Intel metadata command #399
Conversation
Force-pushed from 84629e5 to 0b5bfca.
Codecov Report: Base: 42.20% // Head: 42.20% // No change to project coverage

Coverage Diff (main vs. #399):

            main     #399    +/-
Coverage    42.20%   42.20%
Files       125      125
Lines       8978     8978
Hits        3789     3789
Misses      4484     4484
Partials    705      705

View full report at Codecov.
@@ -43,6 +43,7 @@ func getRawPkg( | |||
buildCtx := build.Default | |||
buildCtx.GOPATH = strings.Join(goPaths, string(filepath.ListSeparator)) | |||
buildCtx.BuildTags = append(buildCtx.BuildTags, `manifestcodegen`) | |||
fmt.Printf("search for `%v` in `%v` (%v) \n\n", path, goPaths, buildCtx.GOPATH) |
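Review bot: The `fmt.Printf` at the end of this hunk is debug output left in `getRawPkg`: it writes the search path and the computed `buildCtx.GOPATH` to stdout on every call, which will pollute the output of any tool that uses this package. Drop it before the PR leaves draft, or route it through a logger behind a verbose flag.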
Looks like leftover garbage :)
it's from the debug commit - to be dropped once this whole thing is ready, being a draft as of now
I had other stuff to do... but now is an interesting time to get back to BootGuard things, so here I am back on it again :)
Force-pushed from 595edd5 to da19e31.
Leak article containing magnet link to private keys: https://sizeof.cat/post/leak-intel-private-keys-msi-firmware/ CC: @orangecms
@orangecms : why draft and not merged?
not sure what to reply - it's been a draft... I'd be happy to team up with someone to finish this up. Doing it all alone is quite exhausting.
If I hadn't been pointed here from a Twitter/X URL somewhere else, I would never have landed here.
Keep on, I know how lonely doing a project mostly alone sometimes feels. Slow and steady.
That doesn't help with receiving needed help, that is for sure, nor does the generic title "Intel metadata command" of this PR :)
Let me know your thoughts here or there. Don't forget to tag @tlaurion (GitHub) or insurgo (Matrix). I might otherwise miss it.
What should I say? I'm doing lots of stuff. Doing more and more to attract others hasn't worked out. I want to make computers more comprehensible, and that's about it. I'm not burning out or anything, I just put the priorities on what seems interesting. There are a hundred things I could use lots of help with. If you really want to help out, let's hop on a multi-hour Jitsi session, work through this, and get it into the main branch. :-)
@orangecms I restate that the PR should have a description, and the areas where help is needed should be stated, to move this PR from draft -> ready for review. Unfortunately this is not my area of expertise and I do not think I have the interest, time, or needed skills to make this go forward on my own, but doing those little things might get this moved forward by others who have the interest/time/skills.
Neither do I have time nor any clue. There is no public documentation, and I just put two and two together. |
This all seems very reasonable, time to make it not a draft?
yea, let me get back to this over the next days - a similar thing is #351 essentially. Fiano has lots of APIs but not so many CLIs, and those here are simple enough to just parse a ton of stuff; that's how I started with Fiedka before fully integrating everything, since it's easy to just take fixtures and transform them.
flagJSON = flag.Bool("j", false, "Output as JSON") | ||
) | ||
|
||
func getLeakedKeys() ([10][]byte, error) { |
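Review bot: `getLeakedKeys` returning a fixed-size `[10][]byte` bakes the current count of known leaked keys into the signature, so every caller changes when another key becomes known; return `[][]byte` (or a named slice type) instead, and if the keys are embedded constants the `error` return is likely unnecessary. A doc comment stating what these keys are and where the list comes from would also help anyone reading the JSON output this command produces.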
Is there a reason to specify 10 here? not just a slice?
It's just my lack of Go knowledge. This whole thing is just hacked up.
@@ -18,11 +18,11 @@ import ( | |||
) | |||
|
|||
// EntrySACM represents a FIT entry of type "Startup AC Module Entry" (0x02) | |||
type EntrySACM struct{ EntryBase } |
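Review bot: The doc comment on `EntrySACM` should spell the acronym out once ("Startup Authenticated Code Module") so readers who do not have the Intel FIT spec open can follow it, and if the type is renamed to `EntryStartupACM` as discussed below, the comment must start with the new identifier in the same change, since godoc and the linters key the comment to the name it introduces.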
SACM as a name b/c it matches the many docs. Maybe you can have a comment to the effect that SACM means "Startup Anchor Cove Module" or some such.
I will just revert this change, it isn't necessary. It helped me to change it when I worked on this because I cannot remember all those damn acronyms.
OTOH, we also have EntryDiagnosticACM - so ... I think going with EntryStartupACM is actually sensible and I'll adjust the docs, too. I didn't know that Go strongly couples doc semantics with identifiers.
Signed-off-by: Daniel Maslowski <[email protected]>
manifest v2.1

Test images: https://www.gigabyte.com/Motherboard/H410M-H-V3-rev-10-12/support#support-dl-bios
Key leakage test images: https://www.msi.com/Laptop/Pulse-GL76-12UX/support?sub_product=Pulse-GL76-12UEK https://download.msi.com/bos_exe/nb/E17L3IMS.10D.zip https://download.msi.com/bos_exe/nb/E17L3IMS.10E.zip

Signed-off-by: Daniel Maslowski <[email protected]>
This makes it easier to grasp. Intel docs also spell it out. See: https://www.intel.com/content/dam/develop/external/us/en/documents/firmware-interface-table-bios-specification-r1p2p1.pdf

Signed-off-by: Daniel Maslowski <[email protected]>
The IndexIOAddress variant only applies for version 0.

Signed-off-by: Daniel Maslowski <[email protected]>

Force-pushed from f45267c to fea7a79.
Thanks for all the suggestions so far! I've pushed a handful of fixups. And this whole thing had been left in a state of "I have no idea what all of this is" - really because I had never found the time to look into and make sense of everything. There is a lot of stuff I cannot know due to lack of public docs. That's why I'm still looking for help.
I think it makes sense to make this here part of the analysis command I drafted in #351.
The command prints some metadata for Intel firmware images.
It includes information on cryptographic material, security configuration, and whether a known leaked Boot Guard key has been used.
Note that the intent is not to replicate https://github.com/9elements/converged-security-suite but to offer a simple command to print the metadata. Interpretation would be up to other UIs, such as fiedka.app.
I have no idea what makes sense to add. Help wanted.
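The first thing a metadata command like this one has to do is locate the Startup ACM, key manifest and other entries through the Firmware Interface Table. As an added example that is not fiano's code, the following decodes the 16-byte FIT entries laid out in the Intel FIT spec linked in the commits above, checks the checksums, and returns the entries so the Startup ACM (type 0x02) can be picked out; the checksum rules are my reading of the spec, and the sample table is constructed for the demonstration.

```go
package main
import "encoding/binary"
import "fmt"

// Entry is one 16-byte FIT entry (layout from the Intel FIT BIOS spec linked in the commits
// above): address(8), size(3), reserved(1), version(2), type(1, bit 7 = C_V "checksum valid"), checksum(1).
type Entry struct {
	Address uint64
	Size    uint32
	Version uint16
	Type    uint8 // 0x02 is the Startup ACM ("SACM") entry discussed above
	CV      bool
}
func byteSum(b []byte) (s uint8) {
	for _, v := range b {
		s += v
	}
	return
}
// ParseFIT decodes a FIT table. The header (type 0, address = ASCII "_FIT_   ", Size = entry count)
// checksums the whole table when C_V is set; any other entry with C_V set must sum to 0 mod 256 on
// its own. That is my reading of the spec, not fiano's implementation.
func ParseFIT(t []byte) ([]Entry, error) {
	if len(t) < 16 || string(t[:8]) != "_FIT_   " || t[14]&0x7f != 0 {
		return nil, fmt.Errorf("missing or malformed FIT header")
	}
	n := int(t[8]) | int(t[9])<<8 | int(t[10])<<16
	if n == 0 || n*16 > len(t) || (t[14]&0x80 != 0 && byteSum(t[:n*16]) != 0) {
		return nil, fmt.Errorf("bad entry count %d or FIT table checksum mismatch", n)
	}
	out := make([]Entry, n)
	for i := range out {
		r := t[i*16 : (i+1)*16]
		out[i] = Entry{binary.LittleEndian.Uint64(r), uint32(r[8]) | uint32(r[9])<<8 | uint32(r[10])<<16,
			binary.LittleEndian.Uint16(r[12:]), r[14] & 0x7f, r[14]&0x80 != 0}
		if i > 0 && out[i].CV && byteSum(r) != 0 {
			return nil, fmt.Errorf("entry %d (type 0x%02x) checksum mismatch", i, out[i].Type)
		}
	}
	return out, nil
}
func SampleFIT() []byte { // constructed sample table: FIT header plus a Startup ACM entry
	t := make([]byte, 32)
	copy(t, "_FIT_   ")
	t[8], t[13], t[14] = 2, 1, 0x80 // 2 entries, version 0x0100, C_V set on the header
	binary.LittleEndian.PutUint64(t[16:], 0xFFFE0000)
	t[29], t[30] = 1, 0x82   // version 0x0100, C_V | type 0x02 (Startup ACM)
	t[31] = -byteSum(t[16:]) // per-entry checksum
	t[15] = -byteSum(t)      // header checksum covers the whole table
	return t
}
```

On a real image the table is found through the FIT pointer at 0xFFFFFFC0 in the memory-mapped BIOS region rather than constructed as here.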