FWTS 16.09.00 released

Alex Hung of Canonical announced the latest release of FWTS, the FirmWare Test Suite, on the fwts-announce and other lists.

New Features include:
  * lib: acpi: add supports for WPBT
  * acpi: wpbt: add ACPI WPBT test
  * lib: acpi: add supports for DRTM
  * acpi: drtm: add ACPI DRTM test
  * lib: fwts_guid: add a compare function
  * acpi: nfit: check fields equals 0 for Virtual CD and Disk
  * opal: mtd: Add OPAL MTD Validation
  * acpi: ACPI Platform check updates
  * acpi: fadt: Remove HEADLESS check on reduced hardware
  * pci: aspm: Add segment support
  * ACPICA: Update to version 20160831

See the full announcement for the list of bugfixes.

http://fwts.ubuntu.com/release/fwts-V16.09.00.tar.gz
https://launchpad.net/~firmware-testing-team/+archive/ubuntu/ppa-fwts-stable
https://wiki.ubuntu.com/FirmwareTestSuite/ReleaseNotes/16.09.00
https://launchpad.net/ubuntu/+source/fwts

What’s the next built-in ACPI attack?

[UPDATE: just confirmed that ACPI.info’s links page had the WPBT link since 2011. After posting below article, I wondered if the ACPI.info webmaster updated their links page in the last few days…]
https://web.archive.org/web/20111208014141/http://www.acpi.info/links.htm

While the media is currently blaming Lenovo for sloppy Windows QA, they’re also waking up to the reality of WPBT, which Windows has been using for the last few years. Initial Ars Technica and YCombinator posts on the topic quoted the abstract of the spec from a web page that was no longer available, so it sounded conspiratorial. But the doc has been online since 2011. Besides microsoft.com-based links, the ACPI.info web site maintains a good set of links, including a pointer to the WPBT spec, and other ACPI-related table specs.

http://www.acpi.info/links.htm

The ACPI specs — at least some of them? — are maintained by the UEFI Forum. The UEFI Forum’s web site does NOT have a link to the WPBT spec.

http://www.uefi.org/acpi

I’ll bet there’re a few other existing ‘unknown’ ACPI features hidden on the ACPI.info links page that’ll be ‘discovered’ in the next few months, due to another sloppy OEM or sharp security researcher… From above links URL, here’s a partial list (I omitted multiple entries which’re specs for other hardware, and some of those might also include ACPI tables) of ACPI tables to attack:

Core System Resources Table, CSRT
Debug Port Table, DBGP
Debug Port Table 2, DBG2
DMA Remapping Table, DMAR
IA-PC High Precision Event Timer Table, HPET
I/O Virtualization Reporting Structure, IVRS
iSCSI Boot Firmware Table, IBFT
Management Controller Host Interface Table, MCHI
Microsoft Software Licensing Tables, MSDM, SLIC
Multiprocessor Startup for ARM Platforms
PCI SIG’s MCFG
Serial Port Console Redirection Table, SPCR
Server Platform Management Interface Table, SPMI
Simple Boot Flag Table, BOOT
Smart Battery System Components and SMBus Spec
Trusted Platform Module 2 Table, TPM2
Trusted Computing Platform Alliance Capabilities Table, TCPA
Watchdog Action Table, WDAT
Watchdog Timer Resource Table, WDRT
Windows ACPI Emulated Devices Table, WAET
Windows Platform Binary Table, WPBT

Quoting Wikipedia on ACPI security risks:

“Ubuntu Linux founder Mark Shuttleworth has likened ACPI to Trojan horses. He has described proprietary firmware (ACPI-related or any other firmware) as a security risk, saying that “firmware on your device is the NSA’s best friend” and calling firmware (ACPI or non-ACPI) “a Trojan horse of monumental proportions”. He has pointed out that low quality, closed source firmware is a major threat to system security: “Your biggest mistake is to assume that the NSA is the only institution abusing this position of trust — in fact, it’s reasonable to assume that all firmware is a cesspool of insecurity, courtesy of incompetence of the highest degree from manufacturers, and competence of the highest degree from a very wide range of such agencies”. As a solution to this problem, he has called for declarative firmware (ACPI or non-ACPI). Firmware should be open-source so that the code can be checked and verified. Firmware should be declarative, meaning that it should describe “hardware linkage and dependencies” and should not include executable code.”

Vendors need to be disclosing a LOT MORE information about what they’ve included in their firmware, now that people are aware of this, thanks to Lenovo. It is easy to fix OEMs’ mistakes at OS level, by reinstalling an open source OS, or installing vanilla Windows and then getting the drivers from the OEM/IHVs. But you can’t update your system’s firmware, and ACPI is the new dumping ground for OEM bloat. Well, not new, just newly-realized by some of us. I want a system with absolute minimal ACPI table bloat, and I want to KNOW what tables are shipped on the firmware. Linux OEMs: don’t ship COTS firmware that has Windows-centric ACPI blobs in them. If you look on #UEFI on G+ and Twitter, you’ll find more and more people demanding Open Hardware and fully-open source firmware, which is refreshing. 🙂

Lenovo Service Engine

A bit more on this topic from yesterday:
https://firmwaresecurity.com/2015/08/11/lenovo-lse-wpbt-and-wpbbin-exe/
Lenovo has a response:

Lenovo Statement on Lenovo Service Engine (LSE) BIOS
http://news.lenovo.com/article_display.cfm?article_id=2013

There are more news agencies reporting on this story:
http://thetechportal.in/2015/08/12/lenovo-in-a-soup-for-secretly-downloading-update-and-software-even-after-system-wipe/
http://gadgets.ndtv.com/laptops/news/lenovo-covertly-downloading-installing-software-on-its-windows-pcs-reports-727109
http://www.ghacks.net/2015/08/12/lenovo-once-again-in-hot-waters-over-lenovo-service-engine-bios/
http://thenextweb.com/insider/2015/08/12/lenovo-used-a-hidden-windows-feature-to-ensure-its-software-could-not-be-deleted/

Yuck, is each OS vendor using UEFI as a crutch? I wish the Linux Foundation (or some other group) had advice for chip vendors, IBVs, IHVs, and pre-OS ISVs on how to use Linux properly on UEFI systems. It should require that this Windows-centric BIOS code NOT be present on a Linux system. What other OS-specific crud is in my closed-source BIOS?!

Lenovo LSE, WPBT and wpbbin.exe

UPDATE: See-also:
https://firmwaresecurity.com/2015/08/16/wpbt-attacks-from-the-past-alex-at-syscan12/
https://firmwaresecurity.com/2015/08/14/whats-the-next-built-in-acpi-attack/
https://firmwaresecurity.com/2015/08/13/us-cert-lenovo-service-engine-lse-bios-vulnerability/
https://firmwaresecurity.com/2015/08/12/lenovo-service-engine/

An interesting find, potentially scary if misused. See the Ars Technica and YCombinator stories for the discovery. What is Windows’ ‘wpbbin.exe’, and how/when is it used? There’s one reference to it on Microsoft.com in a DOC related to WPBT, the Windows Platform Binary Table. From one document no longer on the Microsoft web site (saved in Google cache, found on the Ars article):

A rich set of tools exist to aid Windows provisioning, ranging from driver injection and offline registry management to sysprep imaging tools. However, there is a small set of software where the tools are not enough. The software is absolutely critical for the execution of Windows but for one reason or another, the vendor is unable to distribute the software to every provisioning entity. This paper describes a mechanism for a platform, via the boot firmware, to publish a binary to Windows for execution. The mechanism leverages a boot firmware component to publish a binary in physical memory described to Windows using a fixed ACPI table. The information provided here was originally published in conjunction with the availability of Windows 8. The guidance and requirements to use WPBT functionality has been updated for the Windows 10 timeframe.

https://www.google.com/?gws_rd=ssl#q=wpbbin.exe+site:microsoft.com
http://arstechnica.com/civis/viewtopic.php?p=29497693&sid=ddf3e32512932172454de515091db014#p29497693
https://news.ycombinator.com/item?id=10039870
https://lkml.org/lkml/2015/5/20/1155
https://www.microsoft.com/en-us/download/details.aspx?id=38405
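The mechanism quoted above is simple to inspect from the OS side: Linux exports every ACPI table the firmware handed over as a raw file under /sys/firmware/acpi/tables, named by its four-character signature, so anyone who wants to KNOW which tables a machine ships (the wish stated in the earlier post, and the reason fwts 16.09 added a WPBT test) can read them directly. The script below is an added example written for this page; it is not code from the blog, from Microsoft or from fwts. It inventories a tables directory, verifies each table’s ACPI checksum, flags the Windows-specific tables from the list above (WPBT, WAET, MSDM, SLIC), and decodes a WPBT body: the handoff size and physical address of the published binary, the content layout and type, and the UTF-16LE input arguments. The field offsets follow the WPBT specification (36-byte standard ACPI header, then the WPBT-specific fields); the sample tables built by build_sample_dir() are constructed for the demo and carry a made-up address and OEM id.

```python
"""Inventory ACPI tables and decode a WPBT (added example; sample data is constructed)."""
import os
import struct
import tempfile
from dataclasses import dataclass
from typing import Dict, List, Optional

ACPI_HEADER = struct.Struct("<4sIBB6s8sI4sI")  # 36-byte standard ACPI table header
WPBT_BODY = struct.Struct("<IQBBH")             # handoff size, handoff address, layout, type, args length

# Tables from the list on this page that exist to serve one OS rather than to describe hardware.
OS_SPECIFIC = {
    b"WPBT": "Windows Platform Binary Table (firmware-published executable)",
    b"WAET": "Windows ACPI Emulated Devices Table",
    b"MSDM": "Microsoft Software Licensing (OEM product key)",
    b"SLIC": "Microsoft Software Licensing (OEM activation)",
}


def acpi_checksum_ok(table: bytes) -> bool:
    """An ACPI table is valid when all its bytes, checksum byte included, sum to 0 mod 256."""
    return sum(table) % 256 == 0


@dataclass
class TableInfo:
    signature: str
    length: int
    oem_id: str
    oem_table_id: str
    checksum_ok: bool
    note: Optional[str]  # set for the OS-specific tables above


def parse_header(table: bytes) -> TableInfo:
    sig, length, _rev, _csum, oem_id, oem_tid, _oemrev, _cid, _crev = ACPI_HEADER.unpack_from(table, 0)
    return TableInfo(
        signature=sig.decode("ascii", "replace"),
        length=length,
        oem_id=oem_id.rstrip(b"\0 ").decode("ascii", "replace"),
        oem_table_id=oem_tid.rstrip(b"\0 ").decode("ascii", "replace"),
        checksum_ok=(length <= len(table) and acpi_checksum_ok(table[:length])),
        note=OS_SPECIFIC.get(sig),
    )


def inventory(tables_dir: str) -> Dict[str, TableInfo]:
    """Parse every table file in tables_dir (on Linux: /sys/firmware/acpi/tables)."""
    result: Dict[str, TableInfo] = {}
    for name in sorted(os.listdir(tables_dir)):
        path = os.path.join(tables_dir, name)
        if not os.path.isfile(path):  # skip the 'dynamic' subdirectory
            continue
        with open(path, "rb") as f:
            data = f.read()
        if len(data) >= ACPI_HEADER.size:
            result[name] = parse_header(data)
    return result


@dataclass
class Wpbt:
    handoff_size: int      # bytes of the published image
    handoff_address: int   # physical address the firmware placed it at
    layout: int            # 1 = single flat PE image
    content_type: int      # 1 = native user-mode application
    arguments: str         # command line handed to the binary


def parse_wpbt(table: bytes) -> Wpbt:
    """Decode the WPBT-specific fields that follow the standard header."""
    size, addr, layout, ctype, args_len = WPBT_BODY.unpack_from(table, ACPI_HEADER.size)
    start = ACPI_HEADER.size + WPBT_BODY.size
    args = table[start:start + args_len].decode("utf-16-le", "replace").rstrip("\0")
    return Wpbt(size, addr, layout, ctype, args)


def wpbt_findings(w: Wpbt) -> List[str]:
    """Sanity checks a test suite would apply: the spec defines only layout 1 and type 1."""
    out = []
    if w.layout != 1:
        out.append(f"unexpected content layout {w.layout} (spec defines 1 = single PE image)")
    if w.content_type != 1:
        out.append(f"unexpected content type {w.content_type} (spec defines 1 = user-mode app)")
    if w.handoff_size == 0 or w.handoff_address == 0:
        out.append("handoff region is empty")
    return out


def build_table(sig: bytes, body: bytes) -> bytes:
    """Assemble a constructed table with a correct length and checksum (demo data only)."""
    length = ACPI_HEADER.size + len(body)
    hdr = ACPI_HEADER.pack(sig, length, 1, 0, b"DEMO  ", b"DEMOTBL ", 1, b"DEMO", 1)
    raw = hdr + body
    return raw[:9] + bytes([(-sum(raw)) % 256]) + raw[10:]


def build_sample_dir(path: Optional[str] = None) -> str:
    """Write constructed FACP, MSDM and WPBT tables into a directory and return its path."""
    path = path or tempfile.mkdtemp(prefix="acpi-demo-")
    args = "/quiet".encode("utf-16-le") + b"\0\0"
    wpbt_body = WPBT_BODY.pack(0x1000, 0x7FF00000, 1, 1, len(args)) + args  # made-up address
    for sig, body in ((b"FACP", b"\0" * 8), (b"MSDM", b"\0" * 16), (b"WPBT", wpbt_body)):
        with open(os.path.join(path, sig.decode()), "wb") as f:
            f.write(build_table(sig, body))
    return path


if __name__ == "__main__":
    sysfs = "/sys/firmware/acpi/tables"
    tables_dir = sysfs if os.path.isdir(sysfs) else build_sample_dir()
    for name, info in inventory(tables_dir).items():
        flag = "  <-- " + info.note if info.note else ""
        print(f"{name:8} len={info.length:6} oem={info.oem_id:6} csum={'ok' if info.checksum_ok else 'BAD'}{flag}")
    wpbt_path = os.path.join(tables_dir, "WPBT")
    if os.path.isfile(wpbt_path):
        with open(wpbt_path, "rb") as f:
            w = parse_wpbt(f.read())
        print(f"WPBT publishes {w.handoff_size:#x} bytes at {w.handoff_address:#x}, args={w.arguments!r}")
        for finding in wpbt_findings(w):
            print("  finding:", finding)
```

Run it as root on a Linux machine to see the real table set; without the sysfs directory it falls back to the constructed sample. A present WPBT is not itself a defect, but the address, size and arguments it publishes are exactly the information an OEM is otherwise not disclosing, and a checksum failure on any table is worth a firmware bug report.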

Found while researching the above: Lenovo has security updates for LSE:

LEN-2015-077: Lenovo Service Engine (LSE) BIOS for Desktop
LEN-2015-020: Lenovo Service Engine (LSE) BIOS for Notebook

Lenovo Security Advisory: LEN-2015-020
Potential Impact: Privilege Escalation
Severity: High
Summary: Vulnerabilities have been identified in the Lenovo Service Engine (LSE). Lenovo has released a BIOS update to disable Lenovo Service Engine and a utility to remove services and files left on the system for systems running Windows 7, 8, 8.1 and 10. See below for a full list of notebook systems with LSE installed. 

https://support.lenovo.com/us/en/product_security/lse_bios_notebook
https://support.lenovo.com/us/en/product_security