Chipsec - UEFI Firmware Static Analysis
You are helping the user perform static security analysis of UEFI/BIOS firmware dumps using Intel's chipsec framework. This skill focuses exclusively on offline analysis capabilities that do not require kernel driver access or root privileges.
Tool Overview
Chipsec is Intel's Platform Security Assessment Framework. For static analysis of firmware dumps, it provides:
- EFI executable inventory generation with cryptographic hashes
- Detection of known UEFI malware and vulnerabilities
- Firmware structure decoding and extraction
- NVRAM/UEFI variable extraction
- SPI flash descriptor parsing
- Baseline comparison for change detection
Prerequisites
One-Time Setup (Fix Logging Permission)
Chipsec requires a writable logs directory. Run once:
sudo mkdir -p /usr/lib/python3.13/site-packages/logs
sudo chmod 777 /usr/lib/python3.13/site-packages/logs
Verify Installation
chipsec_main --version
Core Commands
All static analysis commands use these flags:
-i: Ignore platform check (required for offline analysis)-n: No kernel driver (required for static analysis)
1. Malware and Vulnerability Scan (Primary Use)
Scan firmware for known threats including UEFI rootkits and SMM vulnerabilities:
chipsec_main -i -n -m tools.uefi.scan_blocked -a <firmware.bin>
Detected Threats:
| Threat | Description | Reference |
|---|---|---|
| HT_UEFI_Rootkit | HackingTeam commercial UEFI rootkit | McAfee ATR |
| MR_UEFI_Rootkit | MosaicRegressor APT UEFI implant | Kaspersky |
| LoJax | First UEFI rootkit found in the wild (Sednit/APT28) | ESET |
| ThinkPwn | SystemSmmRuntimeRt SMM code execution vulnerability | cr4.sh |
| FirmwareBleed | SMM Return Stack Buffer stuffing vulnerability | Binarly |
Example Output (Threat Found):
[!] match 'ThinkPwn.SystemSmmRuntimeRt'
GUID : {7c79ac8c-5e6c-4e3d-ba6f-c260ee7c172e}
[!] found EFI binary matching 'ThinkPwn'
MD5 : 59f5ba825911e7d0dffe06ee0d6d9828
SHA256: 7f0e16f244151e7bfa170b7def014f6a225c5af626c223567f36a8b19f95e3ab
WARNING: Blocked EFI binary found in the UEFI firmware image
2. Generate EFI Executable Inventory
Create a JSON manifest of all EFI modules with cryptographic hashes:
chipsec_main -i -n -m tools.uefi.scan_image -a generate <output.json> <firmware.bin>
Use Cases:
- Create baseline for change detection
- Inventory all DXE drivers, PEI modules, applications
- Generate hashes for threat intelligence lookup
Output Format (efilist.json):
{
"sha256_hash": {
"sha1": "...",
"guid": "EFD652CC-0E99-40F0-96C0-E08C089070FC",
"name": "S3Resume",
"type": "S_PE32"
}
}
3. Compare Against Baseline
Check firmware against a known-good inventory:
chipsec_main -i -n -m tools.uefi.scan_image -a check <baseline.json> <firmware.bin>
Use Cases:
- Detect unauthorized firmware modifications
- Verify firmware update integrity
- Incident response - compare compromised vs clean
4. Decode Firmware Structure
Extract and analyze firmware volumes, files, and sections:
chipsec_util -i -n uefi decode <firmware.bin>
Creates output directory containing:
firmware.bin.dir/
├── firmware_volumes/ # Extracted FV regions
├── efi_files/ # Individual EFI binaries
├── nvram/ # NVRAM variables (if found)
└── ...
5. Extract NVRAM Variables
NVRAM variables are extracted as part of the uefi decode command:
chipsec_util -i -n uefi decode <firmware.bin>
NVRAM output location:
firmware.bin.dir/
├── nvram_.nvram.lst # List of NVRAM variables
├── nvram/ # Extracted variable files (if present)
└── FV/ # Firmware volumes
View extracted variables:
cat firmware.bin.dir/nvram_.nvram.lst
Note: The standalone uefi nvram command requires driver access and cannot be used for static analysis. Use uefi decode instead, which extracts NVRAM as part of the full firmware decode process.
6. Parse SPI Flash Descriptor
Analyze SPI flash regions (requires platform hint):
chipsec_util -p <PLATFORM> spidesc <firmware.bin>
Common Platform Codes:
| Code | Platform |
|---|---|
| SNB | Sandy Bridge (2nd Gen Core) |
| IVB | Ivy Bridge (3rd Gen Core) |
| HSW | Haswell (4th Gen Core) |
| BDW | Broadwell (5th Gen Core) |
| SKL | Skylake (6th Gen Core) |
| KBL | Kaby Lake (7th Gen Core) |
| CFL | Coffee Lake (8th/9th Gen Core) |
| ICL | Ice Lake (10th Gen Core) |
| TGL | Tiger Lake (11th Gen Core) |
| ADL | Alder Lake (12th Gen Core) |
| RPL | Raptor Lake (13th Gen Core) |
Shows:
- Flash regions (Descriptor, BIOS, ME, GbE, PDR)
- Region base addresses and sizes
- Flash component information
- Master access permissions
Supported Firmware Formats
| Extension | Description |
|---|---|
.bin | Raw firmware/SPI flash dumps |
.rom | SPI flash ROM dumps |
.fd | UEFI Firmware Descriptor (OVMF, EDK2) |
.cap | UEFI Capsule update files |
.scap | Signed UEFI Capsule updates |
.fv | UEFI Firmware Volume |
.flash | Full flash dumps |
Workflows
Workflow 1: Standard Security Audit
Complete firmware security assessment:
TARGET="firmware.bin"
OUTPUT_DIR="./chipsec-analysis"
mkdir -p "$OUTPUT_DIR"
# Step 1: Scan for known threats (most important)
echo "[+] Scanning for known malware/vulnerabilities..."
chipsec_main -i -n -m tools.uefi.scan_blocked -a "$TARGET" 2>&1 | tee "$OUTPUT_DIR/threat_scan.txt"
# Step 2: Generate EFI inventory
echo "[+] Generating EFI executable inventory..."
chipsec_main -i -n -m tools.uefi.scan_image -a generate "$OUTPUT_DIR/efi_inventory.json" "$TARGET"
# Step 3: Decode firmware structure
echo "[+] Decoding firmware structure..."
chipsec_util -i -n uefi decode "$TARGET"
# Step 4: Check for NVRAM in decoded output
echo "[+] Checking for extracted NVRAM variables..."
cat "$TARGET.dir/nvram_.nvram.lst" 2>/dev/null || echo "No NVRAM variables extracted"
echo "[+] Analysis complete. Results in: $OUTPUT_DIR/"
echo "[+] Decoded firmware in: $TARGET.dir/"
Workflow 2: Malware Detection Focus
Quick check for known threats:
# Run blocklist scan
chipsec_main -i -n -m tools.uefi.scan_blocked -a firmware.bin 2>&1 | tee scan_results.txt
# Check for any matches
echo "[+] Checking for threat matches..."
grep -E "match|found|WARNING" scan_results.txt
# If threats found, get details
grep -A10 "found EFI binary matching" scan_results.txt
Workflow 3: Firmware Update Verification
Compare before/after firmware update:
# Before update - create baseline
chipsec_main -i -n -m tools.uefi.scan_image -a generate baseline_before.json firmware_original.bin
# After update - compare
chipsec_main -i -n -m tools.uefi.scan_image -a check baseline_before.json firmware_updated.bin
# Also generate new inventory for diff analysis
chipsec_main -i -n -m tools.uefi.scan_image -a generate baseline_after.json firmware_updated.bin
# Compare inventories
diff baseline_before.json baseline_after.json
Workflow 4: Incident Response
Analyze potentially compromised firmware:
SUSPECT="compromised_dump.bin"
KNOWN_GOOD="golden_image.bin"
OUTPUT_DIR="./ir-analysis"
mkdir -p "$OUTPUT_DIR"
# 1. Immediate threat scan
echo "[!] Scanning for known implants..."
chipsec_main -i -n -m tools.uefi.scan_blocked -a "$SUSPECT" 2>&1 | tee "$OUTPUT_DIR/threat_scan.txt"
# 2. Generate inventory of suspect firmware
chipsec_main -i -n -m tools.uefi.scan_image -a generate "$OUTPUT_DIR/suspect_inventory.json" "$SUSPE