
Auditing UEFI Firmware with CHIPSEC

Authorized Use Only: CHIPSEC loads a kernel driver and reads/writes low-level hardware registers, SPI flash, and SMM. Run it only on systems you own or are explicitly authorized to assess, ideally on dedicated test hardware. Misuse (especially write/modify modules) can brick a machine. Never run write-capable modules on production systems.

Overview

CHIPSEC is the open-source Platform Security Assessment Framework created by Intel's Advanced Threat Research team. It inspects the low-level security configuration of x86 platform firmware and hardware: the layer below the operating system where bootkits and firmware implants live. CHIPSEC loads a kernel driver on Linux or Windows (it can also run from the UEFI shell) to read and write hardware registers, Model-Specific Registers (MSRs), PCI configuration space, SPI flash, and UEFI variables, then runs an automated test suite that checks whether the platform's defensive locks are actually engaged.

The threat CHIPSEC addresses is MITRE ATT&CK T1542.001 (Pre-OS Boot: System Firmware): adversaries modify the system firmware image (the BIOS/UEFI image on SPI flash) to gain stealthy, persistent control that survives the OS. Firmware implants persist across OS reinstallation and disk replacement and are invisible to most EDR. CHIPSEC's value is verifying the prerequisites that prevent such implants: that the SPI flash BIOS region is write-protected (BIOS_CNTL BLE/SMM_BWP, SPI Protected Ranges), that the flash descriptor locks region access, that SMRAM/SMRR are configured, and that Secure Boot variables are protected. It also dumps the SPI flash for offline forensic comparison.

Sources: Intel/CHIPSEC project (https://github.com/chipsec/chipsec), CHIPSEC documentation (https://chipsec.github.io/).
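To make the BIOS write-protection check concrete, here is an added example (not CHIPSEC's code, and not part of the original skill) that decodes the two register sets behind it and applies decision rules modelled on what CHIPSEC's common.bios_wp module reports: PASSED when BLE is set, BIOSWE is clear and SMM_BWP restricts writes to SMM; WARNING when only SPI Protected Ranges cover the BIOS region; FAILED otherwise. The bit layout assumed is the Intel 7-series-and-later PCH layout (BIOS_CNTL: bit 0 BIOSWE, bit 1 BLE, bit 5 SMM_BWP; PRx: bit 31 WPE, bits 28:16 PRL, bit 15 RPE, bits 12:0 PRB, in 4 KiB pages). All register values and the BIOS region bounds are constructed; on real hardware they come from the platform's flash descriptor and PCH registers, which CHIPSEC reads for you.

```python
"""Decode and evaluate PCH BIOS write-protection registers.

Added example, not CHIPSEC code. Assumed register layouts (Intel 7-series
and later PCH):
  BIOS_CNTL: bit 0 BIOSWE, bit 1 BLE, bit 5 SMM_BWP
  SPI PRx:   bit 31 WPE, bits 28:16 PRL, bit 15 RPE, bits 12:0 PRB
             (PRB/PRL are 4 KiB page numbers; the limit page is inclusive)
All register values and region bounds in this file are constructed.
"""
from dataclasses import dataclass

PASSED, WARNING, FAILED = "PASSED", "WARNING", "FAILED"


@dataclass(frozen=True)
class BiosCntl:
    bioswe: bool   # BIOS Write Enable: 1 = flash writes allowed
    ble: bool      # BIOS Lock Enable: setting BIOSWE raises an SMI
    smm_bwp: bool  # SMM BIOS Write Protect: writes only from SMM


def decode_bios_cntl(value: int) -> BiosCntl:
    return BiosCntl(bioswe=bool(value & 0x01),
                    ble=bool(value & 0x02),
                    smm_bwp=bool(value & 0x20))


@dataclass(frozen=True)
class ProtectedRange:
    base: int    # first protected flash byte
    limit: int   # last protected flash byte (inclusive)
    wpe: bool    # write protection enabled for this range
    rpe: bool    # read protection enabled for this range


def decode_pr(value: int) -> ProtectedRange:
    prb = value & 0x1FFF
    prl = (value >> 16) & 0x1FFF
    return ProtectedRange(base=prb << 12,
                          limit=(prl << 12) | 0xFFF,
                          wpe=bool(value & (1 << 31)),
                          rpe=bool(value & (1 << 15)))


def region_fully_write_protected(prs, region) -> bool:
    """True if the union of write-enabled PRs covers every byte of region."""
    start, end = region
    cur = start
    active = [p for p in prs if p.wpe and p.base <= p.limit]
    for pr in sorted(active, key=lambda p: p.base):
        if pr.base > cur:
            break                    # an uncovered gap before this range
        cur = max(cur, pr.limit + 1)
        if cur > end:
            return True
    return cur > end


def assess_bios_write_protection(bios_cntl_value, pr_values, bios_region):
    """Return (status, findings); rules modelled on common.bios_wp's verdicts."""
    bc = decode_bios_cntl(bios_cntl_value)
    prs = [decode_pr(v) for v in pr_values]
    findings = []
    if bc.ble and not bc.bioswe:
        if bc.smm_bwp:
            findings.append("BIOS region write protection enabled (writes restricted to SMM)")
            return PASSED, findings
        findings.append("BLE set but SMM_BWP clear: enhanced SMM-only protection not enabled")
    else:
        findings.append("BIOS region write protection via BIOS_CNTL is disabled")
    # Fallback: SPI protected ranges can still make the whole BIOS region read-only
    if region_fully_write_protected(prs, bios_region):
        findings.append("SPI protected ranges cover the whole BIOS region")
        return WARNING, findings
    findings.append("BIOS region is writable from the OS")
    return FAILED, findings


if __name__ == "__main__":
    # Constructed sample: BIOS region at 0x600000-0xFFFFFF of a 16 MiB flash
    region = (0x00600000, 0x00FFFFFF)
    samples = {
        "locked (BLE+SMM_BWP)": (0x22, []),
        "unlocked, no PRs": (0x01, []),
        "unlocked, PR0 covers BIOS region": (0x00, [0x8FFF0600]),
        "BLE only, PR0 covers part of region": (0x02, [0x89FF0600]),
    }
    for name, (cntl, prs) in samples.items():
        status, notes = assess_bios_write_protection(cntl, prs, region)
        print(f"{name}: {status}")
        for n in notes:
            print(f"  - {n}")
```

The coverage check matters more than it looks: a single PR that protects only part of the BIOS region leaves the rest writable, so the example insists that the sorted, write-enabled ranges cover the region with no gaps before it reports even a WARNING.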

When to Use

  • Baseline firmware-security assessment of a new laptop/server platform or fleet image
  • Verifying that BIOS write protection and SPI flash locks are correctly enabled by the OEM
  • Firmware forensics: dumping SPI flash to compare against a known-good image
  • Validating Secure Boot variable protection and S3 boot-script protection
  • Hunting for evidence of a firmware implant or misconfiguration enabling one
auditing-uefi-firmware-with-chipsec — mukul975/anthropic-cybersecurity-skills