Tag: Windows

Comments on recent Reddit on UEFI and Linux

~ hucktech ~ Leave a comment

There’s a popular Reddit going on about UEFI and Linux:

[deleted by user]
by inlinux

which I noticed on Matthew Garrett’s blog, which also has some good insight on the topic:

http://mjg59.dreamwidth.org/35110.html

The Reddit author is complaining to Intel and Microsoft about the bloat of UEFI compared to a minimal boot loader, and the need for Coreboot, and how Linux doesn’t need most of this bloat.

“Unfortunately this means that it’s extremely complicated and big. The firmware is now as big and complicated as a full-fledged OS.”

Actually, UEFI *is* an OS, not just a firmware/boot loader like Coreboot or BIOS. UEFI is a complex OS, with dozens of driver models. The original IBM PC had BIOS, and was useless without MS-DOS (or another OS). Modern UEFI-based systems have no need for BIOS, the UEFI driver models replace BIOS OptionROMs, and UEFI can be either an OS or a firmware loader, depending on how used. UEFI systems don’t need an additional OS — Windows, Linux, etc. — to be installed. The UEFI OS is about as useful as MS-DOS 2.0, a shell, about 80 commands, a handful (edit, hexedit) of full-screen ‘curses’-like. Tweaking the shell to run your embedded app, there’s no need for the bloat of an additional OS.

“Complicated and big is bad. This means more bugs. Some bugs are security bugs so more bugs means more security holes. Also it’s generally proprietary so you have different groups of people trying to write the same thing from scratch so they can inject their ‘secret sauce’. So now not only you have something that is big and buggy, but also has lots of different sets of unique bugs.”

“Also it allows for a lot of fancy new ways to manage your hardware independently of the OS. Which while often convenient it is also going to be full of bugs and is proprietary. Which is going to be especially bad when the UEFI stuff allows for remote configuration and will piggy back on your network interfaces and doesn’t go away completely when the real OS is loaded.”

Small is nice. Secure is also nice. Modern BIOS have to deal with NIST and NSA/IAD guidelines for secure BIOS, and how that drives some sales. ..which Microsoft uses well to get SecureBoot into most systems. Google has taken barebones Coreboot and made is much more complex, in the name of security, when adding SecureBoot-like PKI features in Chromium. Large servers are more complex w/r/t updating firmware, and have various ‘pre-OS’ apps (iLO, IPMI, etc.) all of which were designed for some business need (hopefully beyond merely to sell hardware), and IPMI is ripe with security issues. UEFI attempts to deal with this, I’m not sure how Coreboot deals with or ignores this reality.

UEFI is well-entrenched in the PC world, used by Apple and Microsoft and Intel, and Windows OEMs do whatever Microsoft says. I don’t see future with a non-UEFI solution for Intel-based Windows OEMs. An alternate route for Linux OS users may be to focus on Chrome OEMs, which use Coreboot. Or to focus on AMD systems, which also use Coreboot. Or to focus on ARM systems, which use either U-Boot or UEFI, the latter mostly for business reasons not technical reasons, AFAICT.

Linux OEMs could select Coreboot. Linux OEMs could build UEFI using Coreboot as it’s PI layer, reducing a bit of UEFI complexity with Coreboot. Linux OEMs could use UEFI properly, without MSFT CA or keys, using SecureBoot to secure Linux, without begging Microsoft for permission to secure non-Windows OSes on WindowsPCs — Intel and SuSE demonstrated this at IDF in 2013, yet I’ve not seen a single Linux consumer device made by OEMs for Linux users. Last time I talked to a Linux OEM, a few weeks ago, they liked UEFI, since SecureBoot scared their Linux-centric customers to legacy BIOS systems, and the OEM was too lazy to work with Sage Engineering to reduce the number of blobs in their code and add Coreboot support to their units. Linux OEMs are not that bright. Neither are Windows OEMs, but Microsoft tells them what to do, there is nobody telling Linux OEMs what to do. Where is the Linux Foundation, offering leadership in this area?

MITRE Copernicus

~ hucktech ~ 1 Comment

So far, in this new blog, I’ve been mostly focusing on open source tools and open source operating systems, so I’ve not focused on MITRE’s Windows-centric non-open source tool, Copernicus[1]. But the tool is extremely powerful, and deserves more attention.

“Copernicus is the first tool to provide BIOS configuration management and integrity checking capabilities throughout an enterprise. The tool is implemented as a kernel driver that creates a file containing the BIOS dump and a file containing the raw configuration information. When deployed in enterprise environments, scripts can send the raw BIOS dump and configuration information to a server for post-processing. This processing can indicate whether a given BIOS differs from an expected baseline, and it can also indicate whether the BIOS or the computer’s System Management RAM (where some code loaded by BIOS continues running after boot).”

An excerpt from a G+ post in 2013 from Dragos Ruiu on Copernicus:

“IMHO Copernicus BIOS verification tool, is one of the most important new security tools in recent history. We’ve already found some persistent BIOS malware that survives re-flashing with it.”

I wish it were available for Linux, not just for Windows, so I could use it! And I wish it were open source (alas, all security tools are not): trusting any native kernel driver on your system, or especially to deploy to all systems in you enterprise, whether it is natively installed or from another boot media, has issues. I hope licensees from MITRE have the option to review the code and compile it themselves.

[Intel’s CHIPSEC also has some similar features. When run as an OS-present tool — instead of a live-boot or UEFI Shell booted — CHIPSEC also includes a native driver on Windows, and on Linux. With CHIPSEC, the kernel driver sources are provided.]

If you have Windows-based enterprise, you should investigate out Copernicus.

Windows-centric code aside, Copernicus distribution includes bios_diff.py, which works on Linux. This is a wonderful tool[2].

Even if you don’t care about Windows, you should study the Copernicus research, is it amazing.

Two of the creators of Copernicus have left MITRE and have started LegbaCore. Their last talk on using Copernicus at RSA conference last month[3] was excellent, talking about using Copernicus usage in enterprises.

More Information:

[1]http://www.mitre.org/publications/project-stories/going-deep-into-the-bios-with-mitre-firmware-security-research
http://www.mitre.org/capabilities/cybersecurity/overview/cybersecurity-blog/copernicus-question-your-assumptions-about
http://www.mitre.org/publications/technical-papers/copernicus-2-senter-the-dragon
http://www.mitre.org/capabilities/cybersecurity/overview/cybersecurity-blog/playing-hide-and-seek-with-bios-implants
http://www.mitre.org/research/technology-transfer/technology-licensing/copernicus
[2]https://firmwaresecurity.com/2015/05/21/tool-mini-review-bios_diff-py/
[3]https://firmwaresecurity.com/2015/05/19/legbacore-releases-new-firmware-research-at-rsa-conference/

Tool mini-review: bios_diff.py

~ hucktech ~ 1 Comment

I recently became of a tool that I didn’t know worked on Linux: bios_diff.py, included with Copernicus. The MITRE Corporation’s Copernicus is a very powerful firmware security tool. I’ve been focusing more on non-Windows tools and open source tools, so I’ve not been giving Copernicus tools enough emphasis, something I’ll correct in future posts. I’ll start with this post, on bios_diff.py, which is distributed with Copernicus. This tool is not Copernicus-centric, nor Windows-centric.

If you’ve a dump of a BIOS ROM image, created by CHIPSEC or Copernicus or Coreboot’s FlashROM, you can use bios_diff.py to help determine what has changed. The tool parses the EFI Firmware Filesystem, to break out the files. It can also do smart diff’ing based on GUIDs in case files were added/removed, and will provide additional semantically relevant things like the file name, PE sections, and size of differences found (where each is applicable.)

This tool is a very useful addition to your open source firmware security toolbox.

This free tool does have some limits, EFIPWN is not as good as the newer UEFITool w/r/t some parsing. Perhaps someone has time to integrate UEFTool into a newer version of this tool? 🙂

Usage:

  bios_diff.py [-crs] [-i IGNORE] [-d [-a [-p]] [-n [-u UNIQUE]] [-l SIZELIMIT] [-m NUMBYTES]] [-o OUT] [-e EFIPWN] <file1> [<file2>]
  bios_diff.py (-h | –help)

The files are BIOS dumps to be compared.  <file2> may be a single file, or it may be a directory which contains several BIOS dumps against which we will diff <file1>.  Also, <file1> can be a directory by itself.  In this case, the first file found in this directory will be compared against all of the others.

Options:
  -c            delete the directories when the diff is complete
  -r            reuse parsed directories previously generated by EFIPWN if they appear to exist
  -s            print out all sha1 hashes of files in BIOS dump
  -i IGNORE     file containing list of regular expressions (one per line) for filenames we should ignore
  -d            do hash diffing of extracted files
  -a            print all unique ranges per file
  -n            print number of unique bytes per file
  -u UNIQUE     exclude diffs which have less than UNIQUE unique bytes for both files
  -l SIZELIMIT  dont compute unique ranges or bytes on files which exceed this size
  -p            print the PE information about diffs if the files are PE files
  -m NUMBYTES   merge regions which are within NUMBYTES of eachother
  -o OUT        output directory [default: temp]
  -e EFIPWN     the location of EFIPWN files [default: EFIPWN]

More information:

https://www.blackhat.com/docs/us-13/US-13-Butterworth-BIOS-Security-Code.zip