Linaro)

http://www.uefi.org/learning_center/presentationsandvideos

Hopefully the videos will show up here shortly, as they normally do:

https://www.youtube.com/user/UEFIForum

Linux Unattended Installation – Tools to create an unattended installation of a minimal setup of Linux

November 4, 2018 ~ hucktech ~ Leave a comment

This project provides all you need to create an unattended installation of a minimal setup of Linux, whereas minimal translates to the most lightweight setup – including an OpenSSH service and Python – which you can derive from the standard installer of a Linux distribution. The idea is, you will do all further deployment of your configurations and services with the help of Ansible or similar tools once you completed the minimal setup. Use the build-iso.sh script to create an ISO file based on the netsetup image of Ubuntu. Use the build-disk.sh script to create a cloneable preinstalled disk image based on the output of build-iso.sh. […]UEFI and BIOS mode supported.[…]

https://github.com/core-process/linux-unattended-installation

Ubuntu bug 1798863, CVE-2018-18653, UEFI Secure Boot vuln

October 31, 2018 ~ hucktech ~ Leave a comment

The Linux kernel, as used in Ubuntu 18.10 and when booted with UEFI Secure Boot enabled, allows privileged local users to bypass intended Secure Boot restrictions and execute untrusted code by loading arbitrary kernel modules. This occurs because a modified kernel/module.c, in conjunction with certain configuration options, leads to mishandling of the result of signature verification.[…]

Source: MITRE
Description Last Modified: 10/25/2018

https://nvd.nist.gov/vuln/detail/CVE-2018-18653

[…]This flaw is introduced by certain configuration options in combination with this out-of-tree patch from the Lockdown patchset[…]

https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1798863

https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1798863/comments/23

https://vuldb.com/?id.125976
Current Exploit Price (≈) $5k-$25k

Comparing Qualcomm’s XBL UEFI bootloaders on Snapdragon 820, 835, and 845

October 31, 2018 ~ hucktech ~ Leave a comment

New blog post: I compared Qualcomm Snapdragon's XBL UEFI bootloaders on the 3 generations of Google Pixel phones and a Windows 10 ARM64 tablet. https://t.co/kV99E8tdyT

— Zhuowei Zhang (@zhuowei) October 31, 2018

Comparing Qualcomm’s XBL UEFI bootloaders on Snapdragon 820, 835, and 845

Oct 30, 2018

I compared UEFI bootloaders from Google Pixel XL, 2XL, 3XL, and Lenovo Miix 630 to show how Qualcomm used the flexibility of UEFI to support Android and Windows. This is part 1 of a series about Qualcomm bootloaders. Part 2 will be posted in about a month.[…]

https://worthdoingbadly.com/qcomxbl/

UEFI parsing libraries

October 29, 2018October 29, 2018 ~ hucktech ~ Leave a comment

AFAIK, there are 4 libraries/codebases to parse UEFI binaries. Two in Python, one in C++, and the latest one in Go:

1) CHIPSEC, written in Python, available as a library and an app:
https://github.com/chipsec/chipsec

2) UEFI Firmware Parser, written in Python, available as a library and an app:
https://github.com/theopolis/uefi-firmware-parser

3) UEFITool, written in C++ (the New Engine branch of the code does not rely on Qt for the parsing engine):
https://github.com/LongSoft/UEFITool/tree/new_engine

4) and a new one, written in Go, part of the LinuxBoot toolchain:
https://github.com/linuxboot/fiano

Thanks to Nikolaj Schlej, author of UEFITools’ parser, for pointing out that Fiano has a new parser. I got the chance to meet Nikolaj at BSidesPDX the other day. 🙂

Am I missing a library? Leave a Comment on this post. Thanks!

AMI updates Aptio’s AMI Firmware Update (AFU), a Secure Update Utility

October 24, 2018 ~ hucktech ~ Leave a comment

[…]AFU still supports older SMM methodologies for older systems, but such methodologies cannot be used when the platform is equipped with modern BIOSes.[…]

https://ami.com/en/tech-blog/ami-firmware-update-afu-tool-a-secure-update-utility-for-aptio-v-uefi-bios-firmware/

UEFIfuzzing: UEFI applications and libraries for AFL fuzzing

October 23, 2018 ~ hucktech ~ 1 Comment

This edk2 pkg contains UEFI applications used to control AFL fuzzing.

These applications are for use with this version of TriforceAFL.

https://github.com/narmour/UEFIFuzzing

get-efi-images: dump all UEFI images (PE-files) from firmware

October 22, 2018 ~ hucktech ~ Leave a comment

https://github.com/yeggor/get-efi-images

It uses UEFI Firmware Parser:

https://github.com/theopolis/uefi-firmware-parser

macOS EFI Unlocker V1.0 for VMware: allows non-server versions of MacOS to be run with VMWare

October 22, 2018 ~ hucktech ~ Leave a comment

The macOS EFI Unlocker removes the check for server versions of Mac OS X verisons:

* 10.5 Leopard
* 10.6 Snow Leopard

allowing the non-server versions of Mac OS X to be run with VMware products. Later versions of Mac OS X and macOS
do not need the modified firmware due to Apple removing the restrictions imposed on 10.5 and 10.6.

EFI Unlocker 1 is designed for the following products:

* VMware Workstation and Player versions 14/15
* VMware Fusion versions 10/11

The checks for the server versions are done in VMware’s virtual EFI firmware and looks for a file called
ServerVersion.plist in the installation media and the installed OS. The patch modifies the firmware to check
for a file present on all versions of Mac OS X called SystemVersion.plist.

The patch uses a tool called UEFIPatch to make the modifications.

Please note you may need to use macOS Unlocker version 3 to run on non-Apple hardware.

https://github.com/DrDonk/efi-unlocker

EFI-Loader: UEFI OS loader in Rust

October 17, 2018 ~ hucktech ~ Leave a comment

Early code: print!(b”Hello, world!\n“); level

https://github.com/vnetserg/efi-loader

2 new Tianocore/EDK2 security advisories

October 13, 2018 ~ hucktech ~ Leave a comment

Tianocore Security Advisories has 2 new UEFI vulnerabilities:

https://edk2-docs.gitbooks.io/security-advisory/content/

30. EDK II Authenticated Variable Bypass
Logic error in MdeModulePkg in EDK II firmware may allow authenticated user to potentially bypass configuration access controls and escalate privileges via local access.
https://edk2-docs.gitbooks.io/security-advisory/content/edk-ii-authenticated-variable-bypass.html

31. EDK II TianoCompress Bounds Checking Issues: Multiple privilege escalation vulnerabilities in TianoCompress and UEFICompress decompression algorithm may allow authenticated user to potentially manipulate stack and heap buffers via local access.

https://edk2-docs.gitbooks.io/security-advisory/content/edk-ii-tianocompress-bounds-checking-issues.html

Microsoft Project Mu: adaptation of TianoCore’s EDK2

October 12, 2018 ~ hucktech ~ 1 Comment

https://github.com/Microsoft/mu_plus

https://github.com/Microsoft/mu_basecore

6 repos: https://github.com/topics/projectmu

https://microsoft.github.io/mu/faq/

https://microsoft.github.io/mu/

Project Mu is a modular adaptation of TianoCore’s edk2 tuned for building modern devices using a scalable, maintainable, and reusable pattern. Mu is built around the idea that shipping and maintaining a UEFI product is an ongoing collaboration between numerous partners. For too long the industry has built products using a “forking” model combined with copy/paste/rename and with each new product the maintenance burden grows to such a level that updates are near impossible due to cost and risk.

Project Mu also tries to address the complex business relationships and legal challenges facing partners today. To build most products it often requires both closed-source, proprietary assets as well as open source and industry standard code. The distributed build system and multi-repository design allow product teams to keep code separate and connected to their original source while respecting legal and business boundaries.

Project Mu originated from building modern Windows PCs but its patterns and design allow it to be scaled down or up for whatever the final product’s intent. IoT, Server, PC, or any other form factor should be able to leverage the content.

UEFI Forum: How to become a UEFI Security Superhero

October 11, 2018 ~ hucktech ~ Leave a comment

The UEFI Forum has a new infographic that has some information and guidance on security. The information is useful for a new audience, and most people are new to firmware security.

This WordPress-based blog embeds an URL to the JPEG.

See-also the home page: https://www.uefi.org/

EDK II Test Project

October 9, 2018 ~ hucktech ~ Leave a comment

The Tianocore EDKII Test Project has been created on Github. It contains the SCTs.

https://github.com/tianocore/edk2-test

ebcvm: EFI Byte Code Virtual Machine

October 7, 2018 ~ hucktech ~ Leave a comment

Appears to be new implementation of a UEFI bytecode VM. Builds with a simple Makefile, for C11 *nix systems. No other docs, except: EFI Byte Code Virtual Machine

https://github.com/retrage/ebcvm

CHIPSEC adds LoJax to UEFI module blacklist

October 5, 2018 ~ hucktech ~ Leave a comment

Re: https://firmwaresecurity.com/2018/09/27/apt28-malware-lojax-uses-uefi-rootkit/

the CHIPSEC tool has added this new UEFI malware to it’s blacklist.

https://github.com/chipsec/chipsec/commit/1ea5ea3c04f462201971160ca795e87511d65da8

https://github.com/chipsec/chipsec/commit/1ea5ea3c04f462201971160ca795e87511d65da8#diff-0e85babdc272abb21e8fdbe4aab522f6

UEFI workshops at BSidesPDX!

October 2, 2018 ~ hucktech ~ Leave a comment

Exciting, there are two workshops at BSidesPDX in Portland Oregon next month:

Detecting Evil Maid Firmware Attacks
https://bsidespdx.org/events/2018/workshops.html#Evil%20Maid

UEFI and CHIPSEC development for Security Researchers
https://bsidespdx.org/events/2018/workshops.html#Chipsec

PS: If you’re in town, there’s also the Portland Retro Gaming Expo, starting a few days earlier:
https://www.oregoncc.org/events/2018/10/portland-retro-gaming-expo-2018
http://www.retrogamingexpo.com/

GNU/HardenedLinux translates ‘Platform Firmware Security Defense…’ ebook to Chinese

September 30, 2018 ~ hucktech ~ Leave a comment

Re: https://firmwaresecurity.com/2018/07/28/new-ebook-platform-firmware-security-defense-for-enterprise-system-administrators-and-blue-teams/

The book “Platform Firmware Security Defense for Enterprise System Administrators and Blue Teams“, which Paul English of PreOS security wrote, introducing the concept of firmware security for the system administrator audience:

https://preossec.com/Newsletter-Q3-2018/
https://preossec.com/products/ebook-download

has been translated to Chinese, by the GNU Hardened Linux project!

https://github.com/hardenedlinux/hardenedlinux_translations/tree/master/platform_firmware_security_defense

more info:

https://hardenedlinux.github.io/

lojax_uefi_rootkit_checker: detect LoJax UEFI malware (on some HP ProLiant DLxxx systems)

September 30, 2018 ~ hucktech ~ Leave a comment

Re: https://firmwaresecurity.com/2018/09/27/apt28-malware-lojax-uses-uefi-rootkit/

A new detection tool in Python3:

#Yalnizca ProLiant DL180 ve ProLiant DL360 tipi sunucular icin firmware kontrolune uygundur.
#This script performs firmware checks for only ProLiant DL180 and ProLiant DL360.

https://github.com/evgind/lojax_uefi_rootkit_checker

Vincent on recent UEFI presentations

September 28, 2018 ~ hucktech ~ Leave a comment

Vincent has a new blog post, covering some of his recent tour of speaking engagements, with a bit on UEFI, and even some FSP humor.

http://vzimmer.blogspot.com/2018/09/east-and-further-east.html