Tag: UEFI

tool mini-review: UEFITool

~ hucktech ~ 2 Comments

UEFITool is a UEFI firmware parsing tool, written by Nikolaj Schlej. UEFITool is a GUI tool for parsing, extracting and modifying UEFI firmware images. It supports parsing of full BIOS images starting with the flash descriptor or any binary files containing UEFI volumes. The UI provides abilities to Extract, Insert, Replace, Remove, and Rebuild, and Search. Extracting and Replacing can be done either by just the body, or also include it’s header (GUID, size, attributes and other structure-related information). Inserting targets UEFI volumes and encapulation sections, and can be done before, after, or into. You can Search by hex patterns, a GUID, Unicode text, or ASCII text. The BSD-ish licensed open source tool is cross-platform, written in C++, using Qt v4 or v5, built using the Qt qmake utility.

More Information:

https://github.com/LongSoft/UEFITool

Linux ACPI support for ARM-v8

~ hucktech ~ Leave a comment

Earlier this month, Linaro announced their effort to upstream the Linux patches to enable ACPI on ARMv8. It appears the patch may make it in Linux 4.1, but it is not done yet.

The Linaro blog post credits a large list of people who helped: UEFI Forums’ ACPI Working Group, Linaro, ARM, Red Hat, Huwaei, Qualcomm, AMD, AMD, APM, HP, other Linaro LEG members, and Linux kernel maintainers, including Linus.

As part of this effort, on March 26th, ARM hosted a Firmware Summit focused on ARMv8 and ACPI, with dozens attending, including SoC vendors, BIOS vendors, firmware and kernel developers, ODMs and OEMs.

The Linux kernel checking comment for this patchset includes this description:

‘This series introduces preliminary ACPI 5.1 support to the arm64 kernel using the “hardware reduced” profile. We don’t support any peripherals yet, so it’s fairly limited in scope:
– MEMORY init (UEFI)
– ACPI discovery (RSDP via UEFI)
– CPU init (FADT)
– GIC init (MADT)
– SMP boot (MADT + PSCI)
– ACPI Kconfig options (dependent on EXPERT)
ACPI for arm64 has been in development for a while now and hardware has been available that can boot with either FDT or ACPI tables. This has been made possible by both changes to the ACPI spec to cater for ARM-based machines (known as “hardware-reduced” in ACPI parlance) but also a Linaro-driven effort to get this supported on top of the Linux kernel. This pull request is the result of that work. These changes allow us to initialise the CPUs, interrupt controller, and timers via ACPI tables, with memory information and cmdline coming from EFI. We don’t support a hybrid ACPI/FDT scheme. Of course, there is still plenty of work to do (a serial console would be nice!) but I expect that to happen on a per-driver basis after this core series has been merged.’

Upon accepting the patch, Linus said:

‘No earth-shattering new features come to mind, even if initial support for ACPI on arm64 looks funny. Depending on what you care about, your notion of “big new feature” may differ from mine, of course. There’s a lot of work all over, and some of it might just make a big difference to your use cases.’

This *is* big new feature, if you care about firmware and Linux.
More Information:

https://www.linaro.org/blog/collaborative-effort-to-upstream-acpi/

ARM Trusted Firmware

~ hucktech ~ Leave a comment

Starting around 2013, ARM started to release “ARM Trusted Firmware” as a BSD-licensed Github-hosted open source project.Ā  ARM Trusted Firmware is the trusted execution environment that runs behinds the scenes of the OS on AArch64 platforms. It works in conjunction with UEFI, including Secure Boot.

In upcoming blog posts, I’ll be writing some articles with more details about this project. For now, I’ll suggest reading their Firmware Design Guide and watching the below Youtube-hosted Linaro intro video.

More Information:

https://github.com/ARM-software/arm-trusted-firmware
https://github.com/ARM-software/arm-trusted-firmware/blob/master/docs/change-log.md
https://github.com/ARM-software/tf-issues/issues
https://github.com/ARM-software/arm-trusted-firmware/blob/master/docs/user-guide.md
https://github.com/ARM-software/arm-trusted-firmware/blob/master/docs/firmware-design.md
https://github.com/ARM-software/arm-trusted-firmware/blob/master/docs/porting-guide.md
https://lists.linaro.org/pipermail/boot-architecture/
https://lists.linaro.org/pipermail/linaro-uefi/

Recent FreeBSD firmware improvements

~ hucktech ~ Leave a comment

Like Linux, FreeBSD now also supports UEFI. PC-BSD and TrueOS are FreeBSD-based, as is NanoBSD, the embedded subset of FreeBSD.

Besides UEFI pre-OS tool support, FreeBSD also has Forth-based OpenFirmware /boot/loader, with numerous diagnostic commands (autoboot, bcachestat, boot, echo, heap, help, include, load, load_geli, ls, lsdev, more, pnpscan, read, reboot, set, show, unload, unset, ?).

Earlier this week, PC-BSD 10.1.2 has been released. Amongst the changes I notice two firmware-related improvements for this release:

* Support for encrypted iSCSI backups via Life-Preserver, including support for bare-metal restores via installer media

* Improvements to Online Updater, along with GRUB nested menus for Boot-Environments

Firmware changes aside, they’ve been adding some interesting security features: /-level encryption for ZFS, PersonaCrypt Utility, with Stealth Mode, Tor mode for firewall, etc.

More information:

10.1.2 release:
http://lists.pcbsd.org/pipermail/announce/2015-May/000076.html
http://blog.pcbsd.org/2015/05/pc-bsd-10-1-2-released/
https://www.freebsdnews.com/

FreeBSD and UEFI:
https://www.freebsd.org/doc/en/books/handbook/boot.html
https://www.freebsd.org/cgi/man.cgi?query=uefi&apropos=0&sektion=8&manpath=FreeBSD+11-current&format=html
https://wiki.freebsd.org/SecureBoot
https://wiki.freebsd.org/UEFI
http://bsdmag.org/beyond-bios-the-extended-firmware-interface -efi/

/boot/loader:
https://www.freebsd.org/cgi/man.cgi?query=loader%288%29
http://ficl.sourceforge.net/ficl.html

Upcoming UEFI/BIOS security training

~ hucktech ~ Leave a comment

Here are two upcoming UEFI/BIOS security related training events being taught by industry experts (listed by date):

Security of BIOS/UEFI System Firmware from Attacker’s and Defender’s Perspective
When: Jun 16-18 2015
What: Recon
Where: Hyatt Regency Montreal
Instructors: Yuriy Bulygin, Oleksandr Bazhaniuk, Andrew Furtak and John Loucaides
https://recon.cx/2015/trainingbiosuefi.html

Introductory BIOS & SMM Attack & Defense
When: Oct 12-16, 2015
What: HITB GSEC Singapore
Where: Sheraton Towers Singapore
Instructors: Xeno Kovah, Corey Kallenberg
http://gsec.hitb.org/sg2015/sessions/tech-training-6-introductory-bios-smm-attack-defense

 

BUILDRULEORDER support added to EDK-II BuildTools

~ hucktech ~ Leave a comment

Recently there’s been a lot of checkins to the EDK-II trunk. Most are new libraries for UEFI 2.5 support, but some are design-time improvements to the EDK-II toolchain. One recent change to the BaseTools package is to implement BUILDRULEORDER support for tools_def.Ā  This adds increased flexibility for compilers and related developer tools, which EDK-II’s Build command calls behinds the scenes. Quoting it’s comments:

This feature allows the toolchain to choose a preference for source file extensions in tools_def.txt. The first extension is given the highest priority. Here is an example usage for tools_def.txt:

*_*_*_*_BUILDRULEORDERĀ Ā  = nasm Nasm NASM asm Asm ASM S s
*_XCODE5_*_*_BUILDRULEORDERĀ Ā  = S s nasm Nasm NASM

Now, if a .inf lists these sources: 1.nasm, 1.asm and 1.S
All toolchains, except XCODE5 will use the 1.nasm file. The XCODE5 toolchain will use the 1.S file.

Note that the build_rule.txt file also impacts the decision, because, for instance there is no build rule for .asm files on GCC toolchains.

For more information, view recent archives of the EDK2-devel mailing list, such as:
http://comments.gmane.org/gmane.comp.bios.tianocore.devel/14760

Sage Engineering updates Minnow firmware

~ hucktech ~ Leave a comment

Sage Engineering maintains a Coreboot-based, SeaBIOS payload-based firmware for the Intel MinnowBoard MAX.

Today, they’ve announced an updated release. This update allows for flashing the boot image without a hardware device.

The binary SageBIOS boot ROM image, which is flashed on the development board’s SPI Flash device, is based on the Intel Firmware Support Package (Intel FSP) and coreboot open source initialization. The SageBIOS OSP replaces UEFI firmware that comes installed on both versions of MinnowBoard MAX and will support booting a greater variety of operating systems, including FreeBSD and a variety of RTOS, as well as legacy operating systems such as older versions of Microsoft Windows and even DOS. The SageBIOS OSP will support all the operating systems supported by the native UEFI firmware, such as Windows and Linux. In addition, the SageBIOS OSP will boot both 32-bit and 64-bit operating systems with a single boot image.

The download of the “demo ROM” is free, but email registration is required.
More information:
http://lists.elinux.org/pipermail/elinux-minnowboard/Week-of-Mon-20150518/001523.html
http://www.se-eng.com/minnow/

Spring UEFI Forum agenda announced

~ hucktech ~ Leave a comment

The UEFI Forum Spring event is happening in Tacoma.WA.US this coming week. They just announced the presentations for the event:

* Zachary Bobroff, AMI – PreBoot Provisioning solution with UEFI
* Kevin Davis, Insyde – System Prep Applications, A Powerful New Feature in UEFI 2.5
* Olivier Martin, ARM – Porting a PCI driver to ARM AArch64 platforms
* Lief Lindholm, ARM – Demonstrating a common EDK2 pltforms & drivers tree
* Dick Wilkins, Phoenix – UEFI FIrmware – Securing SMM
* Gabe Stocco and Scott Anderson, Microsoft – Windows Requirements for TPM, HVCI and Secure Boot
* Jeremiah Cox
* Vincent Zimmer, Intel – Filling UEFI/FW Gaps in the Cloud
* David Box, Intel – An overview of ACPICA userspace tools
* Samer El-Haj-Mahmoud, HP – Firmware in the Datacenter: Goodbye PXE and IPMI. Welcome Http

Typically, the UEFI Forum makes slides for these presentations available on their web site a few weeks later…

More information:
http://www.uefi.org/node/887

 

Red Hat OVMF whitepaper

~ hucktech ~ Leave a comment

[This is not fresh news. Since this is a new blog, I’m starting to work backward on some noteworthy news/releases that happened shortly before the blog started…]

Mid-2014, Red Hat released a whitepaper documenting the UEFI OVMF format. It is well-written, and useful for those new to UEFI, coming from a Linux background. The document is Copyright (C) 2014-2015, Red Hat, Inc., licensed CC BY-SA 4.0.

Abstract: The Unified Extensible Firmware Interface (UEFI) is a specification that defines a software interface between an operating system and platform firmware. UEFI is designed to replace the Basic Input/Output System (BIOS) firmware interface. Hardware platform vendors have been increasingly adopting the UEFI Specification to govern their boot firmware developments. OVMF (Open Virtual Machine Firmware), a sub-project of Intel’s EFI Development Kit II (edk2), enables UEFI support for Ia32 and X64 Virtual Machines. This paper reports on the status of the OVMF project, treats features and limitations, gives end-user hints, and examines some areas in-depth.

Keywords: ACPI, boot options, CSM, edk2, firmware, flash, fw_cfg, KVM, memory map, non-volatile variables, OVMF, PCD, QEMU, reset vector, S3, Secure Boot, Smbios, SMM, TianoCore, UEFI, VBE shim, Virtio

Read the whitepaper:

http://people.redhat.com/~lersek/ovmf-whitepaper-c770f8c.txt

Windows Defender attacks some non-Windows UEFI images

~ hucktech ~ Leave a comment

Starting in late 2013, Microsoft Windows Defender, a background malware scanner that gets updates via Windows Update, started looking for UEFI boot managers/loaders/tools that are not signed by Microsoft, and started deleting them. This impacts booting non-Windows OSes, Linux, FreeBSD, Android, etc. Windows Defender gives users no control to override/configure anything. Microsoft can update the scanner to delete new files in the future, when Windows Update refreshes it. Presumably any UEFI image that isn’t signed by Microsoft is likely a candidate.Ā  I am unclear what “UEFI module” is they describe in the documentation (see below), I presume this means any UEFI Application/Service/Driver. The list of OEM contacts the Microsoft documentation points to for these “UEFI modules” is a very old list, doesn’t cover most UEFI Forum Members. Then again, some of the main targets of Defenders deletions are likely not OEMs nor UEFI Forum Members, but open source UEFI tools.

This feature is useful if you have a Windows system and you only run Windows, and never want to run anything other than Windows. This feature is not useful if you ever wish to dual-boot a non-Windows OS alongside Windows, since Windows Defender will destroy the other OS’s boot loader.

The workaround is to never dual-boot anything alongside Windows. OEMs who want to build non-Windows machines have to risk Windows Defender making their systems unbootable, if any customer tries to dual-boot Windows on it. I wonder, if an OEM is ever capable enough to ship a Linux system with UEFI Secure Boot setup to boot Linux, without Microsoft keys, would Windows Defender properly check the UEFI keys and delete the Windows boot manager, which is unsigned by that firmware? šŸ™‚

More information:

Microsoft security advisory: Update to revoke noncompliant UEFI boot loader modules
https://support.microsoft.com/en-us/kb/2871690
https://technet.microsoft.com/library/security/2871690

Excerpts:

“Microsoft is announcing the availability of an update for Windows 8 and Windows Server 2012 that revokes the digital signatures for nine private, third-party UEFI modules that could be loaded during UEFI Secure Boot. When the update is applied, the affected UEFI modules will no longer be trusted and will no longer load on systems where UEFI Secure Boot is enabled. The affected UEFI modules consist of specific Microsoft-signed modules that are either not in compliance with our certification program or their authors have requested that the packages be revoked. At the time of this release, these UEFI modules are not known to be available publicly. Microsoft is not aware of any misuse of the affected UEFI modules. Microsoft is proactively revoking these non-compliant modules as part of ongoing efforts to protect customers. This action only affects systems running Windows 8 and Windows Server 2012 that are capable of UEFI Secure Boot where the system is configured to boot via UEFI and Secure Boot is enabled. There is no action on systems that do not support UEFI Secure Boot or where it is disabled.”

“On affected releases of Microsoft Windows that are running on UEFI firmware with UEFI Secure Boot enabled, the update revokes the digital signatures for specific UEFI modules that could be loaded during UEFI Secure Boot. When the update is applied, the affected UEFI modules will no longer be trusted and will no longer load on systems where UEFI Secure Boot is enabled. The affected UEFI modules consist of specific Microsoft-signed modules that are either not in compliance with our certification program or their authors have requested that the packages be revoked.”

“For more information about your UEFI module, contact the UEFI module supplier. This might include the system vendor, the plug-in card vendor, or other UEFI software vendors such as UEFI backup and restore solutions, UEFI anti-malware, and so on.”

“Customers should update their UEFI modules to compliant versions prior to installation of this update. Customers who apply this update on a system with a non-compliant UEFI module risk putting the system into a non-bootable state. Microsoft recommends that all customers apply this update after ensuring they are running up-to-date UEFI modules.”

“Customers who want to continue using non-compliant UEFI modules for their own purposes, such as for testing, can do so by disabling Secure Boot in their system’s BIOS configuration menu.

Linaro makes LUVos-live available for ARM64

~ hucktech ~ 1 Comment

LUVos (Linux UEFI Validation — aka luvOS or LUVos, is a Yocto-based Linux distro that helps diagnose UEFI firmware. LUV-live is a liveimage boot version of LUVos. LUV-live also includes other hardware/firmware tools, such as BITS, FWTS, and CHIPSEC.

Intel-based LUV was initially only targeting Intel platforms. But LUV is an open source project, with a healthy community of contributors.

Recently Linaro has been porting LUV to ARM64. Thanks, Linaro! This is great news for ARM64 Linux enterprise hardware. Once Linaro ports CHIPSEC to ARM, it’ll be a very good day for ARM64 firmware defensive security tools.

It would be nice to consider an ARM32 port, as well as ARM64. All devices need bootkit detection tools, not just enterprise-class systems. šŸ™‚

[Someone please wake up AMD. Right now, AFAICT, their platform now has the worst defensive tools. They need a LUV-live with a CHIPSEC that works on ARM systems.]

https://wiki.linaro.org/LEG/Engineering/luvOS

https://01.org/linux-uefi-validation

Book Review: Embedded Firmware Solutions

~ hucktech ~ Leave a comment

Embedded Firmware Solutions: Development Best Practices for the Internet of Things
APress Media
ISBN 978-4842-0071-1
February 2015
Jiming Sun, Marc Jones, Stefan Reinauer, Vincent Zimmer
http://www.apress.com/9781484200711

[I recently finished reading this book. Sadly, I didn’t know about it until the other day, after my LinuxFestNorthWest talk on firmware security tools, someone from Sage pointed out that I omitted this from my More Information slides.]

If you care about firmware development — or just understanding current firmware architecture — you should have this book. It is the only current book with information about modern firmware in use today. The authors are all experienced and well-known firmware developers, including members of the Coreboot and UEFI teams, and there is also an impressive list of tech reviewers. There are 4 areas that this book focuses on:
* Intel Firmware Support Package (FSP), and it’s use in Coreboot and UEFI.
* UEFI and it’s dev platform.
* Coreboot and Chrome use of it.
* Intel Quark and UEFI firmware.

Intel Press has a handful of other UEFI books, but they are years old, this book is only a few months old, and has fresher details on UEFI. I don’t know of any other book with this kind of information on Coreboot, or on Intel FSP. There are a variety of books on Intel’s Minnowboard and Quark/Galileo IoT hardware: most of those books talk about how to write user-level apps, this is the only book that talks about updating the firmware of Intel IoT devices.

I’m looking forward to a second edition in a year or so, once tech changes enough.

New NVME Express pass-through protocol in UEFI 2.5

~ hucktech ~ Leave a comment

Feng Tian of Intel recently checked in changes to the EDK-II trunk for the EFI_NVME_PASS_THRU_PROTOCOL, as part of the UEFI 2.5 checkins. This UEFI NVM Express protocol provides services that allow NVM Express commands to be sent to an NVM Express controller or to a specific namespace in a NVM Express controller.

I’ve found the definitions in the code, but not an implementation, so either the checkin hasn’t happened yet, I’ve missed it, or it’s a non-open source implementation that won’t be in the TianoCore code, I’m unclear. If you know, please speak up!

For more information, see:
MdePkg/Include/Protocol/NvmExpressPassthru.h
and:

Front

New UEFI HTTP Boot support in UEFI 2.5

~ hucktech ~ 1 Comment

One of the new features in UEFI 2.5 is the use of the HTTP protocol for network booting. Previously, UEFI booted remotely, using IPv4 or IPv6, starting with DHCP, then finishing using TFTP, “PXE-based”. This new UEFI 2.5 change defines new DHCP options to specify URI-based pointers to the “Network Boot Program (NBP)”, the binary image to download and run, which can be used using HTTP instead of TFTP. DHCP Servers will need to support this new HTTPBoot extension, if the DHCP type code for x86 is 0x0F and 0x10 for x64. For example, inside a corporate enterprise, with an URL like:
http://examplebootserver/boot/boot.efi

HTTP aside, the new spec hints of future URI-based network protocol support, such as FTP or NFS, in the future.

AFAICT, this presumes HTTP, not HTTPS. Most of the spec says HTTP. Only in one place did I see a reference to TLS and HTTPS, see Figure 72. But TLS and the S in HTTPS were in red, unlike all else, unclear what this means, if it is not public feature only in commercial UEFI products, etc.Ā  Speak up if you know.

The spec mentions both enterprise and home use of this protocol, and they mention usage of this protocol across across networks (via the public Internet), not just internal home/corporate network use.

Refer to section 23.7 of the UEFI v2.5 specification for more details.
http://www.uefi.org/specsandtesttools

I’ve yet to locate this code in the public TianoCore EDK-II trunk; either I’ve missed it, it hasn’t yet been checked in, or the code is part of a non-open source codebase. It would answer the HTTPS/TLS question, as well. Speak up if you know the answer!

UEFI systems’s updates can incorporate new features, so this feature may show up in your system the next time your vendor issues an update. So, DNS, DHCP, and HTTP are all network attack vectors for network UEFI booting. Is your firewall/router ready for UEFI HTTP Booting?

Windows 10 UEFI Secure Boot policy welcomed by Linux users

~ hucktech ~ Leave a comment

In an article by Sam Varghese in iTWire, Linux users will find Microsoft’s current advice to Windows 10 OEMs regarding UEFI Secure Boot welcome news. More information here:

http://www.itwire.com/opinion-and-analysis/open-sauce/67959-microsofts-new-secure-boot-strategy-will-suit-linux-firms

 

[iTWire article aside, more welcome news would be if OEMs would build consumer Linux devices with Secure Boot working directly with them, without Microsoft PKI/CA/keys, in some of their models. Intel and SuSE demonstrated this at IDF2013, yet no consumer devices are available, AFAIK.
Even more welcome news would be offering Coreboot as an option, including new Coreboot support in UEFI as PI component.
Even more news would be providing systems where owners could build and update their own firmware, from tianocore.org and coreboot.org code, along with any new drivers from the OEM, and have a firmware update mechanism for local owner-users, not only beg for updates from vendors.
But I guess I should simply be happy that Microsoft is permitting Windows OEMs to still let users install software on the HW/FW/SW that we don’t actually own/control. šŸ™‚ –ed]