CHIPSEC: Platform Security Assessment Framework

CHIPSEC is a framework for analyzing the security of PC platforms including hardware, system firmware (BIOS/UEFI), and platform components. It includes a security test suite, tools for accessing various low level interfaces, and forensic capabilities. It can be run on Windows, Linux, and UEFI shell. Instructions for installing and using CHIPSEC can be found in the manual.

NOTE: This software is for security testing purposes. Use at your own risk.

Read WARNING.txt before using.

Questions? Enter a new issue labeled as question, or e-mail chipsec@intel.com.

Announcements

Oct 2015: Version 1.2.2 released!

This version includes the following new or updated modules:

1. Updated tools.smm.smm_ptr to perform exhaustive fuzzing of SMI handler for insufficient input validation pointer vulnerabilities
2. Updated smm_dma to remove TSEGMB 8MB alignment check and to use XML "controls". Please recheck failures in smm_dma.py with the new version.
3. Updated common.bios_smi, common.spi_lock, and common.bios_wp to use XML "controls"
4. Updated common.uefi.s3bootscript which automatically tests protections of UEFI S3 Resume Boot Script table
5. Updated tools.uefi.s3script_modify which allows further manual testing of protections of UEFI S3 Resume Boot Script table
6. Added the following VMM security testing modules:
   • tools.vmm.cpuid_fuzz to test CPUID instruction emulation by VMMs
   • tools.vmm.iofuzz to test port I/O emulation by VMMs
   • tools.vmm.msr_fuzz to test CPU Model Specific Registers (MSR) emulation by VMMs
   • tools.vmm.pcie_fuzz to test PCIe device memory-mapped I/O (MMIO) and I/O ranges emulation by VMMs
   • tools.vmm.pcie_overlap_fuzz to test handling of overlapping PCIe device MMIO ranges by VMMs
7. Added tools.vmm.venom to test for VENOM vulnerability

This version includes the following new functionality:

1. Added hal.cpu component to access x86 CPU functionality. Removed hal.cr which merged to hal.cpu
2. Added chipsec_util cpu utility, removed chipsec_util cr
3. Added S3 boot script opcodes encoding functionality in hal.uefi_platform
4. Added hal.iommu, cfg/iommu.xml and chipsec_util iommu to access IOMMU/VT-d hardware
5. Added chipsec_util io list to list predefined I/O BARs
6. Added support for Broadwell, Skylake, IvyTown, Jaketown and Haswell Server CPU families
7. Added ability to define I/O BARs in XML configuration using register attriute similarly to MMIO BARs
8. Added UEFI firmware volume assembling functionality in hal.uefi
9. Implemented alloc_phys_mem in EFI helper

This version includes the following fixes:

1. When calling alloc_phys_mem, the argument to set maximum physical address (max_pa) for allocation is ignored on linux. A message will be printed in dmesg if the allocation is above the max_pa that is passed in, but the call will return anyway.

This version has the following known issues:

1. Decompression of images in SPI flash parsing is not available in UEFI shell.
2. UEFI Shell environment does not support cpuid or get_thread_count. There are functions that simply warn that they are not supported.
3. Size of PCIEXBAR (MMCFG) is calculated incorrectly

June 2015: Version 1.2.0 released!

This version includes the following new or updated modules:

1. Merged common.secureboot.keys module into common.secureboot.variables module
2. Updated tools.secureboot.te module to be able to test PE/TE issue on Linux or UEFI shell
3. Updated tools.smm.smm_ptr module

This version includes the following updates:

1. Added the controls abstraction. Modules are encouraged to use get_control and set_control when interacting with platform registers. This permits greater flexibility in case the register that controls a given feature or configuration changes between platform generations. The controls are defined in the platform XML file. At this time, only a small number of controls are defined. We plan to move existing modules over to this new mechanism.
2. Added XML Schema for the XML configuration files
3. Support for reading, writing, and listing UEFI variables from the UEFI Shell environment has been added.
4. Added support for decompression while SPI flash parsing via decode or uefi decode commands in Linux
5. Added basic ACPI table parsing to HAL (RSDP, RSDT/XSDT, APIC, DMAR)
6. Added UEFI tables searching and parsing to HAL (EFI system table, runtime services table, boot services table, DXE services table, EFI configuration table)
7. Added DIMM Serial Presence Detect (SPD) ROM dumping and parsing to HAL
8. Added uefi s3bootscript command parsing the S3 boot script to chipsec_util.py #. Added virtual-to-physical address translation function to Linux/EFI/Windows helpers
9. Added support of server platforms (Haswell server and Ivy Town) to chipset.py

This version has the following known issues:

1. Decompression of images in SPI flash parsing is not available in UEFI shell.
2. When calling alloc_phys_mem, the argument to set maximum physical address (max_pa) for allocation is ignored on linux. A message will be printed in dmesg if the allocation is above the max_pa that is passed in, but the call will return anyway.
3. UEFI Shell environment does not support cpuid or get_thread_count. There are functions that simply warn that they are not supported.
4. Size of PCIEXBAR (MMCFG) is calculated incorrectly

March 2015: A New Class of Vulnerabilities in SMI Handlers and release of smm_ptr tool.

August 2014: Summary of Attacks Against BIOS and Secure Boot and related CHIPSEC modules at DEFCON 22

March 2014: Announcement at CanSecWest 2014 and first public release!