Now Unified EFI (UEFI) is controlled by the UEFI Forum, with Adopter and Contributor levels. Created by Intel, initially to boot their Itanium systems, called EFI. Universal Extensible Firmware Interface A complete technical replacement for the legacy PC BIOS firmware, available for many systems and architectures. Good background on understanding threats. “Addresses the primary threat that an adversary will modify or replace the BIOS on a PC client device and compromise the PC client environment in a persistent way.” IAD (Information Assurance Directorate): BIOS Update Protection Profile, 1.0, 2013 Common Criteria's Standard Protection Profile (PP) for PC client devices BIOS firmware (including UEFI). Use of Trustworthy Computing security to augment firmware security, locally (TPM) and remotely (TNC). Securely transmit measurements of BIOS integrity from endpoints to the Measurement Assessment Authority. Enable endpoints to measure the integrity of all firmware components and configuration data components. Provide the hardware support to Roots of Trust for BIOS integrity measurements. Service Processor as Root of Trust Non-Bypassability of BIOS Protections by Service Processor Added authenticated remote online firmware update mechanisms, in addition to local updates. Defines Integrity protection and nonbypassability features.Įxpanded 147 model from 'PC' (Basic Server) to include more complex servers (Managed Server, Blade Server), with dedicated management channels, possibly a Service Processor. Defines authenticates BIOS update mechanism, and optional secure local update mechanism. offers guidance on firmware 2011: SP800-147: BIOS Protection Guidelines 2011: SP800-155: BIOS Integrity Measurement Guidelines (Draft) 2014: SP800-147B: BIOS Protection Guidelines for Serversĭefines best practices for various phases: Provisioning, Platform Deployment, Operations and Maintenance, Recovery, Disposition. Reverend Bill and others have slight variations, but the main point is the same: the 0/3 model is insufficient, and needs to cover FW/HW in more detail. :-) Proposed by various security researchers, with differing definitions. Negative rings are unofficial, not endorsed by Intel or UEFI Forum. Not just '1 CPU', but multiple processors beyond CPUs, TPM, IPMI, some work when powered-off. Physical hardware -vs- virtualization servers with virtual hardware and firmware. Ring 0 (Kernelspace), kernel mode, OS kernel/driversīut Ring 0 doesn't cover nuances of HW/FW: – Later BIOSs, with appropriate NICs, support PXE network boot, for diskless workstations. A collection of OEM/IHV hardware's Option ROMs (OpROMs), the undefined BIOS 'driver model'. Malware authors (and operating system vendors) are moving components into firmware Linux kernel, Installers, 'Pre-OS' tools (eg, GRUB2), and other FOSS code needs to work with firmware in a safe manner.Ī system firmware image (unable to traverse file systems) A non-file-based boot loader stored in first sector of MBR partition, that loads the boot loader/OS, which might be a contiguous file next to MBR, easy to get overwritten if multiple OSes used on system. Firmware-level attacks are invisible, if you are using the wrong tools, and/or aren't looking for them. For more advanced use, Python and C language skills are needed.īootkits are scarier than Rootkits. You can use: bash//cmd.exe shell(s) and write scripts for them. You know architectural fundamentals of: Intel hardware, IBM PC BIOS/OpROM firmware. You are a Linux system administrator, developer, or security researcher. Focus: UEFI Shell and commands, EDK-II developer toolchain, CHIPSEC, LUV, FWTS, BITS, LAVA, a few other EFI security tools. Emphasizing UEFI-based system, not focusing on Coreboot- or BIOS-based systems. What open source tools are available to for diagnosing Intel- and ARM-based Linux systems. Shell, Python, EDK-II/UDK/EADK, UEFI Apps, QEMU, MinnowBoard. Building Your Linux Firmware Security Toolkit Lee Fisher Bellingham.WA.US Last Revised: 22:18 Content licensed: CC by-SA 4.0
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |