I have been using chipsec as an integrity verification tool. I know it's not how it was intended to be used, but I'm not aware of any other tool that does the kind of deep dive into BIOS and UEFI state that chipsec does. In theory any persistent malware should leave some trace that shows up as a change in chipsec's output — with the caveat that an implant sitting below the reader (e.g. in SMM or the flash read path) could present clean data to an OS-level tool, so this is a detection aid rather than a guarantee. The problem is that ordinary use also makes some changes, and I am having a hard time determining what kinds of changes should be expected from ordinary use. I would appreciate any advice.

I have written some test scripts below:

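#!/bin/bash
# Dump the UEFI Secure Boot "db" variable with chipsec and diff it against a
# saved baseline, appending any differences to $OUTPUT.
#
# Layout assumed (unchanged from the original):
#   ./current/db.bin  - baseline raw variable, saved from a known-good state
#   ./current/db.hex  - `hexdump` of that baseline (gives a readable diff)
#
# Exit status is 0 when the variable matched the baseline and 1 when it
# differed OR could not be read, so a caller can tell "unchanged" apart from
# "chipsec failed" without parsing the log.
set -uo pipefail   # not -e: diff exits 1 on a difference, which we expect

OUTPUT=/root/verify_certs.log
# EFI_IMAGE_SECURITY_DATABASE_GUID: the namespace db/dbx/dbt live under.
DB_GUID=d719b2cb-3d3a-4596-a3bc-dad00e67656f

# Scratch files go in a private temp dir instead of the cwd; removed on any exit.
work=$(mktemp -d) || exit 1
trap 'rm -rf -- "$work"' EXIT

status=0
{
  printf '##### db (%s) %s #####\n' "$DB_GUID" "$(date -u +%FT%TZ)"

  # chipsec prints its banner and "time elapsed" chatter on stdout; the
  # variable itself goes to the file named by the last argument.  A read
  # failure must be loud: with the original script a missing db.bin only
  # produced a diff error on stderr, which looked like "no diff" in the log.
  if ! chipsec_util uefi var-read db "$DB_GUID" "$work/db.bin" > "$work/db.ascii" 2>&1 \
     || [[ ! -s "$work/db.bin" ]]; then
    printf 'ERROR: chipsec var-read of db failed or produced an empty file\n'
    cat -- "$work/db.ascii"
    status=1
  else
    # Binary compare first (diff only reports "differ"), then a hexdump diff
    # that shows *where* the change is.  diff exits 1 on a difference and
    # >1 on an error such as a missing baseline; both are worth flagging.
    diff "$work/db.bin" ./current/db.bin
    rc=$?
    (( rc != 0 )) && status=1
    hexdump "$work/db.bin" | diff - ./current/db.hex
    rc=$?
    (( rc != 0 )) && status=1
  fi
} >> "$OUTPUT" 2>&1

exit "$status"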


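#!/bin/bash
# Re-dump all UEFI variables with chipsec, hash each dumped file and diff the
# hash list and the variable list against saved baselines.
#
# Layout assumed (unchanged from the original):
#   dir2                         - one dumped-variable path per line, absolute,
#                                  under /root/efi_variables.dir/
#   shasums                      - baseline "name sha256" list, sorted
#   efi_variables.lst            - written by `chipsec_util uefi var-list`
#   ./current/efi_variables.lst  - baseline variable list
#
# NOTE(review): dir2 is a fixed list, so a variable that is *new* on this
# machine is never hashed; only the efi_variables.lst diff below can reveal
# it.  A path listed in dir2 but missing on disk is now reported in the log
# instead of vanishing on stderr.
set -uo pipefail   # not -e: diff exits 1 on a difference, which we expect

OUTPUT=/root/verify_efivars.log
VARDIR=/root/efi_variables.dir

# Private scratch files instead of shasums.1/shasums.tmp in the cwd: the old
# `>> shasums.1` also picked up stale entries left behind by an aborted run.
work=$(mktemp -d) || exit 1
trap 'rm -rf -- "$work"' EXIT

status=0
{
  printf '##### efi variables %s #####\n' "$(date -u +%FT%TZ)"

  # var-list writes efi_variables.lst (and the variable dumps) into the cwd.
  if ! chipsec_util uefi var-list > "$work/var-list.out" 2>&1; then
    printf 'ERROR: chipsec var-list failed\n'
    cat -- "$work/var-list.out"
    status=1
  fi

  # Hash each dumped variable named in dir2.  `read -r` plus quoting replaces
  # the unquoted `for x in $(cat dir2)`, which word-split on spaces in paths.
  : > "$work/shasums.raw"
  : > "$work/sha.err"
  while IFS= read -r path || [[ -n "$path" ]]; do
    [[ -n "$path" ]] || continue
    sha256sum -- "$path" >> "$work/shasums.raw" 2>> "$work/sha.err" || status=1
  done < dir2
  if [[ -s "$work/sha.err" ]]; then
    printf 'ERROR: some variable files listed in dir2 could not be hashed:\n'
    cat -- "$work/sha.err"
  fi

  # Same transform as the original: strip the dump-dir prefix, emit
  # "name hash", sort.  The prefix is passed to awk with -v rather than
  # spliced into a sed pattern.  Plain `sort` (not LC_ALL=C) is kept on
  # purpose so the order matches the baseline `shasums` file.
  awk -v prefix="$VARDIR/" '{ sub(prefix, "", $2); print $2, $1 }' \
    "$work/shasums.raw" | sort > "$work/shasums.tmp"

  # Hash-list diff: a changed line means a variable's *contents* changed.
  diff shasums "$work/shasums.tmp"
  rc=$?
  (( rc != 0 )) && status=1
  # Variable-list diff: an added/removed line means a variable appeared or
  # disappeared (the only place a brand-new variable shows up; see NOTE above).
  diff efi_variables.lst ./current/efi_variables.lst
  rc=$?
  (( rc != 0 )) && status=1
} >> "$OUTPUT" 2>&1

exit "$status"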


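#!/bin/bash
# Snapshot the platform state chipsec can see (ACPI tables, CMOS, EC, GDT,
# I/O and MMIO ranges, IOMMU, PCI, SPI, microcode) into ./tmp and diff each
# dump against the baseline copy under /root/current.  Output file names are
# kept exactly as before because `testfiles` and the baseline dir use them.
#
# Layout assumed (unchanged from the original):
#   ./tmp            - scratch dir for this run's dumps
#   /root/current/   - baseline dumps from a known-good state
#   ./tmp/testfiles  - one dump file name per line to compare
#
# NOTE(review): some of these dumps are expected to churn between runs
# regardless of tampering -- cmos_dump (the RTC time/date bytes), ec_dump
# (battery/thermal state) and the mmio/iommu dumps (live device registers).
# spi_info, ucode_id, pci_xrom, the ACPI tables and chipsec_platform should
# be stable across reboots unless firmware, microcode or hardware actually
# changed; confirm that against a few known-clean runs before alerting on them.
set -uo pipefail   # not -e: diff exits 1 on a difference, which we expect

OUTPUT=/root/verify_chipsec
BASELINE=/root/current

# Bug fix: `cd tmp` was unchecked, so a missing tmp/ silently dumped into
# (and diffed from) whatever the cwd happened to be.
cd tmp || { printf 'ERROR: cannot cd to tmp\n' >&2; exit 1; }

#######################################
# Run a chipsec_util subcommand and capture its stdout to a file named by
# joining the arguments with "_" (e.g. `acpi table APIC` -> acpi_table_APIC).
# Arguments: the chipsec_util subcommand words
# Returns:   chipsec_util's exit status
#######################################
dump() {
  local name
  name=$(IFS=_; printf '%s' "$*")
  chipsec_util "$@" > "$name"
}

dump acpi list
for table in APIC BATB BGRT CRAT DSDT FACP FPDT HPET MCFG MSDM SBST SSDT \
             TCPA TPM2 UEFI VFCT XSDT; do
  dump acpi table "$table"
done
dump cmos dump
dump ec dump
dump gdt
dump io list
for engine in GFXVTD VTD; do
  dump iommu config "$engine"
  dump iommu status "$engine"
done
dump iommu list
dump mmcfg
for bar in DMIBAR GFXVTBAR GMADR GTTMMADR HDABAR HDBAR MCHBAR MMCFG PXPEPBAR \
           RCBA RCBA_RTC SPIBAR VTBAR; do
  dump mmio dump "$bar"
done
dump mmio list
dump pci dump
dump pci enumerate
dump pci xrom
chipsec_util platform > chipsec_platform   # baseline uses this name, not "platform"
dump spi info
dump ucode id

# Compare every dump named in testfiles against the baseline.
# Bug fix: the original ran `grep -v elapsed $OUTPUT > $OUTPUT.log; rm $OUTPUT`
# *inside* the loop, so the .log was overwritten on every iteration and ended
# up holding only the last file's diff.  Build the whole report first, then
# filter chipsec's per-run "time elapsed" lines out once.
status=0
while IFS= read -r x || [[ -n "$x" ]]; do
  [[ -n "$x" ]] || continue
  printf '#####  %s  #####\n\n' "$x"
  # stderr is captured too, so a missing baseline file shows up in the report
  # instead of being indistinguishable from "no change".
  diff "$x" "$BASELINE/$x" 2>&1
  rc=$?
  (( rc != 0 )) && status=1
done < testfiles > "$OUTPUT"
grep -v elapsed "$OUTPUT" > "$OUTPUT.log"
rm -f -- "$OUTPUT"

exit "$status"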


The output log files are here:
https://pastebin.com/wV4wdPeW
https://pastebin.com/nBa3BwLb

