Search Mailing List Archives

Limit search to: Subject & Body Subject Author
Sort by: Reverse Sort
Limit to: All This Week Last Week This Month Last Month
Select Date Range     through    

[liberationtech] A tool for encrypted laptops

Blibbet blibbet at
Fri May 9 14:19:10 PDT 2014

On 5/9/14 1:08 PM, Steve Weis wrote:
> Hi Tom. Does hibernation on a Mac protect from physical memory
> extraction by default or is this something yontma configures?

There may be an ACPI/UEFI attack here... UEFI Runtime Service drivers 
continue to run in the background while the main OS is running. A UEFI 
driver can detect these ACLU Sx states. UEFI includes a full IPv4/IPv6 
network stack (optionally bootable via PXE), UEFI apps/drivers can talk 
over the net as well as to local storage media.

So, a UEFI runtime service driver could detect hibernation, start 
getting active in background over net. IF adversary is smart enough to 
figure out how to install an EFI driver onto your system. And you don't 
detect the change. So, your EFI malware runtime service might be able to 
work while you and the OS think the system is merely hibernating.

EFI's "Fast Boot" feature is the opposite of ACPI hiberation. The B<n> 
states of EFI booting are conceptually similar to the S<n> states of 
ACPI sleeping. Without "Fast Boot", EFI still controls ACPI hibernation, 
just not as quickly (there are redundant re-init/re-scans that are not 

ACPI is controlled by the firmware.
OS suspend/resume is controlled by the firmware.

IMO, power box off completely, to be sure there's no weirdness happening 
at firmware and silicon levels. Like people remove their batteries from 
their smartphones.

PS: EFI-free Novena reached their crowdsourcing goals! You have 9 days 
to act before prices increase:
"at the conclusion of the Crowd Supply campaign on May 18, all the 
prices listed below will go up by 10%"

More information about the liberationtech mailing list