def check_blacklist(self):
    """Search the firmware image for EFI binaries that match the block-list.

    Logs each block-list entry (its key and, when present, its description),
    builds the EFI tree from ``self.image`` and searches it with
    ``self.blacklist_callback``.

    Returns:
        ModuleResult.WARNING when the search returns at least one module,
        ModuleResult.PASSED otherwise. A match is reported as a warning,
        not a failure.
    """
    self.logger.log(
        "[*] searching for EFI binaries that match criteria from '%s':" % self.cfg_name
    )
    for name, entry in self.efi_blacklist.items():
        if 'description' in entry:
            description = entry['description']
        else:
            description = ''
        self.logger.log(" %-16s - %s" % (name, description))

    # Parse the UEFI firmware image and look for EFI modules matching the
    # block-list.
    tree = spi_uefi.build_efi_model(self.uefi, self.image, None)
    # Scan scope: executable sections only. The author left a wider
    # SECTION_EXE | FILE mask disabled, so a clean result says nothing
    # about content outside executable sections.
    scan_mask = spi_uefi.EFIModuleType.SECTION_EXE
    hits = spi_uefi.search_efi_tree(tree, self.blacklist_callback, scan_mask)

    self.logger.log('')
    if len(hits) == 0:
        self.logger.log_passed_check("Didn't find any black-listed EFI binary")
        return ModuleResult.PASSED
    self.logger.log_warn_check("Black-listed EFI binary found in the UEFI firmware image")
    return ModuleResult.WARNING
def check_blacklist(self):
    """Search the firmware image for EFI binaries that match the block-list.

    Every block-list entry is logged first (key plus optional description);
    the EFI tree built from ``self.image`` is then searched with
    ``self.blacklist_callback``.

    Returns:
        ModuleResult.WARNING if the search returned any module, otherwise
        ModuleResult.PASSED. A hit is a warning, not a hard failure.
    """
    banner = "[*] searching for EFI binaries that match criteria from '{}':".format(
        self.cfg_name)
    self.logger.log(banner)

    for key, entry in self.efi_blacklist.items():
        if 'description' in entry:
            text = entry['description']
        else:
            text = ''
        self.logger.log(" {:16} - {}".format(key, text))

    # Parse the UEFI firmware image and look for EFI modules matching the
    # block-list.
    model = build_efi_model(self.uefi, self.image, None)
    # Only executable sections are searched; the wider SECTION_EXE | FILE
    # mask is disabled in the original, so whole-file matches are out of
    # scope for this check.
    wanted = EFIModuleType.SECTION_EXE
    matches = search_efi_tree(model, self.blacklist_callback, wanted)

    self.logger.log('')
    if len(matches) == 0:
        self.logger.log_passed_check(
            "Didn't find any black-listed EFI binary")
        return ModuleResult.PASSED
    self.logger.log_warn_check(
        "Black-listed EFI binary found in the UEFI firmware image")
    return ModuleResult.WARNING
def check_whitelist(self, json_pth):
    """Report EFI executables in the image that are absent from a JSON list.

    Loads the list from ``json_pth`` into ``self.efi_whitelist``, enumerates
    the executable EFI sections of ``self.image`` and records every entry of
    ``self.efi_list`` whose key is not in the list in ``self.suspect_modules``.

    Args:
        json_pth: Path of the JSON list to compare against.

    Returns:
        ModuleResult.WARNING if ``self.suspect_modules`` is non-empty after
        the comparison, ModuleResult.PASSED otherwise.
    """
    self.efi_list = {}
    # The list file is the trust anchor of this check and is loaded as-is,
    # with no integrity check here: keep it somewhere the scanned platform
    # cannot write to.
    with open(json_pth) as data_file:
        self.efi_whitelist = json.load(data_file)

    self.logger.log("[*] checking EFI executables against the list '%s'" % json_pth)

    # Parse the UEFI firmware image and collect EFI modules:
    # - match only executable EFI sections (PE/COFF, TE)
    # - find all occurrences of matching EFI modules
    # The return value is unused; presumably genlist_callback fills
    # self.efi_list as a side effect (confirm against the callback).
    tree = spi_uefi.build_efi_model(self.uefi, self.image, None)
    spi_uefi.search_efi_tree(
        tree, self.genlist_callback, spi_uefi.EFIModuleType.SECTION_EXE, True
    )

    self.logger.log(
        "[*] found %d EFI executables in UEFI firmware image '%s'"
        % (len(self.efi_list), self.image_file)
    )

    # NOTE(review): self.suspect_modules is not cleared here (self.efi_list
    # is), so entries left from an earlier run would still count. Confirm it
    # is initialised per run elsewhere.
    for digest in self.efi_list:
        if digest in self.efi_whitelist:
            continue
        module = self.efi_list[digest]
        self.suspect_modules[digest] = module
        guid = module["guid"] if 'guid' in module else '?'
        name = module["name"] if 'name' in module else '<unknown>'
        sha1 = module["sha1"] if 'sha1' in module else ''
        # The key is logged as the SHA-256 digest of the executable.
        self.logger.log_important(
            "found EFI executable not in the list:\n %s (sha256)\n %s (sha1)\n {%s}\n %s"
            % (digest, sha1, guid, name)
        )

    if len(self.suspect_modules) == 0:
        self.logger.log_passed_check("all EFI executables match the list '%s'" % json_pth)
        return ModuleResult.PASSED
    self.logger.log_warn_check(
        "found %d EFI executables not in the list '%s'"
        % (len(self.suspect_modules), json_pth)
    )
    return ModuleResult.WARNING
def check_whitelist(self, json_pth):
    """Report EFI executables in the image that are absent from a JSON list.

    The list at ``json_pth`` is loaded into ``self.efi_whitelist``; the
    executable EFI sections of ``self.image`` are enumerated, and each key of
    ``self.efi_list`` that is missing from the list is copied into
    ``self.suspect_modules`` and logged.

    Args:
        json_pth: Path of the JSON list to compare against.

    Returns:
        ModuleResult.WARNING when ``self.suspect_modules`` is non-empty after
        the comparison, ModuleResult.PASSED otherwise.
    """
    self.efi_list = {}
    # This file decides what counts as "known": it is read without any
    # integrity check in this method, so it must come from a location the
    # scanned platform cannot modify.
    with open(json_pth) as data_file:
        self.efi_whitelist = json.load(data_file)

    self.logger.log(
        "[*] checking EFI executables against the list '{}'".format(json_pth))

    # Parse the UEFI firmware image and collect EFI modules:
    # - match only executable EFI sections (PE/COFF, TE)
    # - find all occurrences of matching EFI modules
    # The search result itself is not used; presumably genlist_callback
    # populates self.efi_list (confirm against the callback).
    model = build_efi_model(self.uefi, self.image, None)
    search_efi_tree(model, self.genlist_callback, EFIModuleType.SECTION_EXE, True)

    self.logger.log(
        "[*] found {:d} EFI executables in UEFI firmware image '{}'".format(
            len(self.efi_list), self.image_file))

    # NOTE(review): self.suspect_modules is never reset in this method, so
    # results can accumulate across calls. Verify it is initialised per run.
    for digest in self.efi_list:
        if digest in self.efi_whitelist:
            continue
        module = self.efi_list[digest]
        self.suspect_modules[digest] = module
        guid = module["guid"] if 'guid' in module else '?'
        name = module["name"] if 'name' in module else '<unknown>'
        sha1 = module["sha1"] if 'sha1' in module else ''
        # The key is reported as the SHA-256 digest of the executable.
        self.logger.log_important(
            "found EFI executable not in the list:\n {} (sha256)\n {} (sha1)\n {{{}}}\n {}".format(
                digest, sha1, guid, name))

    if len(self.suspect_modules) == 0:
        self.logger.log_passed_check(
            "all EFI executables match the list '{}'".format(json_pth))
        return ModuleResult.PASSED
    self.logger.log_warn_check(
        "found {:d} EFI executables not in the list '{}'".format(
            len(self.suspect_modules), json_pth))
    return ModuleResult.WARNING
def generate_efilist(self, json_pth):
    """Write a JSON list of the EFI executables found in the firmware image.

    Resets ``self.efi_list``, enumerates the executable EFI sections of
    ``self.image`` and serialises ``self.efi_list`` to ``json_pth``.

    Args:
        json_pth: Destination path of the JSON file.

    Returns:
        ModuleResult.PASSED, unconditionally.
    """
    # NOTE(review): presumably this is the file check_whitelist later
    # compares against. A list generated from an image that is already
    # modified would make that comparison pass, so generate it only from a
    # known-good image.
    self.efi_list = {}
    self.logger.log("[*] generating a list of EFI executables from firmware image...")

    # The search result is unused; presumably genlist_callback fills
    # self.efi_list as a side effect (confirm against the callback).
    tree = spi_uefi.build_efi_model(self.uefi, self.image, None)
    spi_uefi.search_efi_tree(
        tree, self.genlist_callback, spi_uefi.EFIModuleType.SECTION_EXE, True
    )

    self.logger.log(
        "[*] found %d EFI executables in UEFI firmware image '%s'"
        % (len(self.efi_list), self.image_file)
    )
    self.logger.log("[*] creating JSON file '%s'..." % json_pth)

    target = "%s" % json_pth
    payload = json.dumps(self.efi_list, indent=2, separators=(',', ': '))
    chipsec.file.write_file(target, payload)
    return ModuleResult.PASSED
def generate_efilist(self, json_pth):
    """Write a JSON list of the EFI executables found in the firmware image.

    Resets ``self.efi_list``, enumerates the executable EFI sections of
    ``self.image`` and serialises ``self.efi_list`` to ``json_pth`` using
    ``UUIDEncoder``.

    Args:
        json_pth: Destination path of the JSON file.

    Returns:
        ModuleResult.PASSED, unconditionally.
    """
    # NOTE(review): presumably the output is the baseline check_whitelist
    # reads. It is only meaningful when produced from a known-good image; a
    # baseline taken from a tampered image would accept the tampered modules.
    self.efi_list = {}
    self.logger.log("[*] generating a list of EFI executables from firmware image...")

    # The search result is unused; presumably genlist_callback fills
    # self.efi_list as a side effect (confirm against the callback).
    model = build_efi_model(self.uefi, self.image, None)
    search_efi_tree(model, self.genlist_callback, EFIModuleType.SECTION_EXE, True)

    self.logger.log(
        "[*] found {:d} EFI executables in UEFI firmware image '{}'".format(
            len(self.efi_list), self.image_file))
    self.logger.log("[*] creating JSON file '{}'...".format(json_pth))

    target = "{}".format(json_pth)
    payload = json.dumps(
        self.efi_list, indent=2, separators=(',', ': '), cls=UUIDEncoder)
    write_file(target, payload)
    return ModuleResult.PASSED
def generate_efilist(self, json_pth):
    """Dump the EFI executables found in the firmware image to a JSON file.

    ``self.efi_list`` is cleared, the executable EFI sections of
    ``self.image`` are enumerated, and the resulting ``self.efi_list`` is
    written to ``json_pth`` as indented JSON.

    Args:
        json_pth: Destination path of the JSON file.

    Returns:
        ModuleResult.PASSED, unconditionally.
    """
    # NOTE(review): if this output is later used as an allow-list (as
    # check_whitelist's input appears to be), it must be generated from a
    # known-good image, since everything present at generation time is
    # treated as expected.
    self.efi_list = {}
    self.logger.log(
        "[*] generating a list of EFI executables from firmware image...")

    # Return value deliberately unused; presumably genlist_callback
    # populates self.efi_list (confirm against the callback).
    parsed = spi_uefi.build_efi_model(self.uefi, self.image, None)
    exe_sections = spi_uefi.EFIModuleType.SECTION_EXE
    spi_uefi.search_efi_tree(parsed, self.genlist_callback, exe_sections, True)

    found_msg = "[*] found %d EFI executables in UEFI firmware image '%s'" % (
        len(self.efi_list), self.image_file)
    self.logger.log(found_msg)
    self.logger.log("[*] creating JSON file '%s'..." % json_pth)

    out_path = "%s" % json_pth
    serialised = json.dumps(self.efi_list, indent=2, separators=(',', ': '))
    chipsec.file.write_file(out_path, serialised)
    return ModuleResult.PASSED
def check_reputation(self):
    """Search the firmware image for EFI binaries flagged by the reputation callback.

    Builds the EFI tree from ``self.image`` and searches its executable
    sections with ``self.reputation_callback``.

    Returns:
        ModuleResult.WARNING if the search returned at least one module,
        ModuleResult.PASSED otherwise. A hit is a warning, not a failure.
    """
    # Parse the UEFI firmware image and look for EFI modules that the
    # reputation callback selects. What makes a module "suspicious" is
    # decided entirely inside that callback.
    model = build_efi_model(self.uefi, self.image, None)
    # Scan scope: executable sections only.
    wanted = EFIModuleType.SECTION_EXE
    flagged = search_efi_tree(model, self.reputation_callback, wanted)

    self.logger.log('')
    if len(flagged) == 0:
        self.logger.log_passed_check(
            "Didn't find any suspicious EFI binary")
        return ModuleResult.PASSED
    self.logger.log_warn_check(
        "Suspicious EFI binary found in the UEFI firmware image")
    return ModuleResult.WARNING