/chipsec-check

Tools to generate a Debian Linux distribution with chipsec to test hardware requirements


Validation environment for hardware security requirements

This repository contains tools and documentation for validating the hardware configuration of an x86 platform, especially its security.

The goal is to facilitate security requirements verification, for example when ordering PC platforms for the French administration.

The requirements themselves are published in a separate document (in French as well).

The provided tools can be used to build a bootable USB key. This key can boot in the following modes:

  • the first is built around the chipsec tool published by Intel, integrated in a Debian live distribution, which can be used to check the platform configuration registers.
  • the second is built around the keytool.efi binary, which can be used to inspect and modify the SecureBoot key list. In this mode, the USB key can be used to check that the platform will accept new, custom SecureBoot keys.

What is tested with those tools is detailed in the doc/output folder:

  • modules_chipsec.pdf explains the expected output from the chipsec tool
  • CPU Options.pdf details the security-related CPU options on Intel x86 platform
  • SPI Protection.pdf details protection of the SPI flash hosting the BIOS code
  • SRAM Protection.pdf details register configuration for correct protection of the memory mapping (especially for SMRAM protection against SMM attacks)

The documentation folder also provides guidance on how to build the USB keys.

ISO images of pre-built USB keys are available in the releases section. Be aware that they are signed using a key generated by the developers and should only be used for demonstration purposes. You are strongly advised to generate your own CA and keys if you intend to use them for real testing.