dual-booting FreeBSD and Windows

Kevin Bowling has an article that shows how to set up a UEFI system to boot FreeBSD, including ZFS on root, alongside another UEFI OS such as Windows.

https://www.freebsdnews.com/2017/01/23/freebsd-uefi-root-zfs-windows-dual-boot-kevin-bowling/

https://bsdmag.org/freebsd_uefi_root/

I’m not sure if this article is an improved version of or just a rebroadcast of:

http://kev009.com/wp/2016/07/freebsd-uefi-root-on-zfs-and-windows-dual-boot/


Intel Processor Trace driver for Windows

“This driver implements the Intel Processor Trace functionality in Intel Skylake architecture for Microsoft Windows.”

https://github.com/intelpt/WindowsIntelPT

There’s also the Talos driver:

Talos creates Intel PT driver

and libIPT:

LibIPT – Intel Processor Trace Decoder Library


Microsoft Updates OEM Device/Credential Guard requirements

Microsoft just updated this page:

https://msdn.microsoft.com/en-us/windows/hardware/commercialize/design/minimum/device-guard-and-credential-guard

There is no list of what changed; a changelog seems like a reasonable thing for such a large list of requirements. I’ll leave you to figure out what changed. 🙂

(If someone knows of a good way to diff this page against the same page a few weeks ago (without archive.org), please leave a Comment on this blog post. Thanks.)


Yuriy and Oleksandr at REcon

Baring the system: New vulnerabilities in SMM of Coreboot and UEFI based systems
By: Yuriy Bulygin, Oleksandr Bazhaniuk

Previously, we discovered a number of vulnerabilities in UEFI based firmware including software vulnerabilities in SMI handlers that could lead to SMM code execution, attacks on hypervisors like Xen, Hyper-V and bypassing modern security protections in Windows 10 such as Virtual Secure Mode with Credential and Device Guard. These issues led to changes in the way the OS communicates with SMM on UEFI based systems and the new Windows SMM Security Mitigations ACPI Table (WSMT). This research describes an entirely new class of vulnerabilities affecting SMI handlers on systems with Coreboot and UEFI based firmware. These issues are caused by incorrect trust assumptions between the firmware and underlying hardware which makes them applicable to any type of system firmware. We will describe impact and various mitigation techniques. We will also release a module for the open source CHIPSEC framework to automatically detect this type of issue on a running system.

https://recon.cx/2017/brussels/talks/baring_the_system.html

Yuriy to speak at REcon Brussels


Lenovo’s Think BIOS Config Tool

http://thinkdeploy.blogspot.com/2017/01/thinkpad-bios-to-uefi-conversion-using.html?spref=tw

https://docs.microsoft.com/en-us/sccm/osd/deploy-use/task-sequence-steps-to-manage-bios-to-uefi-conversion

http://thinkdeploy.blogspot.com/2016/08/the-think-bios-config-tool.html

Some related Lenovo BIOS tools:
https://support.lenovo.com/us/en/documents/ht100612
http://support.lenovo.com/us/en/downloads/ds014169
http://support.lenovo.com/us/en/products/laptops-and-netbooks/thinkpad-l-series-laptops/thinkpad-l420/downloads/ds019499

[I confess I still don’t understand what this “BIOS to UEFI” thing is that Windows admin tools now have. Is it switching from Legacy to UEFI firmware, then redoing the OS bits to handle that? Why are these boxes using Legacy mode in the first place? Oh well.]


OpenCIT 2.2 released

Adolfo V Aguayo of Intel announced the version 2.2 release of OpenCIT.

New Features in 2.2:
– TPM 2.0 support.
  + Added support for platform and asset tag attestation of Linux and Windows hosts with TPM 2.0.
  + Support attestation of either SHA1 or SHA256 PCR banks on TPM 2.0.
  + Ubuntu 16.04 and RHEL 7.2, 7.3 (SHA1 and SHA256), Windows Server 2012 and Hyper-V Server 2012 (SHA1) are supported with TPM 2.0.
– All the certificates and hashing algorithms used in CIT are upgraded to use SHA256. SHA1 has been deprecated and will no longer be used.
– CIT Attestation Service UI has been updated to allow the user to select either the SHA1 or SHA256 PCR bank for attestation of TPM 2.0 hosts.
  + The CIT Attestation Service will automatically choose the strongest available algorithm for attestation (SHA1 for TPM 1.2, and SHA256 for TPM 2.0).
– CIT Attestation Service UI Whitelist tab no longer requires the user to select PCRs when whitelisting, and will automatically choose the PCRs to use based on the host OS and TPM version. This is done to reduce confusion due to differing behaviors between TPM 1.2 and TPM 2.0 PCR usages.
– Additional changes made to support TPM 2.0:
  + Linux hosts with TPM 2.0 will now utilize TPM2.0-TSS (TPM 2.0 Software Stack) and TPM2.0-tools instead of the legacy trousers and tpm-tools packages. The new TSS2 and TPM2.0-tools are packaged with the CIT Trust Agent installer.
  + TPM 2.0 Windows hosts use TSS.MSR (the TPM Software Stack from Microsoft Research) PCPTool.
  + TPM 1.2 hosts will continue to use the legacy TSS stack (trousers) and tpm-tools components.

For more information, see the full announcement on the oat-devel@lists.01.org mailing list.

https://github.com/opencit
https://01.org/opencit
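The bank-selection and PCR-comparison logic described in the release notes (pick the strongest PCR bank the host offers, then compare the quoted PCR values against a whitelist) is easy to get wrong, so here is an added example of it in Python. This is not OpenCIT’s code: it simulates the TPM’s PCR extend operation (PCR_new = H(PCR_old || H(event data)) starting from an all-zero PCR), builds a whitelist by replaying a constructed measurement log for a “golden” host, and then attests three constructed hosts: a TPM 2.0 host with both banks, a TPM 1.2 host with only SHA1, and a TPM 2.0 host whose PCR0 log contains a modified module. Event data, PCR numbers and bank names are assumptions chosen for illustration.

```python
"""Simulated PCR-bank selection and whitelist attestation (added example).

Not OpenCIT code. Models a TPM's PCR extend and the attestation service's
"strongest common bank" rule, then compares quoted PCRs with a whitelist.
"""
import hashlib
from typing import Dict, List, Sequence

# Hash constructors for the two PCR banks that can be attested.
BANKS = {"sha1": hashlib.sha1, "sha256": hashlib.sha256}
PREFERENCE = ("sha256", "sha1")  # strongest bank first


def pcr_extend(pcr: bytes, event_data: bytes, bank: str) -> bytes:
    """TPM PCR extend: PCR_new = H(PCR_old || H(event_data)) in the given bank."""
    h = BANKS[bank]
    return h(pcr + h(event_data).digest()).digest()


def replay_log(events: Sequence[bytes], bank: str) -> bytes:
    """Fold one PCR's measurement log into its final value (PCR starts all-zero)."""
    pcr = bytes(BANKS[bank]().digest_size)
    for ev in events:
        pcr = pcr_extend(pcr, ev, bank)
    return pcr


def quote(log: Dict[int, Sequence[bytes]], banks: Sequence[str]) -> Dict[str, Dict[int, str]]:
    """Simulated quote: final hex PCR values for every bank the TPM implements."""
    return {b: {i: replay_log(evs, b).hex() for i, evs in log.items()} for b in banks}


def choose_bank(host_banks: Sequence[str], whitelist_banks: Sequence[str]) -> str:
    """Strongest bank present on both the host quote and the whitelist."""
    for b in PREFERENCE:
        if b in host_banks and b in whitelist_banks:
            return b
    raise ValueError("no PCR bank common to host and whitelist")


def attest(host_quote: Dict[str, Dict[int, str]],
           whitelist: Dict[str, Dict[int, str]],
           pcrs: Sequence[int]) -> Dict:
    """Compare the selected PCRs in the strongest common bank against the whitelist."""
    bank = choose_bank(list(host_quote), list(whitelist))
    mismatched: List[int] = [
        i for i in pcrs if host_quote[bank].get(i) != whitelist[bank].get(i)
    ]
    return {"bank": bank, "trusted": not mismatched, "mismatched_pcrs": mismatched}


# Constructed golden log: PCR0 (firmware code), PCR7 (Secure Boot policy).
GOLDEN_LOG = {0: [b"UEFI-core-v1.2.3", b"pei-module-A"],
              7: [b"SecureBoot=1", b"PK-db-hash"]}
WHITELIST = quote(GOLDEN_LOG, ["sha1", "sha256"])

# Host A: TPM 2.0 with both banks, same firmware -> trusted via SHA256.
HOST_TPM20 = quote(GOLDEN_LOG, ["sha1", "sha256"])
# Host B: TPM 1.2 (SHA1 only), same firmware -> trusted via SHA1.
HOST_TPM12 = quote(GOLDEN_LOG, ["sha1"])
# Host C: TPM 2.0 with a modified PEI module -> PCR0 mismatch.
TAMPERED_LOG = {0: [b"UEFI-core-v1.2.3", b"pei-module-A-backdoored"],
                7: GOLDEN_LOG[7]}
HOST_TAMPERED = quote(TAMPERED_LOG, ["sha1", "sha256"])

if __name__ == "__main__":
    for name, q in (("tpm2.0", HOST_TPM20), ("tpm1.2", HOST_TPM12), ("tampered", HOST_TAMPERED)):
        print(name, attest(q, WHITELIST, [0, 7]))
```

The point of folding a log rather than whitelisting raw measurements is that a single changed event anywhere in the PCR’s history changes the final value, and the SHA1 and SHA256 banks diverge independently, so a whitelist captured in one bank cannot be reused for the other.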

Intel Manageability Commander for Windows: Intel AMT tool

pdxgrlgeek has a new post on the Intel blog about Intel Manageability Commander, an Intel AMT-centric, Microsoft Windows-centric tool that optionally integrates with Microsoft SCCM. Excerpts from the blog post and from the software’s readme PDF:

I am excited to announce the release of Intel® Manageability Commander.  Built from the widely used MESHCommander application, Intel® Manageability Commander will make it significantly easier to take advantage of Intel® AMT out of band hardware management features provided on Intel® vPro™ platforms. Intel® Manageability Commander is a light weight console used to connect with and utilize the features of Intel® Active Management Technology (Intel® AMT). Through this software, users will be able to connect to activated Intel® AMT devices to perform functions such as power control, remote desktop, hardware inventory, remote terminal, and more. Additionally, this software will plug into Microsoft* System Center Configuration Manager (SCCM) version 1511 and later.

Subset of features from blog post:
* View and modify network settings of Intel® AMT. If the PC has a wireless interface, users can add multiple wireless profiles to connect to Intel® AMT using the wireless interface
* Configure Intel® AMT security features such as System Defense, Audit Log, and Access Control List
* Discover, diagnose and manage Intel® AMT configured PCs remotely
* View and solve user PC and Operating System issues via integrated KVM remote control (Keyboard, Video, Mouse)
* Display Intel® AMT events and filter events by keyword
* Enable or disable Intel® AMT features on a configured system directly from Intel® Manageability Commander’s user interface.
* Integrate with Microsoft SCCM current build version 1511 and later

Read the list of errata in the relnotes, too. For example:
1) “Powering off a system using Intel® Manageability Commander uses the Intel® AMT power control feature and is outside of the operating system. This means that an OS-based reboot or power down is not possible. Over time, repeated use of this feature could lead to corruption in the operating system. This is the expected behavior of Intel® AMT power off command for all versions of Intel® AMT”

This is a Windows-centric tool. It appears if you want to have all the fun tools from Intel, you have to use Windows, not Linux or MacOSX or Android or ChromeOS. 😐

https://communities.intel.com/community/tech/vproexpert/blog/2016/11/05/intel-manageability-commander-with-microsoft-sccm-integration
http://www.intel.com/content/www/us/en/support/software/manageability-products/intel-manageability-commander.html
https://downloadcenter.intel.com/download/26375/Intel-Manageability-Commander


MBRFilter: MBR security for Windows

Lucian Constantin has an article about a new MBR-based Windows-centric tool created by Cisco’s Talos. From his article on CSO Online:

[…]Cisco’s Talos team has developed an open-source tool that can protect the master boot record of Windows computers from modification by ransomware and other malicious attacks. The tool, called MBRFilter, functions as a signed system driver and puts the disk’s sector 0 into a read-only state. It is available for both 32-bit and 64-bit Windows versions and its source code has been published on GitHub. The master boot record (MBR) consists of executable code that’s stored in the first sector (sector 0) of a hard disk drive and launches the operating system’s boot loader. The MBR also contains information about the disk’s partitions and their file systems. Since the MBR code is executed before the OS itself, it can be abused by malware programs to increase their persistence and gain a head start before antivirus programs. Malware programs that infect the MBR to hide from antivirus programs have historically been known as bootkits — boot-level rootkits. […]

From the project’s readme:

[…]This is a simple disk filter based on Microsoft’s diskperf and classpnp example drivers. The goal of this filter is to prevent writing to Sector 0 on disks. This is useful to prevent malware that overwrites the MBR like Petya. This driver will prevent writes to sector 0 on all drives. This can cause an issue when initializing a new disk in the Disk Management application. Hit ‘Cancel’ when it asks you to write to the MBR/GPT and it should work as expected. Alternatively, if OK was clicked, then quitting and restarting the application will allow partitioning/formatting. […]

http://www.csoonline.com/article/3133115/security/free-tool-protects-pcs-from-master-boot-record-attacks.html

https://github.com/vrtadmin/MBRFilter/releases/tag/1.0
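MBRFilter blocks writes to sector 0 in the kernel; the user-mode complement is to parse sector 0 and notice when it has changed. The following added example (my code, not Talos’s) parses the 512-byte MBR layout the article describes: 446 bytes of bootstrap code, four 16-byte partition entries at offset 446, and the 0x55AA signature in the last two bytes. It hashes the boot code, lists the partition entries, and compares a freshly read sector against a saved baseline. The sample sector and the Petya-style overwrite are constructed inline; the partition geometry and hash choice are assumptions for the demo.

```python
"""Parse an MBR and detect modification of sector 0 (added example, not MBRFilter code)."""
import hashlib
import struct
from typing import Dict, List

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446             # bootstrap code, disk signature, padding
PART_TABLE_OFF = 446            # four 16-byte partition entries follow
BOOT_SIGNATURE = b"\x55\xaa"    # last two bytes of sector 0


def parse_mbr(sector: bytes) -> Dict:
    """Return the boot-code hash and the non-empty partition entries of an MBR."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly one 512-byte sector")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature; not a valid MBR")
    partitions: List[Dict] = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status(1) chs_start(3) type(1) chs_end(3) lba_start(4) sectors(4), little-endian
        status, _chs0, ptype, _chs1, lba_start, n_sectors = struct.unpack(
            "<B3sB3sII", sector[off:off + 16])
        if ptype == 0x00:       # empty slot
            continue
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": n_sectors,
        })
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def check_mbr(sector: bytes, baseline: Dict) -> List[str]:
    """Compare a freshly read sector 0 against a saved baseline; [] means unchanged."""
    try:
        current = parse_mbr(sector)
    except ValueError as exc:
        return [f"unparseable MBR: {exc}"]
    findings: List[str] = []
    if current["boot_code_sha256"] != baseline["boot_code_sha256"]:
        findings.append("boot code (bytes 0-445) differs from baseline")
    if current["partitions"] != baseline["partitions"]:
        findings.append("partition table differs from baseline")
    return findings


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample sector: one bootable NTFS (0x07) partition at LBA 2048."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07,
                        b"\xfe\xff\xff", 2048, 1_048_576)
    table = entry + b"\x00" * 48        # three empty entries
    return code + table + BOOT_SIGNATURE


# Constructed data: a "known good" sector, and a Petya-style overwrite that
# replaces the bootstrap code but leaves the partition table and signature intact.
GOOD_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")
BASELINE = parse_mbr(GOOD_MBR)
TAMPERED_MBR = build_sample_mbr(b"\xeb\x3c\x90MALWARE")

if __name__ == "__main__":
    print("baseline:", BASELINE)
    print("good    :", check_mbr(GOOD_MBR, BASELINE))
    print("tampered:", check_mbr(TAMPERED_MBR, BASELINE))
```

On a real Windows host the sector would come from reading 512 bytes of `\\.\PhysicalDrive0` as an administrator; with MBRFilter loaded the read still succeeds, only writes are refused, so the baseline comparison remains a useful second check that the filter has not been unloaded.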

Microsoft: Keeping Windows Secure documents on Github

https://github.com/Microsoft/windows-itpro-docs/blob/master/windows/keep-secure/TOC.md

This reminds me: the guidance for Linux users from the Linux Foundation is nearly a year old now, with no updates:

Linux Foundation IT Security Policies: firmware guidance

Device Guard: undocumented policies

“Interesting undocumented Device Guard code integrity policy rules. Obtained via the SIPolicy XML schema.”

https://twitter.com/mattifestation/status/783399561306005504

https://twitter.com/mattifestation/status/783405609651765248

https://technet.microsoft.com/en-us/itpro/windows/keep-secure/deploy-code-integrity-policies-policy-rules-and-file-rules

WordPress mangles GitHub Gist URLs; click on the above Twitter URLs to get the Gist URL.

HAXWell: loads custom ISA on Intel Haswell GPUs

https://github.com/jbarczak/HAXWell

Code demonstrating how to load custom ISA on Intel Haswell GPUs via OpenGL. Also includes various ISA utilities and benchmarks. This code works on Windows 8.1. […] For more information, see my related blog posts:
GPU Ray-Tracing The Wrong Way: http://www.joshbarczak.com/blog/?p=1197
SPMD Is Not Intel’s Cup of Tea: http://www.joshbarczak.com/blog/?p=1120
You Compiled This Driver, Trust Me: http://www.joshbarczak.com/blog/?p=1028

More info on Microsoft BIOS to UEFI feature

Earlier I saw some brief information about some “BIOS to UEFI” feature that Microsoft was adding to some product of theirs, but had no idea what it was about. Here is a bit more information on the System Center feature:

Microsoft working on a “BIOS to UEFI feature” ?

“Improvements for BIOS to UEFI conversion

You can now customize an operating system deployment task sequence with a new variable, TSUEFIDrive, so that the Restart Computer step will prepare a FAT32 partition on the hard drive for transition to UEFI. The following procedure provides an example of how you can create task sequence steps to prepare the hard drive for the BIOS to UEFI conversion.”

https://technet.microsoft.com/library/mt772349(TechNet.10).aspx#Improvements-for-BIOS-to-UEFI-conversion

Analysis of MSI’s NTIOlib

MSI ntiolib.sys/winio.sys local privilege escalation:
So, it seems that not only ASUS drivers allow unprivileged reading and writing of physical memory. Just a few months ago I was looking at the drivers that are loaded on my machine, and I found a small MSI driver called NTIOLib_X64.sys. Out of curiosity I looked at it in IDA and it turned out that it has almost the same functionality as the ASMMAP/ASMMAP64 ASUS drivers. I’ve tried to contact MSI through various different channels, but I haven’t really gotten past their customer support, so I’m not sure if anyone from the development team is aware of this design flaw. After almost 4 months I decided to publish my findings here. […]

http://blog.rewolf.pl/blog/?p=1630

osquery ported to Windows

https://twitter.com/tomchop_/status/780796081546330113

Windows network security now easier with osquery

https://thehackernews.com/2016/09/osquery-security-tool.html

https://osquery.io/