Windows Installation¶
Note
CHIPSEC has removed support for the RWEverything (https://rweverything.com/) driver due to PCI configuration space access issues.
Install CHIPSEC Dependencies¶
Python 3.8 or higher (https://www.python.org/downloads/)
Note
CHIPSEC has deprecated support for Python2 since June 2020
To install requirements:
pip install -r windows_requirements.txt
which includes:
pywin32: for Windows API support (pip install pywin32)
setuptools (pip install setuptools)
WConio2: Optional. For colored console output (pip install Wconio2)
To compile the driver:
Visual Studio and WDK: for building the driver.
For best results use the latest available (VS2022 + SDK/WDK 11 or VS2019 + SDK/WDK 10 or 11)
Note
Make sure to install compatible VS/SDK/WDK versions and the spectre mitigation packages
To clone the repo:
git: open source distributed version control system
Building¶
Clone CHIPSEC source
git clone https://github.com/chipsec/chipsec.git
Build the Driver and Compression Tools
python setup.py build_ext -i
Note
If build errors are with signing are encountered, try running as Administrator The .vcxproj file points to the latest SDK, if this is incompatible with the WDK, change the configuration to a compatible SDK within the project properties
Turn off kernel driver signature checks¶
Enable boot menu
In CMD shell:
bcdedit /set {bootmgr} displaybootmenu yes
With Secure Boot enabled:
Method 1:
In CMD shell:
shutdown /r /t 0 /o
or Start button -> Power icon -> SHIFT key + RestartNavigate: Troubleshooting -> Advanced Settings -> Startup Settings -> Reboot
After reset choose F7 or 7 “Disable driver signature checks”
Method 2:
Disable Secure Boot in the BIOS setup screen then disable driver signature checks as with Secure Boot disabled
With Secure Boot disabled:
Method 1:
- Boot in Test mode (allows self-signed certificates)
Start CMD.EXE as Adminstrator
BcdEdit /set TESTSIGNING ON
Reboot
- If this doesn’t work, run these additional commands:
BcdEdit /set noIntegrityChecks ON
BcdEdit /set loadoptions DDISABLE_INTEGRITY_CHECKS
Method 2:
Press F8 when booting Windows and choose “No driver signatures enforcement” option to turn off driver signature checks
Alternate Build Methods¶
Build CHIPSEC kernel driver with Visual Studio
Method 1:
Open the Visual Studio project file (drivers/windows/chipsec_hlpr.vcxproj) using Visual Studio
Select Platform and configuration (X86 or x64, Release)
Go to Build -> Build Solution
Method 2:
Open a VS developer command prompt
> cd <CHIPSEC_ROOT_DIR>\drivers\windows
- Build driver using msbuild command:
> msbuild /p:Platform=x64
or
> msbuild /p:Platform=x32
If build process is completed without any errors, the driver binary will be moved into the chipsec helper directory:
<CHIPSEC_ROOT_DIR>\chipsec\helper\windows\windows_amd64 (or i386)
Build the compression tools
Method:
Navigate to the chipsec_toolscompression directory
Run python setup.py build
Copy the EfiCompressor.cp<pyver>-win_<arch>.pyd file from build/lib.win-<arch>-<pyver> to the root chipsec directory
Alternate Method to load CHIPSEC service/driver
To create and start CHIPSEC service
sc create chipsec binpath="<PATH_TO_SYS>" type= kernel DisplayName="Chipsec driver"
sc start chipsec
When finished running CHIPSEC stop/delete service:
sc stop chipsec
sc delete chipsec
Windows PCI Filter Driver¶
Filter driver background
Since July 31, 2020 Microsoft has released Windows 2020-KB4568831 (OS Build 19041.423) Preview. Microsoft recommends to not access the PCI configuration space using the legacy API, as it might result in the Windows BSOD (Blue Screen of Death). The BSOD trigger condition is “Windows version >= (OS Build 19041.423) && Secure Devices (SDEV) ACPI table && VBS enabled”. Therefore, CHIPSEC now includes a PCI filter driver which supplements the original CHIPSEC Windows Driver to access the PCI configuration space. A system requires the PCI Filter Driver if the conditions above are met.
Windows devices that receive the 2020-KB4568831 (OS Build 19041.423) Preview or later updates restrict how processes can access peripheral component interconnect (PCI) device configuration space if a Secure Devices (SDEV) ACPI table is present and Virtualization-based Security (VBS) is running. Processes that have to access PCI device configuration space must use officially supported mechanisms.The SDEV table defines secure hardware devices in ACPI. VBS is enabled on a system if security features that use virtualization are enabled. Some examples of these features are Hypervisor Code Integrity or Windows Defender Credential Guard. The new restrictions are designed to prevent malicious processes from modifying the configuration space of secure devices. Device drivers or other system processes must not try to manipulate the configuration space of any PCI devices, except by using the Microsoft-provided bus interfaces or IRP. If a process tries to access PCI configuration space in an unsupported manner (such as by parsing MCFG table and mapping configuration space to virtual memory), Windows denies access to the process and generates a Stop error. For more detail please refer below link: https://learn.microsoft.com/en-us/troubleshoot/windows-client/performance/stop-error-lenovo-thinkpad-kb4568831-uefi
Filter Driver and Main Helper Driver Architecture
Install PCI Filter Driver¶
1. Locate the Filter Driver Files: chipsec/helper/windows/windows_amd64/
2. Update The PCI Device Driver From Device Manager
3. Browse The PCI Filter Driver
4. Manually Select The PCI Bus Filter Driver
5. Install The Filter Driver From Disk
6. Installing The Filter Driver
7. Finish The Filter Driver Installing
8. Restart Computer
9. Check The Installed Device Driver From Device Manager
10. Check The Driver Device Info
Filter Driver Access PCI Config Space Test¶
Dump PCI Config Test
- PCI Enumeration Test