Linux Supply Chain Validation Cheat Sheet

Linux provides several tools and techniques for querying a system for information about its hardware and firmware (this post builds on our previous post, Linux Commands To Check The State Of Firmware). This information alone does not validate the supply chain, but it provides data that supports varying levels of validation given some further manual investigation. Some tools in this guide provide a deeper level of validation, such as LVFS and tools specifically designed to check for vulnerabilities or misconfigurations. Because there are many Linux distributions available today and many different ways to configure them, the commands below may not work exactly as described here; some may be included in your distribution, while others may need to be installed.

Secure Boot

To report the state of Secure Boot the mokutil command is the most straightforward:

$ mokutil --sb-state
SecureBoot disabled

On some platforms, mokutil also reports whether Secure Boot is in Setup Mode:

$ mokutil --sb-state
SecureBoot disabled
Platform is in Setup Mode

The bootctl command (from systemd) reports the Secure Boot state together with the setup mode value more consistently, and also lists the boot loaders currently present on the ESP and registered in EFI variables:

$ bootctl status
systemd-boot not installed in ESP.
System:
     Firmware: n/a (n/a)
  Secure Boot: disabled
  Setup Mode: setup
<snip>
Available Boot Loaders on ESP:
          ESP: /boot/efi (/dev/disk/by-partuuid/56aada5c-a01a-3b4e-b04e-40e1d4003074)

Boot Loaders Listed in EFI Variables:

        Title: Manjaro
           ID: 0x0000
       Status: active, boot-order
    Partition: /dev/disk/by-partuuid/56aada5c-a01a-3b4e-b04e-40e1d4003074
         File: └─/EFI/MANJARO/GRUBX64.EFI

        Title: UEFI OS
           ID: 0x0001
       Status: active, boot-order
    Partition: /dev/disk/by-partuuid/56aada5c-a01a-3b4e-b04e-40e1d4003074
         File: └─/EFI/BOOT/BOOTX64.EFI
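As an added example (not code from the Eclypsium post), the two values that mokutil and bootctl report can also be read straight from efivarfs, which is where both tools get them; this is handy on minimal images where neither tool is installed and in scripted checks. The script assumes efivarfs is mounted at its default path /sys/firmware/efi/efivars; the GUID is the EFI global variable GUID that both SecureBoot and SetupMode use, and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the Eclypsium post: read SecureBoot and SetupMode
# directly from efivarfs. Each efivars file is 4 bytes of variable attributes
# followed by the variable data; for these two variables the data is a single
# byte (0 or 1). Assumes efivarfs is mounted at the default path below.

EFIVARS=/sys/firmware/efi/efivars
# EFI_GLOBAL_VARIABLE GUID from the UEFI specification (used by both variables)
EFI_GLOBAL_GUID=8be4df61-93ca-11d2-aa0d-00e098032b8c

# efivar_byte FILE: print the first data byte (after the 4 attribute bytes)
# as a decimal number, or "missing" if the variable cannot be read.
efivar_byte() {
    if [ ! -r "$1" ]; then
        echo missing
        return 0
    fi
    # -An no offsets, -tu1 unsigned bytes, -j4 skip the attributes, -N1 one byte
    od -An -tu1 -j4 -N1 "$1" | tr -d ' '
}

# secureboot_state DIR: classify the platform from the two variables in DIR.
# Prints one of: enforcing, setup-mode, disabled, no-efivars.
secureboot_state() {
    sb=$(efivar_byte "$1/SecureBoot-$EFI_GLOBAL_GUID")
    sm=$(efivar_byte "$1/SetupMode-$EFI_GLOBAL_GUID")
    if [ "$sb" = missing ]; then
        echo no-efivars   # legacy BIOS boot, or efivarfs not mounted
    elif [ "$sb" = 1 ]; then
        echo enforcing    # signature checks on boot components are active
    elif [ "$sm" = 1 ]; then
        echo setup-mode   # no Platform Key enrolled: keys and db entries can be changed freely
    else
        echo disabled     # keys enrolled, but enforcement turned off in firmware setup
    fi
}

# Usage on a live system: sh secureboot.sh --check
if [ "${1:-}" = "--check" ]; then
    printf 'SecureBoot: %s\n' "$(secureboot_state "$EFIVARS")"
fi
```

The ordering matters: a platform in setup mode always reports SecureBoot as 0, so the script checks enforcement first and reports setup-mode only when enforcement is off, which matches the "disabled" plus "Setup Mode: setup" combination bootctl shows above.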

Validate The BIOS/UEFI

Discover the current BIOS version and release date using dmidecode:

$ sudo dmidecode -s bios-version
E16S3IMS.108

$ sudo dmidecode -s bios-release-date
11/18/2019

Use the following command to learn a little more information about the BIOS:

$ sudo dmidecode -t 0
# dmidecode 3.2
Getting SMBIOS data from sysfs.
SMBIOS 3.1.1 present.

Handle 0x0000, DMI type 0, 26 bytes
BIOS Information
Vendor: American Megatrends Inc.
Version: P1.00
Release Date: 01/09/2019
Address: 0xF0000
Runtime Size: 64 kB
ROM Size: 16 MB
Characteristics:
PCI is supported
BIOS is upgradeable
BIOS shadowing is allowed
Boot from CD is supported
Selectable boot is supported
BIOS ROM is socketed
EDD is supported
5.25″/1.2 MB floppy services are supported (int 13h)
3.5″/720 kB floppy services are supported (int 13h)
3.5″/2.88 MB floppy services are supported (int 13h)
Print screen service is supported (int 5h)
8042 keyboard services are supported (int 9h)
Serial services are supported (int 14h)
Printer services are supported (int 17h)
ACPI is supported
USB legacy is supported
BIOS boot specification is supported
Targeted content distribution is supported
UEFI is supported
BIOS Revision: 5.12

Inxi is a utility that reads information from places such as /proc/cpuinfo and presents it in a readable format, and its command-line switches make it easy to select which information to show. To get basic machine information, run inxi as follows:

$ inxi -M
Machine:
Type: Desktop System: ASUS product: N/A v: N/A serial: <superuser required>
Mobo: ASUSTeK model: PRIME TRX40-PRO v: Rev 1.xx
    serial: <superuser required> UEFI: American Megatrends v: 1502
    date: 07/13/2021

Inxi is typically not installed by default on many Linux distributions. hwinfo is another option:

$ sudo hwinfo --bios | less
01: None 00.0: 10105 BIOS                                       
  [Created at bios.186]
  Unique ID: rdCR.lZF+r4EgHp4
  Hardware Class: bios
  BIOS Keyboard LED Status:
    Scroll Lock: off
    Num Lock: off
    Caps Lock: off
  SMBIOS Version: 3.2
  BIOS Info: #0
    Vendor: "American Megatrends Inc."
    Version: "1502"
    Date: "07/13/2021"
    Start Address: 0xf0000
    ROM Size: 16384 kB

lshw is yet another alternative:

$ sudo lshw | grep -A8 '*-firmware'
     *-firmware
          description: BIOS
          vendor: American Megatrends Inc.
          physical id: 0
          version: 1502
          date: 07/13/2021
          size: 64KiB
          capacity: 16MiB

Chipsec

Install Chipsec according to the manual. You can run individual modules; for example, to check for ME Manufacturing mode:

$ sudo ./chipsec_main.py -m common.me_mfg_mode

Check the SPI write protections:

$ sudo ./chipsec_main.py -m common.bios_wp

Once you have a dump of the SPI flash (fd.bin), review its layout and region permissions:

$ sudo ./chipsec_util.py spidesc fd.bin

Review other SPI flash protection settings:

$ sudo ./chipsec_main.py -m common.bios_wp

Run all the checks:

$ sudo ./chipsec_main.py

Fwupd

Fwupd is maintained by Richard Hughes (see Below The Surface Episode #8 for our interview with Richard). Fwupd lets you enumerate the devices on your system and apply firmware updates where available. You can find more documentation on the project’s website. Here are the basics:

Get all device information:

$ fwupdmgr get-devices

Get updates (downloads the latest metadata and checks for updates on supported devices):

$ fwupdmgr get-updates

Apply updates to supported devices (CAUTION: Applies firmware updates!):

$ fwupdmgr update

Note: this will also update the UEFI Secure Boot dbx (the forbidden-signatures database).

Security checks:

$ fwupdmgr security --force

Intel ME

The following tool, provided by Intel, enumerates information about the Intel ME (provided you have an Intel processor with ME, or CSME, capabilities):

$ wget https://downloadmirror.intel.com/28632/CSME_Version_Detection_Tool_Linux.tar.gz
$ mkdir intel_csme
$ cd intel_csme/
$ tar zxvf ../CSME_Version_Detection_Tool_Linux.tar.gz
$ sudo python3 ./intel_csme_version_detection_tool

CPU Microcode

Typically, CPU microcode updates are applied as part of a UEFI update. You will find instructions online for applying these updates manually; however, it is recommended that you wait until the OEM has released the microcode update via UEFI, unless there is a pressing reason to apply it manually (which should be a rare exception). Below are some ways to enumerate the microcode version:

$ sudo journalctl --no-hostname -o short-monotonic --boot -0 | sed -n '1,/PM: Preparing system for sleep/p' | grep 'microcode\|smp'

Inxi displays CPU information, including the microcode revision, and for a subset of known CPU vulnerabilities reports whether the CPU is affected and which mitigation the kernel has in place:

$ sudo inxi -C -a

CPU:
  Info: model: AMD Ryzen 9 7940HS w/ Radeon 780M Graphics socket: FP8 bits: 64
    type: MT MCP arch: Zen 4 gen: 5 level: v4 note: check built: 2022+
    process: TSMC n5 (5nm) family: 0x19 (25) model-id: 0x74 (116) stepping: 1
    microcode: 0xA704103
Vulnerabilities:
  Type: gather_data_sampling status: Not affected
  Type: itlb_multihit status: Not affected
  Type: l1tf status: Not affected
  Type: mds status: Not affected
  Type: meltdown status: Not affected
  Type: mmio_stale_data status: Not affected
  Type: retbleed status: Not affected
  Type: spec_rstack_overflow status: Vulnerable: Safe RET, no microcode
  Type: spec_store_bypass mitigation: Speculative Store Bypass disabled via
    prctl
  Type: spectre_v1 mitigation: usercopy/swapgs barriers and __user pointer
    sanitization
  Type: spectre_v2 mitigation: Enhanced / Automatic IBRS, IBPB:
    conditional, STIBP: always-on, RSB filling, PBRSB-eIBRS: Not affected
  Type: srbds status: Not affected
  Type: tsx_async_abort status: Not affected

You could also look in /proc/cpuinfo yourself:

$ head -n7 /proc/cpuinfo
processor : 0
vendor_id : AuthenticAMD
cpu family : 23
model : 49
model name : AMD Ryzen Threadripper 3960X 24-Core Processor
stepping : 0
microcode : 0x8301072
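As an added example (not from the post), the per-issue status that inxi summarises comes from the kernel's own sysfs directory /sys/devices/system/cpu/vulnerabilities/, one file per issue, and the microcode revision from /proc/cpuinfo as shown above. The script below reads both directly, so it works on hosts without inxi and can feed a monitoring check; it isolates the entries the kernel reports as unmitigated. The paths are the kernel's; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the Eclypsium post: read the kernel's CPU
# vulnerability status from sysfs (the source behind "inxi -C -a") and the
# microcode revision from /proc/cpuinfo. Each sysfs file holds one line:
# "Not affected", "Mitigation: ...", or "Vulnerable" optionally followed by
# ": details".

VULN_DIR=/sys/devices/system/cpu/vulnerabilities

# vuln_report DIR: one "name<TAB>status" line per entry, sorted by name.
vuln_report() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        printf '%s\t%s\n' "$(basename "$f")" "$(cat "$f")"
    done | sort
}

# vuln_unmitigated DIR: names of entries whose status starts with "Vulnerable",
# one per line. "Vulnerable: Safe RET, no microcode" counts: the kernel is
# saying a software fallback is active because the microcode fix is missing.
vuln_unmitigated() {
    vuln_report "$1" | awk -F'\t' '$2 ~ /^Vulnerable/ { print $1 }'
}

# vuln_count DIR: number of unmitigated entries (usable as a monitoring metric).
vuln_count() {
    vuln_unmitigated "$1" | awk 'END { print NR }'
}

# microcode_rev [CPUINFO]: running microcode revision of CPU 0, as the
# "microcode" field of /proc/cpuinfo reports it (for example 0x8301072).
microcode_rev() {
    awk -F': ' '/^microcode/ { print $2; exit }' "${1:-/proc/cpuinfo}"
}

# Usage on a live system: sh cpustatus.sh --check
if [ "${1:-}" = "--check" ]; then
    printf 'microcode: %s\n' "$(microcode_rev)"
    vuln_report "$VULN_DIR"
    printf 'unmitigated: %s\n' "$(vuln_count "$VULN_DIR")"
fi
```

A non-zero unmitigated count after a UEFI update is worth a second look: it usually means the OEM's package did not include the microcode the kernel is waiting for, which is exactly the situation the spec_rstack_overflow line in the inxi output above describes.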

TPM

You can use dmidecode to retrieve information about the TPM:

$ sudo dmidecode -t 43
# dmidecode 3.5
Getting SMBIOS data from sysfs.
SMBIOS 3.2.0 present.

Handle 0x0035, DMI type 43, 31 bytes
TPM Device
Vendor ID: 
Specification Version: 2.0
Firmware Revision: 3.37
Description: AMD
Characteristics:
Family configurable via platform software support
OEM-specific Information: 0x00000000

For a quick vulnerability check, obtain the latest version of tpm-vuln-checker from its GitHub repository: https://github.com/immune-gmbh/tpm-vuln-checker. Then run it as follows to determine the TPM version on your system and whether it is affected by known vulnerabilities:

$ sudo ./tpm-vuln-checker check
[sudo] password for paulda: 
TPM Manufacturer: AMD
TPM Spec Revision: 1.38
TPM Family: 2.0
TPM Type: dTPM

Starting TPM vulnerabilities checks.. This may take a few take few seconds!

CVE 2023-1017/2023-1018: Vulnerable
Please apply the latest BIOS update to update the TPM firmware. OEMs/ODMs ship TPM updates as part of BIOS updates.
CVE 2017-15361: Not Vulnerable

Package Validation

RedHat-based systems:

$ sudo rpm -Va

Debian Systems:

$ sudo dpkg --verify
$ sudo debsums | grep -v "OK$"

Arch systems:

# Install check-pacman-mtree from AUR, then run:

$ sudo check-pacman-mtree.lua -a

# Install pacutils then run:

$ sudo paccheck --sha256sum --quiet
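The raw output of rpm -Va and dpkg --verify is easy to misread, because a config file you edited and a system library whose digest no longer matches look alike at a glance. As an added example (not from the post), the script below triages that output into severity levels using the column meanings rpm and dpkg document; the input lines in the test are constructed, and the level names and function name are mine.

```shell
#!/bin/sh
# Added example, not from the Eclypsium post: triage the output of "rpm -Va"
# or "dpkg --verify". Both print a 9-character result string, an optional
# file-type column ("c" marks a config file) and the path, for example:
#   S.5....T.  c /etc/ssh/sshd_config
#   .M.......    /usr/bin/sudo
# Columns: S size, M mode, 5 digest, D device, L link, U user, G group,
# T mtime, P capabilities. "." means the test passed and "?" means it could
# not be performed. rpm also prints "missing   /path" for deleted files.

# verify_triage: read verification output on stdin and print one
# "LEVEL reason path" line per finding.
#   HIGH   digest or size changed on a non-config file, or the file is missing
#   MEDIUM mode, owner, group or capabilities changed
#   LOW    config file edited, or only the mtime (or another minor attribute) differs
verify_triage() {
    awk '
        /^missing[[:space:]]/ { print "HIGH missing " $NF; next }
        NF < 2 || length($1) != 9 || $1 !~ /^[SM5DLUGTP.?]+$/ { next }
        {
            flags = $1; path = $NF
            conf = (NF >= 3 && $2 == "c")
            content = (substr(flags, 1, 1) == "S" || substr(flags, 3, 1) == "5")
            perms = (substr(flags, 2, 1) == "M" || substr(flags, 6, 1) == "U" ||
                     substr(flags, 7, 1) == "G" || substr(flags, 9, 1) == "P")
            if (content && !conf)                  print "HIGH content-changed " path
            else if (perms)                        print "MEDIUM permissions-changed " path
            else if (content)                      print "LOW config-edited " path
            else if (substr(flags, 8, 1) == "T")   print "LOW mtime-only " path
            else                                   print "LOW other " path
        }'
}

# Usage: sudo rpm -Va | sh verify_triage.sh --stdin
#    or: sudo dpkg --verify | sh verify_triage.sh --stdin
if [ "${1:-}" = "--stdin" ]; then
    verify_triage
fi
```

Treat the HIGH lines as the work queue: a changed digest on a binary or library under /usr is either a local rebuild you can account for or something that needs the package reinstalled from the distribution mirror and the host investigated. Note that both tools compare against the package database on the same host, so they catch tampering with files but not a tampered database; pairing this with the firmware checks above and an off-host baseline closes that gap.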

Other Commands

Full system info:

$ sudo inxi -a -v 8
System:    Host: SPIDER Kernel: 5.15.0-76-generic x86_64 bits: 64 compiler: N/A 
           parameters: BOOT_IMAGE=/boot/vmlinuz-5.15.0-76-generic root=UUID=f9013c95-32a3-4829-967a-8a15dd918388 ro quiet 
           splash vt.handoff=7 
           Console: tty 2 wm: gnome-shell dm: GDM3 3.36.3 Distro: Ubuntu 20.04.6 LTS (Focal Fossa) 
Machine:   Type: Desktop System: Micro-Star product: MS-7B98 v: 1.0 serial: N/A 
           Mobo: Micro-Star model: Z390-A PRO (MS-7B98) v: 1.0 serial: 07B9812_L11E392535 UEFI: American Megatrends v: 1.D0 
           date: 01/19/2021 

<snip>

Memory:

$ lshw -class memory
<snip>
*-memory
       description: System Memory
       physical id: 39
       slot: System board or motherboard
       size: 64GiB
     *-bank:0
          description: DIMM DDR4 Synchronous 2667 MHz (0.4 ns)
          product: F4-3200C16-16GVK
          vendor: Fujitsu
          physical id: 0
          serial: 00000000
          slot: ChannelA-DIMM0
          size: 16GiB
          width: 64 bits
          clock: 2667MHz (0.4ns)
<snip>

$ sudo inxi -m -a
Memory:    RAM: total: 62.74 GiB used: 2.42 GiB (3.9%) 
           Array-1: capacity: 64 GiB slots: 4 EC: None max module size: 16 GiB note: est. 
           Device-1: ChannelA-DIMM0 size: 16 GiB speed: 2667 MT/s type: DDR4 detail: synchronous bus width: 64 bits 
           total: 64 bits manufacturer: 04CD part-no: F4-3200C16-16GVK serial: N/A 
           Device-2: ChannelA-DIMM1 size: 16 GiB speed: 2667 MT/s type: DDR4 detail: synchronous bus width: 64 bits 
           total: 64 bits manufacturer: 04CD part-no: F4-3200C16-16GVK serial: N/A 
           Device-3: ChannelB-DIMM0 size: 16 GiB speed: 2667 MT/s type: DDR4 detail: synchronous bus width: 64 bits 
           total: 64 bits manufacturer: 04CD part-no: F4-3200C16-16GVK serial: N/A 
           Device-4: ChannelB-DIMM1 size: 16 GiB speed: 2667 MT/s type: DDR4 detail: synchronous bus width: 64 bits 
           total: 64 bits manufacturer: 04CD part-no: F4-3200C16-16GVK serial: N/A 

PCI:

$ sudo lspci -nnmmvkD | less
Slot:   0000:00:00.0
Class:  Host bridge [0600]
Vendor: Intel Corporation [8086]
Device: 8th Gen Core 8-core Desktop Processor Host Bridge/DRAM Registers [Coffee Lake S] [3e30]
SVendor:        Micro-Star International Co., Ltd. [MSI] [1462]
SDevice:        8th Gen Core 8-core Desktop Processor Host Bridge/DRAM Registers [Coffee Lake S] [7b98]
Rev:    0d
Driver: skl_uncore
Module: ie31200_edac

<snip>

$ sudo inxi --slots -a
PCI Slots: Slot: 0 type: x16 PCI Express J6B2 status: In Use length: Long 
           Slot: 1 type: x1 PCI Express J6B1 status: In Use length: Short 
           Slot: 2 type: x1 PCI Express J6D1 status: In Use length: Short 
           Slot: 3 type: x1 PCI Express J7B1 status: In Use length: Short 
           Slot: 4 type: x1 PCI Express J8B4 status: In Use length: Short 
           Slot: 5 type: x1 PCI Express J8D1 status: In Use length: Short 
           Slot: 6 type: 32-bit PCI J8B3 status: In Use length: Short 

Storage Devices:

Tip: Use lsblk to list the available storage devices, then use the following command to retrieve a device's firmware version information:

$ sudo smartctl --xall /dev/nvme0 | grep -i firmware
Firmware Version:                   4B2QEXM7
Firmware Updates (0x16):            3 Slots, no Reset required

CPU Information:

$ cpuid | less
CPU 0:
   vendor_id = “GenuineIntel”
   version information (1/eax):
      processor type  = primary processor (0)
      family          = 0x6 (6)
      model           = 0xe (14)
      stepping id     = 0xd (13)
      extended family = 0x0 (0)
      extended model  = 0x9 (9)
      (family synth)  = 0x6 (6)
      (model synth)   = 0x9e (158)
      (simple synth)  = Intel Core (unknown type) (Kaby Lake / Coffee Lake) {Skylake}, 14nm
<snip>

Summary

Running all of these commands manually, and then manually checking whether the latest firmware updates have been applied, is a resource-intensive task. While open-source projects like fwupd help automate this process, there is a wide variety of hardware and firmware in computers and servers to check. This is also not a run-once activity: checking the firmware and software consistently is important.
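One way to make the checks repeatable, as an added example that is not part of the post: collect the values the cheat sheet enumerates (BIOS version and date, board, Secure Boot state, microcode, TPM and NVMe firmware) into a key=value snapshot, store the first run as a baseline, and diff every later run against it so a BIOS downgrade, a microcode change or Secure Boot being switched off shows up as a line of output rather than something a person has to notice. The commands invoked are the real tools used in this post (dmidecode, mokutil, smartctl); the snapshot format, function names and the sample snapshots in the test are mine.

```shell
#!/bin/sh
# Added example, not from the Eclypsium post: a repeatable firmware inventory.
#   sh fwcheck.sh snapshot > baseline.txt          (first run, as root)
#   sh fwcheck.sh snapshot > today.txt             (every later run, as root)
#   sh fwcheck.sh diff baseline.txt today.txt      (exit 1 if anything drifted)

# probe KEY COMMAND...: run COMMAND, flatten its output to one line and print
# "KEY=value". A missing tool or denied permission yields "KEY=unavailable"
# instead of aborting, so every snapshot carries the same set of keys.
probe() {
    key=$1; shift
    out=$("$@" 2>/dev/null | tr '\n' ' ' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
    printf '%s=%s\n' "$key" "${out:-unavailable}"
}

# fw_snapshot: print the inventory of the running system (run as root).
fw_snapshot() {
    probe bios_vendor    dmidecode -s bios-vendor
    probe bios_version   dmidecode -s bios-version
    probe bios_date      dmidecode -s bios-release-date
    probe board          dmidecode -s baseboard-product-name
    probe secureboot     mokutil --sb-state
    probe microcode      sh -c "grep -m1 '^microcode' /proc/cpuinfo"
    probe tpm_firmware   sh -c "dmidecode -t 43 | grep 'Firmware Revision'"
    probe nvme0_firmware sh -c "smartctl --xall /dev/nvme0 | grep -i '^Firmware Version'"
}

# fw_diff BASELINE CURRENT: print "key: old -> new" for every changed, added
# or vanished key. Exit 1 if anything differs, 0 if the snapshots agree.
fw_diff() {
    awk -F= '
        FNR == 1 { fileno++ }
        fileno == 1 { base[$1] = substr($0, length($1) + 2); next }
        {
            cur = substr($0, length($1) + 2)
            if (!($1 in base))        { printf "%s: (new key) -> %s\n", $1, cur; changed++ }
            else if (base[$1] != cur) { printf "%s: %s -> %s\n", $1, base[$1], cur; changed++ }
            delete base[$1]
        }
        END {
            for (k in base) { printf "%s: %s -> (missing)\n", k, base[k]; changed++ }
            exit (changed ? 1 : 0)
        }' "$1" "$2"
}

case "${1:-}" in
    snapshot) fw_snapshot ;;
    diff)     fw_diff "$2" "$3" ;;
esac
```

Keep the baseline somewhere the host cannot rewrite it (a configuration-management repository or a central log store), so a compromise of the host cannot also rewrite the record it is being compared against; a version going backwards is as interesting as one going forwards, since the same downgrade path that an OEM update uses can reintroduce a vulnerable BIOS or TPM firmware.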

Resources

If you’d like to dive deeper into analyzing firmware, emulating firmware, and verifying firmware, below is a comprehensive list of tools and projects:

All Commands Listing

$ mokutil --sb-state

$ bootctl status

$ sudo dmidecode -s bios-version

$ sudo dmidecode -s bios-release-date

$ sudo dmidecode -t 0

$ inxi -M

$ sudo hwinfo --bios | less

$ sudo lshw | grep -A8 '*-firmware'

$ sudo ./chipsec_main.py -m common.me_mfg_mode

$ sudo ./chipsec_main.py -m common.bios_wp

$ sudo ./chipsec_util.py spidesc fd.bin

$ sudo ./chipsec_main.py

$ fwupdmgr get-devices

$ fwupdmgr get-updates

$ fwupdmgr update

$ fwupdmgr security --force

$ sudo python3 ./intel_csme_version_detection_tool

$ sudo journalctl --no-hostname -o short-monotonic --boot -0 | sed -n '1,/PM: Preparing system for sleep/p' | grep 'microcode\|smp'

$ sudo inxi -C -a

$ head -n7 /proc/cpuinfo

$ sudo dmidecode -t 43

$ sudo ./tpm-vuln-checker check

$ sudo rpm -Va

$ sudo dpkg --verify

$ sudo debsums | grep -v "OK$"

$ sudo check-pacman-mtree.lua -a

$ sudo paccheck --sha256sum --quiet

$ sudo inxi -a -v 8

$ lshw -class memory

$ sudo inxi -m -a

$ sudo lspci -nnmmvkD | less

$ sudo inxi --slots -a

$ sudo smartctl --xall /dev/nvme0 | grep -i firmware

$ cpuid | less

The post Linux Supply Chain Validation Cheat Sheet appeared first on Eclypsium | Supply Chain Security for the Modern Enterprise.