Tag: UEFI

reminder: July24th: UEFI Forum’s first security webinar

~ hucktech ~ Leave a comment

Michael Krau, Industry Communications Working Group Chair
Eric Johnson, American Megatrends, Inc.
Tim Lewis, Insyde Software
Dick Wilkins, Phoenix Technologies
Vincent Zimmer, Intel

The panelists will outline the major challenges currently facing platform security, how the UEFI Forum and UEFI specification address these challenges and finally, how you can join us in the battle to protect firmware from outside threats. The webinar is open to the public and attendees will get the chance to participate in a live Q&A session.

http://www.uefi.org/node/3877
https://register.gotowebinar.com/register/3708207810278601474
https://www.gotomeeting.com/webinar/join-webinar

Apple macOS 10.13.6: UEFI SecureBoot support for iMac Pro

~ hucktech ~ Leave a comment

Re: https://firmwaresecurity.com/2017/12/13/apple-secure-boot/ and https://firmwaresecurity.com/2017/12/20/apple-kb-article-on-secure-boot/

there is more info on Apple Secure Boot:

https://support.apple.com/en-us/HT208864
https://support.apple.com/en-us/HT208937

CVE-2017-3197: GIGABYTE UEFI security problems

~ hucktech ~ Leave a comment

What’s this? No more info, but it almost looks like someone at MITRE ran CHIPSEC against a GIGABYTE box and found some failures, so assigned a CVE. Too bad MITRE doesn’t have boxes from ALL OEMs. Maybe this is something more than simple CHIPSEC failures, but the CVE omits details…

GIGABYTE BRIX UEFI firmware for the GB-BSi7H-6500 (version F6) and GB-BXi7-5775 (version F2) platforms does not securely implement BIOSWE, BLE, SMM_BWP, and PRx features. As a result, the BIOS is not protected from arbitrary write access and may permit modifications to the SPI flash.

 

https://nvd.nist.gov/vuln/detail/CVE-2017-3197

Super Mario Bros (NES emulator) ported to UEFI

~ hucktech ~ Leave a comment

David Lee has apparently ported a NES emulator — without sound — to UEFI, but source code is not apparently available:

I used EDK II framework.
About the keyboard input, Program reads the value from 0x60 port directly because of multi-key input processing.
I measure the timer count twice(for 1sec) by using the rdtsc instruction to make game delay more accurate.
I didn’t implement the audio output.

 

Ubuntu: DKMS modules need to be configured to work with UEFI Secure Boot

~ hucktech ~ Leave a comment

I just noticed this nice document on Ubuntu security features, maybe it is new, maybe I never noticed it before:

https://wiki.ubuntu.com/Security/Features#secure-boot

I also notice this page, which I believe has recently been updated:

DKMS modules need to be configured to work with UEFI Secure Boot

Ubuntu is now checking module signing by default, on kernels 4.4.0-18.34, 4.4.0-21.37, 4.2.0-42.49, 3.19.0-65.73 and 3.13.0-92.139 onwards. You can read more details in this bug in Launchpad. Because of those changes, DKMS modules will not work on systems with Secure Boot enabled unless correctly configured. In order to make DKMS work, Secure Boot signing keys for the system must be imported in the system firmware, otherwise Secure Boot needs to be disabled. There are several methods to configure your system to properly load DKMS modules with Secure Boot enabled.

https://wiki.ubuntu.com/UEFI/SecureBoot/DKMS

https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1566221

 

Apple: periodic reminder: set your firmware password

~ hucktech ~ Leave a comment

Re: https://firmwaresecurity.com/2018/05/02/apple-set-your-firmware-password/

https://support.apple.com/en-us/ht204455

Conan for UEFI??

~ hucktech ~ Leave a comment

An open source, secure, vendor-neutral, pre-OS packaging tool for updating platform microcode and firmware might be interesting. So when I saw this UEFI test app:

https://github.com/matlo607/uefi-test

it was interesting to note that it includes some support for the Conan C/C++ packaging tool for UEFI, eg:

https://github.com/matlo607/uefi-test/blob/master/conan-recipes/edk2/conanfile.py

I’ve no time today to study it closely, so I’m unsure if it is using conan as an OS-present tool, or it has conan running as a pre-OS UEFI app. Big difference! 🙂

Conan is a C/C++ packaging tool. The official docs don’t mention UEFI support:

Conan can be installed in many Operating Systems. It has been extensively used and tested in Windows, Linux (different distros), OSX, and is also actively used in FreeBSD and Solaris SunOS. There are also several additional operating systems on which it has been reported to work. […] Conan works and is being actively used on Windows, Linux (Ubuntu, Debian, RedHat, ArchLinux, Raspbian), OSX, FreeBSD, and SunOS, and, as it is portable, it might work in any other platform that can run python. In the documentation, examples for a specific OS might be found, such as conan install . -s compiler=”Visual Studio”, which will be specific for Windows users. If on a different system, the reader should adapt to their own platform and settings (for example conan install . -s compiler=gcc). […] Also conan works with any build system. In the documentation, CMake will be widely used, because it is portable and well known. But conan does not depend on CMake at all; it is not a requirement. Conan is totally orthogonal to the build system. There are some utilities that improve the usage of popular build systems such as CMake or Autotools, but they are just helpers. Furthermore, it is not necessary that all the packages are built with the same build system. It is possible to depend on packages created with other build system than the one you are using to build your project.

https://github.com/conan-io/conan
https://conan.io/

PS: Above project uses CMake, and Conan supports CMake. And there’s also this CMake/UEFI project, but appears to not be native UEFI use of CMake:

UEFI VirtualBox tutorial


https://github.com/eruffaldi/uefiboot
http://teslacore.blogspot.com/2016/02/starting-with-uefi-with-cmake-and.html

EFI3M: EFI Multi-boot Menu Maker

~ hucktech ~ Leave a comment

EFI3M builds a Multi-boot menu for computers with an EFI firmware. The menu will be displayed when booting the computer and allows the user to start any of the installed system from its EFI boot loader: not only Linux distributions, but also BSD distributions, Microsoft Windows, Apple OS X, pretty much any system that has a boot loader in an ESP (EFI System Partition) on any drive of the computer, be it a hard disk, a SSD, a NVMe, whatever. The multi boot menu is installed in an internal ESP as /EFI/efibootmenu/BOOTx64.EFI alongside its configuration file grub.cfg and also, optionally, in /EFI/BOOT/ which is the fall back directory looked at by the firmware, if it is not not already busy. It can also be installed on an USB stick, to allow booting any installed system if for some reason booting would otherwise fail.

https://github.com/DidierSpaier/EFI3M

grub-bgrt theme: GRUB2 theme which uses UEFI logo (aka BGRT)

~ hucktech ~ Leave a comment

grub-bgrt theme: A theme for GRUB2 which uses your system’s UEFI logo (aka BGRT).

I expect this will be popular.

This old blog post is still a commonly-accessed blog post, it seems people like to hack BGRT images on their sysetms:

HackBGRT: changes Windows boot logo on UEFI systems

OEMs, consider making this a user feature via your boot menu.

See-also:

https://docs.microsoft.com/en-us/windows-hardware/drivers/bringup/boot-screen-components

https://blog.fpmurphy.com/2015/07/access-bsrt-information-and-boot-logo-from-uefi-shell.html

Image offset value relative to display