Firmware Execution Security

TL;DR

Binary firmware packages can be executed on your system if they’re allowed to. This guide explains how to check what’s running, where it came from, and how to block unwanted execution.

Checking Running Firmware

  1. List Loaded Modules: Use the lsmod command in a terminal to see currently loaded kernel modules. These often include firmware components.
    lsmod
  2. Check dmesg Output: The dmesg command shows kernel messages, including when firmware is loaded or errors occur during loading.
    dmesg | grep -i firmware
  3. Examine /proc/modules: This file contains information about loaded modules. You can view it with cat or a text editor.
    cat /proc/modules
  4. Firmware Paths (if known): If you know where firmware files are stored (e.g., /lib/firmware), check the modification dates to see if anything has been recently added or changed.
    ls -l /lib/firmware

Identifying Firmware Sources

  1. Package Manager History: Use your distribution’s package manager to see if firmware was installed as part of a software package.
    • Debian/Ubuntu (apt): grep -i firmware /var/log/apt/history.log
    • Red Hat/CentOS/Fedora (yum/dnf): yum history list | grep firmware or dnf history list | grep firmware
    • Arch Linux (pacman): pacman -Qo /path/to/firmware/file to find the package owning a specific file.
  2. Firmware Update Tools: Check if any firmware update tools are installed and configured (e.g., fwupd). These can automatically download and install updates.
    fwupdmgr --version
  3. System Logs: Examine system logs (e.g., /var/log/syslog, /var/log/messages) for firmware-related events.

Blocking Firmware Execution

  1. Blacklisting Modules: Prevent specific kernel modules from loading by creating a blacklist file. Create a file in /etc/modprobe.d/ (e.g., /etc/modprobe.d/blacklist-firmware.conf) and add the module name.
    sudo nano /etc/modprobe.d/blacklist-firmware.conf

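    Add a line like: blacklist <module_name> (where <module_name> is a placeholder for the module you want to block). Note that a blacklist entry only stops the module from being loaded automatically through its aliases; it can still be loaded explicitly or as a dependency of another module.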

  2. Secure Boot (UEFI): Enable Secure Boot in your UEFI settings to ensure that only digitally signed firmware can be loaded.
  3. Disable Automatic Updates: If you’re concerned about unwanted updates, disable automatic firmware update tools. For example, with fwupd:
    sudo systemctl stop fwupd
    sudo systemctl disable fwupd
  4. File Permissions: Restrict access to the firmware directory (e.g., /lib/firmware) to prevent unauthorized modification.
    sudo chmod 755 /lib/firmware
  5. AppArmor or SELinux: Use AppArmor or SELinux to create profiles that restrict the actions of processes related to firmware loading. This is an advanced technique requiring significant configuration.
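
The modification-date check from "Checking Running Firmware" and the file-permissions step from "Blocking Firmware Execution" can be combined into one audit pass. The script below is an added example, not part of the original guide; the function names, the RECENT/WRITABLE labels and the 7-day default window are assumptions of the example.

```shell
#!/bin/sh
# Added example: audit a firmware tree for recent changes and loose write bits.
# Function names, labels and the 7-day default are assumptions of this example.

# Regular files under $1 whose content changed within the last $2 days.
fw_recent() {
    find -H "$1" -xdev -type f -mtime "-$2" -print | sort
}

# Files and directories under $1 that group or others can write to.
# Symlinks are skipped: their own mode bits are not meaningful on Linux.
fw_loose_perms() {
    find -H "$1" -xdev \( -type f -o -type d \) \
        \( -perm -020 -o -perm -002 \) -print | sort
}

# Print labelled findings; return 1 if anything was flagged, 0 if clean.
fw_audit() {
    _fw_dir=${1:-/lib/firmware}
    _fw_days=${2:-7}
    _fw_status=0
    _fw_out=$(fw_recent "$_fw_dir" "$_fw_days")
    if [ -n "$_fw_out" ]; then
        printf '%s\n' "$_fw_out" | sed 's/^/RECENT   /'
        _fw_status=1
    fi
    _fw_out=$(fw_loose_perms "$_fw_dir")
    if [ -n "$_fw_out" ]; then
        printf '%s\n' "$_fw_out" | sed 's/^/WRITABLE /'
        _fw_status=1
    fi
    return "$_fw_status"
}

# Run only when a directory is given, e.g.: sh fw_audit.sh /lib/firmware 7
if [ "$#" -gt 0 ]; then
    fw_audit "$@"
fi
```

A RECENT hit right after a package upgrade is expected; compare it against the package manager history before treating it as suspicious.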