class variables(BaseModule):
def __init__(self):
BaseModule.__init__(self)
self._uefi = UEFI(self.cs)
def is_supported(self):
supported = self.cs.helper.EFI_supported()
if not supported:
self.logger.log_skipped_check(
"OS does not support UEFI Runtime API")
return supported
def can_modify(self, name, guid, data, attrs):
self.logger.log(" > attempting to modify variable {}:{}".format(
guid, name))
datalen = len(data)
#print_buffer( data )
baddata = chr(ord(data[0]) ^ 0xFF) + data[1:]
#if datalen > 1: baddata = baddata[:datalen-1] + chr( ord(baddata[datalen-1]) ^ 0xFF )
status = self._uefi.set_EFI_variable(name, guid, baddata)
if StatusCode.EFI_SUCCESS != status:
self.logger.log(
' < modification of {} returned error 0x{:X}'.format(
name, status))
else:
self.logger.log(
' < modification of {} returned succees'.format(name))
self.logger.log(
' > checking variable {} contents after modification..'.format(
name))
newdata = self._uefi.get_EFI_variable(name, guid)
#print_buffer( newdata )
#chipsec.file.write_file( name+'_'+guid+'.bin', data )
#chipsec.file.write_file( name+'_'+guid+'.bin.bad', baddata )
#chipsec.file.write_file( name+'_'+guid+'.bin.new', newdata )
_changed = (data != newdata)
if _changed:
self.logger.log_bad(
"EFI variable {} has been modified. Restoring original contents.."
.format(name))
self._uefi.set_EFI_variable(name, guid, data)
# checking if restored correctly
restoreddata = self._uefi.get_EFI_variable(name, guid)
#print_buffer( restoreddata )
if (restoreddata != data):
self.logger.error(
"Failed to restore contents of variable {} failed!".format(
name))
else:
self.logger.log(
" contents of variable {} have been restored".format(
name))
else:
self.logger.log_good("Could not modify UEFI variable {}:{}".format(
guid, name))
return _changed
## check_secureboot_variable_attributes
# checks authentication attributes of Secure Boot EFI variables
def check_secureboot_variable_attributes(self, do_modify):
res = ModuleResult.ERROR
not_found = 0
not_auth = 0
not_wp = 0
is_secureboot_enabled = False
sbvars = self._uefi.list_EFI_variables()
if sbvars is None:
self.logger.log_warn_check('Could not enumerate UEFI variables.')
return ModuleResult.SKIPPED
for name in SECURE_BOOT_VARIABLES:
if name in sbvars.keys() and sbvars[name] is not None:
if len(sbvars[name]) > 1:
self.logger.log_failed_check(
'There should only be one instance of variable {}'.
format(name))
return ModuleResult.FAILED
for (off, buf, hdr, data, guid, attrs) in sbvars[name]:
self.logger.log(
"[*] Checking protections of UEFI variable {}:{}".
format(guid, name))
# check the status of Secure Boot
if EFI_VAR_NAME_SecureBoot == name:
is_secureboot_enabled = (data is not None
and len(data) == 1
and ord(data) == 0x1)
#
# Verify if the Secure Boot key/database variable is authenticated
#
if name in SECURE_BOOT_KEY_VARIABLES:
if IS_VARIABLE_ATTRIBUTE(
attrs,
EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS):
self.logger.log_good(
'Variable {}:{} is authenticated (AUTHENTICATED_WRITE_ACCESS)'
.format(guid, name))
elif IS_VARIABLE_ATTRIBUTE(
attrs,
EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS
):
self.logger.log_good(
'Variable {}:{} is authenticated (TIME_BASED_AUTHENTICATED_WRITE_ACCESS)'
.format(guid, name))
else:
not_auth += 1
self.logger.log_bad(
'Variable {}:{} is not authenticated'.format(
guid, name))
#
# Attempt to modify contents of the variables
#
if do_modify:
if self.can_modify(name, guid, data, attrs):
not_wp += 1
else:
not_found += 1
self.logger.log_important(
'Secure Boot variable {} is not found'.format(name))
continue
self.logger.log('')
self.logger.log('[*] Secure Boot appears to be {}abled'.format(
'en' if is_secureboot_enabled else 'dis'))
if len(SECURE_BOOT_VARIABLES) == not_found:
# None of Secure Boot variables were not found
self.logger.log_skipped_check(
'None of required Secure Boot variables found. Secure Boot is not enabled'
)
return ModuleResult.SKIPPED
else:
# Some Secure Boot variables exist
sb_vars_failed = (not_found > 0) or (not_auth > 0) or (not_wp > 0)
if sb_vars_failed:
if not_found > 0:
self.logger.log_bad(
"Some required Secure Boot variables are missing")
if not_auth > 0:
self.logger.log_bad(
'Some Secure Boot keying variables are not authenticated'
)
if not_wp > 0:
self.logger.log_bad(
'Some Secure Boot variables can be modified')
if is_secureboot_enabled:
self.logger.log_failed_check(
'Not all Secure Boot UEFI variables are protected')
return ModuleResult.FAILED
else:
self.logger.log_warn_check(
'Not all Secure Boot UEFI variables are protected')
return ModuleResult.WARNING
else:
self.logger.log_passed_check(
'All Secure Boot UEFI variables are protected')
return ModuleResult.PASSED
# --------------------------------------------------------------------------
# run( module_argv )
# Required function: run here all tests from this module
# --------------------------------------------------------------------------
def run(self, module_argv):
self.logger.start_test("Attributes of Secure Boot EFI Variables")
do_modify = (len(module_argv) > 0 and module_argv[0] == OPT_MODIFY)
return self.check_secureboot_variable_attributes(do_modify)
class access_uefispec(BaseModule):
def __init__(self):
BaseModule.__init__(self)
self._uefi = UEFI(self.cs)
nv = EFI_VARIABLE_NON_VOLATILE
bs = EFI_VARIABLE_BOOTSERVICE_ACCESS
rt = EFI_VARIABLE_RUNTIME_ACCESS
ta = EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS
self.uefispec_vars = {
#### From UEFI Spec Table 11 "Global Variables"
"LangCodes": bs | rt,
"Lang": nv | bs | rt,
"Timeout": nv | bs | rt,
"PlatformLangCodes": bs | rt,
"PlatformLang": nv | bs | rt,
"ConIn": nv | bs | rt,
"ConOut": nv | bs | rt,
"ErrOut": nv | bs | rt,
"ConInDev": bs | rt,
"ConOutDev": bs | rt,
"ErrOutDev": bs | rt,
"Boot0001": nv | bs | rt,
"Boot0002": nv | bs | rt,
"BootOrder": nv | bs | rt,
"BootNext": nv | bs | rt,
"BootCurrent": bs | rt,
"BootOptionSupport": bs | rt,
"Driver0001": nv | bs | rt,
"DriverOrder": nv | bs | rt,
"Key0001": nv | bs | rt,
"HwErrRecSupport": nv | bs | rt, # HwErrRecSupport should be RO
"SetupMode": bs | rt, # SetupMode should be RO
"KEK": nv | bs | rt | ta,
"PK": nv | bs | rt | ta,
"SignatureSupport": bs | rt, # RO
"SecureBoot": bs | rt, # RO
"KEKDefault": bs | rt, # RO
"PKDefault": bs | rt, # RO
"dbDefault": bs | rt, # RO
"dbxDefault": bs | rt, # RO
"dbtDefault": bs | rt, # RO
"OsIndicationsSupported": bs | rt, # RO
"OsIndications": nv | bs | rt,
"VendorKeys": bs | rt # RO
}
self.uefispec_ro_vars = ("HwErrRecSupport", "SetupMode",
"SignatureSupport", "SecureBoot",
"KEKDefault", "PKDefault", "dbDefault",
"dbxDefault", "dbtDefault",
"OsIndicationsSupported", "VendorKeys")
def is_supported(self):
supported = self.cs.helper.EFI_supported()
if not supported:
self.logger.log("OS does not support UEFI Runtime API")
self.res = ModuleResult.NOTAPPLICABLE
return supported
def diff_var(self, data1, data2):
if data1 is None or data2 is None:
return data1 != data2
oldstr = ":".join("{:02x}".format(c) for c in data1)
newstr = ":".join("{:02x}".format(c) for c in data2)
if oldstr != newstr:
print(oldstr)
print(newstr)
return True
else:
return False
def can_modify(self, name, guid, data):
ret = False
#origdata = _uefi.get_EFI_variable(name, guid)
origdata = data
datalen = len(bytearray(data))
baddata = 'Z' * datalen #0x5A is ASCII 'Z'
if baddata == origdata:
baddata = 'A' * datalen #in case we failed to restore previously
status = self._uefi.set_EFI_variable(name, guid, baddata)
if status != StatusCode.EFI_SUCCESS:
self.logger.log_good(
'Writing EFI variable {} did not succeed.'.format(name))
newdata = self._uefi.get_EFI_variable(name, guid)
if self.diff_var(newdata, origdata):
self.logger.log_bad(
'Corruption of EFI variable of concern {}. Trying to recover.'.
format(name))
ret = True
self._uefi.set_EFI_variable(name, guid, origdata)
if self.diff_var(self._uefi.get_EFI_variable(name, guid),
origdata):
nameguid = name + ' (' + guid + ')'
self.logger.log_bad(
'RECOVERY FAILED. Variable {} remains corrupted. Original data value: {}'
.format(nameguid, origdata))
return ret
def check_vars(self, do_modify):
res = ModuleResult.PASSED
vars = self._uefi.list_EFI_variables()
if vars is None:
self.logger.log_warning(
'Could not enumerate UEFI Variables from runtime.')
self.logger.log_important(
"Note that UEFI variables may still exist, OS just did not expose runtime UEFI Variable API to read them.\nYou can extract variables directly from ROM file via 'chipsec_util.py uefi nvram bios.bin' command and verify their attributes manually."
)
return ModuleResult.SKIPPED
uefispec_concern = []
ro_concern = []
rw_variables = []
self.logger.log('[*] Testing UEFI variables ..')
for name in vars.keys():
if name is None: pass
if vars[name] is None:
pass
if len(vars[name]) > 1:
self.logger.log_important(
'Found two instances of the variable {}.'.format(name))
for (off, buf, hdr, data, guid, attrs) in vars[name]:
self.logger.log('[*] Variable {} ({})'.format(
name, get_attr_string(attrs)))
perms = self.uefispec_vars.get(name)
if perms is not None:
if perms != attrs:
attr_diffs = (perms ^ attrs)
extra_attr = attr_diffs & attrs
missing_attr = attr_diffs & ~extra_attr
uefispec_concern.append(name)
if extra_attr != 0:
self.logger.log_important(
' Extra attributes:' +
get_attr_string(extra_attr))
if (extra_attr & ~(
EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS |
EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS
| EFI_VARIABLE_APPEND_WRITE) != 0):
res = ModuleResult.FAILED
if missing_attr != 0:
self.logger.log_important(
' Missing attributes:' +
get_attr_string(missing_attr))
if res != ModuleResult.FAILED:
res = ModuleResult.WARNING
if do_modify:
self.logger.log(
"[*] Testing modification of {} ..".format(name))
if name in self.uefispec_ro_vars:
if self.can_modify(name, guid, data):
ro_concern.append(name)
self.logger.log_bad(
"Variable {} should be read only.".format(
name))
res = ModuleResult.FAILED
else:
if self.can_modify(name, guid, data):
rw_variables.append(name)
if uefispec_concern:
self.logger.log('')
self.logger.log_bad(
'Variables with attributes that differ from UEFI spec:')
for name in uefispec_concern:
self.logger.log(' {}'.format(name))
if do_modify:
if ro_concern:
self.logger.log('')
self.logger.log_bad(
'Variables that should have been read-only and were not:')
for name in ro_concern:
self.logger.log(' {}'.format(name))
if rw_variables:
self.logger.log('')
self.logger.log_unknown(
'Variables that are read-write (manual investigation is required):'
)
for name in rw_variables:
self.logger.log(' {}'.format(name))
self.logger.log('')
if ModuleResult.PASSED == res:
self.logger.log_passed(
'All checked EFI variables are protected according to spec.')
elif ModuleResult.FAILED == res:
self.logger.log_failed(
'Some EFI variables were not protected according to spec.')
return res
def run(self, module_argv):
self.logger.start_test("Access Control of EFI Variables")
do_modify = (len(module_argv) > 0 and module_argv[0] == OPT_MODIFY)
self.res = self.check_vars(do_modify)
return self.res
class uefivar_fuzz(BaseModule):
def __init__(self):
BaseModule.__init__(self)
self._uefi = UEFI(self.cs)
def is_supported(self):
supported = self.cs.helper.EFI_supported()
if not supported:
self.logger.log_skipped_check(
"OS does not support UEFI Runtime API")
return supported
def rnd(self, n=1):
rnum = b''
for j in range(n):
rnum += struct.pack("B", random.randint(0, 255))
return rnum
def usage(self):
self.logger.log(USAGE_TEXT)
return True
def run(self, module_argv):
self.logger.start_test("Fuzz UEFI Variable Interface")
self.logger.warn(
"Are you sure you want to continue fuzzing UEFI variable interface?"
)
s = cs_input("Type 'yes' to continue > ")
if s != 'yes': return
# Default options
_NAME = 'FuzzerVarName'
_GUID = UUID('414C4694-F4CF-0525-69AF-C99C8596530F')
_ATTRIB = 0x07
_SIZE = 0x08
_DATA = struct.pack("B", 0x41) * _SIZE
ITERATIONS = 1000
SEED = int(time())
CASE = 1
BOUND_STR = 255 #tested value that can be increased or decreased to fit the limit bounds
BOUND_INT = 1000
FUZZ_NAME = True
FUZZ_GUID = True
FUZZ_ATTRIB = True
FUZZ_DATA = True
FUZZ_SIZE = True
# Init fuzzing primitives
name_prim = prim.string(value=_NAME, max_len=BOUND_STR)
attrib_prim = prim.dword(
value=_ATTRIB) # i think the attrib field is 4 bytes large?
data_prim = prim.random_data(value=_DATA,
min_length=0,
max_length=BOUND_INT)
help_text = False
if len(module_argv):
fz_cli = module_argv[0].lower()
if ('all' != fz_cli):
FUZZ_NAME = False
FUZZ_GUID = False
FUZZ_ATTRIB = False
FUZZ_DATA = False
FUZZ_SIZE = False
if ('name' == fz_cli): FUZZ_NAME = True
elif ('guid' == fz_cli): FUZZ_GUID = True
elif ('attrib' == fz_cli): FUZZ_ATTRIB = True
elif ('data' == fz_cli): FUZZ_DATA = True
elif ('size' == fz_cli): FUZZ_SIZE = True
else: help_text = self.usage()
if len(module_argv) > 1:
if (module_argv[1].isdigit()): ITERATIONS = int(module_argv[1])
else: help_text = self.usage()
if len(module_argv) > 2:
if (module_argv[2].isdigit()): SEED = int(module_argv[2])
else: help_text = self.usage()
if len(module_argv) > 3:
if (module_argv[3].isdigit()): CASE = int(module_argv[3])
else: help_text = self.usage()
if not help_text:
random.seed(SEED)
write_file('SEED.txt', str(SEED))
if not len(module_argv): fz_cli = 'all'
self.logger.log('Test : {}'.format(fz_cli))
self.logger.log('Iterations: {:d}'.format(ITERATIONS))
self.logger.log('Seed : {:d}'.format(SEED))
self.logger.log('Test case : {:d}'.format(CASE))
self.logger.log('')
for count in range(1, ITERATIONS + CASE):
if FUZZ_NAME:
_NAME = ''
if name_prim.mutate():
_NAME = name_prim.render()
else: # if mutate() returns false, we need to reload the primitive
name_prim = prim.string(value=_NAME, max_len=BOUND_STR)
_NAME = name_prim.render()
if FUZZ_GUID: _GUID = uuid4()
if FUZZ_ATTRIB:
if attrib_prim.mutate():
_ATTRIB = attrib_prim.render()
else:
attrib_prim = prim.dword(value=_ATTRIB)
_ATTRIB = attrib_prim.render()
if FUZZ_DATA:
if data_prim.mutate():
_DATA = data_prim.render()
else:
data_prim = prim.random_data(value=_DATA,
min_length=0,
max_length=BOUND_INT)
data_prim.mutate()
_DATA = data_prim.render()
if FUZZ_SIZE:
if _DATA:
_SIZE = random.randrange(len(_DATA))
else:
_SIZE = random.randrange(1024)
if (count < CASE): continue
self.logger.log(' Running test #{:d}:'.format(count))
self.logger.flush()
status = self._uefi.set_EFI_variable(_NAME, str(_GUID), _DATA,
_SIZE, _ATTRIB)
self.logger.log(status)
status = self._uefi.delete_EFI_variable(_NAME, str(_GUID))
self.logger.log(status)
return ModuleResult.PASSED