class bios_wp(BaseModule): def __init__(self): BaseModule.__init__(self) self.spi = SPI( self.cs ) def is_supported(self): return True def check_BIOS_write_protection(self): self.logger.start_test( "BIOS Region Write Protection" ) # # BIOS Control Register # #reg_value = chipsec.chipset.read_register(self.cs, 'BC') #chipsec.chipset.print_register(self.cs, 'BC', reg_value) #ble = chipsec.chipset.get_register_field(self.cs, 'BC', reg_value, 'BLE') ble = self.cs.get_control('BiosLockEnable', with_print=True) #bioswe = self.cs.get_register_field('BC', reg_value, 'BIOSWE') bioswe = self.cs.get_control('BiosWriteEnable') #smmbwp = chipsec.chipset.get_register_field(self.cs, 'BC', reg_value, 'SMM_BWP') smmbwp = self.cs.get_control( 'SmmBiosWriteProtection' ) # Is the BIOS flash region write protected? write_protected = 0 if 1 == ble and 0 == bioswe: if 1 == smmbwp: self.logger.log_good( "BIOS region write protection is enabled (writes restricted to SMM)" ) write_protected = 1 else: self.logger.log_important( "Enhanced SMM BIOS region write protection has not been enabled (SMM_BWP is not used)" ) else: self.logger.log_bad( "BIOS region write protection is disabled!" ) return write_protected == 1 def check_SPI_protected_ranges(self): (bios_base,bios_limit,bios_freg) = self.spi.get_SPI_region( BIOS ) self.logger.log( "\n[*] BIOS Region: Base = 0x{:08X}, Limit = 0x{:08X}".format(bios_base,bios_limit) ) self.spi.display_SPI_Protected_Ranges() pr_cover_bios = False pr_partial_cover_bios = False # for j in range(5): # (base,limit,wpe,rpe,pr_reg_off,pr_reg_value) = spi.get_SPI_Protected_Range( j ) # if (wpe == 1 and base < limit and base <= bios_base and limit >= bios_limit): # pr_cover_bios = True # if (wpe == 1 and base < limit and limit > bios_base): # pr_partial_cover_bios = True areas_to_protect = [(bios_base, bios_limit)] protected_areas = list() for j in range(5): (base,limit,wpe,rpe,pr_reg_off,pr_reg_value) = self.spi.get_SPI_Protected_Range( j ) if base > limit: continue if wpe == 1: for area in areas_to_protect: # overlap bottom start,end = area if base <= start and limit >= start: if limit >= end: areas_to_protect.remove(area) else: areas_to_protect.remove(area) area = (limit+1,end) areas_to_protect.append(area) # overlap top elif base <= end and limit >= end: if base <= start: areas_to_protect.remove(area) else: areas_to_protect.remove(area) area = (start,base-1) areas_to_protect.append(area) start,end = area # split elif base > start and limit < end: areas_to_protect.remove(area) areas_to_protect.append((start,base-1)) areas_to_protect.append((limit+1, end)) if (len(areas_to_protect) == 0): pr_cover_bios = True else: if (len(areas_to_protect) != 1 or areas_to_protect[0] != (bios_base,bios_limit)): pr_partial_cover_bios = True if pr_partial_cover_bios: self.logger.log( '' ) self.logger.log_important( "SPI protected ranges write-protect parts of BIOS region (other parts of BIOS can be modified)" ) else: if not pr_cover_bios: self.logger.log( '' ) self.logger.log_important( "None of the SPI protected ranges write-protect BIOS region" ) return pr_cover_bios # -------------------------------------------------------------------------- # run( module_argv ) # Required function: run here all tests from this module # -------------------------------------------------------------------------- def run(self, module_argv ): wp = self.check_BIOS_write_protection() spr = self.check_SPI_protected_ranges() self.logger.log('') if wp: if spr: self.logger.log_passed_check( "BIOS is write protected (by SMM and SPI Protected Ranges)" ) else: self.logger.log_passed_check( "BIOS is write protected" ) else: if spr: self.logger.log_passed_check( "SPI Protected Ranges are configured to write protect BIOS" ) else: self.logger.log_important( 'BIOS should enable all available SMM based write protection mechanisms or configure SPI protected ranges to protect the entire BIOS region' ) self.logger.log_failed_check( "BIOS is NOT protected completely" ) if wp or spr: return ModuleResult.PASSED else: return ModuleResult.FAILED
class scan_image(BaseModule): def __init__(self): BaseModule.__init__(self) self.uefi = UEFI(self.cs) self.image = None self.efi_list = None self.suspect_modules = {} def is_supported(self): return True # # callbacks to uefi_search.check_match_criteria # def genlist_callback(self, efi_module): md = {} if type(efi_module) == EFI_SECTION: #if efi_module.MD5: md["md5"] = efi_module.MD5 if efi_module.SHA256: md["sha1"] = efi_module.SHA1 if efi_module.parentGuid: md["guid"] = efi_module.parentGuid if efi_module.ui_string: md["name"] = efi_module.ui_string if efi_module.Name and efi_module.Name != SECTION_NAMES[ EFI_SECTION_PE32]: md["type"] = efi_module.Name self.efi_list[efi_module.SHA256] = md else: pass # # Generates new list of EFI executable binaries # def generate_efilist(self, json_pth): self.efi_list = {} self.logger.log( "[*] generating a list of EFI executables from firmware image...") efi_tree = build_efi_model(self.uefi, self.image, None) matching_modules = search_efi_tree(efi_tree, self.genlist_callback, EFIModuleType.SECTION_EXE, True) self.logger.log( "[*] found {:d} EFI executables in UEFI firmware image '{}'". format(len(self.efi_list), self.image_file)) self.logger.log("[*] creating JSON file '{}'...".format(json_pth)) write_file( "{}".format(json_pth), json.dumps(self.efi_list, indent=2, separators=(',', ': '), cls=UUIDEncoder)) return ModuleResult.PASSED # # Checks EFI executable binaries against allowed list # def check_list(self, json_pth): self.efi_list = {} with open(json_pth) as data_file: self.efilist = json.load(data_file) self.logger.log( "[*] checking EFI executables against the list '{}'".format( json_pth)) # parse the UEFI firmware image and look for EFI modules matching list # - match only executable EFI sections (PE/COFF, TE) # - find all occurrences of matching EFI modules efi_tree = build_efi_model(self.uefi, self.image, None) matching_modules = search_efi_tree(efi_tree, self.genlist_callback, EFIModuleType.SECTION_EXE, True) self.logger.log( "[*] found {:d} EFI executables in UEFI firmware image '{}'". format(len(self.efi_list), self.image_file)) for m in self.efi_list: if not (m in self.efilist): self.suspect_modules[m] = self.efi_list[m] guid = self.efi_list[m]["guid"] if 'guid' in self.efi_list[ m] else '?' name = self.efi_list[m]["name"] if 'name' in self.efi_list[ m] else '<unknown>' sha1 = self.efi_list[m]["sha1"] if 'sha1' in self.efi_list[ m] else '' self.logger.log_important( "found EFI executable not in the list:\n {} (sha256)\n {} (sha1)\n {{{}}}\n {}" .format(m, sha1, guid, name)) if len(self.suspect_modules) > 0: self.logger.log_warn_check( "found {:d} EFI executables not in the list '{}'".format( len(self.suspect_modules), json_pth)) return ModuleResult.WARNING else: self.logger.log_passed_check( "all EFI executables match the list '{}'".format(json_pth)) return ModuleResult.PASSED def usage(self): self.logger.log(USAGE_TEXT) # -------------------------------------------------------------------------- # run( module_argv ) # Required function: run here all tests from this module # -------------------------------------------------------------------------- def run(self, module_argv): self.logger.start_test( "simple list generation/checking for (U)EFI firmware") self.res = ModuleResult.SKIPPED op = module_argv[0] if len(module_argv) > 0 else 'generate' if op in ['generate', 'check']: if len(module_argv) > 1: json_file = module_argv[1] image_file = module_argv[2] self.logger.log( "[*] reading firmware from '{}'...".format(image_file)) else: image_file = DEF_FWIMAGE_FILE json_file = DEF_EFILIST_FILE self.spi = SPI(self.cs) (base, limit, freg) = self.spi.get_SPI_region(BIOS) image_size = limit + 1 - base self.logger.log( "[*] dumping firmware image from ROM to '{}': 0x{:08X} bytes at [0x{:08X}:0x{:08X}]" .format(image_file, image_size, base, limit)) self.spi.read_spi_to_file(base, image_size, image_file) self.image_file = image_file self.image = read_file(image_file) json_pth = os.path.abspath(json_file) if op == 'generate': if os.path.exists(json_pth): self.logger.error( "JSON file '{}' already exists. Exiting...".format( json_file)) self.res = ModuleResult.ERROR else: self.res = self.generate_efilist(json_pth) elif op == 'check': if not os.path.exists(json_pth): self.logger.error( "JSON file '{}' doesn't exists. Exiting...".format( json_file)) self.res = ModuleResult.ERROR else: self.res = self.check_list(json_pth) elif op == 'help': self.usage() else: self.logger.error( "unrecognized command-line argument to the module") self.usage() return self.res
class bios_wp(BaseModule): def __init__(self): BaseModule.__init__(self) self.spi = SPI(self.cs) def is_supported(self): return True def check_BIOS_write_protection(self): ble = self.cs.get_control('BiosLockEnable', with_print=True) bioswe = self.cs.get_control('BiosWriteEnable') smmbwp = self.cs.get_control('SmmBiosWriteProtection') # Is the BIOS flash region write protected? write_protected = 0 if (1 == ble) and (0 == bioswe): if 1 == smmbwp: self.logger.log_good( "BIOS region write protection is enabled (writes restricted to SMM)" ) write_protected = 1 else: self.logger.log_important( "Enhanced SMM BIOS region write protection has not been enabled (SMM_BWP is not used)" ) else: self.logger.log_bad("BIOS region write protection is disabled!") return write_protected == 1 def check_SPI_protected_ranges(self): (bios_base, bios_limit, _) = self.spi.get_SPI_region(BIOS) self.logger.log( "\n[*] BIOS Region: Base = 0x{:08X}, Limit = 0x{:08X}".format( bios_base, bios_limit)) self.spi.display_SPI_Protected_Ranges() pr_cover_bios = False pr_partial_cover_bios = False areas_to_protect = [(bios_base, bios_limit)] for j in range(5): (base, limit, wpe, _, _, _) = self.spi.get_SPI_Protected_Range(j) if base > limit: continue if wpe == 1: areas = areas_to_protect[:] for area in areas: (start, end) = area if (base <= start) and (limit >= start): # overlap bottom if limit >= end: areas_to_protect.remove(area) else: areas_to_protect.remove(area) area = (limit + 1, end) areas_to_protect.append(area) elif (base <= end) and (limit >= end): # overlap top if base <= start: areas_to_protect.remove(area) else: areas_to_protect.remove(area) area = (start, base - 1) areas_to_protect.append(area) elif (base > start) and (limit < end): # split areas_to_protect.remove(area) areas_to_protect.append((start, base - 1)) areas_to_protect.append((limit + 1, end)) if (len(areas_to_protect) == 0): pr_cover_bios = True else: if (len(areas_to_protect) != 1) or (areas_to_protect[0] != (bios_base, bios_limit)): pr_partial_cover_bios = True if pr_partial_cover_bios: self.logger.log('') self.logger.log_important( "SPI protected ranges write-protect parts of BIOS region (other parts of BIOS can be modified)" ) else: if not pr_cover_bios: self.logger.log('') self.logger.log_important( "None of the SPI protected ranges write-protect BIOS region" ) return pr_cover_bios # -------------------------------------------------------------------------- # run( module_argv ) # Required function: run here all tests from this module # -------------------------------------------------------------------------- def run(self, module_argv): self.logger.start_test("BIOS Region Write Protection") wp = self.check_BIOS_write_protection() spr = self.check_SPI_protected_ranges() self.logger.log('') if wp: if spr: self.logger.log_passed( "BIOS is write protected (by SMM and SPI Protected Ranges)" ) else: self.logger.log_passed("BIOS is write protected") else: if spr: self.logger.log_passed( "SPI Protected Ranges are configured to write protect BIOS" ) else: self.logger.log_important( 'BIOS should enable all available SMM based write protection mechanisms.' ) self.logger.log_important( 'Or configure SPI protected ranges to protect the entire BIOS region.' ) self.logger.log_failed("BIOS is NOT protected completely") if wp or spr: self.res = ModuleResult.PASSED else: self.res = ModuleResult.FAILED return self.res
class blacklist(BaseModule): def __init__(self): BaseModule.__init__(self) self.uefi = UEFI(self.cs) self.cfg_name = 'blacklist.json' self.image = None self.efi_blacklist = None def is_supported(self): return True def blacklist_callback(self, efi_module): return check_match_criteria(efi_module, self.efi_blacklist, self.logger) def check_blacklist(self): res = ModuleResult.PASSED self.logger.log( "[*] searching for EFI binaries that match criteria from '{}':". format(self.cfg_name)) for k in self.efi_blacklist.keys(): entry = self.efi_blacklist[k] self.logger.log(" {:16} - {}".format( k, entry['description'] if 'description' in entry else '')) #if 'match' in entry: # for c in entry['match'].keys(): self.logger.log( "[*] {}".format(entry['match'][c]) ) #if 'exclude' in entry: # self.logger.log( "[*] excluding binaries:" ) # for c in entry['exclude']: self.logger.log( "[*] {}".format(entry['exclude'][c]) ) # parse the UEFI firmware image and look for EFI modules matching the balck-list efi_tree = build_efi_model(self.uefi, self.image, None) #match_types = (spi_uefi.EFIModuleType.SECTION_EXE|spi_uefi.EFIModuleType.FILE) match_types = EFIModuleType.SECTION_EXE matching_modules = search_efi_tree(efi_tree, self.blacklist_callback, match_types) found = len(matching_modules) > 0 self.logger.log('') if found: res = ModuleResult.WARNING self.logger.log_warn_check( "Black-listed EFI binary found in the UEFI firmware image") else: self.logger.log_passed_check( "Didn't find any black-listed EFI binary") return res def usage(self): self.logger.log(USAGE_TEXT) # -------------------------------------------------------------------------- # run( module_argv ) # Required function: run here all tests from this module # -------------------------------------------------------------------------- def run(self, module_argv): self.logger.start_test( "Check for black-listed EFI binaries in UEFI firmware") self.usage() image_file = DEF_FWIMAGE_FILE if len(module_argv) == 0: # Read firmware image directly from SPI flash memory self.spi = SPI(self.cs) (base, limit, freg) = self.spi.get_SPI_region(BIOS) image_size = limit + 1 - base self.logger.log( "[*] dumping FW image from ROM to {}: 0x{:08X} bytes at [0x{:08X}:0x{:08X}]" .format(image_file, base, limit, image_size)) self.logger.log( "[*] this may take a few minutes (instead, use 'chipsec_util spi dump')..." ) self.spi.read_spi_to_file(base, image_size, image_file) elif len(module_argv) > 0: # Use provided firmware image image_file = module_argv[0] self.logger.log( "[*] reading FW image from file: {}".format(image_file)) self.image = read_file(image_file) # Load JSON config with black-listed EFI modules if len(module_argv) > 1: self.cfg_name = module_argv[1] cfg_pth = os.path.join(get_main_dir(), "chipsec/modules/tools/uefi", self.cfg_name) with open(cfg_pth, 'r') as blacklist_json: self.efi_blacklist = json.load(blacklist_json) return self.check_blacklist()
class reputation(BaseModule): def __init__(self): BaseModule.__init__(self) self.uefi = UEFI(self.cs) self.image = None self.vt_threshold = 10 self.vt = None def is_supported(self): if has_virus_total_apis: return True else: self.logger.log_important( """Can't import module 'virus_total_apis'. Please run 'pip install virustotal-api' and try again.""") return False def reputation_callback(self, efi_module): vt_report = self.vt.get_file_report(efi_module.SHA256) while vt_report["response_code"] == 204: # The Public API is limited to 4 requests per minute. if self.logger.DEBUG: self.logger.log( "VT API quota exceeded, sleeping for 1 minute... (-.-)zzZZ" ) time.sleep(60) # Retry. vt_report = self.vt.get_file_report(efi_module.SHA256) if vt_report["results"]["response_code"] == 0: # Hash is unknown to VT. self.logger.log_warn_check( "Unfamiliar EFI binary found in the UEFI firmware image\n{}". format(efi_module)) return False if vt_report["results"]["positives"] >= self.vt_threshold: self.logger.log_bad( "Suspicious EFI binary found in the UEFI firmware image\n{}". format(efi_module)) return True if self.logger.VERBOSE: self.logger.log( "Benign EFI binary found in the UEFI firmware image\n{}". format(efi_module)) return False def check_reputation(self): res = ModuleResult.PASSED # parse the UEFI firmware image and look for EFI modules matching the balck-list efi_tree = build_efi_model(self.uefi, self.image, None) match_types = EFIModuleType.SECTION_EXE matching_modules = search_efi_tree(efi_tree, self.reputation_callback, match_types) found = len(matching_modules) > 0 self.logger.log('') if found: res = ModuleResult.WARNING self.logger.log_warn_check( "Suspicious EFI binary found in the UEFI firmware image") else: self.logger.log_passed_check( "Didn't find any suspicious EFI binary") return res def usage(self): self.logger.log(USAGE_TEXT) # -------------------------------------------------------------------------- # run( module_argv ) # Required function: run here all tests from this module # -------------------------------------------------------------------------- def run(self, module_argv): self.logger.start_test( "Check for suspicious EFI binaries in UEFI firmware") self.usage() if len(module_argv) > 0: self.vt = VirusTotalPublicApi(module_argv[0]) if len(module_argv) > 1: self.vt_threshold = int(module_argv[1]) image_file = DEF_FWIMAGE_FILE if len(module_argv) > 2: # Use provided firmware image image_file = module_argv[2] self.logger.log( "[*] reading FW image from file: {}".format(image_file)) else: # Read firmware image directly from SPI flash memory self.spi = SPI(self.cs) (base, limit, freg) = self.spi.get_SPI_region(BIOS) image_size = limit + 1 - base self.logger.log( "[*] dumping FW image from ROM to {}: 0x{:08X} bytes at [0x{:08X}:0x{:08X}]" .format(image_file, base, limit, image_size)) self.logger.log( "[*] this may take a few minutes (instead, use 'chipsec_util spi dump')..." ) self.spi.read_spi_to_file(base, image_size, image_file) self.image = read_file(image_file) return self.check_reputation()