Whether you are new to Linux or a seasoned Linux systems administrator, knowing the hardware and firmware on your systems is essential. Firmware that is out-of-date can pose security and operational risks. I advise you to keep up with firmware updates before you are impacted by an attacker with a shiny new exploit or some elusive crash of your system. While there are numerous utilities and commands that can provide insight into the state of your firmware, with some being included in your distribution and others available from your favorite package manager, keeping them handy or even scripting them can make your job that much easier. What follows is a fairly comprehensive list, with examples, of commands that allow you to discover the state of various hardware and firmware.
Secure Boot
To report the state of Secure Boot the mokutil command is the most straightforward:
$ mokutil --sb-state SecureBoot disabled
Of course, on certain platforms mokutil will also report the configuration state of Secure Boot:
$ mokutil --sb-state SecureBoot disabled Platform is in Setup Mode
I also like the “bootctl” command because it will report the Secure Boot state in addition to the setup mode value (with more consistency) and currently active bootloaders:
$ bootctl status
systemd-boot not installed in ESP.
System:
Firmware: n/a (n/a)
Secure Boot: disabled
Setup Mode: setup
Available Boot Loaders on ESP:
ESP: /boot/efi (/dev/disk/by-partuuid/56aada5c-a01a-3b4e-b04e-40e1d4003074)
Boot Loaders Listed in EFI Variables:
Title: Manjaro
ID: 0x0000
Status: active, boot-order
Partition: /dev/disk/by-partuuid/56aada5c-a01a-3b4e-b04e-40e1d4003074
File: └─/EFI/MANJARO/GRUBX64.EFI
Title: UEFI OS
ID: 0x0001
Status: active, boot-order
Partition: /dev/disk/by-partuuid/56aada5c-a01a-3b4e-b04e-40e1d4003074
File: └─/EFI/BOOT/BOOTX64.EFI
BIOS/UEFI
Discover the current BIOS version and release date using dmidecode:
$ sudo dmidecode -s bios-version E16S3IMS.108
$ sudo dmidecode -s bios-release-date 11/18/2019
Use the following command to learn a little more information about the BIOS:
$ sudo dmidecode -t 0 # dmidecode 3.2 Getting SMBIOS data from sysfs. SMBIOS 3.1.1 present. Handle 0x0000, DMI type 0, 26 bytes BIOS Information Vendor: American Megatrends Inc. Version: P1.00 Release Date: 01/09/2019 Address: 0xF0000 Runtime Size: 64 kB ROM Size: 16 MB Characteristics: PCI is supported BIOS is upgradeable BIOS shadowing is allowed Boot from CD is supported Selectable boot is supported BIOS ROM is socketed EDD is supported 5.25"/1.2 MB floppy services are supported (int 13h) 3.5"/720 kB floppy services are supported (int 13h) 3.5"/2.88 MB floppy services are supported (int 13h) Print screen service is supported (int 5h) 8042 keyboard services are supported (int 9h) Serial services are supported (int 14h) Printer services are supported (int 17h) ACPI is supported USB legacy is supported BIOS boot specification is supported Targeted content distribution is supported UEFI is supported BIOS Revision: 5.12
Inxi is a utility that reads information from places such as /proc/cpu and presents it in a nice format while also allowing you to easily manipulate the command line switches to show different information. To get some basic information run inxi as follows:
$ inxi -M
Machine:
Type: Desktop System: ASUS product: N/A v: N/A serial:
Mobo: ASUSTeK model: PRIME TRX40-PRO v: Rev 1.xx
serial: UEFI: American Megatrends v: 1502
date: 07/13/2021
Inxi typically is not installed by default on many Linux distributions. Try using hwinfo as well:
$ sudo hwinfo --bios | less
01: None 00.0: 10105 BIOS
[Created at bios.186]
Unique ID: rdCR.lZF+r4EgHp4
Hardware Class: bios
BIOS Keyboard LED Status:
Scroll Lock: off
Num Lock: off
Caps Lock: off
SMBIOS Version: 3.2
BIOS Info: #0
Vendor: "American Megatrends Inc."
Version: "1502"
Date: "07/13/2021"
Start Address: 0xf0000
ROM Size: 16384 kB
lshw is yet another alternative:
$ sudo lshw | grep -A8 '*-firmware'
*-firmware
description: BIOS
vendor: American Megatrends Inc.
physical id: 0
version: 1502
date: 07/13/2021
size: 64KiB
capacity: 16MiB
Fwupd
Fwupd is maintained by Richard Hughes (See Below The Surface Episode # for our interview with Richard). Fwupd allows you to enumerate the devices on your system and apply updates where available. You cna find more documentation on the project’s website. Here are the basics:
Get all device information:
$ fwupdmgr get-devices
Get updates (downloads the latest metadata and checks for updates on supported devices):
$ fwupdmgr get-updates
Apply updates to supported devices (CAUTION: Applies firmware updates!):
$ fwupdmgr update
Note: Will also update the UEFI Secure Boot dbx.
Security checks:
$ fwupdmgr security --force
Intel ME
$ wget https://downloadmirror.intel.com/28632/CSME_Version_Detection_Tool_Linux.tar.gz $ mkdir intel_csme $ cd intel_csme/ $ tar zxvf ../CSME_Version_Detection_Tool_Linux.tar.gz $ sudo python3 ./intel_csme_version_detection_tool Intel(R) CSME Version Detection Tool Copyright(C) 2017-2022, Intel Corporation, All rights reserved. Application Version: 8.0.1.0 Scan date: 2023-07-26 16:58:34 GMT *** Host Computer Information *** Name: SPIDER Manufacturer: Micro-Star International Co., Ltd. Model: MS-7B98 Processor Name: Intel(R) Core(TM) i9-9900K CPU @ 3.60GHz OS Version: Ubuntu 20.04.6 LTS (5.15.0-78-generic) *** Intel(R) ME Information *** Engine: Intel(R) Converged Security and Management Engine Version: 12.0.70.1652 *** Risk Assessment *** Based on the analysis performed by this tool: This system is vulnerable. Explanation: The detected version of the Intel(R) Converged Security and Management Engine firmware has a vulnerability listed in one or more of the public Security Advisories. Contact your system manufacturer for support and remediation of this system. For more information refer to the Intel(R) CSME Version Detection Tool User Guide or the related Intel Security Advisory list at: https://www.intel.com/content/www/us/en/support/articles/000031784/technologies.html
CPU Microcode
Typically CPU microcode updates will be applied when you apply a UEFI update. You will find instructions on how to apply these updates manually, however, I recommend you wait until the OEM has released the microcode updates via UEFI (unless there is some pressing reason to apply them manually which should be a rare exception). Below are some ways to enumerate the microcode version:
$ sudo journalctl --no-hostname -o short-monotonic --boot -0 | sed -n '1,/PM: Preparing system for sleep/p' | grep 'microcode\|smp' [ 0.000000] kernel: smpboot: Allowing 128 CPUs, 80 hotplug CPUs [ 0.123246] kernel: smpboot: CPU0: AMD Ryzen Threadripper 3960X 24-Core Processor (family: 0x17, model: 0x31, stepping: 0x0) [ 0.123341] kernel: smp: Bringing up secondary CPUs ... [ 0.243441] kernel: smp: Brought up 1 node, 48 CPUs [ 0.243441] kernel: smpboot: Max logical packages: 3 [ 0.243441] kernel: smpboot: Total of 48 processors activated (364269.00 BogoMIPS) [ 0.455115] kernel: smpboot: Estimated ratio of average max frequency by base frequency (times 1024): 1127 [ 0.475388] kernel: microcode: microcode updated early to new patch_level=0x08301072 [ 0.475403] kernel: microcode: CPU0: patch_level=0x08301072 [ 0.475678] kernel: microcode: Microcode Update Driver: v2.2.
$ sudo inxi -C -a
CPU:
Info: model: AMD Ryzen Threadripper 3960X socket: SP3r2 (sTRX4) note: check bits: 64
type: MT MCP arch: Zen 2 gen: 3 level: v3 note: check built: 2020-22 process: TSMC n7 (7nm)
family: 0x17 (23) model-id: 0x31 (49) stepping: 0 microcode: 0x8301072
Note: Also displays a subset of CPU vulnerabilities and indicates if the CPU is vulnerable or not.
$ head -n7 /proc/cpuinfo processor : 0 vendor_id : AuthenticAMD cpu family : 23 model : 49 model name : AMD Ryzen Threadripper 3960X 24-Core Processor stepping : 0 microcode : 0x8301072
TPM
$ sudo dmidecode -t 43 # dmidecode 3.5 Getting SMBIOS data from sysfs. SMBIOS 3.2.0 present. Handle 0x0035, DMI type 43, 31 bytes TPM Device Vendor ID: Specification Version: 2.0 Firmware Revision: 3.37 Description: AMD Characteristics: Family configurable via platform software support OEM-specific Information: 0x00000000
Obtain the latest version of the tpm-vuln-checker from the Github repo: https://github.com/immune-gmbh/tpm-vuln-checker. Then you can run the command as follows to determine the version of TPM on your system and if it contains any vulnerabilities:
$ sudo ./tpm-vuln-checker check [sudo] password for paulda: TPM Manufacturer: AMD TPM Spec Revision: 1.38 TPM Family: 2.0 TPM Type: dTPM Starting TPM vulnerabilities checks.. This may take few seconds! CVE 2023-1017/2023-1018: Vulnerable Please apply the latest BIOS update to update the TPM firmware. OEMs/ODMs ship TPM updates as part of BIOS updates. CVE 2017-15361: Not Vulnerable
Other Commands
Full system info:
$ sudo inxi -a -v 8
System: Host: SPIDER Kernel: 5.15.0-76-generic x86_64 bits: 64 compiler: N/A
parameters: BOOT_IMAGE=/boot/vmlinuz-5.15.0-76-generic root=UUID=f9013c95-32a3-4829-967a-8a15dd918388 ro quiet
splash vt.handoff=7
Console: tty 2 wm: gnome-shell dm: GDM3 3.36.3 Distro: Ubuntu 20.04.6 LTS (Focal Fossa)
Machine: Type: Desktop System: Micro-Star product: MS-7B98 v: 1.0 serial: N/A
Mobo: Micro-Star model: Z390-A PRO (MS-7B98) v: 1.0 serial: 07B9812_L11E392535 UEFI: American Megatrends v: 1.D0
date: 01/19/2021
Memory:
$ lshw -class memory
*-memory
description: System Memory
physical id: 39
slot: System board or motherboard
size: 64GiB
*-bank:0
description: DIMM DDR4 Synchronous 2667 MHz (0.4 ns)
product: F4-3200C16-16GVK
vendor: Fujitsu
physical id: 0
serial: 00000000
slot: ChannelA-DIMM0
size: 16GiB
width: 64 bits
clock: 2667MHz (0.4ns)
$ sudo inxi -m -a
Memory: RAM: total: 62.74 GiB used: 2.42 GiB (3.9%)
Array-1: capacity: 64 GiB slots: 4 EC: None max module size: 16 GiB note: est.
Device-1: ChannelA-DIMM0 size: 16 GiB speed: 2667 MT/s type: DDR4 detail: synchronous bus width: 64 bits
total: 64 bits manufacturer: 04CD part-no: F4-3200C16-16GVK serial: N/A
Device-2: ChannelA-DIMM1 size: 16 GiB speed: 2667 MT/s type: DDR4 detail: synchronous bus width: 64 bits
total: 64 bits manufacturer: 04CD part-no: F4-3200C16-16GVK serial: N/A
Device-3: ChannelB-DIMM0 size: 16 GiB speed: 2667 MT/s type: DDR4 detail: synchronous bus width: 64 bits
total: 64 bits manufacturer: 04CD part-no: F4-3200C16-16GVK serial: N/A
Device-4: ChannelB-DIMM1 size: 16 GiB speed: 2667 MT/s type: DDR4 detail: synchronous bus width: 64 bits
total: 64 bits manufacturer: 04CD part-no: F4-3200C16-16GVK serial: N/A
PCI:
$ sudo lspci -nnmmvkD | less Slot: 0000:00:00.0 Class: Host bridge [0600] Vendor: Intel Corporation [8086] Device: 8th Gen Core 8-core Desktop Processor Host Bridge/DRAM Registers [Coffee Lake S] [3e30] SVendor: Micro-Star International Co., Ltd. [MSI] [1462] SDevice: 8th Gen Core 8-core Desktop Processor Host Bridge/DRAM Registers [Coffee Lake S] [7b98] Rev: 0d Driver: skl_uncore Module: ie31200_edac
$ sudo inxi --slots -a
PCI Slots: Slot: 0 type: x16 PCI Express J6B2 status: In Use length: Long
Slot: 1 type: x1 PCI Express J6B1 status: In Use length: Short
Slot: 2 type: x1 PCI Express J6D1 status: In Use length: Short
Slot: 3 type: x1 PCI Express J7B1 status: In Use length: Short
Slot: 4 type: x1 PCI Express J8B4 status: In Use length: Short
Slot: 5 type: x1 PCI Express J8D1 status: In Use length: Short
Slot: 6 type: 32-bit PCI J8B3 status: In Use length: Short
Storage Devices:
Tip: Use “lsblk” to list the available storage devices.
$ sudo smartctl --xall /dev/nvme0 | grep -i firmware Firmware Version: 4B2QEXM7 Firmware Updates (0x16): 3 Slots, no Reset required
CPU Information:
$ cpuid | less
CPU 0:
vendor_id = "GenuineIntel"
version information (1/eax):
processor type = primary processor (0)
family = 0x6 (6)
model = 0xe (14)
stepping id = 0xd (13)
extended family = 0x0 (0)
extended model = 0x9 (9)
(family synth) = 0x6 (6)
(model synth) = 0x9e (158)
(simple synth) = Intel Core (unknown type) (Kaby Lake / Coffee Lake) {Skylake}, 14nm
Summary
Running all of these commands manually, and then manually checking if the latest firmware updates are applied is a resource-intensive task. While some open-source projects like Fwupd help automate this process there is a wide variety of hardware and firmware included with computers and servers. Eclypsiums’ software platform helps automate this task and provides enterprises with a full solution to manage and maintain the firmware supply chain in your environment.
The post Linux Commands To Check The State Of Firmware appeared first on Eclypsium | Supply Chain Security for the Modern Enterprise.
Article Link: Linux Commands To Check The State Of Firmware - Eclypsium | Supply Chain Security for the Modern Enterprise