I used chipsec to evaluate my hardware.
And I got the following report:
[-] Software has write access to SPI flash descriptor
[-] FAILED: SPI flash permissions allow SW to write flash descriptor
I looked at the chipsec source code and found that this is read from the FRAP
register (SPIBAR + 50h).
However, I can't find the spec on how to read the SPI flash descriptor itself.
I found some code from flashrom:
It reads the SPI flash descriptor using MMIO, but I also don't know how to
write it (writing to the same register that is read has no effect).
I suspect I have a rootkit around, but I don't know where. I tried to dump my UEFI installation and extracted some strings.
This is what I found:
<30>[ 31.343046] systemd: Set hostname to <amnesia>.
<30>[ 31.346636] systemd: Initializing machine ID from random generator.
<29>[ 32.879891] systemd: /email@example.com:9: PIDFile= references path below legacy directory /var/run/, updating /var/run/tor/tor.pid
<28>[ 32.910650] systemd: /lib/systemd/system/tails-gdm-failed-to-start.service:11: Ignoring unknown escape sequences: "MAX_LENGTH=254 ; PREFIX="Error starting GDM with your graphics card: " ; SUFFIX=". Please
take note of this error and visit https://tails.boum.org/gdm for troubleshooting." ; MAX_VIDEO_CARD_LENGTH=$(($MAX_LENGTH - $(echo -n "$PREFIX$SUFFIX" | wc -c))) ; VIDEO_CARD=$(lspci -d::0300 -nn | sed -E "s,.* VGA
compatible controller \[0300\]: *,," | cut -c "1-$MAX_VIDEO_CARD_LENGTH") ; /bin/plymouth display-message --text="$PREFIX$VIDEO_CARD$SUFFIX" "
<30>[ 30.848308] systemd: Inserted module 'autofs4'
<30>[ 31.262810] systemd: systemd 240 running in system mode. (+PAM +AUDIT +SELINUX +IMA +APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD -IDN2 +IDN -PCRE2 defau
<30>[ 31.282862] systemd: Detected architecture x86-64.
<30>[ 31.355048] systemd: Set hostname to <amnesia>.
<30>[ 31.356024] systemd: Initializing machine ID from random generator.
<29>[ 32.853978] systemd: /firstname.lastname@example.org:9: PIDFile= references path below legacy directory /var/run/, updating /var/run/tor/tor.pid
Is it normal to find systemd logs in a UEFI image dump?
I have used Tails 3 or 4 times, so it could be that UEFI took the systemd logs, I don't know.
I have also found strings like the following:
ASCII: %Microsoft Windows Production PCA 20110
ASCII: Canonical Ltd.1402
ASCII: +Canonical Ltd. Master Certificate Authority0
but these would be parts of the certificates because of Secure Boot.
I also tried to check the image against the chipsec blacklist module; it gave me a loop error about lack of RAM. It was something like "can't allocate ram" or something like that.
Do I have to open a bug?
Thank you very much for your help.
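Decoding the FRAP value behind the chipsec result above, and reading the region table out of the descriptor in a flash dump, as an added example that is not chipsec's or flashrom's code; register and descriptor layouts follow the Intel PCH datasheets, and the FRAP values and descriptor bytes are constructed samples:

```python
import struct

# Added example, not chipsec or flashrom code. Layouts follow the Intel PCH
# datasheets: FRAP (SPIBAR + 0x50) holds BRRA in bits 7:0 and BRWA in bits 15:8,
# one bit per region; the descriptor carries signature 0x0FF0A55A at offset 0x10,
# FLMAP0 at 0x14 and the FLREGn table at FRBA. Five-region numbering is assumed.
REGIONS = ["Descriptor", "BIOS", "ME", "GbE", "Platform Data"]
DESC_SIGNATURE = 0x0FF0A55A

def decode_frap(frap: int) -> dict:
    """Per-region read/write access implied by FRAP's BRRA/BRWA fields."""
    brra, brwa = frap & 0xFF, (frap >> 8) & 0xFF
    return {name: {"read": bool((brra >> i) & 1), "write": bool((brwa >> i) & 1)}
            for i, name in enumerate(REGIONS)}

def descriptor_writable(frap: int) -> bool:
    """The condition chipsec reports as FAILED: BRWA bit 0 (descriptor) is set."""
    return decode_frap(frap)["Descriptor"]["write"]

def parse_descriptor(flash: bytes) -> list:
    """Region table as (name, base, limit) from the first 4 KiB of a flash dump."""
    sig = struct.unpack_from("<I", flash, 0x10)[0]
    if sig != DESC_SIGNATURE:
        raise ValueError(f"no descriptor signature at 0x10 (got {sig:#010x})")
    flmap0 = struct.unpack_from("<I", flash, 0x14)[0]
    frba = ((flmap0 >> 16) & 0xFF) << 4       # region base address, 16-byte units
    regions = []
    for i, name in enumerate(REGIONS):
        flreg = struct.unpack_from("<I", flash, frba + 4 * i)[0]
        base = (flreg & 0x7FFF) << 12         # 4 KiB granularity
        limit = (((flreg >> 16) & 0x7FFF) << 12) | 0xFFF
        if base <= limit:                     # unused regions encode base > limit
            regions.append((name, base, limit))
    return regions

def build_sample_descriptor() -> bytes:
    """Constructed 4 KiB descriptor: 8 MiB flash, BIOS at 0x500000-0x7FFFFF."""
    buf = bytearray(0x1000)
    struct.pack_into("<I", buf, 0x10, DESC_SIGNATURE)
    struct.pack_into("<I", buf, 0x14, 0x04 << 16)   # FRBA = 4 * 16 = 0x40
    flregs = [0x00000000, 0x07FF0500, 0x04FF0001, 0x00007FFF, 0x00007FFF]
    for i, v in enumerate(flregs):
        struct.pack_into("<I", buf, 0x40 + 4 * i, v)
    return bytes(buf)

if __name__ == "__main__":
    for frap in (0x00001F1F, 0x00000A0B):          # constructed FRAP values
        print(f"FRAP {frap:#010x}: descriptor writable = {descriptor_writable(frap)}")
    for name, base, limit in parse_descriptor(build_sample_descriptor()):
        print(f"{name:14s} {base:#09x}-{limit:#09x}")
```

On a real machine, read FRAP from SPIBAR + 0x50 (chipsec's `spi` module exposes it) and pass it to decode_frap; a BRWA with bit 0 set is exactly the state the FAILED line reports.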