Improving Platform Security with UEFI Secure Boot and ... - UEFI Forum
Recommend Documents
Android/Brillo kernel flinger. SECURED boot path .... UEFI Plugfest â September 2016 www.uefi.org. 13. UEFI 2.0. PI 1.0. UEFI 2.1. PI 1.1. UEFI 2.3. UEFI 2.2.
Nov 3, 2017 - Wait ⦠we're still talking about BIOS? Why? There is still a reliance on 16-bit BIOS via the Compatibili
Feb 27, 2013 - Add that some tools require admin prvileges. Add details about the KEK & DB GUIDs. Update image verif
Table 2. Pre-boot deliverables with partition and directory paths for Windows 8 on
GPT-formatted notebooks and ..... Fast boot initializes the internal HDD ....
Windows Vista, Windows 7, and some Linux systems don't support UEFI Secure
Boot.
Oct 28, 2011 - hardware owner, and may prevent open source operating systems from ... software, while retaining the secu
App. UEFI. Driver. UEFI. Driver. OS Kernel. UEFI. Secure. Boot. OS Driver .... STTS005 Accelerating Software Development on Next Generation ... Intel, Look Inside and the Intel logo are trademarks of Intel Corporation in the United States and ...
Jan 1, 2015 - even code with ring0 privileges cannot modify flash storage or SMM at will. ... the Framework provides a b
At some future time, an operating-system- and vendor-neutral certificate authority
should be established to issue KEKs for third-party hardware and software ...
In the late 1990s, Intel™ sought an alternative to BIOS for its new Itanium™
processor. Because the ... executable, to masquerade as the default operating
system boot loader. ... The “evil maid attack” can be used to capture passwords
for.
Linux and other open operating systems will be able to take advantage of secure boot if it is implemented properly in th
App. Final OS. Environment. Final OS. Boot Loader. Driver. Execution. Environment. (DXE) .... Intel® UEFI Development Kit 2010 (Intel® UDK2010). Maximize the ...
Figure 5 - Creating Digital Signatures . ..... At a high level, there is the process of creating a digital signature, as shown below. This involves the processing of a ...
Oct 7, 2015 - Abstract data www.uefi.org. 2. LinuxCon EU 2015. ⢠UEFI Development in an Open Source .... Recovery. Device support for recovery from PEI.
Goals: â Make iSCSI and PXE network boot support IPv6. â Maintain feature parity with IPv4. â Leave protocol work to the IETF (hence this request). IETF 72. 3 ...
Protect the firmware against arbitrary programming attempts. ⢠It's up to ..... http://syscan.org/index.php/download/g
Mar 9, 2015 - Recovery from failures ... Non-blocking local disk and networking services for high throughput image delivery ... âDoing this on just one brand of hard drive would be an almost Herculean task ... Recommended UEFI Boot Flow ...
Sr. Developer, Dell Inc. Marty Nicholes .... âHow the FW Mgt App will get the compatibility value for the image to be updated is out of UEFI .... EFI# Company.
UEFI Development. Vincent Zimmer .... UEFI OS LOADER/APPLICATION/DRIVER. (OTHER). SMBIOS .... Developer Kit - What it is and How to Use it. S005. Intel.
Of the two technologies in this article, one of them includes the evolution of internet .... PC BIOS was intended for 250,000 units on a production run over two years. It ..... University and a Master of Science Degree in Computer Science from the.
stallers and infrastructure code to both provision, man- age, and ... Add-in device vendors are also challenged, because ..... rameterized by the file dhcpd.conf.
Capsule is put in memory by an application in the OS. â Mailbox event .... Visit http://developer.intel.com/technology/efi/uefi-ihv.htm for the latest .... Intel, the Intel logo are trademarks of Intel Corporation in the United States and other cou
Mar 18, 2016 - New Secure Boot Model. ⢠Call For Action ... Setup Mode. User Mode. PK pub != ... Customers (ex: data c
presented by
Improving Platform Security with UEFI Secure Boot and UEFI Variables UEFI Spring Plugfest – March 29-31, 2016 Presented by David Chen (Insyde Software) Updated 2011-06-01
UEFI Plugfest – March 2016
www.uefi.org
1
Agenda • • • •
UEFI Plugfest – March 2016
Introduction UEFI Variables New Secure Boot Model Call For Action
www.uefi.org
2
Introduction
UEFI Plugfest – March 2016
www.uefi.org
3
Variables may be attacked
POST
RT
VarA
VarB
UEFI Plugfest – March 2016
www.uefi.org
4
Current Secure Boot Model User Mode
Setup Mode Enroll PKpub
PKpub == NULL SetupMode == 1 SecureBoot == 0
1. Delete PKpub 2. Platform-Specific PKpub Clear
Secure Boot Ready To Go
Secure Boot Off UEFI Plugfest – March 2016
PKpub != NULL SetupMode == 0 SecureBoot == 1
www.uefi.org
5
UEFI Variables
UEFI Plugfest – March 2016
www.uefi.org
6
Protect the Variables • Set Variable without RT attribute
BS+RT
BS
• Variable Lock
Critical Variables UEFI Plugfest – March 2016
www.uefi.org
7
UEFI Secure Boot Database 2.3.1
db Update Enable
2.4
If signed by key in dbt, dbt Check cert’s timestamp!
Update Enable
2.5
Update Enable
If signed by key in dbr, dbr loader can Run for recovery!
2.3.1
2.3.1
2.3.1
PK
KEK Update Enable
If signed by key in db, driver/loader can Run!
dbx
If signed by key in dbx, driver/loader forbidden!
Update Enable UEFI Plugfest – March 2016
www.uefi.org
8
Scenario to use dbt Before UEFI Specification v2.4
KeyPriv
Images (signed earlier)
dbx
If signed by key in dbr, loader can Run for recovery!
Images (signed later)
Certification
UEFI Plugfest – March 2016
www.uefi.org
9
Scenario to use dbt After UEFI Specification v.2.4
KeyPriv
Images (signed earlier)
dbt
Images (signed later)
Certification
UEFI Plugfest – March 2016
www.uefi.org
10
UEFI Variables Secure Boot Modes
UEFI Plugfest – March 2016
SetupMode
2.3.1
AuditMode
2.5
DeployedMode
2.5
www.uefi.org
11
New Secure Boot Model
UEFI Plugfest – March 2016
www.uefi.org
12
Why Audit/Deployed Mode? • Customers (ex: data center, government, etc.) have different requirement for secure boot database. • But the Secure Boot Database isn’t easy to be customized with the old model!
Call For Action • Critical variables need to be protected • Customers need more flexible customized secure boot databases • Update your spec to adopt new secure implementation to enhance your platform’s security
UEFI Plugfest – March 2016
www.uefi.org
17
Thanks for attending the UEFI Spring Plugfest 2016 For more information on the Unified EFI Forum and UEFI Specifications, visit http://www.uefi.org presented by
