206 Commits

Author SHA1 Message Date
43313EB9AA87E7039F8F3948282E61C0CB12372C5499884609A01B2BCA37B973
f87939e395
Update README.md
Rework of information. Focus more on the general guidelines for Secure Boot customization and less on specific devices.
2024-12-23 16:28:30 -05:00
43313EB9AA87E7039F8F3948282E61C0CB12372C5499884609A01B2BCA37B973
e532b1e48a
Update README.md
First pass at updating the secure boot content. Mentioned 2023 certs and new ESL parsers.
2024-12-06 20:01:30 -05:00
43313EB9AA87E7039F8F3948282E61C0CB12372C5499884609A01B2BCA37B973
75270dd06b
Update README.md 2024-12-06 13:34:22 -05:00
43313EB9AA87E7039F8F3948282E61C0CB12372C5499884609A01B2BCA37B973
d8a2c68b3e
Update README.md
Correct a pair of typos.
2024-12-06 13:10:13 -05:00
43313EB9AA87E7039F8F3948282E61C0CB12372C5499884609A01B2BCA37B973
f145adc1ae
Update README.md
Corrected names of anchor tags.
2024-12-06 12:51:25 -05:00
43313EB9AA87E7039F8F3948282E61C0CB12372C5499884609A01B2BCA37B973
7401dd3a5a
Update README.md
Added BMC hardening section.
2024-12-06 12:47:54 -05:00
43313EB9AA87E7039F8F3948282E61C0CB12372C5499884609A01B2BCA37B973
e7826979a9
Update README.md
Complete rewrite. Replaces obsolete side channel vulnerability information with more recent firmware and boot vulnerability information.
2024-12-06 12:37:03 -05:00
43313EB9AA87E7039F8F3948282E61C0CB12372C5499884609A01B2BCA37B973
601b39953e
Create esl-parser.ps1
Extensible Firmware Image (EFI) Signature List (ESL) parser written for PowerShell. Extracts multiple certificates and hashes into individual CER and binary HSH, respectively, from an ESL file. Useful to determine the contents of files intended to interact with Secure Boot.
2024-11-22 19:26:27 -05:00
43313EB9AA87E7039F8F3948282E61C0CB12372C5499884609A01B2BCA37B973
0b30dcee72
Create esl-parser.py
New Extensible Firmware Interface (EFI) Signature List (ESL) file parser in Python. Extracts certificates (CER) and hashes (binary HSH) from an ESL file. Useful in evaluating ESL files intended to interact with Secure Boot.
2024-11-22 19:20:45 -05:00
43313EB9AA87E7039F8F3948282E61C0CB12372C5499884609A01B2BCA37B973
9a640ae5c3
Added sidechannel.md
Captures information from the README.md page regarding side channel vulnerabilities in order to move it off the main page. Much of the side channel guidance is now historical and no longer relevant to fully patched systems or systems refreshed since 2021.
2024-11-21 18:23:18 -05:00
43313EB9AA87E7039F8F3948282E61C0CB12372C5499884609A01B2BCA37B973
d88e578092
Update Linux.md
Section 2.5 updated to change commands related to hashing EFI binaries. A sha256sum or OpenSSL digest covers the entire executable file. Secure Boot's checks look at executable portions of the EFI file -- a different hash. Therefore, pehash and hash-to-efi-sig-list are necessary Linux commands instead of sha256sum and openssl.
2023-03-14 17:03:17 -04:00
D76C6399A0F334216B3A58BE07C3C3137D5E14542BC13CA38EB0800D9FFC1FE6
0d3891968e
Merge pull request #19 from DimanNe/patch-1
Fix typo
2021-07-19 07:55:16 -04:00
DimanNe
3f493425d5
Update Linux.md 2021-04-17 18:15:58 +01:00
43313EB9AA87E7039F8F3948282E61C0CB12372C5499884609A01B2BCA37B973
b99ad909da
Newer Surface devices support customization 2021-03-16 16:03:36 -04:00
43313EB9AA87E7039F8F3948282E61C0CB12372C5499884609A01B2BCA37B973
dc536287b1
Update README.md 2021-02-12 19:00:40 -05:00
43313EB9AA87E7039F8F3948282E61C0CB12372C5499884609A01B2BCA37B973
1a7039b6f1
Update README.md 2021-02-12 18:53:18 -05:00
43313EB9AA87E7039F8F3948282E61C0CB12372C5499884609A01B2BCA37B973
63ee19015c
Update README.md 2021-02-12 18:52:56 -05:00
43313EB9AA87E7039F8F3948282E61C0CB12372C5499884609A01B2BCA37B973
66c5cadcb6
Update README.md 2021-02-12 18:40:12 -05:00
43313EB9AA87E7039F8F3948282E61C0CB12372C5499884609A01B2BCA37B973
4b8e4bf95c
Update README.md 2021-02-12 18:38:59 -05:00
43313EB9AA87E7039F8F3948282E61C0CB12372C5499884609A01B2BCA37B973
58883c3e37
Update README.md 2021-02-11 17:51:04 -05:00
43313EB9AA87E7039F8F3948282E61C0CB12372C5499884609A01B2BCA37B973
5692d4cedc
Update README.md 2021-02-11 17:50:10 -05:00
43313EB9AA87E7039F8F3948282E61C0CB12372C5499884609A01B2BCA37B973
09114b9d4e
Create Windows.md 2021-02-11 15:43:43 -05:00
43313EB9AA87E7039F8F3948282E61C0CB12372C5499884609A01B2BCA37B973
74815209f5
Update Windows.md 2021-02-11 15:43:24 -05:00
43313EB9AA87E7039F8F3948282E61C0CB12372C5499884609A01B2BCA37B973
5b8b1c8abf
Update Windows.md
More info about handling ESL files.
2021-02-11 15:28:39 -05:00
43313EB9AA87E7039F8F3948282E61C0CB12372C5499884609A01B2BCA37B973
8ec8687dd4
Update Linux.md 2021-02-11 15:15:47 -05:00
43313EB9AA87E7039F8F3948282E61C0CB12372C5499884609A01B2BCA37B973
3241d1b18c
Update esl-parser.c
Fix string initialization mistakes (I am rusty at C programming!).
2021-02-11 13:29:34 -05:00
43313EB9AA87E7039F8F3948282E61C0CB12372C5499884609A01B2BCA37B973
7f38552bd4
Update esl-parser.c 2021-02-11 13:10:47 -05:00
43313EB9AA87E7039F8F3948282E61C0CB12372C5499884609A01B2BCA37B973
b159eadb2b
Update esl-parser.c 2021-02-10 22:54:37 -05:00
43313EB9AA87E7039F8F3948282E61C0CB12372C5499884609A01B2BCA37B973
cbd8636a73
Update esl-parser.c
certcount can't go over 999.
2021-02-10 22:53:17 -05:00
43313EB9AA87E7039F8F3948282E61C0CB12372C5499884609A01B2BCA37B973
b6d8a4d0fb
Update README.md 2021-02-10 22:52:04 -05:00
43313EB9AA87E7039F8F3948282E61C0CB12372C5499884609A01B2BCA37B973
e4b0795b8b
Update esl-parser.c
Upgraded parser. Needed a way to parse db and dbx backups produced by Windows PowerShell. Need to look into supporting more EFI_GUID values beyond EFI_CERT_X509_GUID and EFI_CERT_SHA256_GUID.
2021-02-10 22:40:06 -05:00
43313EB9AA87E7039F8F3948282E61C0CB12372C5499884609A01B2BCA37B973
1bc45b48b8
Create esl-parser.c
Just throwing something together for parsing ESL files on systems that don't have access to efi-tools.
2020-12-15 18:43:25 -05:00
43313EB9AA87E7039F8F3948282E61C0CB12372C5499884609A01B2BCA37B973
99aec44ed9
Update hex-hashes-to-esl.c 2020-12-11 16:00:38 -05:00
43313EB9AA87E7039F8F3948282E61C0CB12372C5499884609A01B2BCA37B973
66def9f4b0
Update hex-hashes-to-esl.c
Added some extra content to support compilation on Windows.
2020-12-11 12:23:37 -05:00
43313EB9AA87E7039F8F3948282E61C0CB12372C5499884609A01B2BCA37B973
ed059faed9
Update Windows.md
get-filehash does not provide the appropriate hash for use with secure boot. Get-AppLockerFileInformation does properly process and hash PE files.
2020-12-09 18:37:40 -05:00
43313EB9AA87E7039F8F3948282E61C0CB12372C5499884609A01B2BCA37B973
ba934975bd
Update README.md
Dropped the update notice. Going to get everything finished up, or unhelpful sections removed.
2020-12-09 13:43:15 -05:00
43313EB9AA87E7039F8F3948282E61C0CB12372C5499884609A01B2BCA37B973
3c173d7cf0
Create hex-hashes-to-esl.c
Executable program to convert externally calculated SHA256 hashes into ESL files. The hashes are likely to come from pesign or UEFI/BIOS config. Can string together up to 64 hashes into a single ESL. Intended to help with customization automation.
2020-12-08 17:17:34 -05:00
43313EB9AA87E7039F8F3948282E61C0CB12372C5499884609A01B2BCA37B973
805fa7296b
Delete hashes-to-efi-sig-list.c 2020-12-08 17:15:55 -05:00
43313EB9AA87E7039F8F3948282E61C0CB12372C5499884609A01B2BCA37B973
376f574ffd
Update Linux.md
sha256sum is not the right way to calculate hashes for Secure Boot. Binary header information must be removed. Use pesign's hashing mechanism instead.
2020-12-08 17:15:33 -05:00
43313EB9AA87E7039F8F3948282E61C0CB12372C5499884609A01B2BCA37B973
d565133357
Update README.md
Link up the secure boot section -- it's almost done.
2020-11-05 21:56:59 -05:00
43313EB9AA87E7039F8F3948282E61C0CB12372C5499884609A01B2BCA37B973
c4b61bf5d0
Create hashes-to-efi-sig-list.c
Start putting together C program that complements efitools' hash-to-efi-sig-list. Process list of hashes instead of creating a hash and putting it into an ESL. Hash sources are expected to be from UEFI configuration, sha256sum, openssl, system vendor support sites.
2020-11-05 21:40:59 -05:00
43313EB9AA87E7039F8F3948282E61C0CB12372C5499884609A01B2BCA37B973
e714e3a6a0
Update Linux.md
Added more info and testing more quick scripts before placing them in this file.
2020-11-03 18:17:47 -05:00
43313EB9AA87E7039F8F3948282E61C0CB12372C5499884609A01B2BCA37B973
9928bdaea9
Update uchypothetical.md
Added a new paragraph to convey that secure boot customization is not about how good or bad the current ecosystem is. Customization is all about control, use cases, needs, and fear of potential threats.
2020-10-30 16:23:55 -04:00
43313EB9AA87E7039F8F3948282E61C0CB12372C5499884609A01B2BCA37B973
0354c01a64
Update uccompile.md
Added a note about cloud environments.
2020-10-30 15:54:25 -04:00
43313EB9AA87E7039F8F3948282E61C0CB12372C5499884609A01B2BCA37B973
4b6fc8f083
Update Windows.md 2020-10-02 01:06:44 -04:00
43313EB9AA87E7039F8F3948282E61C0CB12372C5499884609A01B2BCA37B973
b1fb8f1298
Update Windows.md
Start adding PS commands
2020-10-02 00:32:40 -04:00
43313EB9AA87E7039F8F3948282E61C0CB12372C5499884609A01B2BCA37B973
2f26c1538d
Update Windows.md
Starting to fill in info.
2020-09-30 18:19:41 -04:00
43313EB9AA87E7039F8F3948282E61C0CB12372C5499884609A01B2BCA37B973
0c341b17d3
Update ucroles.md 2020-09-24 20:44:15 -04:00
43313EB9AA87E7039F8F3948282E61C0CB12372C5499884609A01B2BCA37B973
259d81325d
Update uccompile.md 2020-09-24 20:43:57 -04:00
43313EB9AA87E7039F8F3948282E61C0CB12372C5499884609A01B2BCA37B973
da8f0b1f87
Update uchypothetical.md 2020-09-24 20:43:26 -04:00