chipsec

Static analysis of UEFI/BIOS firmware dumps using Intel's chipsec framework. Decode firmware structure, detect known malware and rootkits (LoJax, ThinkPwn, HackingTeam, MosaicRegressor), generate EFI executable inventories with hashes, extract NVRAM variables, and parse SPI flash descriptors. Use when analyzing firmware .bin/.rom/.fd/.cap files offline without requiring hardware access.

Repository

BrownFineSecurity/iothackbot

/skills/chipsec/SKILL.md

Last Verified

January 15, 2026

Install Skill

```bash
npx add-skill https://github.com/BrownFineSecurity/iothackbot/blob/main//skills/chipsec/SKILL.md -a claude-code --skill chipsec
```

Installation path (Claude): `.claude/skills/chipsec/`

Instructions

# Chipsec - UEFI Firmware Static Analysis

You are helping the user perform static security analysis of UEFI/BIOS firmware dumps using Intel's chipsec framework. This skill focuses exclusively on offline analysis capabilities that do not require kernel driver access or root privileges.

## Tool Overview

Chipsec is Intel's Platform Security Assessment Framework. For static analysis of firmware dumps, it provides:

- EFI executable inventory generation with cryptographic hashes
- Detection of known UEFI malware and vulnerabilities
- Firmware structure decoding and extraction
- NVRAM/UEFI variable extraction
- SPI flash descriptor parsing
- Baseline comparison for change detection

## Prerequisites

### One-Time Setup (Fix Logging Permission)

Chipsec requires a writable logs directory. Run once:

```bash
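# The path is specific to Python 3.13; adjust it to your interpreter's site-packages.
sudo mkdir -p /usr/lib/python3.13/site-packages/logs
# 777 makes the directory world-writable; on a shared host, prefer chown to the account that runs chipsec.
sudo chmod 777 /usr/lib/python3.13/site-packages/logs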
```

### Verify Installation

```bash
chipsec_main --version
```

## Core Commands

All static analysis commands use these flags:
- `-i` : Ignore platform check (required for offline analysis)
- `-n` : No kernel driver (required for static analysis)

### 1. Malware and Vulnerability Scan (Primary Use)

Scan firmware for known threats including UEFI rootkits and SMM vulnerabilities:

```bash
chipsec_main -i -n -m tools.uefi.scan_blocked -a <firmware.bin>
```

**Detected Threats:**

| Threat | Description | Reference |
|--------|-------------|-----------|
| HT_UEFI_Rootkit | HackingTeam commercial UEFI rootkit | McAfee ATR |
| MR_UEFI_Rootkit | MosaicRegressor APT UEFI implant | Kaspersky |
| LoJax | First UEFI rootkit found in the wild (Sednit/APT28) | ESET |
| ThinkPwn | SystemSmmRuntimeRt SMM code execution vulnerability | cr4.sh |
| FirmwareBleed | SMM Return Stack Buffer stuffing vulnerability | Binarly |
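
An added example (not part of the iothackbot skill or of chipsec): a parser that turns a saved `scan_blocked` log into a triage verdict, using the `[!] match '<rule>'` hit-line format shown in this section's example output and the references from the table above. The function names, the family-before-first-dot rule and the sample logs are assumptions made for illustration.

```python
import re
from collections import Counter

# Family -> reference, copied from the "Detected Threats" table on this page.
THREATS = {
    "HT_UEFI_Rootkit": "McAfee ATR",
    "MR_UEFI_Rootkit": "Kaspersky",
    "LoJax": "ESET",
    "ThinkPwn": "cr4.sh",
    "FirmwareBleed": "Binarly",
}

# Hit-line format as shown on this page: [!] match '<rule name>'
MATCH_RE = re.compile(r"^\s*\[!\]\s+match\s+'([^']+)'")


def parse_matches(log_text):
    """Return [(rule, family, reference, count)] in first-seen order."""
    counts = Counter()
    for line in log_text.splitlines():
        m = MATCH_RE.match(line)
        if m:
            counts[m.group(1)] += 1
    hits = []
    for rule, n in counts.items():
        # Assumption: the family is the text before the first '.', as in
        # 'ThinkPwn.SystemSmmRuntimeRt'. Unknown families are kept, not dropped.
        family = rule.split(".", 1)[0]
        hits.append((rule, family, THREATS.get(family, "not in table"), n))
    return hits


def triage(log_text):
    """0 = no match lines, 1 = at least one match, 2 = empty log (scan did not run)."""
    if not log_text.strip():
        return 2  # never report an empty or missing log as clean
    return 1 if parse_matches(log_text) else 0


# Constructed sample logs; only the match-line format comes from the page.
SAMPLE_HIT = """\
[*] constructed banner line
[!] match 'ThinkPwn.SystemSmmRuntimeRt'
[!] match 'ThinkPwn.SystemSmmRuntimeRt'
[!] match 'Example.UnlistedRule'
"""
SAMPLE_CLEAN = "[*] constructed banner line\n"

if __name__ == "__main__":
    for rule, family, ref, n in parse_matches(SAMPLE_HIT):
        print(f"{n}x {rule:<30} family={family:<10} ref={ref}")
    print("verdicts:", triage(SAMPLE_HIT), triage(SAMPLE_CLEAN), triage(""))
```

Keeping the per-rule count matters because several EFI binaries in one image can hit the same rule, and each one needs to be located and examined.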

**Example Output (Threat Found):**
```
[!] match 'ThinkPwn.SystemSmmRuntimeRt'
    GUID  : {7c79
```
