npx skills add mukul975/Anthropic-Cybersecurity-SkillsMITRE ATT&CK
NIST CSF 2.0
Authorized Use Only: CHIPSEC loads a kernel driver and reads/writes low-level hardware registers, SPI flash, and SMM. Run it only on systems you own or are explicitly authorized to assess, ideally on dedicated test hardware. Misuse (especially write/modify modules) can brick a machine. Never run write-capable modules on production systems.
Overview
CHIPSEC is the open-source Platform Security Assessment Framework created by Intel's Advanced Threat Research team. It inspects the low-level security configuration of x86 platform firmware and hardware — the layer below the operating system where bootkits and firmware implants live. CHIPSEC loads a signed kernel driver (Linux, Windows, or it can run from the UEFI shell) to read and write hardware registers, Model-Specific Registers (MSRs), PCI config space, SPI flash, and UEFI variables, then runs an automated test suite that checks whether the platform's defensive locks are actually engaged.
The threat CHIPSEC addresses is MITRE ATT&CK T1542.001 — Pre-OS Boot: System Firmware: adversaries who modify system firmware (the BIOS/UEFI image on SPI flash) to gain stealthy, persistent, OS-survivable control. Firmware implants persist across OS reinstall and disk replacement and are invisible to most EDR. CHIPSEC's value is verifying the prerequisites that prevent such implants: that the SPI flash BIOS region is write-protected (BIOS_CNTL BLE/SMM_BWP, SPI Protected Ranges), that the flash descriptor locks region access, that SMRAM/SMRR are configured, and that Secure Boot variables are protected. It also dumps the SPI flash for offline forensic comparison.
Sources: Intel/CHIPSEC project (https://github.com/chipsec/chipsec), CHIPSEC documentation (https://chipsec.github.io/).
When to Use
- Baseline firmware-security assessment of a new laptop/server platform or fleet image
- Verifying that BIOS write protection and SPI flash locks are correctly enabled by the OEM
- Firmware forensics: dumping SPI flash to compare against a known-good image
- Validating Secure Boot variable protection and S3 boot-script protection
- Hunting for evidence of a firmware implant or misconfiguration enabling one
Prerequisites
- Physical or admin/root access to the target x86 platform (Intel or AMD)
- Linux (root) or Windows (Administrator), or a UEFI shell environment
- Ability to load a kernel driver (Secure Boot may need to allow the CHIPSEC driver, or use
--no_driverfor limited checks) - Python 3.8+ and a C compiler/build tools for the kernel module on Linux
- Dedicated test hardware strongly recommended
Install CHIPSEC:
# From PyPI
pip install chipsec
# Or from source (builds the kernel helper/driver)
git clone https://github.com/chipsec/chipsec
cd chipsec
python setup.py install # builds and installs, including the Linux driver
# Verify
sudo chipsec_main --help
sudo chipsec_util --helpObjectives
- Run the full automated platform-security test suite and interpret PASS/FAIL/WARNING
- Verify BIOS write protection (BIOS_CNTL) and SPI Protected Ranges
- Verify the SPI flash descriptor locks region read/write access
- Verify SMRAM/SMRR and SMI handler protections
- Verify Secure Boot variable protection and S3 boot-script protection
- Dump SPI flash and decode it for offline analysis
- Enumerate UEFI variables and detect anomalous/unexpected entries
MITRE ATT&CK Mapping
| Technique ID | Name | Tactic |
|---|---|---|
| T1542.001 | Pre-OS Boot: System Firmware | Persistence / Defense Evasion |
CHIPSEC defends against T1542.001 by verifying that the controls preventing unauthorized firmware modification are enabled. A FAIL on common.bios_wp (BIOS not write-protected) or chipsec.modules.common.spi_lock (flash descriptor unlocked) means an attacker with OS privileges could rewrite the SPI flash and implant persistent firmware — exactly the precondition for this technique.
Workflow
Step 1: Run the full automated test suite
chipsec_main with no module argument runs every applicable security check for the detected platform and prints a summary of PASS/FAIL/WARNING/INFORMATION results.
sudo chipsec_main
# Save machine-readable output for reporting / diffing
sudo chipsec_main -j results.json -x results.xml -l chipsec.logStep 2: Run the core firmware-protection modules individually
The common module group contains the OEM-independent security checks. Run the group or specific modules:
# Run the whole common group
sudo chipsec_main -m common
# BIOS write protection: checks BIOS_CNTL BLE/SMM_BWP and SPI protected ranges
sudo chipsec_main -m common.bios_wp
# SPI flash descriptor lock (FLOCKDN) — are flash region accesses locked?
sudo chipsec_main -m common.spi_lock
# SMRR programming — protects SMRAM from cache-based attacks
sudo chipsec_main -m common.smrr
# SMM BIOS write protection
sudo chipsec_main -m common.smm
# S3 resume boot-script protection (against bootscript table attacks)
sudo chipsec_main -m common.uefi.s3bootscriptStep 3: Verify Secure Boot variable protection
# Checks that Secure Boot UEFI variables are properly protected
sudo chipsec_main -m common.secureboot.variables
# To actively test write protection of the variables (test hardware ONLY):
sudo chipsec_main -m common.secureboot.variables -a modifyStep 4: Inspect SPI flash region access permissions
# Report SPI flash regions, descriptor, and access permissions
sudo chipsec_util spi info
# Check the SPI access-control module
sudo chipsec_main -m common.spi_accessStep 5: Dump SPI flash for offline forensics
Dumping the flash lets you decode the firmware volumes and compare against a known-good OEM image.
# Dump the entire SPI flash to a file
sudo chipsec_util spi dump rom.bin
# Decode the dumped image: extracts firmware volumes, files, NVRAM variables, etc.
sudo chipsec_util decode rom.binStep 6: Enumerate and triage UEFI variables
# List all UEFI variables from the runtime interface
sudo chipsec_util uefi var-list
# List variables directly from the SPI image (offline)
sudo chipsec_util uefi var-find PK
sudo chipsec_util uefi var-read db <GUID> db.bin
# Decode the UEFI firmware structure
sudo chipsec_util uefi decode rom.binStep 7: Limited assessment without a kernel driver
Where loading the driver is impossible (locked-down Secure Boot), some checks still run read-only.
sudo chipsec_main -n # --no_driver: skip checks that need the driver
sudo chipsec_main -p <PLATFORM> # force platform code if auto-detect failsStep 8: Triage results and report
- FAIL on
bios_wp/spi_lock→ firmware is rewritable from the OS: high risk for T1542.001. - FAIL on
secureboot.variables→ Secure Boot policy can be tampered. - Compare the
spi dumpagainst the OEM's known-good image (hash firmware volumes) to detect unauthorized modification. - Record platform, BIOS version, and every FAIL/WARNING with the relevant register values for the report.
Tools and Resources
| Tool | Purpose | Source |
|---|---|---|
| chipsec_main | Automated platform-security test suite | https://github.com/chipsec/chipsec |
| chipsec_util | Manual hardware/firmware access (spi, uefi, decode) | https://chipsec.github.io/ |
| UEFITool | GUI/CLI parsing of dumped UEFI images | https://github.com/LongSoft/UEFITool |
| Binarly fwhunt | Firmware vulnerability/implant hunting rules | https://github.com/binarly-io/fwhunt-scan |
| NSA UEFI Secure Boot guidance | Hardening reference | https://media.defense.gov/ |
Core Module Reference
| Module | Checks |
|---|---|
| common.bios_wp | BIOS_CNTL BLE / SMM_BWP and SPI Protected Ranges |
| common.spi_lock | SPI flash descriptor FLOCKDN |
| common.spi_access | SPI flash region read/write permissions |
| common.smrr | System Management Range Registers programming |
| common.smm | SMM BIOS write protection |
| common.secureboot.variables | Secure Boot variable protection |
| common.uefi.s3bootscript | S3 resume boot-script protection |
Validation Criteria
- CHIPSEC installed and driver loads (or
-ndocumented if not) - Full
chipsec_mainsuite executed with JSON/XML/log output saved -
common.bios_wpresult interpreted (write protection state) -
common.spi_lock/spi_accessresult interpreted (descriptor lock) - SMRR/SMM module results recorded
- Secure Boot variable protection checked
- SPI flash dumped and decoded for offline analysis
- UEFI variables enumerated and triaged
- All FAIL/WARNING findings documented with platform/BIOS version
- Write/modify modules NOT run on production hardware
References and resources
Everything below is rendered for inspection. Script files are read-only and never run.
References 2
api-reference.md2.3 KB
Command Reference - CHIPSEC
chipsec_main (test suite)
| Command / Flag | Purpose |
|---|---|
chipsec_main |
Run all applicable security modules for the platform |
-m, --module <name> |
Run a specific module, e.g. -m common.bios_wp |
-m common |
Run the whole OEM-independent module group |
-mx <modules> |
Exclude listed modules |
-a, --module_args |
Pass arguments to a module (e.g. -a modify) |
-p, --platform <code> |
Force platform code when auto-detect fails |
-n, --no_driver |
Skip checks requiring the kernel driver |
-l, --log <file> |
Write output to a log file |
-j, --json <file> |
JSON results output |
-x, --xml <file> |
JUnit-style XML results output |
-v / -vv / -d |
Verbose / very verbose / debug logging |
Key security modules
| Module | Checks |
|---|---|
common.bios_wp |
BIOS_CNTL BLE / SMM_BWP and SPI Protected Ranges |
common.spi_lock |
SPI flash descriptor FLOCKDN lock |
common.spi_access |
SPI flash region access permissions |
common.smrr |
SMRR programming (SMRAM cache protection) |
common.smm |
SMM BIOS write protection |
common.secureboot.variables |
Secure Boot variable protection (-a modify to test writes) |
common.uefi.s3bootscript |
S3 resume boot-script protection |
chipsec_util (manual access)
| Command | Purpose |
|---|---|
chipsec_util spi info |
Report SPI flash regions/descriptor/permissions |
chipsec_util spi dump rom.bin |
Dump entire SPI flash to file |
chipsec_util spi read <addr> <len> out.bin |
Read SPI flash range |
chipsec_util decode rom.bin |
Decode dumped image into volumes/files/variables |
chipsec_util uefi var-list |
List UEFI variables (runtime) |
chipsec_util uefi var-find <name> |
Find a UEFI variable |
chipsec_util uefi var-read <name> <GUID> out.bin |
Read a variable |
chipsec_util uefi decode rom.bin |
Decode UEFI firmware structure from image |
chipsec_util platform |
Show detected platform info |
Result interpretation
| Result | Meaning |
|---|---|
| PASSED | Protection is correctly enabled |
| FAILED | Protection missing/misconfigured — exploitable |
| WARNING | Potential issue / needs manual review |
| INFORMATION | Informational, no pass/fail |
standards.md1.4 KB
Standards and References - Auditing UEFI Firmware with CHIPSEC
MITRE ATT&CK
| Technique ID | Name | Tactic | Rationale |
|---|---|---|---|
| T1542.001 | Pre-OS Boot: System Firmware | Persistence / Defense Evasion | CHIPSEC verifies the SPI flash and BIOS write-protection locks whose absence enables adversaries to modify system firmware for stealthy, OS-survivable persistence. |
NIST Cybersecurity Framework 2.0
| ID | Name | Rationale |
|---|---|---|
| ID.AM-02 | Inventories of software, services, and systems managed by the organization are maintained | Firmware version, SPI flash image, and platform-security configuration are part of the asset/software inventory that CHIPSEC enumerates and baselines. |
Official Resources
- CHIPSEC project: https://github.com/chipsec/chipsec
- CHIPSEC documentation: https://chipsec.github.io/
- Running CHIPSEC: https://chipsec.github.io/usage/Running-Chipsec.html
- common.bios_wp module: https://chipsec.github.io/modules/
- common.secureboot.variables module docs
- UEFITool: https://github.com/LongSoft/UEFITool
- Binarly fwhunt-scan: https://github.com/binarly-io/fwhunt-scan
Key Research
- Intel ATR: original CHIPSEC framework and BlackHat arsenal presentations
- "Exploring Your System Deeper with CHIPSEC" (CSW)
- NSA UEFI Secure Boot Customization / firmware hardening guidance
Scripts 1
agent.py4.3 KB
#!/usr/bin/env python3
"""
chipsec-audit — run a CHIPSEC firmware-posture baseline and parse results.
Wraps the real CHIPSEC CLIs:
- chipsec_main : module runner
- chipsec_util : SPI/UEFI utilities
Project: https://github.com/chipsec/chipsec
Install:
pip install chipsec # needs root and a kernel driver build
Examples:
sudo python agent.py baseline --log chipsec.log --json report.json
sudo python agent.py module --name common.bios_wp
sudo python agent.py dump --out rom.bin
"""
import argparse
import json
import os
import re
import shutil
import subprocess
import sys
# CHIPSEC prints lines like: [+] PASSED: BIOS region write protection ...
RESULT_RE = re.compile(r"\[[+\-!*]\]\s*(PASSED|FAILED|WARNING|ERROR|NOT APPLICABLE|INFORMATION)\b[:\s]*(.*)",
re.IGNORECASE)
CORE_MODULES = [
"common.bios_wp",
"common.spi_lock",
"common.spi_desc",
"common.smm",
"common.secureboot.variables",
]
def _require(tool: str) -> None:
if shutil.which(tool) is None:
sys.exit(f"error: '{tool}' not found on PATH. Install CHIPSEC: pip install chipsec")
def _warn_root() -> None:
if hasattr(os, "geteuid") and os.geteuid() != 0:
print("[!] warning: CHIPSEC needs root/Administrator to load its driver.", file=sys.stderr)
def _run(argv: list) -> subprocess.CompletedProcess:
print(f"[*] {' '.join(argv)}", file=sys.stderr)
return subprocess.run(argv, capture_output=True, text=True)
def parse_results(stdout: str) -> list:
findings = []
for line in stdout.splitlines():
m = RESULT_RE.search(line)
if m:
findings.append({"result": m.group(1).upper(), "detail": m.group(2).strip()})
return findings
def cmd_baseline(args) -> int:
_require("chipsec_main")
_warn_root()
argv = ["chipsec_main"]
if args.log:
argv += ["-l", args.log]
proc = _run(argv)
findings = parse_results(proc.stdout)
fails = [f for f in findings if f["result"] in ("FAILED", "ERROR")]
warns = [f for f in findings if f["result"] == "WARNING"]
summary = {
"total_results": len(findings),
"failed": len(fails),
"warnings": len(warns),
"failures": fails,
"warning_items": warns,
}
if args.json:
with open(args.json, "w", encoding="utf-8") as fh:
json.dump({"summary": summary, "all": findings}, fh, indent=2)
print(f"[+] report written to {args.json}", file=sys.stderr)
print(json.dumps(summary, indent=2))
return 1 if fails else 0
def cmd_module(args) -> int:
_require("chipsec_main")
_warn_root()
targets = [args.name] if args.name else CORE_MODULES
out = {}
rc = 0
for mod in targets:
proc = _run(["chipsec_main", "-m", mod])
res = parse_results(proc.stdout)
out[mod] = res
if any(r["result"] in ("FAILED", "ERROR") for r in res):
rc = 1
print(json.dumps(out, indent=2))
return rc
def cmd_dump(args) -> int:
_require("chipsec_util")
_warn_root()
_run(["chipsec_util", "spi", "info"])
proc = _run(["chipsec_util", "spi", "dump", args.out])
if proc.returncode != 0 or not os.path.exists(args.out):
print("[!] SPI dump failed", file=sys.stderr)
print(proc.stderr, file=sys.stderr)
return 1
size = os.path.getsize(args.out)
print(json.dumps({"dump": args.out, "bytes": size}, indent=2))
print("[*] decode offline with: chipsec_util uefi decode " + args.out, file=sys.stderr)
return 0
def main() -> int:
p = argparse.ArgumentParser(description="CHIPSEC firmware-posture audit helper.")
sub = p.add_subparsers(dest="cmd", required=True)
b = sub.add_parser("baseline", help="run full chipsec_main and summarize")
b.add_argument("--log", help="CHIPSEC log file path")
b.add_argument("--json", help="write parsed JSON report here")
b.set_defaults(func=cmd_baseline)
m = sub.add_parser("module", help="run one or the core security modules")
m.add_argument("--name", help="specific module, e.g. common.bios_wp (default: core set)")
m.set_defaults(func=cmd_module)
d = sub.add_parser("dump", help="dump SPI flash (read-only)")
d.add_argument("--out", default="rom.bin")
d.set_defaults(func=cmd_dump)
args = p.parse_args()
return args.func(args)
if __name__ == "__main__":
sys.exit(main())