CHIPSEC Modules
A CHIPSEC module is just a Python class that inherits from BaseModule and implements is_supported and run. Modules are stored under the chipsec installation directory in a subdirectory “modules”. The “modules” directory contains one subdirectory for each chipset that chipsec supports. There is also a directory for common modules that should apply to every platform.
- chipsec/modules/: modules including tests or tools (that’s where most of the chipsec functionality is)
- chipsec/modules/common/: modules common to all platforms
- chipsec/modules/<platform>/: modules specific to <platform>
- chipsec/modules/tools/: security tools based on the CHIPSEC framework (fuzzers, etc.)
Internally the chipsec application uses the concept of a module name, which is a string of the form common.bios_wp. This means that module common.bios_wp is a Python script called bios_wp.py that is stored at <ROOT_DIR>\chipsec\modules\common\.
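A minimal module in the shape the text describes, as an added example rather than code from the CHIPSEC project: it implements is_supported and run, and keeps its register decode in a pure function so the check can be exercised without hardware. The import names follow chipsec 1.x; the BIOS_CNTL bit layout, the read_register call and the bios_wp_example name are assumptions.

```python
import os

# Added example (not CHIPSEC's own code). chipsec 1.x import names are used;
# the BIOS_CNTL bit layout (BIOSWE=bit 0, BLE=bit 1, SMM_BWP=bit 5) and
# cs.read_register() are assumptions, not taken from the page.
try:
    from chipsec.module_common import BaseModule, ModuleResult
except ImportError:  # chipsec not installed: minimal stand-in so the file runs offline
    class ModuleResult:
        FAILED, PASSED, WARNING, SKIPPED = 0, 1, 2, 3

    class BaseModule:
        def __init__(self):
            self.cs = None  # the framework normally provides the chipset object here
            self.res = ModuleResult.PASSED


def module_path(module_name, root_dir="."):
    """Map a module name such as 'common.bios_wp' to the script that implements it."""
    parts = module_name.split(".")
    return os.path.join(root_dir, "chipsec", "modules", *parts[:-1], parts[-1] + ".py")


def decode_bios_cntl(value):
    """Split a raw BIOS_CNTL register value into its three protection bits (assumed layout)."""
    return {"BIOSWE": (value >> 0) & 1, "BLE": (value >> 1) & 1, "SMM_BWP": (value >> 5) & 1}


def bios_region_write_protected(value):
    """Protected only if BLE locks BIOSWE clear and SMM_BWP confines flash writes to SMM."""
    bits = decode_bios_cntl(value)
    return bits["BLE"] == 1 and bits["BIOSWE"] == 0 and bits["SMM_BWP"] == 1


class bios_wp_example(BaseModule):
    """Hypothetical module; by the naming rule it would live at chipsec/modules/common/bios_wp_example.py."""

    def __init__(self):
        BaseModule.__init__(self)

    def is_supported(self):
        # A real module gates on the detected platform here; this one applies everywhere.
        return True

    def run(self, module_argv):
        value = self.cs.read_register("BIOS_CNTL")  # assumed chipset API
        self.res = ModuleResult.PASSED if bios_region_write_protected(value) else ModuleResult.FAILED
        return self.res
```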
Modules can be mapped to one or more security vulnerabilities being checked. More information can also be found in the documentation for each individual module.
Known vulnerabilities can be mapped to CHIPSEC modules as follows:
| Vulnerability Description | CHIPSEC Module | Example |
|---|---|---|
| SMI event configuration is not locked | common.bios_smi | |
| SPI flash descriptor is not protected | common.spi_desc | |
| SPI controller security override is enabled | common.spi_fdopss | |
| SPI flash controller is not locked | common.spi_lock | |
| Device-specific SPI flash protection is not used | chipsec_util spi write (manual analysis) | |
| SMM BIOS write protection is not correctly used | common.bios_wp | |
| Flash protected ranges do not protect BIOS region | common.bios_wp | |
| BIOS interface is not locked | common.bios_ts | |

| Vulnerability Description | CHIPSEC Module | Example |
|---|---|---|
| Compatibility SMRAM is not locked | common.smm | |
| SMM cache attack | common.smrr | |
| Memory remapping vulnerability in SMM protection | remap | |
| DMA protections of SMRAM are not in use | smm_dma | |
| Graphics aperture redirection of SMRAM | chipsec_util memconfig remap | |
| Memory sinkhole vulnerability | tools.cpu.sinkhole | |

| Vulnerability Description | CHIPSEC Module | Example |
|---|---|---|
| Root certificate | common.bios_wp, common.secureboot.variables | |
| Key exchange keys | common.secureboot.variables | |
| Controls in setup variable (CSM enable/disable, image verification policies, secure boot enable/disable, clear/restore keys) | chipsec_util uefi var-find Setup | |
| TE header confusion | tools.secureboot.te | |
| UEFI NVRAM is not write protected | common.bios_wp | |
| Insecure handling of secure boot disable | chipsec_util uefi var-list | |

| Vulnerability Description | CHIPSEC Module | Example |
|---|---|---|
| Secure boot configuration is stored in unprotected variable | common.secureboot.variables, chipsec_util uefi var-list | |
| Variable permissions are not set according to specification | common.uefi.access_uefispec | |
| Sensitive data (like passwords) are stored in UEFI variables | chipsec_util uefi var-list (manual analysis) | |
| Firmware doesn’t sanitize pointers/addresses stored in variables | chipsec_util uefi var-list (manual analysis) | |
| Firmware hangs on invalid variable content | chipsec_util uefi var-write, chipsec_util uefi var-delete (manual analysis) | |
| Hardware configuration stored in unprotected variables | chipsec_util uefi var-list (manual analysis) | |
| Re-creating variables with less restrictive permissions | chipsec_util uefi var-write (manual analysis) | |
| Variable NVRAM overflow | chipsec_util uefi var-write (manual analysis) | |
| Critical configuration is stored in unprotected CMOS | chipsec_util cmos, common.rtclock | |

| Vulnerability Description | CHIPSEC Module | Example |
|---|---|---|
| Boot block top-swap mode is not locked | common.bios_ts | |
| Architectural features not locked | common.ia32cfg | |
| Memory map is not locked | memconfig | |
| IOMMU usage | chipsec_util iommu | |
| Memory remapping is not locked | remap | |

| Vulnerability Description | CHIPSEC Module | Example |
|---|---|---|
| SMI handlers use pointers/addresses from OS without validation | tools.smm.smm_ptr | |
| Legacy SMI handlers call legacy BIOS outside SMRAM | | |
| INT15 in legacy SMI handlers | | |
| UEFI SMI handlers call UEFI services outside SMRAM | | |
| Malicious CommBuffer pointer and contents | | |
| Race condition during SMI handler | | |
| Authenticated variables SMI handler is not implemented | chipsec_util uefi var-write | |
| SmmRuntime vulnerability | tools.uefi.scan_blocked | |

| Vulnerability Description | CHIPSEC Module | Example |
|---|---|---|
| Software vulnerabilities when parsing, decompressing, and loading data from ROM | | |
| Software vulnerabilities in implementation of digital signature verification | | |
| Pointers stored in UEFI variables and used during boot | chipsec_util uefi var-write | |
| Loading unsigned PCI option ROMs | chipsec_util pci xrom | |
| Boot hangs due to error condition (e.g. ASSERT) | | |

| Vulnerability Description | CHIPSEC Module | Example |
|---|---|---|
| Insufficient protection of S3 boot script table | common.uefi.s3bootscript, tools.uefi.s3script_modify | |
| Dispatch opcodes in S3 boot script call functions in unprotected memory | common.uefi.s3bootscript, tools.uefi.s3script_modify | |
| S3 boot script interpreter stored in unprotected memory | | |
| Pointer to S3 boot script table in unprotected UEFI variable | common.uefi.s3bootscript, tools.uefi.s3script_modify | |
| Critical setting not recorded in S3 boot script table | chipsec_util uefi s3bootscript (manual analysis) | |
| OS waking vector in ACPI tables can be modified | chipsec_util acpi dump (manual analysis) | |
| Using pointers on S3 resume stored in unprotected UEFI variables | chipsec_util uefi var-write | |

| Vulnerability Description | CHIPSEC Module | Example |
|---|---|---|
| Software vulnerabilities when parsing firmware updates | | |
| Unauthenticated firmware updates | | |
| Runtime firmware update that can be interrupted | | |
| Signature not checked on capsule update executable | | |

| Vulnerability Description | CHIPSEC Module | Example |
|---|---|---|
| Software vulnerabilities when handling messages over network interfaces | | |
| Booting unauthenticated firmware over unprotected network interfaces | | |

| Vulnerability Description | CHIPSEC Module | Example |
|---|---|---|
| BIOS keyboard buffer is not cleared during boot | common.bios_kbrd_buffer | |
| DMA attack from devices during firmware execution | | |
Modules
- List of modules
- chipsec.modules.bdw package
- chipsec.modules.byt package
- chipsec.modules.cht package
- chipsec.modules.common package
- chipsec.modules.common.cpu package
- chipsec.modules.common.pscs package
- chipsec.modules.common.pscs.bdfx77 module
- chipsec.modules.common.pscs.dbgbuslck module
- chipsec.modules.common.pscs.dsa_iax module
- chipsec.modules.common.pscs.epmask module
- chipsec.modules.common.pscs.espi_eiss module
- chipsec.modules.common.pscs.gpio_comm module
- chipsec.modules.common.pscs.hidm_lock module
- chipsec.modules.common.pscs.hsfsts module
- chipsec.modules.common.pscs.lttarget_4s module
- chipsec.modules.common.pscs.mtrr module
- chipsec.modules.common.pscs.peci_downstream module
- chipsec.modules.common.pscs.ppin_ctl_lock module
- chipsec.modules.common.pscs.pscs_skx module
- chipsec.modules.common.pscs.range_overlap module
- chipsec.modules.common.pscs.rc_bild module
- chipsec.modules.common.pscs.region_access module
- chipsec.modules.common.pscs.sample module
- chipsec.modules.common.pscs.spi_flill module
- chipsec.modules.common.pscs.spi_regions module
- chipsec.modules.common.pscs.spi_size module
- chipsec.modules.common.pscs.tseg module
- chipsec.modules.common.pscs.ucode module
- chipsec.modules.common.pscs.ucode_fit module
- chipsec.modules.common.pscs.unnamed_067_30c module
- chipsec.modules.common.pscs.unnamed_067_504 module
- chipsec.modules.common.pscs.unnamed_1080_f4 module
- chipsec.modules.common.pscs.unnamed_1087_1dc module
- chipsec.modules.common.pscs.unnamed_1090_f4 module
- chipsec.modules.common.pscs.unnamed_1100_f4 module
- chipsec.modules.common.pscs.unnamed_1107_1dc module
- chipsec.modules.common.pscs.vscc module
- chipsec.modules.common.secureboot package
- chipsec.modules.common.uefi package
- chipsec.modules.common.acpi_lock module
- chipsec.modules.common.acs_pci_check module
- chipsec.modules.common.bios_kbrd_buffer module
- chipsec.modules.common.bios_reset_cpl module
- chipsec.modules.common.bios_reset_done module
- chipsec.modules.common.bios_resilience module
- chipsec.modules.common.bios_smi module
- chipsec.modules.common.bios_ts module
- chipsec.modules.common.bios_wp module
- chipsec.modules.common.biosconfig_check module
- chipsec.modules.common.bmbound_check module
- chipsec.modules.common.bsmmrrh_check module
- chipsec.modules.common.btg module
- chipsec.modules.common.cet module
- chipsec.modules.common.cf9_lock module
- chipsec.modules.common.config_tdp module
- chipsec.modules.common.core_thread_lock module
- chipsec.modules.common.cpptv_client module
- chipsec.modules.common.crashlog module
- chipsec.modules.common.cstate_config module
- chipsec.modules.common.dcd module
- chipsec.modules.common.dco_config module
- chipsec.modules.common.debugenabled module
- chipsec.modules.common.dma_protections module
- chipsec.modules.common.dmirc module
- chipsec.modules.common.dram_ppl module
- chipsec.modules.common.edsr module
- chipsec.modules.common.errinjcon module
- chipsec.modules.common.espi_smi module
- chipsec.modules.common.extended_biosregion module
- chipsec.modules.common.far_mem_encryption module
- chipsec.modules.common.fconfig module
- chipsec.modules.common.fdmi_lock module
- chipsec.modules.common.feature_lock module
- chipsec.modules.common.flex_ratio module
- chipsec.modules.common.gpio module
- chipsec.modules.common.ia32cfg module
- chipsec.modules.common.igd_carr_check module
- chipsec.modules.common.igd_config0 module
- chipsec.modules.common.igd_dfd_restore module
- chipsec.modules.common.igd_mem_map module
- chipsec.modules.common.igd_xref module
- chipsec.modules.common.io_mapping module
- chipsec.modules.common.ltdpr module
- chipsec.modules.common.mcheck_sai module
- chipsec.modules.common.mcscramble module
- chipsec.modules.common.me_check_hmrfpoLock module
- chipsec.modules.common.me_fw_sts module
- chipsec.modules.common.me_mfg_mode module
- chipsec.modules.common.me_protection module
- chipsec.modules.common.me_version module
- chipsec.modules.common.memconfig module
- chipsec.modules.common.memlock module
- chipsec.modules.common.miscctrlsts0 module
- chipsec.modules.common.msdevfunchide module
- chipsec.modules.common.opidebug_lock module
- chipsec.modules.common.p2sb_client module
- chipsec.modules.common.pam123 module
- chipsec.modules.common.pcie_link_tuning module
- chipsec.modules.common.pmax_lock module
- chipsec.modules.common.power_misc module
- chipsec.modules.common.power_plane_lock module
- chipsec.modules.common.powerconfig module
- chipsec.modules.common.prochot module
- chipsec.modules.common.pstate_config module
- chipsec.modules.common.rcba module
- chipsec.modules.common.remap module
- chipsec.modules.common.rowhammer module
- chipsec.modules.common.rtclock module
- chipsec.modules.common.sa_arbiter_lock module
- chipsec.modules.common.sapmctl module
- chipsec.modules.common.satagc_check module
- chipsec.modules.common.sgx_bios module
- chipsec.modules.common.sgx_check module
- chipsec.modules.common.sgx_sai module
- chipsec.modules.common.slpsx_str_pol_lock module
- chipsec.modules.common.smi_gpio module
- chipsec.modules.common.smm module
- chipsec.modules.common.smm_code_chk module
- chipsec.modules.common.smm_dma module
- chipsec.modules.common.smmfctl module
- chipsec.modules.common.smrr module
- chipsec.modules.common.spd_config module
- chipsec.modules.common.spd_wd module
- chipsec.modules.common.spi_access module
- chipsec.modules.common.spi_desc module
- chipsec.modules.common.spi_fdopss module
- chipsec.modules.common.spi_frap module
- chipsec.modules.common.spi_lock module
- chipsec.modules.common.spi_noego module
- chipsec.modules.common.spi_vcl module
- chipsec.modules.common.srdl module
- chipsec.modules.common.srl_locks module
- chipsec.modules.common.strap_lock module
- chipsec.modules.common.tclockdn module
- chipsec.modules.common.tcoctl_lock module
- chipsec.modules.common.thermal_throttle_pwrmbase module
- chipsec.modules.common.thermal_throttle_tbar module
- chipsec.modules.common.tme_key_restore module
- chipsec.modules.common.total_mem_encryption module
- chipsec.modules.common.turbo_activation_ratio module
- chipsec.modules.common.txt_lock_base module
- chipsec.modules.common.ufs_luwplock module
- chipsec.modules.common.vmd module
- chipsec.modules.common.vr_config module
- chipsec.modules.common.vtgenctrl module
- chipsec.modules.dnv package
- chipsec.modules.hsw package
- chipsec.modules.hsx package
- chipsec.modules.ivb package
- chipsec.modules.knl package
- chipsec.modules.misc package
- chipsec.modules.skx package
- chipsec.modules.snb package
- chipsec.modules.spr package
- chipsec.modules.tools package
- chipsec.modules.tools.cpu package
- chipsec.modules.tools.gfx package
- chipsec.modules.tools.hw package
- chipsec.modules.tools.nvme package
- chipsec.modules.tools.reliability package
- chipsec.modules.tools.reliability.brick module
- chipsec.modules.tools.reliability.cmos module
- chipsec.modules.tools.reliability.corrupt_variable module
- chipsec.modules.tools.reliability.memtype_var module
- chipsec.modules.tools.reliability.setup_corrupt module
- chipsec.modules.tools.reliability.setup_delete module
- chipsec.modules.tools.reliability.spd module
- chipsec.modules.tools.reliability.spi module
- chipsec.modules.tools.reliability.spi_region_erase module
- chipsec.modules.tools.reliability.spi_wearout module
- chipsec.modules.tools.reliability.variables module
- chipsec.modules.tools.reliability.variables_delete module
- chipsec.modules.tools.secureboot package
- chipsec.modules.tools.smm package
- chipsec.modules.tools.uefi package
- chipsec.modules.tools.vmm package
- chipsec.modules.tools.vmm.hv package
- chipsec.modules.tools.vmm.hv.define module
- chipsec.modules.tools.vmm.hv.excluded module
- chipsec.modules.tools.vmm.hv.hypercall module
- chipsec.modules.tools.vmm.hv.hypercallfuzz module
- chipsec.modules.tools.vmm.hv.synth_dev module
- chipsec.modules.tools.vmm.hv.synth_kbd module
- chipsec.modules.tools.vmm.hv.vmbus module
- chipsec.modules.tools.vmm.hv.vmbusfuzz module
- chipsec.modules.tools.vmm.vbox package
- chipsec.modules.tools.vmm.xen package
- chipsec.modules.tools.vmm.common module
- chipsec.modules.tools.vmm.cpuid_fuzz module
- chipsec.modules.tools.vmm.ept_finder module
- chipsec.modules.tools.vmm.hypercallfuzz module
- chipsec.modules.tools.vmm.iofuzz module
- chipsec.modules.tools.vmm.msr_fuzz module
- chipsec.modules.tools.vmm.pcie_fuzz module
- chipsec.modules.tools.vmm.pcie_overlap_fuzz module
- chipsec.modules.tools.vmm.venom module
- chipsec.modules.tools.bios_wpd module
- chipsec.modules.tools.bme module
- chipsec.modules.tools.generate_test_id module
- chipsec.modules.tools.gfx_dma module
- chipsec.modules.tools.hw_seq module
- chipsec.modules.tools.igd_config0_write module
- chipsec.modules.tools.ipc_fuzz module
- chipsec.modules.tools.sgx_var module
- chipsec.modules.tools.speed_select module
- chipsec.modules.tools.spi_wrsdis module
- chipsec.modules.tools.sw_seq module
- chipsec.modules.tools.vtd_cap module
- chipsec.modules.tools.wsmt module
- chipsec.modules.biosguard module
- chipsec.modules.dci module
- chipsec.modules.mclock module
- chipsec.modules.pmc module
- chipsec.modules.spec_ctrl module