GetSecureBootPolicy.ps1: Partially-completed Secure Boot policy parser

Re: https://firmwaresecurity.com/2018/03/31/geoff-chappell-secure-boot-internals/

https://github.com/mattifestation/BCD

Click on above URL or remove spaces in below URL (WordPress mangles Github Gist URLs…)

https://gist. github.com/mattifestation /f1e160bc970c8a7b82355d7e5946901b

Chrome OS firmware change may support Verified Boot of Windows?

[…]A recent branch title “firmware-eve-campfire” was discovered in the Chromium gerrit, accompanied by changes referencing “AltOS” and “go/vboot-windows.” That, combined that with the addition of placeholder strings for “Chrome OS” and “AltOS” being added to all languages, suggests that a future Chrome OS device, codenamed “Eve” will have the capability to boot more than one operating system. The commit was found by -nbsp- on Reddit. Obviously, with a name like “vboot-windows,” it is easy to jump to the conclusion that the feature is intended for Microsoft Windows, though little information about this is available. Most of the relevant code is hidden behind the private gerrit for Google employees, making it difficult to ascertain how this works and what it is intended for. According to a post at XDA-developers, it seems possible that this could be used for non-Windows OSes, such as Linux, or whatever Google Fuschia actually is.[…]

https://www.techrepublic.com/article/a-mysterious-chrome-os-commit-could-hint-at-a-chromebook-that-dual-boots-windows/

Intel seeks BIOS/UEFI Tools Developer

BIOS-UEFI Firmware Tools Engineer

As BIOS-UEFI Firmware Tools Engineer you will develop tools and scripts needed for build and test automation infrastructure that is the backbone of the the Continuous Integration process in Intel’s Data Center UEFI firmware BIOS team.[…]

https://jobs.intel.com/ShowJob/Id/1573600/BIOS%20UEFI%20Firmware%20Tools%20Engineer

PS: I need to figure out a way to get some swag/etc from jobs that’re filled via this blog. ;-(

PS: Intel HR: spaces in URLs is generally frowned upon.

 

Geoff Chappell: Secure Boot internals

DRAFT: Take more than your usual care.
SYSTEM_SECUREBOOT_POLICY_FULL_INFORMATION

The SYSTEM_SECUREBOOT_POLICY_FULL_INFORMATION structure is what a successful call to ZwQuerySystemInformation or NtQuerySystemInformation produces in its output buffer when given the information class SystemSecureBootPolicyFullInformation (0xAB).
Documentation Status

The SYSTEM_SECUREBOOT_POLICY_FULL_INFORMATION structure is not documented.

http://www.geoffchappell.com/studies/windows/km/ntoskrnl/api/ex/sysinfo/secureboot_policy_full.htm

 

Total Meltdown for Windows 7: follow-up

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1038

Microsoft Windows: Kernel Virtual Address (KVA) Shadow: mitigating Meltdown

KVA Shadow: Mitigating Meltdown on Windows

On January 3rd, 2018, Microsoft released an advisory and security updates that relate to a new class of discovered hardware vulnerabilities, termed speculative execution side channels, that affect the design methodology and implementation decisions behind many modern microprocessors. This post dives into the technical details of Kernel Virtual Address (KVA) Shadow which is the Windows kernel mitigation for one specific speculative execution side channel: the rogue data cache load vulnerability (CVE-2017-5754, also known as “Meltdown” or “Variant 3”). KVA Shadow is one of the mitigations that is in scope for Microsoft’s recently announced Speculative Execution Side Channel bounty program. It’s important to note that there are several different types of issues that fall under the category of speculative execution side channels, and that different mitigations are required for each type of issue. Additional information about the mitigations that Microsoft has developed for other speculative execution side channel vulnerabilities (“Spectre”), as well as additional background information on this class of issue, can be found here. Please note that the information in this post is current as of the date of this post.[…]

https://blogs.technet.microsoft.com/srd/2018/03/23/kva-shadow-mitigating-meltdown-on-windows/

 

Microsoft updates: Windows OEM security guidance

Standards for a highly secure Windows 10 device
03/07/2018
These standards are for general purpose laptops, tablets, 2-in-1’s, mobile workstations, and desktops. This topic applies specifically and uniquely for Windows 10 version 1709, Fall Creators Update. If you are a decision maker purchasing new devices and you want to enable the best possible security configuration, your device should meet or exceed these standards. Beyond the hardware and firmware configurations outlined below, Microsoft recommends running Windows 10 S for security. Windows 10 S is a specific configuration of Windows 10 Pro that offers a familiar Windows experience that’s streamlined for security and performance. Windows 10 S provides the best of the cloud and full featured apps, and is designed for modern devices. Windows Defender is always on and always up-to-date.[…]

https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-highly-secure

 

 

PCILeech3 and Memory Process File System released!

Targets 64-bit Intel systems running Windows.

http://blog.frizk.net/2018/03/memory-process-file-system.html

https://github.com/ufrisk/pcileech

ShowSLIC.efi: Access ACPI-based Windows SLIC License Key

FPMurphy has a new blog post with source to a new tool, and mentions plans for 3-4 new tools/year!

Those who follow my work in the UEFI Shell space are aware that I usually develop a number of new, and hopefully useful, UEFI shell utilities each year. This year, I plan to write three or four new utilities and enhance a number of existing utilities. This is the first of these new utilities. In this post, I describe the ShowSLIC utility. It is the first of my new utilities and came about from license and booting issues caused by a disk failure on a friend’s laptop that was running Windows 7. ShowSLIC is designed to enable you to retrieve SLIC (System License Internal Certificate) information from a UEFI-based Microsoft Windows PC or laptop. Such information is accessible (exposed) via the ACPI (Advanced Configuration and Power Interface) SLIP table.[…]

https://blog.fpmurphy.com/2018/01/accessing-acpi-slic-from-uefi-shell.html#ixzz58Wq6TSMw

https://blog.fpmurphy.com/

Looks like you have to scrape the source from the HTML blog post, not included in latest UEFI-Utilities, AFAICT:

https://github.com/fpmurphy/UEFI-Utilities-2016/commits/master

Microsoft Device Health Attestation protocol

Re: https://firmwaresecurity.com/2018/02/22/hp-including-expected-pcr0-values-in-firmware-releases/

Microsoft Device Health Attestation protocol

Device Health Attestation
https://technet.microsoft.com/en-us/library/mt750346.aspx

[MS-DHA]: Device Health Attestation Protocol
https://msdn.microsoft.com/en-us/library/mt766195.aspx

ASUS doesn’t care about Linux [Firmware]

See image in below tweet. A tweet with a bug report about ACPI and TPM2 on ASUS systems.

Linux users: remember that you’re not using a Linux box, you’re using a Windows box, or a Chrome box, and reinstalling an OS, which the OEM doesn’t support, so they won’t be offering you any way to update your firmware with that OS. Unless you’re buying your machine from an OEM that installs Linux. If you are a Linux user, stop buying Windows/Chrome PCs and buy Linux PCs.

Windows AMSI (AntiMalware Scan Interface) bypass

http://standa-note.blogspot.ca/2018/02/amsi-bypass-with-null-character.html

https://msdn.microsoft.com/en-us/library/windows/desktop/dn889587(v=vs.85).aspx

See-also:

https://www.cyberark.com/threat-research-blog/amsi-bypass-patching-technique/

Windows 10: storing system-tracking data in UEFI variables

https://twitter.com/dakotathekat/status/963086883621408768

https://mastodon.social/@slipstream/99513179089285773

https://docs.microsoft.com/en-us/uwp/api/Windows.System.Profile.SystemIdentification

As one comment above notes, make sure you know how to reset this firmware-stored data before you dispose of any such systems.

Interesting, I would have guessed that this data would be stored in UEFI SMM LockBox, but some forms of UEFI variables are also hard to access. Ah, but this is for persistent data…

https://github.com/tianocore/edk2/blob/master/MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBox.c

I’d swear I saw some MacOSX (before change to macOS) components moved from system libraries up into Apple EFI, I wonder if Apple also implements SmmLockBox?

adding BIOS Mode and Secure Boot state to BGInfo

 

Adding Windows 10 Version, BIOS Mode and Secure Boot State to BGInfo