Monday, December 31, 2018

STM, Mu, Chaos

This should be my last blog of 2018, so I'll keep it short.

I just wanted to note a couple of news items on the SMI Transfer Monitor which I long ago noted in The NSA's evolution of the design as a checker was described earlier this year and now has a public example This work, along with the patches to Xen to support the launch of the STM provides an exciting example of this technology being enabled.

Speaking of SMM, an interesting study of building systems without SMM was mentioned by an Intel colleague in the OCP talk described at As opposed to jailing SMM code with an STM, this approach speaks to alternatives to implement capabilities formerly found in OEM SMM code in UEFI runtime and other portions of the platform.

Beyond the STM there is other interesting happenings in the world of open source firmware, including Microsoft's 'Project Mu' described in the blog posting and represented by various Github repositories There are interesting elements to be found, including test infrastructure and On the security front, UEFI crypto interfaces and a secure configuration infrastructure for zero touch management can be found. These packages meet the spirit of the more 'code first' methodology I mentioned on slide 15 of, for example. I've been told that although some folks in the Redmond area refer to UEFI as YOO-FEE, no one refers to Project Mu as MOO-FEE.

Regarding EFI topics on Github, I opined about the EFI Byte Code (EBC) many years ago, including challenges with natural integers, so I was happy to hear about an open source compiler with an EBC back-end I haven't dug in to see how they handle the sizeof(INTN) issue or if they just support x64. Either way, good stuff seeing the open source community pick up on this gap.

For my final topic I'd like to cover a talk from the Chaos Communications Conference (CCC). Watching this over the holiday has been a ritual of mine since I learned of talks like Trammell's Thunderstrike talk in 2014. This year's talk of interest was given by the organizer of OSFC Zaolin. He mentioned the EFI on U-Boot work, which I find valuable since having alternate clean-room implementations helps increase the quality of the standard. Without alternate implementations, a single code base can become the de facto standard (recall the byte swap bug from my last blog). A couple of the data items were a bit off, though, such as the timeline with  "1998 Apple EFI by Intel" when Apple didn't convert to EFI until the x86 transition in 2005

The PowerPC Macs prior to the transition used Open Firmware based upon Forth. Maybe the first article in can provide a better timeline? Beyond small nits like the latter, though, it was a great talk and advocacy for more openness in firmware. This blog also had a short mention in the talk, too.

Other talks at CCC I liked include which reinforces the argument around using safer languages in low-level code like device drivers. And of course I cannot forget Trammell's talk It was a definite counterpoint to the Portland BSides panel on this topic. When I asked Joe F. about the variety of panel members he smiled and replied "yes, we have diversity. Some of the panel members have beards, some don't." Ah, 2019.

Here's looking forward to a safe and productive 2019.

© 2018, Vincent Zimmer. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License

Tuesday, November 27, 2018

API's, Sandbox's, and 400

As with my blog entries of late, below are some random thoughts based upon readings or events.  To begin I came across the article that made me think about the API's I mentioned in the last blog and how implementations have made consistent API's. Sometimes an API is defined but later discover implementation artifacts that contradict the specification. One such API is the storage security command protocol. At the time this API was defined I worked with the OS teams on coding this, I had inadvertently done a byte swap on one of the arguments, making it big-endian. In general the UEFI specification has a little-endian ABI. Since there were a plurality of implementations that had shipped in OS's and platforms, we 'fixed' the issue by codifying this behavior, viz.,

This change reminds me of challenges in enforcing memory protection in the UEFI phase, naming making code non-writable and data pages non-executable This was fine in principal, especially for DXE which is OEM only extensible, but for the 3rd party extensible boot service phase which requires binary .efi application and driver compatibility back to those early 1998 days, we found that some applications, like OS loaders, allocate a data page and copy code into which control is passed.  This type of data page to code page is something that the UEFI image loader can provide since it understands this semantic, but a UEFI implementation enforcing protection during the application phase sees these data allocations for custom image loaders as attacks.  And this behavior is baked into years of shipped OS loaders. We saw similar classes of app compat issues in UEFI drivers when we deployed since many drivers did not call PCI Map/Unmap for common buffer DMA since on x86 host and i/o memory are coherent and regular page allocations 'just worked.'

Some of these issues lead people to post items like and but are really aspects of challenges in retrofitting security. Sandboxing is one potential security retrofit that has long interested me and for which I was reminded by Halvarflake talk A couple of examples of sandboxing in UEFI PI via SMM STM and VMM in EFI can be found in & the ancient 2008 paper For UEFI runtime we've mentioned UEFI runtime with EFI_MEMORY_ATTRIBUTES_TABLE.

So on from random readings to other events. This week I achieved my 400th US patent:

Valles, Zimmer, "Cluster anomaly detection using function interposition," Issued 11/27/2018, US patent #10,140,449

Ironic that I've been reading Ovshinky biography lately, and he's listed at 400 issued, too For some perspective on the long-game of patents, I crossed the 300 mark in 2014

And it was six years ago when I archieved 250

During this run of patents I've worked on lots of 'boot', including
EFI measured boot, UEFI secure boot, netboot6, and HTTP boot

So many boot* activities over the past decade+. I used to say things like 'boot from a tennis shoe' when I had a simple mental model to explicate, but stopped using it during the last few years since that's a potential use case (IOT?).

And on observing the arc of time, I hearken back to the early days of patenting on any milestone. For #400 I cannot but recall #1, the now expired "System and Method for Trap Address Mapping for Fault Isolation." Mil Travnicek, my original hiring manager at Intel, encouraged me to file this item in my first year at Intel. I still recall the 1/1 with Mil where he provided this feedback.

Speaking of Mil, after working for Mil on the first Itanium server firmware and moving on to EFI, I bumped into Mil in the hallway of DuPont, maybe sometime in 2000, and his query "Vincent, do you think it's a good idea doing something like EFI and moving away from compatibility? You know, we're really good at compatibility." Interesting sentiment given today's boot experience of UEFI on Aarch64, RISC-V and quite radical non-PC class x86 machine. Also, given my last posting of circa 1998 boot service compatibility and top of this blog, maybe UEFI is the new 'compatibility' box?

As a quick aside on the topic of compatibility, I enjoyed Tim Lewis on the topic

As a final thought on patents, I don't get so excited by raw number of patents alone. To me patents have always been part of a flow, and I also heard an interesting comment in a a interview with a former Apple engineer who said something like "having lots of patents means you worked for a company that files patents."

So that's enough for tonight, I'd say. Until next time....

© 2018, Vincent Zimmer. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License 

Sunday, October 14, 2018

Ghosts of....

Ghosts of GUID's past. This post, like, many of my recent ones, walks backward in time. Recent events usually stir these memories. If you're not such a fan old these mutterings, I'd pass on this mid-month posting.

To begin, I couldn't help but remember during the F-Secure talk at Blue Hat recently.

That MEMORY_ONLY_RESET_CONTROL_GUID was GuidGen.exe'd from my erstwhile cubicle in DuPont, WA I guess that I can now say 'buried' (thanks Fish for the latest pic) former campus.
This, along with other buried piles of GUIDs in the EDK code, the UEFI specification, and the PI specification emanated from that dank DuPont corner cubicle. I've seen prezo's like this Bluehat one commencing in 2007 with Heasman's UEFI Black Hat talk through a decade of folks searching for GUID's in binaries and mentioning them in prezos and papers.

At the beginning of the hardware track a researcher came up to me and asked "Are you Vincent Zimmer? You're famous, man." I replied, "Er, 'famous', or 'infamous', given the queued up talks." He replied, "Nah, famous." That was nice.

Speaking of ghosts of technology past and true rock stars, people have been remarking this year that UEFI is a '20 year old technology.' I was curious about the precision of those statements, so I looked into an early Intel Boot Initiative (IBI) tree. IBI was the original name of EFI. I found the following. 


Copyright (c) 1998  Intel Corporation

Module Name:



    Global IBI runtime & boot service interfaces


    Ken Reneris     Oct-14-1998

Revision History


// IBI Memory

    IN IBI_ALLOCATE_TYPE            Type,
    IN IBI_MEMORY_TYPE              MemoryType,
    IN UINTN                        NoPages,

    IN IBI_PHYSICAL_ADDRESS         Memory,
    IN UINTN                        NoPages

    IN OUT UINTN                    *MemoryMapSize,
    OUT UINTN                       *MapKey

    IN IBI_MEMORY_TYPE              PoolType,
    IN UINTN                        Size,
    OUT VOID                        **Buffer

    IN VOID                         *Buffer

// IBI Events

typedef enum {

    IN IBI_EVENT                Event,
    IN VOID                     *Context

    IN IBI_EVENT_TYPE           Type,
    IN IBI_TPL                  Tpl,
    IN IBI_EVENT_NOTIFY         NotifyFunction,
    IN VOID                     *NotifyContext,
    OUT IBI_EVENT               *Event

typedef enum {

    IN IBI_EVENT                Event,
    IN IBI_TIMER_DELAY          Type,
    IN UINT64                   TriggerTime

    IN IBI_EVENT                Event

    IN IBI_EVENT                Event

// Task priority level

#define TPL_NORMAL         4
#define TPL_CALLBACK       8
#define TPL_NOTIFY        16 
#define TPL_HIGH_LEVEL    31 

    IN IBI_TPL      NewTpl

    IN IBI_TPL      NewTpl

// IBI platform varibles

    { 0x8BE4DF61, 0x93CA, 0x11d2, 0xAA, 0x0D, 0x00, 0xE0, 0x98, 0x03, 0x2B, 0x8C }

// Variable attributes
#define IBI_VARIABLE_NON_VOLATILE           0x00000001
#define IBI_VARIABLE_RUNTIME_ACCESS         0x00000004

    IN CHAR16                       *VariableName,
    IN IBI_GUID                     *VendorGuid,
    OUT UINT32                      *Attributes OPTIONAL,
    IN OUT UINTN                    *DataSize,
    OUT VOID                        *Data

    IN OUT UINTN                    *VariableNameSize,
    IN OUT CHAR16                   *VariableName,
    IN OUT IBI_GUID                 *VendorGuid

    IN CHAR16                       *VariableName,
    IN IBI_GUID                     *VendorGuid,
    IN UINT32                       Attributes,
    IN UINTN                        DataSize,
    IN VOID                         *Data


It looks like today is makes one milestone of 20 years if you use source artifacts as a sign post. You'll notice the code below matches chapter 7 of pretty closely, too (i.e., replace 'IBI' with 'EFI'). The code author is the same Ken Reneris mentioned in the Beyond BIOS acknowledgement, too.

Although there's no explicit mention of IBI in the UEFI specification, it still lingers in

#define EFI_SYSTEM_TABLE_SIGNATURE 0x5453595320494249



Moving on from Bluehat and IBI, I am surprised by the feedback around Linus T's behavior

I recall one event (maybe the 2015 OSTS mentioned in when I was introduced to Linus as a 'UEFI guy, so tell him what you don't like.'  Linus said 'That UEFI runtime is really screwed up.' I replied 'I agree, especially services like SetVirtualAddress that are not idempotent, so they break things like kexec where the latter kernel cannot re-invoke the service.' He looked at me and said 'Hmmm, but I like the UEFI Shell for debugging.' I responded 'It's OK, I guess.'  At this point the Linux die-hard who had initiated the interaction was fuming and shouted 'But Linus, what about ACPI?' Linus then looked at us both and said 'But wasn't ACPI screwed up before EFI and UEFI?'  Good times.

My philosophy on getting strident feedback from open source leaders, whether Linus, Minnich, or the spectrum in-between on the net, is to not take it person 'how' the message is delivered, but 'why.' I use the analogy of the bazooka.  Don't cavil about the calibre of weapon, but try to figure out why it's aimed at me. Often it's because the party delivering the message is passionate about a legitimate concern, and my job entails trying to understand and make progress against 'fixing' the concern, if possible.

Final thoughts are on grabbing the free Friday sessions as CppCon in Bellevue. I was impressed with the wisdom behind
As recently as a day ago I had to remind someone that adding new behavior to a 20 year API without changing software visible version indicia, such as version field or GUID of the API, was a doomed path. They replied 'but everyone builds with the latest code.' To which I responded 'that makes sense within one company, but the point of standardized API's is interoperability, and for the latter you cannot dictate the provenance or age of the caller.'

Speaking of Bellevue and the Pacific Northwest, I'll leave with a couple of shots from Namely a 'before'

and 'after'
of the salmon.

© 2018, Vincent ZimmerThis work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License 

Wednesday, September 26, 2018

East, and further east

Since I last blogged the Open Compute Project Open System workstream has continued to evolve Part of the feedback from that community helped inform the decision to liberalize the Intel FSP license, too A theme here includes trying to ease system development.

A lot of those efforts were driven out of the Seattle area, but I made my first sojourn east to for I followed the Trammell Hudson's presentation, which is always tough given his presentation prowess. This reminded me of the time when the Toorcamp organizer put my EFI defense talk immediately after Dan Griffin's EFI attack talk. In the end I got to know Dan and appreciated his offensive work since great offense inspires more strident defense.

The platform security summit was a great opportunity to engage with companies concerned about the transparency of open platforms, system assurance, and firmware. There has been a lot of discussion about moving to RUST, including the sentiment from Ron Minnich about today's proliferation of ring 0 C code "Too much writing of code, too little thought about not writing code, and it's all too easy nowadays just to barf out a couple KLOCs without thinking things through."  I'm especially interest in the potential ability to do verification actions, such as

I was pondering that while traveling back from DC when I bumped into David Aucsmith
Aucsmith while awaiting a return flight to Seattle. Dave provided me the insight the use Ceremonies as a model for system provisioning back at CanSecWest in 2015 in addition to the legendary contributions he made at Intel. I asked Dave what he though of language based security, such as RUST, and he simply replied to me, "If this is such as consideration, why haven't you been coding in Ada" coreboot even has a Ada runtime and I don't see much community support, so maybe Dave is on to something.....

After returning to Seattle, I steeled myself for the 'further east' journey, namely visiting Erlangen, Germany for I am honored to have been invited to deliver the keynote for this multi-firmware community event. What a passage of time since it makes 15 years since my first Intel Developer Forum solo talk Fast forward and I get to make a solo keynote.

Ironically, my keynote preceded Trammell's security keynote and he amazing slip-streamed my image into slide 10 of his deck

I tried not to 'preach' about firmware, especially since the event was held in a Church.

I also had the opportunity to provide security overviews w/ Maggie for the security hack-a-thon at the event.

I was definitely among my firmware brethren, of which I was reminded with pages like 'booting is hard.' Yes, it is.

Here's a shot of the event location from the outside.

I mentioned the Intel Firmware Support Package (FSP) in the event. That evening event a Swiss engineer answer my query about what I was eating with "It's like an FSP. We know what's on the outside,

but often not what's on the inside."

Nice. Firmware humor on top of the technical conversation and information exchange flow. Speaking of flow, I was reminded of the importance to share knowledge when an engineer early in his career asked for a signature of

Since last blogging I'm happy to have also participated in documenting more of the Intel platform behaviors, albeit the small core SOC, too. To me it's another tactic on how to scale knowledge and empower communities.

Finally, I'm glad to be back in the Pacific Northwest this week. Today and tomorrow I'm at Blue Hat which is a short walk from the Intel office. And no presenter-angst.

So no multi-hour flights, security lines, or strange hotel rooms

If you're around Blue Hat and catch this blog, say hello.

© 2018, Vincent ZimmerThis work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License 

Monday, July 2, 2018

The march of time

Driving home from Intel Hillsboro Friday night I took a small detour through DuPont, WA. Typically night fall precludes seeing the old campus, but given the summertime extended days, I took a chance.

The campus sign is still there

but as noted in the blog post
we were moved from the campus to further north in WA a few years back. Afterward Intel sold the campus to another company.

DuPont Building 2, or "DP-2," the specific building shown in the above posting

has become


Little profundity found in the erstwhile company sign or the visitor parking sign compared to, but seeing my original Intel campus building disappear nevertheless saddened me.

The march of time.

© 2018, Vincent ZimmerThis work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License 

Friday, June 22, 2018

system firmware past / present / future

From the evening event at the living history museum
for UW alumni I snapped a few photos.

Beginning with a working Xerox Alto

and continuing into a product category that never failed to intrigue me, namely the mainframes and mini's.

Especially after re-reading

From the Xerox device
I possibly found a use for

that was defined so many years ago.

Continuing on the big iron is the CDC 6500

with its space age looking terminal

and culminating with the famous IBM 360 where instruction set compatibility was pioneered.

As part of Paul Allen endowing the computer science department we also received commemorative diplomas.  Pretty cool.

From admiring the history of computing in the SODO district of Seattle, I spent a few days in the humid suburbs of Washington DC as the platform security summit Many exciting presentations from across the industry. I was invited to speak about openness and server firmware with the following presentation

Following on the spirit of openness, I was honored to be invited to keynote the upcoming open source firmware summit The landing page for my talk will be This should follow the arc on reducing friction and providing transparency for host firmware development.

And on a final note, it appears as if the USPTO has issued its 10 millionth patent on June 19th. My first issued US patent #5,940,587 based upon my Intel work caught the tail end of the 5 million wave, whereas my last two issued Intel Patents book-ended this milestone, namely last week's #9,998,284 and this week's #10,002,002, respectively. Amazing ramp of issue rate from the patent office

© 2018, Vincent ZimmerThis work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License 

Thursday, March 22, 2018

Open platforms and 21 or Anniversary.Next^6

This covers my 6th blog aligned with my work anniversary, a successor to I always mean to post this on the anniversary day, but I'm a bit laggard this year. Luckily this is a personal blog with random musings, so I don't have to worry about conformance to an SLA or other criteria... This anniversary year marks crossing the 21 year marker. As a multiple of 7, we have both a lucky number and also a milestone for sabbatical eligibility.

The journey has taken many twists and turns, commencing in 1997 with joining Intel to work on Merced boot firmware for server platforms. Merced was Intel's first 64-bit Itanium CPU. I am awed by scope of firmware changes, from that era of bringing up a new CPU, leading to events like this week where an open source EDKII based server firmware is announced at the Open Compute Project (OCP) Conference and

For the latter, the system stack roughly follows the figure shared with the OCP Open System Firmware (OSF) effort  

The server provides a minimal viable product design based upon the Min-Platform that we introduced with client in The specific server platform is Mt. Olympus described in

Some of the design rationale for the minimum platform design approach can be found in which has been updated to cover the server port.

Here are a couple of salient pages from this week's OCP deep-dive session on this topic which describes work in the Open System Firmware (OSF) workstream

This is a forum where cloud service providers (CSP's), hardware, firmware, and software parties can engage on how to further ease development of servers in a more open, community fashion. This includes many types of lower-level boot firmware, OS hand-off interfaces, etc. Very much a pragmatic, 'getting things done' type of group.

Again back to the scale of scale. For the original Itanium we had closed source SAL, PAL, BIOS, and partially open source EFI sample. Now we can build a server image from content off the web. Quite the evolution over these last 2 decades.

Beyond the bits and bytes of the technology, the view of others on platform firmware standards like UEFI and ACPI is sometimes amusing. For example, many people type 'uEFI' (micro-EFI?) versus the full UEFI, or pronounce UEFI as 'YOO-FEE.'  We typically just pronounce each letter, U-E-F-I. Less often I've heard ACPI as ACK-PEE, including Heasman in his '07 talk This reminds me of my teen-age years, pre-internet, and growing up in Texas, when I'd read a lot of philosophy books, including Berkeley and Hegel. When I later had an opportunity to discuss these writers with others, I'd invariably mispronounce the names (e.g., HEGEL versus HAY-GEL, BERKLEY versus BARK-LEY). I guess we've all had this problem of reading a name for years but not hearing it spoken aloud.

It's time to close this tardy blog. I surely missed addressing some interesting events since my last blog posting given the many month absence from blogging. As such, the choice of topics herein less represent overall importance than proximity in time. So please assess using that lens.

© 2018, Vincent ZimmerThis work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License