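    def check_blacklist( self ):
        """Scan the firmware image for EFI executables that match the black-list.

        Echoes every black-list entry loaded from ``self.cfg_name`` (its key
        and optional ``description``), builds the EFI model of ``self.image``
        and hands each executable EFI section to ``self.blacklist_callback``
        (defined elsewhere); every module the search returns counts as a hit.

        Returns:
            ModuleResult.WARNING if at least one executable section matched,
            ModuleResult.PASSED otherwise.
        """
        self.logger.log( "[*] searching for EFI binaries that match criteria from '%s':" % self.cfg_name )
        # Entries may carry further keys ('match', 'exclude'); presumably those
        # are evaluated by blacklist_callback — only the description is echoed.
        for name, entry in self.efi_blacklist.items():
            self.logger.log( "    %-16s - %s" % (name, entry.get('description', '')) )

        # Build the EFI tree once and search only executable sections; file-level
        # matching is deliberately not enabled here.
        efi_tree = spi_uefi.build_efi_model(self.uefi, self.image, None)
        match_types = spi_uefi.EFIModuleType.SECTION_EXE
        matching_modules = spi_uefi.search_efi_tree(efi_tree, self.blacklist_callback, match_types)
        self.logger.log( '' )
        if matching_modules:
            self.logger.log_warn_check("Black-listed EFI binary found in the UEFI firmware image")
            return ModuleResult.WARNING
        self.logger.log_passed_check("Didn't find any black-listed EFI binary")
        return ModuleResult.PASSED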
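    def check_blacklist(self):
        """Scan the firmware image for EFI executables that match the black-list.

        Echoes every black-list entry loaded from ``self.cfg_name`` (its key
        and optional ``description``), builds the EFI model of ``self.image``
        and hands each executable EFI section to ``self.blacklist_callback``
        (defined elsewhere); every module the search returns counts as a hit.

        Returns:
            ModuleResult.WARNING if at least one executable section matched,
            ModuleResult.PASSED otherwise.
        """
        self.logger.log(
            "[*] searching for EFI binaries that match criteria from '{}':".
            format(self.cfg_name))
        # Entries may carry further keys ('match', 'exclude'); presumably those
        # are evaluated by blacklist_callback — only the description is echoed.
        for name, entry in self.efi_blacklist.items():
            self.logger.log("    {:16} - {}".format(
                name, entry.get('description', '')))

        # Build the EFI tree once and search only executable sections; file-level
        # matching is deliberately not enabled here.
        efi_tree = build_efi_model(self.uefi, self.image, None)
        match_types = EFIModuleType.SECTION_EXE
        matching_modules = search_efi_tree(efi_tree, self.blacklist_callback,
                                           match_types)
        self.logger.log('')
        if matching_modules:
            self.logger.log_warn_check(
                "Black-listed EFI binary found in the UEFI firmware image")
            return ModuleResult.WARNING
        self.logger.log_passed_check(
            "Didn't find any black-listed EFI binary")
        return ModuleResult.PASSED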
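    def check_whitelist( self, json_pth ):
        """Compare the EFI executables in the firmware image against a JSON list.

        Loads ``json_pth`` into ``self.efi_whitelist``, rebuilds
        ``self.efi_list`` by walking every executable EFI section of the image
        through ``self.genlist_callback`` (defined elsewhere; it is expected to
        fill ``self.efi_list``, keyed by sha256 judging from the log format),
        and records every key absent from the list in ``self.suspect_modules``.

        Args:
            json_pth: path of the JSON file holding the known-good list.

        Returns:
            ModuleResult.WARNING when at least one executable is not on the
            list, ModuleResult.PASSED otherwise.

        Raises:
            OSError or json.JSONDecodeError when ``json_pth`` cannot be read or
            parsed; nothing is caught here.
        """
        self.efi_list = {}
        # The list is the trust anchor of this check: read it as UTF-8 so the
        # result does not depend on the host locale.
        with open(json_pth, encoding='utf-8') as data_file:
            self.efi_whitelist = json.load(data_file)

        self.logger.log( "[*] checking EFI executables against the list '%s'" % json_pth )

        # parse the UEFI firmware image and collect EFI modules
        # - match only executable EFI sections (PE/COFF, TE)
        # - find all occurrences of matching EFI modules (presumably the trailing True)
        # The search's return value is not needed: genlist_callback fills self.efi_list.
        efi_tree = spi_uefi.build_efi_model(self.uefi, self.image, None)
        spi_uefi.search_efi_tree(efi_tree, self.genlist_callback, spi_uefi.EFIModuleType.SECTION_EXE, True)
        self.logger.log( "[*] found %d EFI executables in UEFI firmware image '%s'" % (len(self.efi_list),self.image_file) )

        # NOTE(review): self.suspect_modules is not reset here, so hits from an
        # earlier call on the same instance would accumulate — confirm the
        # caller initialises it per run.
        for digest, info in self.efi_list.items():
            if digest in self.efi_whitelist:
                continue
            self.suspect_modules[digest] = info
            guid = info.get("guid", '?')
            name = info.get("name", '<unknown>')
            sha1 = info.get("sha1", '')
            self.logger.log_important( "found EFI executable not in the list:\n    %s (sha256)\n    %s (sha1)\n    {%s}\n    %s" % (digest,sha1,guid,name))

        if self.suspect_modules:
            self.logger.log_warn_check( "found %d EFI executables not in the list '%s'" % (len(self.suspect_modules),json_pth) )
            return ModuleResult.WARNING
        self.logger.log_passed_check( "all EFI executables match the list '%s'" % json_pth )
        return ModuleResult.PASSED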
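    def check_whitelist( self, json_pth ):
        """Compare the EFI executables in the firmware image against a JSON list.

        Loads ``json_pth`` into ``self.efi_whitelist``, rebuilds
        ``self.efi_list`` by walking every executable EFI section of the image
        through ``self.genlist_callback`` (defined elsewhere; it is expected to
        fill ``self.efi_list``, keyed by sha256 judging from the log format),
        and records every key absent from the list in ``self.suspect_modules``.

        Args:
            json_pth: path of the JSON file holding the known-good list.

        Returns:
            ModuleResult.WARNING when at least one executable is not on the
            list, ModuleResult.PASSED otherwise.

        Raises:
            OSError or json.JSONDecodeError when ``json_pth`` cannot be read or
            parsed; nothing is caught here.
        """
        self.efi_list = {}
        # The list is the trust anchor of this check: read it as UTF-8 so the
        # result does not depend on the host locale.
        with open(json_pth, encoding='utf-8') as data_file:
            self.efi_whitelist = json.load(data_file)

        self.logger.log( "[*] checking EFI executables against the list '{}'".format(json_pth) )

        # parse the UEFI firmware image and collect EFI modules
        # - match only executable EFI sections (PE/COFF, TE)
        # - find all occurrences of matching EFI modules (presumably the trailing True)
        # The search's return value is not needed: genlist_callback fills self.efi_list.
        efi_tree = build_efi_model(self.uefi, self.image, None)
        search_efi_tree(efi_tree, self.genlist_callback, EFIModuleType.SECTION_EXE, True)
        self.logger.log( "[*] found {:d} EFI executables in UEFI firmware image '{}'".format(len(self.efi_list), self.image_file) )

        # NOTE(review): self.suspect_modules is not reset here, so hits from an
        # earlier call on the same instance would accumulate — confirm the
        # caller initialises it per run.
        for digest, info in self.efi_list.items():
            if digest in self.efi_whitelist:
                continue
            self.suspect_modules[digest] = info
            guid = info.get("guid", '?')
            name = info.get("name", '<unknown>')
            sha1 = info.get("sha1", '')
            self.logger.log_important( "found EFI executable not in the list:\n    {} (sha256)\n    {} (sha1)\n    {{{}}}\n    {}".format(digest, sha1, guid, name))

        if self.suspect_modules:
            self.logger.log_warn_check( "found {:d} EFI executables not in the list '{}'".format(len(self.suspect_modules), json_pth) )
            return ModuleResult.WARNING
        self.logger.log_passed_check( "all EFI executables match the list '{}'".format(json_pth) )
        return ModuleResult.PASSED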
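 def generate_efilist( self, json_pth ):
     """Write a JSON inventory of every EFI executable in the firmware image.

     Walks the EFI model of ``self.image`` over executable sections only,
     with ``self.genlist_callback`` (defined elsewhere; expected to populate
     ``self.efi_list``), then serialises that dict with 2-space indentation
     to ``json_pth`` through chipsec.file.write_file.

     Args:
         json_pth: destination path of the JSON file (passed through str()).

     Returns:
         ModuleResult.PASSED unconditionally; any failure in the walk or the
         write propagates as an exception, nothing is caught here.
     """
     self.efi_list = {}
     self.logger.log( "[*] generating a list of EFI executables from firmware image..." )
     efi_tree = spi_uefi.build_efi_model(self.uefi, self.image, None)
     # Return value intentionally unused: genlist_callback fills self.efi_list.
     spi_uefi.search_efi_tree(efi_tree, self.genlist_callback, spi_uefi.EFIModuleType.SECTION_EXE, True)
     self.logger.log( "[*] found %d EFI executables in UEFI firmware image '%s'" % (len(self.efi_list),self.image_file) )
     self.logger.log( "[*] creating JSON file '%s'..." % json_pth )
     # The output presumably serves as the known-good list for check_whitelist,
     # so it should be generated from a trusted image and kept write-protected.
     chipsec.file.write_file( str(json_pth), json.dumps(self.efi_list, indent=2, separators=(',', ': ')) )
     return ModuleResult.PASSED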
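 def generate_efilist( self, json_pth ):
     """Write a JSON inventory of every EFI executable in the firmware image.

     Walks the EFI model of ``self.image`` over executable sections only,
     with ``self.genlist_callback`` (defined elsewhere; expected to populate
     ``self.efi_list``), then serialises that dict with 2-space indentation
     to ``json_pth`` through write_file, using UUIDEncoder for values the
     default encoder cannot handle.

     Args:
         json_pth: destination path of the JSON file (passed through str()).

     Returns:
         ModuleResult.PASSED unconditionally; any failure in the walk or the
         write propagates as an exception, nothing is caught here.
     """
     self.efi_list = {}
     self.logger.log( "[*] generating a list of EFI executables from firmware image..." )
     efi_tree = build_efi_model(self.uefi, self.image, None)
     # Return value intentionally unused: genlist_callback fills self.efi_list.
     search_efi_tree(efi_tree, self.genlist_callback, EFIModuleType.SECTION_EXE, True)
     self.logger.log( "[*] found {:d} EFI executables in UEFI firmware image '{}'".format(len(self.efi_list), self.image_file) )
     self.logger.log( "[*] creating JSON file '{}'...".format(json_pth) )
     # The output presumably serves as the known-good list for check_whitelist,
     # so it should be generated from a trusted image and kept write-protected.
     write_file(str(json_pth), json.dumps(self.efi_list, indent=2, separators=(',', ': '), cls=UUIDEncoder))
     return ModuleResult.PASSED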
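 def generate_efilist(self, json_pth):
     """Write a JSON inventory of every EFI executable in the firmware image.

     Walks the EFI model of ``self.image`` over executable sections only,
     with ``self.genlist_callback`` (defined elsewhere; expected to populate
     ``self.efi_list``), then serialises that dict with 2-space indentation
     to ``json_pth`` through chipsec.file.write_file.

     Args:
         json_pth: destination path of the JSON file (passed through str()).

     Returns:
         ModuleResult.PASSED unconditionally; any failure in the walk or the
         write propagates as an exception, nothing is caught here.
     """
     self.efi_list = {}
     self.logger.log(
         "[*] generating a list of EFI executables from firmware image...")
     efi_tree = spi_uefi.build_efi_model(self.uefi, self.image, None)
     # Return value intentionally unused: genlist_callback fills self.efi_list.
     spi_uefi.search_efi_tree(
         efi_tree, self.genlist_callback,
         spi_uefi.EFIModuleType.SECTION_EXE, True)
     self.logger.log(
         "[*] found %d EFI executables in UEFI firmware image '%s'" %
         (len(self.efi_list), self.image_file))
     self.logger.log("[*] creating JSON file '%s'..." % json_pth)
     # The output presumably serves as the known-good list for check_whitelist,
     # so it should be generated from a trusted image and kept write-protected.
     chipsec.file.write_file(
         str(json_pth),
         json.dumps(self.efi_list, indent=2, separators=(',', ': ')))
     return ModuleResult.PASSED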
    def check_reputation(self):
        """Report EFI executables that ``self.reputation_callback`` flags.

        Builds the EFI model of ``self.image``, searches its executable
        sections with ``reputation_callback`` (defined elsewhere) and returns
        ModuleResult.WARNING when the search yielded any module, otherwise
        ModuleResult.PASSED.
        """
        # Parse the UEFI firmware image; only executable EFI sections are
        # handed to the reputation callback.
        efi_tree = build_efi_model(self.uefi, self.image, None)
        suspicious = search_efi_tree(efi_tree, self.reputation_callback,
                                     EFIModuleType.SECTION_EXE)
        self.logger.log('')
        if len(suspicious) > 0:
            self.logger.log_warn_check(
                "Suspicious EFI binary found in the UEFI firmware image")
            return ModuleResult.WARNING
        self.logger.log_passed_check(
            "Didn't find any suspicious EFI binary")
        return ModuleResult.PASSED