Hi Community,
Can I use LuvOS to assess AARCH64 (ARM v8, Cortex A72) devices?
Thanks, Naren
Can I use LuvOS to assess AARCH64 (ARM v8, Cortex A72) devices?
It appears Intel is no longer involved with their LUV project:
https://github.com/intel/luv-yocto/commit/10bda4cf7d64cd36cd282463a5e2b5a536...
The ARM port has not been active for a while, AFAICT.
Current AArch64 port of LUV does not include an ARM port of CHIPSEC, one of the main components needed to "asses" a system.
You might get some coverage on ARM using Microsoft Windows, their Defender AV product just got some UEFI support, presuming that code runs on Intel and AArch64, hoping the latter given that Windows now runs on AArch64. But this is no help for Linux community.
Regardless of LUV status, ask your AArch64 vendor what tool they use instead of CHIPSEC to asses the firmware security of that system. Note the blank state they give you in response, then consider if you should invest in a platform which does not provide adequate security tools.
Linaro: please consider porting CHIPSEC to AArch64. Fork it, if you don't want to deal with an Intel project, it is GPL-licensed. A few of the Intel-centric security tests should apply to UEFI security on ARM64. You don't need all of LUV, just CHIPSEC. Just focus on UEFI-centric CHIPSEC, not the Linux OS-present version, that adds a kernel driver to situation.
CHIPSEC and security automation aside, is there even a list of ARM-based platform security tests, for manual assessment (and to aid in ARM port of CHIPSEC) of AArch64 platform firmware?
On Fri, Jul 03, 2020 at 02:10:36PM -0700, Blibbet wrote:
Can I use LuvOS to assess AARCH64 (ARM v8, Cortex A72) devices?
It appears Intel is no longer involved with their LUV project:
https://github.com/intel/luv-yocto/commit/10bda4cf7d64cd36cd282463a5e2b5a536...
The ARM port has not been active for a while, AFAICT.
Current AArch64 port of LUV does not include an ARM port of CHIPSEC, one of the main components needed to "asses" a system.
You might get some coverage on ARM using Microsoft Windows, their Defender AV product just got some UEFI support, presuming that code runs on Intel and AArch64, hoping the latter given that Windows now runs on AArch64. But this is no help for Linux community.
Regardless of LUV status, ask your AArch64 vendor what tool they use instead of CHIPSEC to asses the firmware security of that system. Note the blank state they give you in response, then consider if you should invest in a platform which does not provide adequate security tools.
Linaro: please consider porting CHIPSEC to AArch64. Fork it, if you don't want to deal with an Intel project, it is GPL-licensed. A few of the Intel-centric security tests should apply to UEFI security on ARM64. You don't need all of LUV, just CHIPSEC. Just focus on UEFI-centric CHIPSEC, not the Linux OS-present version, that adds a kernel driver to situation.
CHIPSEC and security automation aside, is there even a list of ARM-based platform security tests, for manual assessment (and to aid in ARM port of CHIPSEC) of AArch64 platform firmware?
ARM Vendors use this test suite based on luvOS.
https://github.com/ARM-software/sbsa-acs
Graeme
A LuvOS package delivered by Arm via this repo https://github.com/ARM-software/arm-enterprise-acs is run by Arm partners on their platforms to claim ServerReady (https://community.arm.com/developer/ip-products/processors/b/processors-ip-b...) compliance. I am not sure specifically what you want to assess using LuvOS, but if it is about checking SBBR compliance for UEFI FW or SBSA compliance for SoC hardware then you can use the guide in the repo that I shared to run LuvOS on your AArch64 platform. You'll find more info in the documentation.
Regards, Sakar -----Original Message----- From: Linaro-uefi linaro-uefi-bounces@lists.linaro.org On Behalf Of Graeme Gregory Sent: Saturday, July 4, 2020 6:54 PM To: Blibbet blibbet@gmail.com Cc: Narendra Jayram naren.jayram@gmail.com; linaro-uefi@lists.linaro.org Subject: Re: [Linaro-uefi] Enquiry: LuvOS
On Fri, Jul 03, 2020 at 02:10:36PM -0700, Blibbet wrote:
Can I use LuvOS to assess AARCH64 (ARM v8, Cortex A72) devices?
It appears Intel is no longer involved with their LUV project:
https://github.com/intel/luv-yocto/commit/10bda4cf7d64cd36cd282463a5e2 b5a536139fe9
The ARM port has not been active for a while, AFAICT.
Current AArch64 port of LUV does not include an ARM port of CHIPSEC, one of the main components needed to "asses" a system.
You might get some coverage on ARM using Microsoft Windows, their Defender AV product just got some UEFI support, presuming that code runs on Intel and AArch64, hoping the latter given that Windows now runs on AArch64. But this is no help for Linux community.
Regardless of LUV status, ask your AArch64 vendor what tool they use instead of CHIPSEC to asses the firmware security of that system. Note the blank state they give you in response, then consider if you should invest in a platform which does not provide adequate security tools.
Linaro: please consider porting CHIPSEC to AArch64. Fork it, if you don't want to deal with an Intel project, it is GPL-licensed. A few of the Intel-centric security tests should apply to UEFI security on ARM64. You don't need all of LUV, just CHIPSEC. Just focus on UEFI-centric CHIPSEC, not the Linux OS-present version, that adds a kernel driver to situation.
CHIPSEC and security automation aside, is there even a list of ARM-based platform security tests, for manual assessment (and to aid in ARM port of CHIPSEC) of AArch64 platform firmware?
ARM Vendors use this test suite based on luvOS.
https://github.com/ARM-software/sbsa-acs
Graeme
_______________________________________________ Linaro-uefi mailing list Linaro-uefi@lists.linaro.org https://lists.linaro.org/mailman/listinfo/linaro-uefi IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
On 7/4/20 6:23 AM, Graeme Gregory wrote:
[...] ARM Vendors use this test suite based on luvOS.
https://github.com/ARM-software/sbsa-acs
Graeme
Thanks.
Has anyone made a table comparing the SBSA-ACS tests -vs- the CHIPSEC tests, to see if SBSA-ACS includes all of the CHIPSEC tests which apply to ARM?
https://github.com/ARM-software/sbsa-acs/blob/master/docs/testcase-checklist...
-vs-
https://github.com/chipsec/chipsec/wiki/Vulnerabilities-and-CHIPSEC-Modules
https://github.com/chipsec/chipsec/tree/master/tests
Are there plans to include SBSA-ACS tests to FWTS? It has ARM targets. They also include many tests, the UEFI Forum uses FWTS for testing ACPI. There's also some UEFI tests in FWTS that'd be also be interesting to see if SBSA-ACS also covers -- or if they defer to FWTS -- but the CHIPSEC tests are security-centric whereas FWTS is platform stability-centric, and security tests question is more important.
Thanks.
On 7/4/20 6:23 AM, Graeme Gregory wrote:
On Fri, Jul 03, 2020 at 02:10:36PM -0700, Blibbet wrote:
Can I use LuvOS to assess AARCH64 (ARM v8, Cortex A72) devices?
It appears Intel is no longer involved with their LUV project:
https://github.com/intel/luv-yocto/commit/10bda4cf7d64cd36cd282463a5e2b5a536...
The ARM port has not been active for a while, AFAICT.
[...]> ARM Vendors use this test suite based on luvOS.
https://github.com/ARM-software/sbsa-acs
Graeme
One additional, LUV-centric, no CHIPSEC references: ARM-Enterprise-ACS[1] uses LUV. Intel has recently stopped contributing to LUV. Will Linaro maintain an active AArch64-branch of LUV, given Intel's dropping of LUV? Or does the recent Intel LUV change impact ARM-Enterprise-ACS?
Thanks. [1] https://github.com/ARM-software/arm-enterprise-acs
Thanks everyone for stretching helping hands here. I am currently assessing UEFI implementation from a security perspective. Sorry for not giving clarity earlier on.
I earlier tried ACS ( https://github.com/ARM-software/arm-enterprise-acs) and successfully able to run SCT scans to comply with SBBR but not other scans (including SBBR based on Firmware Test Suite). Hence, I was trying to run individual tools separately.
Thanks, Naren
On Sat, Jul 4, 2020 at 11:12 PM Blibbet blibbet@gmail.com wrote:
On 7/4/20 6:23 AM, Graeme Gregory wrote:
On Fri, Jul 03, 2020 at 02:10:36PM -0700, Blibbet wrote:
Can I use LuvOS to assess AARCH64 (ARM v8, Cortex A72) devices?
It appears Intel is no longer involved with their LUV project:
https://github.com/intel/luv-yocto/commit/10bda4cf7d64cd36cd282463a5e2b5a536...
The ARM port has not been active for a while, AFAICT.
[...]> ARM Vendors use this test suite based on luvOS.
https://github.com/ARM-software/sbsa-acs
Graeme
One additional, LUV-centric, no CHIPSEC references: ARM-Enterprise-ACS[1] uses LUV. Intel has recently stopped contributing to LUV. Will Linaro maintain an active AArch64-branch of LUV, given Intel's dropping of LUV? Or does the recent Intel LUV change impact ARM-Enterprise-ACS?
Thanks. [1] https://github.com/ARM-software/arm-enterprise-acs
-
Blibbet -
Graeme Gregory -
Narendra Jayram -
Sakar Arora