BITS and CHIPSEC as coreboot payloads
0 likes230 views
The document discusses the validation of firmware quality using the Bits and Chipsec frameworks as payloads for coreboot. It highlights the challenges of insufficient validation in open source firmware and presents methodologies for testing various firmware components. The authors emphasize the importance of using established tools for effective firmware validation and suggest future steps for improving the process.
![[CHIPSEC] *************************** SUMMARY ***************************
[CHIPSEC] Time elapsed 2.762
[CHIPSEC] Modules total 17
[CHIPSEC] Modules failed to run 0:
[CHIPSEC] Modules passed 4:
[+] PASSED: chipsec.modules.common.spi_fdopss
[+] PASSED: chipsec.modules.common.bios_ts
[+] PASSED: chipsec.modules.common.bios_kbrd_buffer
[+] PASSED: chipsec.modules.common.smrr
[CHIPSEC] Modules information 0:
[CHIPSEC] Modules failed 5:
[-] FAILED: chipsec.modules.common.memlock
[-] FAILED: chipsec.modules.common.bios_wp
[-] FAILED: chipsec.modules.common.spi_access
[-] FAILED: chipsec.modules.common.spi_desc
[-] FAILED: chipsec.modules.common.spi_lock
[CHIPSEC] Modules with warnings 0:
[CHIPSEC] Modules not implemented 8:
[*] NOT IMPLEMENTED: chipsec.modules.common.ia32cfg
[*] NOT IMPLEMENTED: chipsec.modules.common.bios_smi
[*] NOT IMPLEMENTED: chipsec.modules.common.smm
[*] NOT IMPLEMENTED: chipsec.modules.common.rtclock
[*] NOT IMPLEMENTED: chipsec.modules.memconfig
[*] NOT IMPLEMENTED: chipsec.modules.remap
[*] NOT IMPLEMENTED: chipsec.modules.smm_dma
[*] NOT IMPLEMENTED: chipsec.modules.debugenabled
[CHIPSEC] Modules not applicable 0:
[CHIPSEC] *****************************************************************
Results
16 / 18
OSFC 2018
CC BY 4.0 | Piotr Król and Michał Żygowski](https://image.slidesharecdn.com/bitsandchipsecascorebootpayloads-180924093721/85/BITS-and-CHIPSEC-as-coreboot-payloads-16-320.jpg)
BITS and CHIPSEC as coreboot payloads
- 1. BITS and CHIPSEC as coreboot payloads OSFC 2018 Piotr Król and Michał Żygowski 1 / 18
- 2. Introduction Motivation BITS features CHIPSEC features Enabling BITS as payload Enabling CHIPSEC as payload BITS and CHIPSEC in action (demo) Summary Agenda 2 / 18 OSFC 2018 CC BY 4.0 | Piotr Król and Michał Żygowski
- 3. Piotr Król Michał Żygowski Founder & Embedded Systems Consultant Firmware Engineer michal.zygowski@3mdeb.com linkedin.com/in/michał-żygowski- 88954416b @pietrushnic piotr.krol@3mdeb.com linkedin.com/in/krolpiotr facebook.com/piotr.krol.756859 Introduction 3 / 18 OSFC 2018 CC BY 4.0 | Piotr Król and Michał Żygowski
- 4. How we validate quality of our firmware? Not enough validation in open source firmware Firmware security is about validation and formal development process BITS and CHIPSEC are recognized frameworks for quality checks Linux UEFI Validation (LUV), what about coreboot? Certification issues Motivation 4 / 18 OSFC 2018 CC BY 4.0 | Piotr Król and Michał Żygowski
- 5. OS is external firmware customer firmware is treated as part of hardware and should work out of the box OS may introduce another point of failures In following presentation we would like to present our achievements while using BITS and CHIPSEC as validation payloads for MinnowBoard Turbot. http://blog.qatestlab.com/wp-content/uploads/2011/02/validation.jpg Why we should avoid running tests in OS? 5 / 18 OSFC 2018 CC BY 4.0 | Piotr Król and Michał Żygowski
- 6. system tables ACPI SMBIOS MultiProcessor tables $PIR (PCI Interrupt Routing) table Runtime and Boot Services (Tianocore payload) any other structure that firmware present to OS hardware configuration SPI protection SMRAM protection other spectre mitigation presence vendor specific features (USB DCI, ME, PSP) What we should test? 6 / 18 OSFC 2018 CC BY 4.0 | Piotr Król and Michał Żygowski
- 7. BITS (BIOS Implementation Test Suite) consist of a GRUB2 bootloader extended with runtime Python support. Consist of Python scripts that validate: ACPI SMRR configuration SMI latency MP Table MSRs Typically it is run using bootable USB created using BITS ISO image Can be run through GRUB menu entries or using batch mode Results can be read directly on screen or saved to filesystem Extensibility: Python interpreter in GRUB2 BITS intro 7 / 18 OSFC 2018 CC BY 4.0 | Piotr Król and Michał Żygowski
- 8. BITS is quite big in size 45MB - not suitable for SPI flash was solved by utilizing only core (GRUB2+Python) Environment is not user friendly - each modification requires SPI reflashing network boot or using USB for development can solve that live Python usage Build system has real problems since it depends on obsolete libraries we used Docker container for compilation http://clipground.com/images/constraint-clipart-1.jpg Constraints 8 / 18 OSFC 2018 CC BY 4.0 | Piotr Król and Michał Żygowski
- 9. checks SPI and firmware protection verifies integrity of flash descriptor tests SMM, SMIs and SMM cache poisoning checks MSRs, SMRRs and memory configuration other various tools: NMI sending IOMMU check TPM, EC utility CMOS, PCI, SPD utility etc. CHIPSEC features 9 / 18 OSFC 2018 CC BY 4.0 | Piotr Król and Michał Żygowski
- 10. utilize GRUB from coreboot - already suitable for SPI flash re-add couple functions required by BITS grub_strcat disable support for software floating point arithmetics using compiler flags small fixes to printf arguments parsing port Python support for GRUB adjust build system hack BITS to correctly handle paths in SPI flash isdir hack enable serial output in toplevel config LZMA compression Enabling BITS as payload 10 / 18 OSFC 2018 CC BY 4.0 | Piotr Król and Michał Żygowski
- 11. add Python source code to BITS resolve dependency from Python standard library BITS has different needs than CHIPSEC add missing Python standard libraries (xml, JSON, subprocess, distutils...) Implement BITS OS helper Use some methods from BITS as backend for CHIPSEC calls Enabling CHIPSEC as payload 11 / 18 OSFC 2018 CC BY 4.0 | Piotr Król and Michał Żygowski
- 12. Initial size of USB image - 45MB Cutting off not needed pieces: 12.6MB UEFI support LZMA compression: 3.6MB Solving size issue 12 / 18 OSFC 2018 CC BY 4.0 | Piotr Król and Michał Żygowski
- 13. FMAP REGION: COREBOOT Name Offset Type Size Comp cbfs master header 0x0 cbfs header 32 none fallback/romstage 0x80 stage 31372 none cpu_microcode_blob.bin 0x7b80 microcode 104448 none fallback/ramstage 0x21400 stage 61533 none config 0x304c0 raw 669 none revision 0x307c0 raw 582 none cmos_layout.bin 0x30a40 cmos_layout 1208 none fallback/dsdt.aml 0x30f40 raw 12528 none fallback/payload 0x34080 simple elf 3643338 none <--- HERE (empty) 0x3ad8c0 null 74968 none fsp.bin 0x3bfdc0 fsp 229376 none (empty) 0x3f7e00 null 30936 none bootblock 0x3ff700 bootblock 1720 none BITS and CHIPSEC in CBFS 13 / 18 OSFC 2018 CC BY 4.0 | Piotr Król and Michał Żygowski
- 14. BITS and CHIPSEC in GRUB 14 / 18 OSFC 2018 CC BY 4.0 | Piotr Król and Michał Żygowski
- 15. BITS and CHIPSEC demo 15 / 18 OSFC 2018 CC BY 4.0 | Piotr Król and Michał Żygowski
- 16. [CHIPSEC] *************************** SUMMARY *************************** [CHIPSEC] Time elapsed 2.762 [CHIPSEC] Modules total 17 [CHIPSEC] Modules failed to run 0: [CHIPSEC] Modules passed 4: [+] PASSED: chipsec.modules.common.spi_fdopss [+] PASSED: chipsec.modules.common.bios_ts [+] PASSED: chipsec.modules.common.bios_kbrd_buffer [+] PASSED: chipsec.modules.common.smrr [CHIPSEC] Modules information 0: [CHIPSEC] Modules failed 5: [-] FAILED: chipsec.modules.common.memlock [-] FAILED: chipsec.modules.common.bios_wp [-] FAILED: chipsec.modules.common.spi_access [-] FAILED: chipsec.modules.common.spi_desc [-] FAILED: chipsec.modules.common.spi_lock [CHIPSEC] Modules with warnings 0: [CHIPSEC] Modules not implemented 8: [*] NOT IMPLEMENTED: chipsec.modules.common.ia32cfg [*] NOT IMPLEMENTED: chipsec.modules.common.bios_smi [*] NOT IMPLEMENTED: chipsec.modules.common.smm [*] NOT IMPLEMENTED: chipsec.modules.common.rtclock [*] NOT IMPLEMENTED: chipsec.modules.memconfig [*] NOT IMPLEMENTED: chipsec.modules.remap [*] NOT IMPLEMENTED: chipsec.modules.smm_dma [*] NOT IMPLEMENTED: chipsec.modules.debugenabled [CHIPSEC] Modules not applicable 0: [CHIPSEC] ***************************************************************** Results 16 / 18 OSFC 2018 CC BY 4.0 | Piotr Król and Michał Żygowski
- 17. Bare metal (Micro)Python support is important for firmware validation There is not enough validation in firmware We should utilize existing tools that were proved in industry Further steps Mainlining process Consider BITS and CHIPSEC port to MicroPython Fix platform bugs and misconfiguration Summary 17 / 18 OSFC 2018 CC BY 4.0 | Piotr Król and Michał Żygowski
- 18. Q&A 18 / 18 OSFC 2018 CC BY 4.0 | Piotr Król and Michał Żygowski