Intel metadata command by orangecms · Pull Request #399 · linuxboot/fiano

orangecms · 2023-01-17T15:35:07Z

The command prints some metadata for Intel firmware images.

It includes information on cryptographic material, security configation, and whether a known leaked Boot Guard key has been used.
Note that the intent is not to replicate https://github.com/9elements/converged-security-suite but to offer a simple command to print the metadata. Intepretation would be up to other UIs, such as fiedka.app.

I have no idea what makes sense to add. Help wanted.

codecov-commenter · 2023-01-17T16:21:32Z

Codecov Report

Base: 42.20% // Head: 42.20% // No change to project coverage 👍

Coverage data is based on head (0f1122c) compared to base (8a127a6).
Patch coverage: 100.00% of modified lines in pull request are covered.

Additional details and impacted files

@@           Coverage Diff           @@
##             main     #399   +/-   ##
=======================================
  Coverage   42.20%   42.20%           
=======================================
  Files         125      125           
  Lines        8978     8978           
=======================================
  Hits         3789     3789           
  Misses       4484     4484           
  Partials      705      705

Impacted Files	Coverage Δ
pkg/intel/metadata/bg/bgkey/manifest.go	`0.00% <ø> (ø)`
pkg/intel/metadata/cbnt/cbntkey/manifest.go	`0.00% <ø> (ø)`
...ntel/metadata/bg/bgkey/manifest_manifestcodegen.go	`52.20% <100.00%> (ø)`
.../metadata/cbnt/cbntkey/manifest_manifestcodegen.go	`66.16% <100.00%> (ø)`

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

☔ View full report at Codecov.
📢 Do you have feedback about the report comment? Let us know in this issue.

xaionaro · 2023-04-17T21:27:59Z

pkg/intel/metadata/common/manifestcodegen/pkg/analyze/scan.go

 	buildCtx := build.Default
 	buildCtx.GOPATH = strings.Join(goPaths, string(filepath.ListSeparator))
 	buildCtx.BuildTags = append(buildCtx.BuildTags, `manifestcodegen`)
+	fmt.Printf("search for `%v` in `%v` (%v) \n\n", path, goPaths, buildCtx.GOPATH)


Looks like leftover garbage :)

it's from the debug commit - to be dropped once this whole thing is ready, being a draft as of now
I had other stuff to do... but now is an interesting time to get back to BoitGuard things, so here I am back on it again :)

tlaurion · 2024-09-12T21:01:32Z

Leak article containing magnet link to private keys: https://sizeof.cat/post/leak-intel-private-keys-msi-firmware/
Next steps discussion (inviting your opinion/insights for turning this into something good, maybe...): https://matrix.to/#/!HAonmNlisbeoADmnrN:matrix.org/$x9dssPoXOOR8qgLTkAdWL3Y5bhbGB8npf8WHwnYS8Lg?via=matrix.org&via=kit.edu&via=invisiblethingslab.com

CC: @orangecms

tlaurion · 2024-09-12T21:02:04Z

@orangecms : why draft and not merged?

orangecms · 2024-09-12T21:12:01Z

@orangecms : why draft and not merged?

not sure what to reply - it's been a draft... I'd be happy to team up with someone to finish this up. Doing it all alone is quite exhausting.

tlaurion · 2024-09-12T21:15:28Z

@orangecms : why draft and not merged?

not sure what to reply - it's been a draft... I'd be happy to team up with someone to finish this up.
What areas need help? Maybe adding label "help needed" and areas where work is needed (todo) in OP with a minimal description for this PR would help?

If you didn't pointed here from a twitter/X url from somwwhere else, I would never landed here.
Not sure I can help here other then trying to get you helped by those who could help :)

Doing it all alone is quite exhausting.

Keep on, I know how lonely doing a project most alone sometimes feels. Slow and steady.
Otherwise, The goal should be to make other want to help, know where to help, what/where they should help in the goal of receiving help more easily for those that can help, isn't it? :)

tlaurion · 2024-09-12T21:21:54Z

#399 (comment)
_ No description provided. _

That doesn't help receiving needed help, that is for sure, nor the generic title "Intel metadata command" of this PR :)
Please don't burn out. Help will come, hopefully.

tlaurion · 2024-09-12T21:24:40Z

Leak article containing magnet link to private keys: https://sizeof.cat/post/leak-intel-private-keys-msi-firmware/ Next steps discussion (inviting your opinion/insights for turning this into something good, maybe...): https://matrix.to/#/!HAonmNlisbeoADmnrN:matrix.org/$x9dssPoXOOR8qgLTkAdWL3Y5bhbGB8npf8WHwnYS8Lg?via=matrix.org&via=kit.edu&via=invisiblethingslab.com

CC: @orangecms

Let me know your thoughts here or there. Don't forget to tag @tlaurion(github) or insurgo(matrix). I might otherwise miss it.

orangecms · 2024-09-12T21:44:54Z

What should I say?

I'm doing lots of stuff. Doing more and more to attract others hasn't worked out. I want to make computers more comprehensible, and that's about it. I'm not burning out or anything, I just put the priorities on what seems interesting. There is a hundred things I could use lots of help with.

If you really want to help out, let's hop on a multi-hour Jitsi session, work through this, and get it into the main branch. :-)

tlaurion · 2024-09-13T15:24:02Z

@orangecms I restate the PR should have a description and areas where help is needed should be stated to move this PR from draft-> ready for review. Unfortunately this is not my area of expertise and I do not think I have neither the interest/time/needed skills to make this go forward on my own, but doing those little things might get this move forward by others having the interest/time/skills.

orangecms · 2024-09-13T16:16:23Z

@orangecms I restate the PR should have a description and areas where help is needed should be stated to move this PR from draft-> ready for review. Unfortunately this is not my area of expertise and I do not think I have neither the interest/time/needed skills to make this go forward on my own, but doing those little things might get this move forward by others having the interest/time/skills.

Neither do I have time nor any clue. There is no public documentation, and I just put two and two together.
As I said, I put my priorities as I do, and if someone wants to pair up to get this into a good initial state, I'm open for that.
I've added a description reflecting that.

rminnich

This all seems very reasonable, time to make it not a draft?

cmds/intelmeta/main.go

orangecms · 2024-09-16T19:46:42Z

This all seems very reasonable, time to make it not a draft?

yea, let me get back to this over the next days - a similar thing is #351

essentially, Fiano has lots of APIs but not so many CLIs, and those here are simple enough to just parse a ton of stuff; that's how I started with Fiedka before fully integrating everything, since it's easy to just take fixtures and transform them

cmds/bginfo/main.go

rminnich · 2024-09-18T18:57:18Z

cmds/intelmeta/main.go

+	flagJSON = flag.Bool("j", false, "Output as JSON")
+)
+
+func getLeakedKeys() ([10][]byte, error) {


Is there a reason to specify 10 here? not just a slice?

It's just my lack of Go knowledge. This whole thing is just hacked up.

cmds/intelmeta/main.go

rminnich · 2024-09-18T19:00:42Z

pkg/intel/metadata/fit/ent_startup_ac_module_entry.go

 )

 // EntrySACM represents a FIT entry of type "Startup AC Module Entry" (0x02)
-type EntrySACM struct{ EntryBase }


SACM as a name b/c it matches the many docs. Many you can have a comment to the effect that
SACM
means
Startup Anchor Cove Module

or some such.

I will just revert this change, it isn't necessary. It helped me to change it when I worked on this because I cannot remember all those damn acronyms.

OTOH, we also have EntryDiagnosticACM - so ... I think going with EntryStartupACM is actually sensible and I'll adjust the docs, too. I didn't know that Go strongly couples doc semantics with identifiers.

cmds/bginfo/main.go

cmds/intelmeta/main.go

cmds/km/main.go