this post was submitted on 19 Jan 2024
249 points (99.2% liked)

Technology

58133 readers
4819 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots

founded 1 year ago
MODERATORS
L3s@lemmy.world
enu@lemm.ee
fry@fry.gs
L3s@fry.gs
enu@lemmy.world
L4s@fry.gs
L4s@lemmy.world
249
New UEFI vulnerabilities send firmware devs industry wide scrambling (arstechnica.com)
submitted 8 months ago by leo@lemmy.linuxuserspace.show to c/technology@lemmy.world
44 comments fedilink hide all child comments
you are viewing a single comment's thread
view the rest of the comments
[–] Supermariofan67@programming.dev 89 points 8 months ago (5 children)

Not at all surprised, motherboard firmware from most vendors has always been a steaming pile of shit code, often not even built to spec.

[–] SnotFlickerman@lemmy.blahaj.zone 47 points 8 months ago (4 children)

The nine vulnerabilities that comprise PixieFail reside in TianoCore EDK II, an open source implementation of the UEFI specification. The implementation is incorporated into offerings from Arm Ltd., Insyde, AMI, Phoenix Technologies, and Microsoft. The flaws reside in functions related to IPv6, the successor to the IPv4 Internet Protocol network address system. They can be exploited in what’s known as the PXE, or Preboot Execution Environment, when it’s configured to use IPv6.

Not all hardware manufacturers are effected and it's based on a specific open source implementation of UEFI.

[–] xan1242@lemmy.ml 14 points 8 months ago (1 children)

Aren't AMI, Insyde and Phoenix providers for 98% of PC (be it board or OEM) vendors though?

And AFAIR, TianoCore is basically used everywhere by everyone as a base except maybe Apple.

[–] SnotFlickerman@lemmy.blahaj.zone 2 points 8 months ago* (last edited 8 months ago) (1 children)

You may be right, I didn't think those three were that much of the market, but maybe I'm wrong.

I thought Tiano was a reference UEFI developed by Intel? So I'm not entirely sure its used by AMD, but maybe it is?

EDK and EDK II are open source projects that spun off of that reference developed by Intel.

I suppose the main thing I was trying to get across is that OP seemed to be blaming motherboard manufacturers for bad code... but this is the base open source code that is causing the issues, prior to implementation by motherboard manufacturers. Hence why it impacts so many.

[–] xan1242@lemmy.ml 5 points 8 months ago

I am pretty sure TianoCore is also used by AMD systems as a reference as well.

Here's a similar situation that happened in 2019 at Lenovo's site

https://support.lenovo.com/cl/es/solutions/LEN-22660

AMD systems are listed as well.

As for most board vendors nowadays, I think they barely do anything with the code itself and just create the setup utility and boot logos. It is highly likely that they're affected too.

load more comments (2 replies)
load more comments (2 replies)