UEFI Utility to Read TPM 2.0 PCRs

In a previous post, I discussed how to retrieve Platform Configuration Register (PCR) values from a discrete TPM (Trusted Platform Module) 1.2 chip (dTPM 1.2) and provided source code for a UEFI shell utility to display the digests from the first 16 PCRs. In this post, I discuss a number of key TPM 2.0 features and provide the source code for a UEFI shell utility to display the digests from the first 24 PCRs of a TPM 2.0 implementation. What is driving the move to TPM 2.0? Simple: TPM 1.2 (ISO/IEC 11889) only supports one hash algorithm, i.e. SHA1, and

Use 010 Editor to Obtain Header Fields From Intel Microcode Binary Files

In my last blog post, I used the well-known 010 text and hex editor (010 Editor) to examine both the documented and the undocumented header of individual Intel microcode binary blobs which I extracted from a Lenovo T450 firmware update file. I decided to see how easy or difficult it was to use the 010 Editor to output a single of header information for a group of Intel microcode blobs, i.e. all five binary blobs extracted from the Lenovo firmware update using UEFItool. This post describes my experience. Originally I hoped to be able to just write a simple 010

Examining Intel Microcode in Lenovo Firmware Updates

Recently, I decided to examine the contents of a Lenovo T450 firmware update before installing the firmware update and noticed that it included a number of Intel processor microcode updates. This blog post explores what information you can glean from these microcode updates and confirms the existence of an additional undocumented header in Intel microcode updates which was initially described by Chen and Ahn in their December 2014 paper Security Analysis of x86 Processor Microcode. Here are the contents of the latest firmware update (as of November 2016) for the Lenovo T450 laptop. It is a self-extracting executable named

RNG Protocol Error in Lenovo ThinkPad Firmware

The UEFI specification defines a Random Number Generator protocol (RNG), which can be used to provide random numbers for use in nonces, key generators, signature schemes and more. This protocol was first introduced in version 2.4 of the specification. A UEFI RNG service that implements this protocol takes an optional input value that identifies an RNG algorithm and provides an RNG value based on the input value and internal state, including the state of its entropy sources. When a Deterministic Random Bit Generator (DRBG) is used on the output of the raw entropy source, its security level must be at

Lenovo ThinkPwn POC Ported to UDK2015

The Lenovo ThinkPwn zeroday (0day) proof of concept (POC) that a UEFI application can write via SMM to SMRAM has been very widely and sensationally reported in computing news media, including SlashDot in the last week or so. The POC was developed by Dmytro Oleksiuk, an independent infosec researcher and developer, who once worked as a technician for Esage Lab and was one of the cofounders of Neuron, the first Moscow hackspace. Oleksiuk claims to be “currently engaged in the research of vulnerabilities and malware as a hobby.” His blog post on ThinkPwn is here and the actual POC source