Ecosyste.ms: Awesome


awesome-firmware-security

Awesome Firmware Security & Other Helpful Documents
https://github.com/PreOS-Security/awesome-firmware-security


  • Technologies and Terminology

    • Heads - Heads is a platform boot firmware payload that includes a minimal Linux that runs as a coreboot or LinuxBoot ROM payload to provide a secure, flexible boot environment.
    • OpenBMC - The OpenBMC project is a Linux distribution for embedded devices that have a BMC.
    • LAVA - LAVA is an automated validation architecture primarily aimed at testing deployments of systems based around the Linux kernel on ARM devices, specifically ARMv7 and later.
    • ACPI - ACPI is a platform firmware technology, originally intended to replace Plug and Play, MP, and Advanced Power Management. The UEFI Forum owns the spec and maintains an awesome list of ACPI-related documents.
    • ARC - ARC (Advanced RISC Computing) is a platform firmware specification used by early non-Intel Windows NT systems (MIPS, Alpha, PowerPC). The design of ARC was influential on UEFI: boot loaders stored on a filesystem partition, pointed to by firmware variables.
    • SeaBIOS - The primary open source BIOS implementation.
    • coreboot - coreboot is a platform firmware technology, originally called LinuxBIOS. It loads payloads such as SeaBIOS, UEFI, among others. Widely used in embedded systems. Coreboot is used by Google on ChromeOS systems, using coreboot Verified Boot for additional security.
    • Direct Memory Access - DMA allows hardware subsystems, most notably PCIe devices, to read and write main system RAM independently of the central processing unit (CPU). Attackable by rogue hardware such as [PCILeech](https://github.com/ufrisk/pcileech/). The primary protection is [IOMMU](https://en.wikipedia.org/wiki/Input%E2%80%93output_memory_management_unit) hardware, which only helps if the platform firmware and operating system enable and configure it, including for devices attached before the OS boots.
    • AMI - American Megatrends Inc., an Independent BIOS Vendor (IBV).
    • Insyde - Insyde Software, an Independent BIOS Vendor (IBV).
    • Phoenix - Phoenix Technologies, an Independent BIOS Vendor (IBV).
    • Intel Boot Guard - Intel Boot Guard is a firmware security technology that verifies the initial boot block of the platform firmware before UEFI Secure Boot takes place, anchored in a hash of the OEM's public key fused into the chipset at manufacturing. Once Boot Guard is enabled in the fuses it cannot be disabled, so it prevents the installation of replacement firmware such as coreboot unless the OEM signs it.
    • JTAG - JTAG is a hardware debug interface to chips that allows access to the firmware and to processor state. It is used by firmware engineers during development, and by Evil Maid attackers when the vendor leaves the JTAG interface enabled in consumer devices.
    • LinuxBoot - LinuxBoot is a platform firmware boot technology that replaces specific firmware functionality like the UEFI DXE phase with a Linux kernel and runtime.
    • Management Mode - Management Mode (MM) is the term used by the UEFI PI specification to cover both Intel/AMD SMM and the ARM TrustZone secure world: a privileged execution mode of the CPU that the operating system cannot inspect or control.
    • AMD PSP - The AMD PSP (Platform Security Processor) is a security processor on AMD systems, which runs firmware applications such as fTPM.
    • Baseboard Management Controller - A BMC is a dedicated microcontroller on server boards that runs out-of-band management firmware (IPMI, Redfish) on its own network interface, with access to the host's power control, sensors, console and often its firmware flash. A compromised BMC therefore compromises the host.
    • DASH - DMTF DASH is an out-of-band firmware management specification for desktops. [Intel AMT](https://software.intel.com/en-us/articles/developing-for-intel-active-management-technology-amt) is a compliant implementation of DASH, as is AMD SIMFIRE.
    • Intel ME - Intel ME is a management and security processor on Intel systems, which runs Intel Active Management Technology (AMT), Advanced Fan Speed Control, Boot Guard & Secure Boot, Serial over LAN and a firmware-based TPM (fTPM). ME 11 and later run a variant of MINIX.
    • IPMI - IPMI is a platform firmware management technology, typically on Intel or AMD server systems, implemented by the BMC, which often runs an embedded Linux. While widely used, the modern replacement for IPMI is [Redfish](http://dmtf.org/standards/redfish/).
    • Redfish - DMTF Redfish is an out-of-band firmware management technology, a RESTful HTTPS/JSON API replacing [IPMI](https://www.intel.com/content/www/us/en/servers/ipmi/ipmi-home.html).
    • SMASH - DMTF SMASH is an out-of-band firmware management specification for servers, similar to DASH.
    • Measured Boot - A boot model defined by the TCG in which each boot stage hashes the next component into TPM Platform Configuration Registers (PCRs) and an event log before handing over control, so the final PCR values can be used to seal secrets or for remote attestation. Unlike Secure Boot it does not block a modified component; it records it, so the modification can be detected afterwards.
    • Microcode - Microcode is a form of firmware for the CPU. Systems need microcode updates just like they need platform firmware updates, and OS updates.
    • Original Equipment Manufacturer - An OEM builds and sells original hardware.
    • Original Design Manufacturer - An ODM builds hardware and sells them to OEMs.
    • Operating System Vendor - An OSV is an Operating System Vendor. OSVs own the OS side of firmware/OS interactions, such as UEFI runtime services, ACPI and firmware update delivery.
    • Option ROM - An Option ROM, aka an Expansion ROM, aka OpROM, aka XROM, is the firmware 'blob' on a PCI/PCIe device. The term dates from the BIOS era, when a card would hook the BIOS platform firmware to add functionality for the new card. An Option ROM is a BIOS or UEFI driver stored in the card's flash. A card may need several driver images, one per combination of platform firmware type and CPU architecture (a legacy BIOS image, which is 16-bit x86 code, plus UEFI images for x86_64, AArch64, etc.); the images are chained one after another in the ROM and the platform firmware picks the one it can run. Legacy BIOS images run unverified, while UEFI Secure Boot checks UEFI images against db/dbx before executing them. Option ROMs do not account for all of the firmware on such a device: the operating firmware for the device function, such as RAID or TCP offloading, is usually entirely separate.
    • PCIe - PCIe is the expansion bus for add-in cards in PCs and servers. PCIe devices carry Option ROMs of firmware. The device may have its own processor and firmware that are invisible to the host, so it is difficult to fully trust PCIe hardware (see Direct Memory Access).
    • Secure Boot - Secure Boot is a term often associated with UEFI Secure Boot, an optional security feature of UEFI that helps secure the boot process. It does not require a TPM. Besides UEFI, other firmware technologies also use the term Secure Boot, sometimes in lower case. The Apple EFI-based Secure Boot implementation is not the same as the Secure Boot technology used by Windows/Linux systems.
    • SMM - System Management Mode (SMM) is a processor mode in Intel and AMD systems, separate from Real Mode and the various Protected Modes, that gives full control of the processor. SMM-hosted code, including malware, is invisible to normal Protected Mode code such as the OS kernel.
    • SPI - SPI (Serial Peripheral Interface) is the bus that connects the flash chip holding the platform firmware to the chipset. With an external programmer clipped to the chip it gives direct read/write access to the firmware. Vendors use it during development, and attackers use it when flash write protection is left disabled in shipped products.
    • Trusted Execution Environment - also known as a Secure Execution Environment (SEE). An isolated execution environment, enforced by hardware or a hypervisor, that runs security-critical code separately from the normal operating system. ARM TrustZone is an example of an SEE.
    • Thunderbolt - an external peripheral hardware interface developed by Intel and Apple. Combines [PCIe](https://pcisig.com/), DisplayPort and DC power, so a Thunderbolt port exposes the host to PCIe DMA attacks unless an IOMMU is enforced.
    • Tianocore - Tianocore is the home to the UEFI Forum's open source implementation. Vendors use this code, along with closed-source drivers and value-added code.
    • TrustZone - TrustZone (TZ) is a firmware security technology used on ARM systems, a form of TEE/SEE, called Management Mode by UEFI.
    • Trusted Boot - Trusted Boot is a firmware security technology from the Trusted Computing Group, which uses TPMs to help secure the boot process.
    • UEFI DBX - The UEFI DBX is the Secure Boot forbidden signatures database: a list of SHA-256 image hashes and X.509 certificates that the firmware must refuse to boot, including revoked or compromised keys. The UEFI Forum publishes DBX updates, and Windows Update and LVFS/fwupd can apply them; otherwise check your vendor documentation to see how your system's vendor tools obtain and apply it, and if the vendor has no tools, ask them to provide them.
    • UEFI Forum - The UEFI Forum is an industry trade group that controls the UEFI and ACPI specifications, the UEFI SCT tests, and provides the Tianocore open source UEFI implementation.
    • USB - Universal Serial Bus (USB) is an industry standard for external peripheral devices. A single USB device can enumerate as several device classes, and rogue USB hardware like Hak5's [Rubber Ducky](https://hakshop.com/products/usb-rubber-ducky-deluxe), which presents itself as a keyboard and injects keystrokes, can trick naive operating systems.
    • ChromeOS Verified Boot - ChromiumOS and ChromeOS version of Verified Boot.
    • Trusted Computing Group - Trusted Computing Group (TCG) is an industry trade group that controls the TPM and related specifications.
    • Android Verified Boot - Android version of Verified Boot
    • ACPICA - The ACPI Component Architecture Project (ACPICA) provides a reference implementation, and a collection of cross-platform ACPI tools, such as acpidump.
    • NIST - a standards-setting body for the US government. Has published several security guidance documents for firmware design and operations, listed under [Documentation, Books and Training](#documentation-books-and-training).
    • Independent BIOS Vendor - An Independent BIOS Vendor (IBV) provides an integrated firmware solution to OEMs/ODMs. With UEFI replacing BIOS, some IBVs now refer to themselves as IFVs, Independent Firmware Vendors. Some OEMs will outsource their consumer-class device firmware to IBVs, and do their own firmware for their business-class devices. Examples include AMI, Insyde and Phoenix.
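
The Option ROM entry above describes a chain of per-architecture driver images with a PCI Data Structure ("PCIR") describing each one. The following parser is an added example written for this page; it is not code from the awesome list or from any tool it links. It walks the image chain of a PCI/PCIe expansion ROM using the public layout of the 0x55AA ROM header, the PCIR structure (PCI Firmware Specification) and the EFI_PCI_EXPANSION_ROM_HEADER (UEFI specification), and reports what each image is. The two-image sample ROM, its vendor/device IDs and its class code are constructed test data, not a real card's firmware.

```python
import struct

ROM_SIGNATURE = 0xAA55        # bytes 0x55 0xAA at the start of every image
EFI_ROM_SIGNATURE = 0x0EF1    # EFI_PCI_EXPANSION_ROM_HEADER.EfiSignature
PCIR_SIGNATURE = b"PCIR"

CODE_TYPES = {0: "x86 legacy BIOS", 1: "Open Firmware", 2: "HP PA-RISC", 3: "UEFI"}
EFI_MACHINES = {0x014C: "IA32", 0x8664: "x64", 0x01C2: "ARM", 0xAA64: "AArch64", 0x0EBC: "EBC"}
EFI_SUBSYSTEMS = {0x0A: "APPLICATION", 0x0B: "BOOT_SERVICE_DRIVER", 0x0C: "RUNTIME_DRIVER"}


def parse_option_rom(blob):
    """Walk the image chain of a PCI/PCIe expansion ROM and describe each image."""
    images = []
    off = 0
    while True:
        if off + 0x1A > len(blob):
            raise ValueError(f"truncated ROM header at {off:#x}")
        (sig,) = struct.unpack_from("<H", blob, off)
        if sig != ROM_SIGNATURE:
            raise ValueError(f"missing 0x55AA signature at {off:#x}")
        (pcir_off,) = struct.unpack_from("<H", blob, off + 0x18)   # PcirOffset, same place in both header types
        pcir = off + pcir_off
        if blob[pcir:pcir + 4] != PCIR_SIGNATURE:
            raise ValueError(f"missing PCIR structure for image at {off:#x}")
        vendor, device = struct.unpack_from("<HH", blob, pcir + 4)
        class_code = int.from_bytes(blob[pcir + 0xD:pcir + 0x10], "little")  # base class in the high byte
        (img_units,) = struct.unpack_from("<H", blob, pcir + 0x10)           # image length in 512-byte units
        code_type = blob[pcir + 0x14]
        indicator = blob[pcir + 0x15]                                        # bit 7: last image in the chain
        info = {
            "offset": off,
            "vendor_id": vendor,
            "device_id": device,
            "class_code": class_code,
            "size": img_units * 512,
            "code_type": CODE_TYPES.get(code_type, f"unknown({code_type})"),
            "last": bool(indicator & 0x80),
        }
        if code_type == 3:
            # UEFI images carry an extra header right after the 0x55AA signature and size.
            efi_sig, subsystem, machine, compression = struct.unpack_from("<IHHH", blob, off + 4)
            if efi_sig != EFI_ROM_SIGNATURE:
                raise ValueError(f"UEFI image at {off:#x} lacks the 0x0EF1 EFI signature")
            info["efi_machine"] = EFI_MACHINES.get(machine, f"unknown({machine:#x})")
            info["efi_subsystem"] = EFI_SUBSYSTEMS.get(subsystem, f"unknown({subsystem:#x})")
            info["efi_compressed"] = compression == 1
        images.append(info)
        if info["last"]:
            return images
        if img_units == 0:
            raise ValueError(f"zero-length image at {off:#x} would loop forever")
        off += img_units * 512


def _build_image(vendor, device, code_type, last, efi=None):
    """Constructed 512-byte test image; a real ROM carries driver code after these headers."""
    img = bytearray(512)
    struct.pack_into("<H", img, 0, ROM_SIGNATURE)
    img[2] = 1                                   # size in 512-byte units (legacy byte / EFI UINT16 low byte)
    if efi is not None:
        machine, subsystem = efi
        struct.pack_into("<IHHH", img, 4, EFI_ROM_SIGNATURE, subsystem, machine, 0)
        struct.pack_into("<H", img, 0x16, 0x40)  # EfiImageHeaderOffset: where the PE image would start
    pcir = 0x20
    struct.pack_into("<H", img, 0x18, pcir)
    img[pcir:pcir + 4] = PCIR_SIGNATURE
    struct.pack_into("<HH", img, pcir + 4, vendor, device)
    struct.pack_into("<H", img, pcir + 0xA, 0x1C)                 # PCIR length for revision 3
    img[pcir + 0xC] = 3
    img[pcir + 0xD:pcir + 0x10] = bytes([0x00, 0x00, 0x02])      # class 0x020000: Ethernet controller
    struct.pack_into("<H", img, pcir + 0x10, 1)                  # image length: one 512-byte unit
    img[pcir + 0x14] = code_type
    img[pcir + 0x15] = 0x80 if last else 0x00
    return bytes(img)


# Constructed two-image ROM: a legacy x86 image followed by a UEFI x64 driver (the IDs are made up).
SAMPLE_ROM = (
    _build_image(0x1234, 0x5678, 0, last=False)
    + _build_image(0x1234, 0x5678, 3, last=True, efi=(0x8664, 0x0B))
)

if __name__ == "__main__":
    for image in parse_option_rom(SAMPLE_ROM):
        print(image)
```

On Linux a card's ROM can be read by writing `1` to `/sys/bus/pci/devices/<bdf>/rom` and then reading that file; feeding the bytes to `parse_option_rom` shows which images the card offers. The split matters for Secure Boot: the legacy image is only reachable through a CSM and is never signature-checked, while the UEFI image is verified against db/dbx before it runs.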
  • Threats

    • ThinkPwn - ThinkPwn is a UEFI exploit PoC (an SMM privilege escalation) that originally targeted ThinkPad systems. The ThinkPwn binary is one of the few known public UEFI malware samples blacklisted by CHIPSEC. Thinkpwn.efi is included in FPMurphy's UEFI Utilities, one malicious binary amongst other useful tools; be careful if using those tools.
    • BadBIOS - BadBIOS is the alleged firmware malware reported by Dragos Ruiu in 2013.
    • Evil Maid Attack - The Evil Maid attack is perhaps the most well-known firmware attack: the victim leaves their system unattended and an attacker has some period of time with physical access to the system, enough to install firmware-level malware. For example, a person leaves their laptop in their hotel room while out for dinner, and the attacker is posing as hotel room service.
    • Hacking Team UEFI Malware - Hacking Team is a company that sells exploits and intrusion software to governments and others. Amongst their offerings is a UEFI-based firmware implant for Windows PCs. The Hacking Team implant is one of the few known public UEFI malware samples blacklisted by [CHIPSEC](https://github.com/chipsec/chipsec).
    • Fish2 IPMI Security - a compilation of information about poor and/or insecure IPMI implementations.
    • Rowhammer - Rowhammer is a class of attacks that flips bits in DRAM by repeatedly accessing neighbouring rows, which can be used to corrupt page tables or other security-critical data. ECC memory and Target Row Refresh (TRR) in newer DRAM raise the bar but do not fully eliminate it.
    • USB Rubber Ducky - a Rubber Ducky is an example of rogue USB hardware: it enumerates as a keyboard and replays a scripted sequence of keystrokes, and the same approach lets an attacker-configured device pose as any number of device classes to trick naive operating systems.
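
Measured Boot (in the terminology section above) is what turns an Evil Maid firmware swap from invisible into detectable. The simulation below is an added example written for this page, not code from the awesome list or from any TPM vendor; it implements the TPM 2.0 PCR extend rule, PCR_new = SHA-256(PCR_old || digest), in software, measures a constructed three-stage boot chain into one PCR with an event log, and shows what a verifier checks. The stage images, the "golden" values and the tampered boot loader are all constructed inputs; a real system spreads measurements over several PCRs (PCR0 for firmware code, PCR7 for Secure Boot state, and so on) and the quote is signed by the TPM.

```python
import hashlib
import hmac

PCR_SIZE = 32  # SHA-256 PCR bank


def pcr_extend(pcr, digest):
    """TPM 2.0 extend rule: PCR_new = H(PCR_old || digest). A PCR cannot be set or rolled back."""
    return hashlib.sha256(pcr + digest).digest()


def measure_chain(stages):
    """Each stage hashes the next component into the PCR and appends an event-log entry
    before transferring control to it. Returns the final PCR value and the log."""
    pcr = bytes(PCR_SIZE)            # PCRs are all zeros after reset
    log = []
    for name, blob in stages:
        digest = hashlib.sha256(blob).digest()
        pcr = pcr_extend(pcr, digest)
        log.append((name, digest))
    return pcr, log


def replay_log(log):
    """Recompute the PCR from the event log alone; a verifier does this to check the log is consistent."""
    pcr = bytes(PCR_SIZE)
    for _, digest in log:
        pcr = pcr_extend(pcr, digest)
    return pcr


def attest(pcr, log, golden_log):
    """What a remote verifier or a local sealing policy checks: the log replays to the quoted PCR,
    and the PCR equals the known-good value. Returns (ok, reason) where reason names the first
    stage whose measurement differs from the golden log."""
    if not hmac.compare_digest(replay_log(log), pcr):
        return False, "event log does not replay to the quoted PCR"
    if hmac.compare_digest(pcr, replay_log(golden_log)):
        return True, None
    for (name, digest), (_, golden_digest) in zip(log, golden_log):
        if digest != golden_digest:
            return False, name
    return False, "log length differs from golden log"


# Constructed boot chain; on a real machine these would be the flash boot block, DXE volume
# and the boot loader PE image.
GOLDEN_STAGES = [
    ("boot block", b"constructed: vendor boot block v1.2"),
    ("DXE core", b"constructed: DXE core image"),
    ("boot loader", b"constructed: shim + GRUB"),
]
# The Evil Maid replaces the boot loader while the laptop is unattended.
TAMPERED_STAGES = GOLDEN_STAGES[:2] + [("boot loader", b"constructed: bootkit")]

if __name__ == "__main__":
    golden_pcr, golden_log = measure_chain(GOLDEN_STAGES)
    bad_pcr, bad_log = measure_chain(TAMPERED_STAGES)
    print("clean boot:   ", attest(golden_pcr, golden_log, golden_log))
    print("tampered boot:", attest(bad_pcr, bad_log, golden_log))
    # Forging the log back to the golden entries does not help: it no longer replays to the PCR.
    print("forged log:   ", attest(bad_pcr, golden_log, golden_log))
```

The point a practitioner should take from the third case is that the PCR, not the log, is the root of trust: the attacker controls the boot loader and could rewrite the event log, but cannot produce a PCR value that replays from a clean log without the original boot loader bytes. This is why disk-encryption keys are sealed to PCR values rather than to the log.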
  • Tools

    • Open Source

      • Eclipse UEFI EDK2 Wizards Plugin - This Eclipse plugin helps EDK2 developers use the Eclipse IDE with CDT for doing UEFI development.
      • Firmadyne - Firmadyne is an automated and scalable system for performing emulation and dynamic analysis of Linux-based embedded firmware.
      • Linux Shim - Shim is a small UEFI boot loader, signed by Microsoft's UEFI CA, that loads a second boot loader (typically GRUB) signed with the distribution's own key, so a distribution can boot under UEFI Secure Boot without Microsoft signing every build. There are multiple forks of Shim in the wild.
      • CHIPSEC - CHIPSEC is a platform security assessment framework created by Intel to test the security configuration of BIOS/UEFI firmware and the hardware it runs on (flash write protection, SMRAM locks, Secure Boot variable protection and more). When this list was written it was the only tool that checked for multiple public firmware security vulnerabilities.
      • Pawn - Google Pawn is a Linux-centric online firmware tool that dumps the platform firmware image to a file, for later offline analysis.
      • RU.EFI - RU.EFI is a third-party freeware firmware tool that has multiple features. It works as a MS-DOS or UEFI Shell utility.
      • Sandsifter - Sandsifter is an x86 processor fuzzer that enumerates instruction encodings to find undocumented instructions and disassembler bugs.
      • TXT Suite - The Intel TXT validation suite tests whether the platform supports Intel TXT and FIT and checks if the TPM boot chain has been configured correctly.
      • UEFI Utilities - UEFI Utilities is a collection of UEFI Shell utilities that provide system diagnostic information. (It also includes a copy of ThinkPwn.efi, be careful.)
      • UEFI Firmware Parser - UEFI Firmware Parser examines firmware 'blobs', mainly UEFI ones.
      • UEFITool - UEFITool is a GUI program that parses firmware 'blobs', mainly UEFI ones. In addition to the UEFITool Qt GUI tool, the UEFITool source project also includes a handful of non-GUI command line tools, including UEFIDump. UEFITool has two source trees to be aware of, master and new-engine.
      • Visual UEFI - Visual UEFI is a plugin for Visual Studio that lets Visual Studio users do UEFI EDK2 development without having to know the details of the EDK2 build process, which is not like the Visual Studio build process.
      • zenfish IPMI tools - IPMI security testing tools by Dan Farmer of [SATAN](http://www.fish2.com/satan/) fame.
      • BIOS Implementation Test Suite - The Intel BIOS Implementation Test Suite (BITS) provides a bootable pre-OS environment for testing BIOSes and in particular their initialization of Intel processors, hardware, and technologies. It includes a CPython compiled as a raw BIOS application.
      • DarwinDumper - DarwinDumper is an open source project which is a collection of scripts and tools to provide a convenient method to quickly gather a system overview of your OS X System.
      • Firmware.re - Firmware.RE is a free service that unpacks, scans and analyzes almost any firmware package and facilitates the quick detection of vulnerabilities, backdoors and all kinds of embedded malware.
      • GRUB - GRUB is a Multiboot boot loader. It compiles as a BIOS or a UEFI application.
      • Fedora Guide to UEFI Secure Boot Shim
      • Linux Stub - The Linux kernel can be built (CONFIG_EFI_STUB) so that the same kernel image is both a BIOS bzImage and a UEFI application, booting without a separate boot loader.
      • Firmware Test Suite - FirmWare Test Suite (FWTS) is a collection of firmware tests created by [Canonical](https://canonical.com), the [Ubuntu](https://ubuntu.com) Linux OSV, to help test a system for defects that will cause [Ubuntu](https://ubuntu.com) problems. FWTS is a suite of dozens of tests, for multiple technologies. The UEFI Forum recommends FWTS as the main ACPI test resource. FWTS is a command line tool for Linux, and includes an optional CURSES UI, and an optional FWTS-live live-boot distribution. FWTS is included in Intel's LUV Linux distribution.
      • Golden Image - A golden image is the vendor's original binaries for the firmware. The term is also used for OS images. Better vendors provide images and tools to reset used hardware/grey market acquisitions to a known state. Before trusting any downloaded binary, such as a golden image, compare it against a hash or signature the vendor publishes over a separate channel; most vendors do not provide one.
      • Linux Vendor Firmware Services - aka: LVFS or fwupd, a firmware update service for Linux OEMs. AWESOMELY provides a standardized system. OEMs that use this are taking Linux compatibility and security seriously. On Microsoft Windows, a similar approach works through Windows Update.
      • Microsoft Windows Update - surprise - Windows Update is awesome! In addition to doing OS software-level updates, Windows Update can do firmware updates via standardized capsules. These updates must be verified by the firmware / hardware vendor, and can be EV signed.
      • PhoenixTool - PhoenixTool is a third-party freeware tool to manipulate (U)EFI and a few legacy BIOS firmware blobs.
      • rEFInd - rEFInd is the successor to rEFIt, a UEFI boot loader that lets you select multiple operating systems.
      • RWEverything - RWEverything (RWE) is a third-party freeware firmware tool that has multiple features. The tool works on Windows. CHIPSEC can use the RWE kernel driver when its own Windows kernel driver is not loaded.
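
Shim, GRUB and rEFInd above are exactly the kind of signed UEFI binaries that end up in the UEFI DBX (see the terminology section) once a vulnerable build is revoked. The parser below is an added example written for this page, not code from the awesome list or from any of the tools it links; it decodes the EFI_SIGNATURE_LIST structures that make up the raw db/dbx variable contents (layout from the UEFI specification, signature-type GUIDs EFI_CERT_SHA256_GUID and EFI_CERT_X509_GUID) and checks whether a given image digest is forbidden. The sample DBX, its owner GUID and the "revoked" image bytes are constructed; the X.509 entry is a placeholder byte string, not a real certificate.

```python
import hashlib
import struct
import uuid

EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
HEADER_LEN = 28   # EFI_GUID SignatureType + UINT32 SignatureListSize, SignatureHeaderSize, SignatureSize


def parse_signature_lists(blob):
    """Parse a concatenation of EFI_SIGNATURE_LIST structures (the raw contents of db or dbx).
    Returns [(signature_type_guid, [(owner_guid, signature_data), ...]), ...]."""
    lists = []
    off = 0
    while off < len(blob):
        if len(blob) - off < HEADER_LEN:
            raise ValueError(f"truncated EFI_SIGNATURE_LIST header at {off:#x}")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        end = off + list_size
        if list_size < HEADER_LEN + hdr_size or end > len(blob) or sig_size <= 16:
            raise ValueError(f"malformed EFI_SIGNATURE_LIST at {off:#x}")
        entries = []
        p = off + HEADER_LEN + hdr_size           # skip the optional SignatureHeader
        while p + sig_size <= end:
            owner = uuid.UUID(bytes_le=blob[p:p + 16])   # EFI_SIGNATURE_DATA.SignatureOwner
            entries.append((owner, blob[p + 16:p + sig_size]))
            p += sig_size
        lists.append((sig_type, entries))
        off = end
    return lists


def forbidden_hashes(dbx_blob):
    """All SHA-256 digests listed in the DBX (X.509 entries need a certificate-chain check instead)."""
    return {data for sig_type, entries in parse_signature_lists(dbx_blob)
            if sig_type == EFI_CERT_SHA256_GUID for _, data in entries}


def is_revoked(dbx_blob, image_digest):
    """True if the digest is on the forbidden list. For a real PE/COFF boot loader the digest to
    check is the Authenticode hash (as computed by sbsigntool or pesign), not a plain file hash."""
    return image_digest in forbidden_hashes(dbx_blob)


def build_signature_list(sig_type, owner, entries):
    """Inverse of the parser; used here only to construct test data."""
    sig_size = 16 + len(entries[0])
    body = b"".join(owner.bytes_le + e for e in entries)
    return sig_type.bytes_le + struct.pack("<III", HEADER_LEN + len(body), 0, sig_size) + body


def load_efivar(path):
    """Read a variable from efivarfs, e.g. /sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f.
    efivarfs prefixes the data with a 4-byte attributes word that must be dropped."""
    with open(path, "rb") as f:
        return f.read()[4:]


# Constructed data: an owner GUID, a "revoked" boot loader build, and a DBX holding one SHA-256
# list with two hashes followed by one X.509 list with a placeholder certificate.
OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")
REVOKED_IMAGE = b"constructed: vulnerable boot loader build"
FINE_IMAGE = b"constructed: current boot loader build"
REVOKED_DIGEST = hashlib.sha256(REVOKED_IMAGE).digest()
FINE_DIGEST = hashlib.sha256(FINE_IMAGE).digest()
SAMPLE_DBX = build_signature_list(
    EFI_CERT_SHA256_GUID, OWNER,
    [REVOKED_DIGEST, hashlib.sha256(b"constructed: another revoked image").digest()],
) + build_signature_list(EFI_CERT_X509_GUID, OWNER, [b"\x30\x82constructed-DER-placeholder"])

if __name__ == "__main__":
    for sig_type, entries in parse_signature_lists(SAMPLE_DBX):
        print(sig_type, len(entries), "entries")
    print("revoked build forbidden:", is_revoked(SAMPLE_DBX, REVOKED_DIGEST))
    print("current build forbidden:", is_revoked(SAMPLE_DBX, FINE_DIGEST))
```

To check a real system, pass `load_efivar(...)` of the dbx variable to `parse_signature_lists` and compare the count of SHA-256 entries against the current UEFI Forum revocation list; a DBX with only a handful of entries on a machine that has received years of updates means the revocation updates are not being applied.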
  • Documentation, Books and Training

    • Closed Source

      • Linux Foundation Workstation Security Policy - The Linux Foundation has a collection of IT Policies, for Linux systems, it includes some firmware security guidance.
      • Darkreading Firmware Security Tips - This article, which has input from the Intel CHIPSEC team, gives basic high-level guidance for firmware security. Start with this, before digging into the NIST documents.
      • Firmware Security Twitter List - Jacob Torrey hosts this list on Twitter, which contains many of the core firmware security researchers.
      • Hardware Security Training - The Hardware Security Training company is a collection of multiple hardware/firmware security trainers.
      • Intel Security Training - training from the CHIPSEC team at Intel Advanced Threat Research (ATR) team of Intel Security. The documents are an AWESOME source of information about Intel hardware/firmware security threats, focusing on UEFI and related technologies.
      • IPMI Security Best Practices - best practices for IPMI security from Dan Farmer. In need of an update. Most would apply to Redfish, or any OOB management technology.
      • Linux on UEFI - Roderick W. Smith's online book with information on UEFI and Linux, showing how to use multiple boot loaders.
      • Low Level PC Attack Papers - an awesome timeline of hardware/firmware security research.
      • SP 800-147 - BIOS Protection Guidelines (2011); an older document, aimed primarily at client BIOS.
      • SP 800-147B - BIOS Protection Guidelines for Servers (2014); an addition to [SP 800-147](https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-147.pdf) specifically for servers.
      • SP 800-155 - BIOS Integrity Measurement Guidelines; note this standard is still in draft status, but it is still quite usable.
      • SP 800-193 - Platform Firmware Resiliency Guidelines, published in final form in May 2018; the most modern of all the documents, covering protection, detection and recovery of platform firmware. Start reading here.
      • NSA Common Criteria for PC BIOS Protection - A 2013 Common Criteria Protection Profile (PP) for PC client firmware. It addresses the primary threat that an adversary will modify or replace the BIOS on a PC client device and so compromise the PC client environment in a persistent way. There aren't any firmware solutions that meet this profile, but reading the threat model is useful background.
      • One-Stop Shop for UEFI Links - One-Stop Shop for UEFI/BIOS Specifications/Tools Maintained by UEFI.Tech Community
      • Rootkits and Bootkits - At the time of writing the only book devoted to firmware security, written by firmware security experts (Alex Matrosov, Eugene Rodionov and Sergey Bratus).