scan_blocked module

This module checks the current contents of the UEFI firmware ROM, or a specified firmware image, for blocked EFI binaries: EFI firmware volumes, EFI executable binaries (PEI modules, DXE drivers, etc.) or EFI sections. The module identifies EFI binaries by their UI names, EFI GUIDs, MD5/SHA-1/SHA-256 hashes, or contents matching specified regular expressions.

Important! This module can only detect what it knows about from its config file. If a bad or vulnerable binary is not detected, its ‘signature’ needs to be added to the config.
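To make the matching rules concrete, here is an added example (not chipsec's own code) of a minimal matcher that applies the four kinds of criteria named above to decoded EFI binaries; the blocklist layout, the GUIDs, names and binary contents are all constructed for illustration and are not the real blockedlist.json.

```python
import hashlib
import re

# Constructed sample EFI binary contents (not a real module image).
SAMPLE_BINARY = b"MZ\x90\x00" + b"\x00" * 32 + b"BadString42" + b"\x00" * 16

# Constructed blocklist mirroring the four match kinds named in the module
# description; the layout is an assumption, not the real blockedlist.json.
BLOCKLIST = {
    "constructed_entry": {
        "description": "constructed sample, matched by GUID, name, hash or regexp",
        "match": {
            "by_guid": {"guid": "11111111-2222-3333-4444-555555555555"},
            "by_name": {"name": "SampleBlockedDxe"},
            "by_sha256": {"sha256": hashlib.sha256(SAMPLE_BINARY).hexdigest()},
            "by_regexp": {"regexp": r"BadString[0-9]+"},
        },
    }
}

HASH_KEYS = ("md5", "sha1", "sha256")
RULE_KEYS = ("name", "guid", "regexp") + HASH_KEYS

def efi_binary_matches(binary, rule):
    """Return True if one blocklist rule matches a decoded EFI binary.

    `binary` is a dict with keys name, guid and data (bytes). Every criterion
    present in the rule must hold (AND); GUIDs and hex digests compare
    case-insensitively. A rule with no known criterion never matches, so a
    malformed config entry cannot silently flag every binary.
    """
    if not any(k in rule for k in RULE_KEYS):
        return False
    if "name" in rule and rule["name"] != binary.get("name"):
        return False
    if "guid" in rule and rule["guid"].lower() != (binary.get("guid") or "").lower():
        return False
    for alg in HASH_KEYS:
        if alg in rule and hashlib.new(alg, binary["data"]).hexdigest() != rule[alg].lower():
            return False
    if "regexp" in rule and re.search(rule["regexp"].encode(), binary["data"]) is None:
        return False
    return True

def scan_blocked(binaries, blocklist=BLOCKLIST):
    """Return (entry_name, rule_name, binary_name) for every rule that hits."""
    hits = []
    for entry_name, entry in blocklist.items():
        for rule_name, rule in entry["match"].items():
            for b in binaries:
                if efi_binary_matches(b, rule):
                    hits.append((entry_name, rule_name, b.get("name")))
    return hits
```

Only binaries whose signature is present in the blocklist are reported, which is exactly the limitation the note above describes.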

Usage: -i -m tools.uefi.scan_blocked [-a <fw_image>,<blockedlist>]
  • fw_image Full file path to the UEFI firmware image. If not specified, the module dumps the firmware image directly from ROM

  • blockedlist JSON file with the configuration of blocked EFI binaries (default = blockedlist.json). The config file should be located in the same directory as this module


>>> -m tools.uefi.scan_blocked

Dumps the UEFI firmware image from the flash memory device, decodes it, and checks for blocked EFI modules defined in the default config blockedlist.json

>>> -i --no_driver -m tools.uefi.scan_blocked -a uefi.rom,blockedlist.json

Decodes the uefi.rom binary containing a UEFI firmware image and checks for blocked EFI modules defined in the blockedlist.json config


  • The -i and --no_driver arguments can be used in this case because the test does not depend on the platform, and no kernel driver is required when a firmware image is specified