ZBOOK

Improving Platform Security With UEFI Secure Boot And UEFI Variables

Improving Platform Security With UEFI Secure Boot And UEFI Variables
8m ago
10 Views
1 Downloads
692.24 KB
20 Pages
Last View : Today
Last Download : 3m ago
Upload by : Bennett Almond
Report this link
Word
Text
Jpg
Png
Download PDF
Transcription

presented by Improving Platform Security with UEFI Secure Boot and UEFI Variables UEFI Spring Plugfest – March 29-31, 2016 Presented by David Chen (Insyde Software) Updated 2011-06-01 UEFI Plugfest – March 2016 www.uefi.org 1

Agenda UEFI Plugfest – March 2016 Introduction UEFI Variables New Secure Boot Model Call For Action www.uefi.org 2

Introduction UEFI Plugfest – March 2016 www.uefi.org 3

Variables may be attacked POST RT VarA VarB UEFI Plugfest – March 2016 www.uefi.org 4

Current Secure Boot Model User Mode Setup Mode Enroll PKpub PKpub NULL SetupMode 1 SecureBoot 0 1. Delete PKpub 2. Platform-Specific PKpub Clear Secure Boot Ready To Go Secure Boot Off UEFI Plugfest – March 2016 PKpub ! NULL SetupMode 0 SecureBoot 1 www.uefi.org 5

UEFI Variables UEFI Plugfest – March 2016 www.uefi.org 6

Protect the Variables Set Variable without RT attribute BS RT BS Variable Lock Critical Variables UEFI Plugfest – March 2016 www.uefi.org 7

UEFI Secure Boot Database 2.3.1 db Update Enable 2.4 If signed by key in dbt, dbt Check cert’s timestamp! Update Enable 2.5 Update Enable If signed by key in dbr, dbr loader can Run for recovery! 2.3.1 2.3.1 2.3.1 PK KEK Update Enable If signed by key in db, driver/loader can Run! dbx If signed by key in dbx, driver/loader forbidden! Update Enable UEFI Plugfest – March 2016 www.uefi.org 8

Scenario to use dbt Before UEFI Specification v2.4 KeyPriv Images (signed earlier) dbx If signed by key in dbr, loader can Run for recovery! Images (signed later) Certification UEFI Plugfest – March 2016 www.uefi.org 9

Scenario to use dbt After UEFI Specification v.2.4 KeyPriv Images (signed earlier) dbt Images (signed later) Certification UEFI Plugfest – March 2016 www.uefi.org 10

UEFI Variables Secure Boot Modes UEFI Plugfest – March 2016 SetupMode 2.3.1 AuditMode 2.5 DeployedMode 2.5 www.uefi.org 11

New Secure Boot Model UEFI Plugfest – March 2016 www.uefi.org 12

Why Audit/Deployed Mode? Customers (ex: data center, government, etc.) have different requirement for secure boot database. But the Secure Boot Database isn’t easy to be customized with the old model! UEFI Plugfest – March 2016 www.uefi.org 13

Audit Mode User Mode PKpub ! NULL AuditMode 0 (RW) SetupMode 0 SecureBoot 1 Log more info to IEIT Audit Mode Set AuditMode to1 1. Delete PKpub 2. Platform-Specific PKpub Clear Enroll PKpub PKpub NULL AuditMode 0 (RW) SetupMode 1 SecureBoot 0 UEFI Plugfest – March 2016 www.uefi.org PKpub NULL AuditMode 1 (RO) SetupMode 1 SecureBoot 0 14

Deployed Mode PKpub ! NULL AuditMode 0 (RO) DeployedMode 1 (RO) SetupMode 0 SecureBoot 1 Platform-Specific DeployedMode Clear Set DeployedMode to1 User Mode 1. Delete PKpub 2. Platform-Specific PKpub Clear Setup Mode PKpub ! NULL AuditMode 0 (RW) DeployedMode 0 (RW) SetupMode 0 SecureBoot 1 Deployed Mode Enroll PKpub Enroll PKpub PKpub NULL AuditMode 0 (RW) DeployedMode 0 (RO) SetupMode 1 Set AuditMode to1 SecureBoot 0 PKpub NULL AuditMode 1 (RO) DeployedMode 0 (RO) SetupMode 1 SecureBoot 0 Audit Mode UEFI Plugfest – March 2016 www.uefi.org 15

Call For Action UEFI Plugfest – March 2016 www.uefi.org 16

Call For Action Critical variables need to be protected Customers need more flexible customized secure boot databases Update your spec to adopt new secure implementation to enhance your platform’s security UEFI Plugfest – March 2016 www.uefi.org 17

Thanks for attending the UEFI Spring Plugfest 2016 For more information on the Unified EFI Forum and UEFI Specifications, visit http://www.uefi.org presented by UEFI Plugfest – March 2016 www.uefi.org 18

Backup UEFI Plugfest – March 2016 www.uefi.org 19

UEFI Variables Secure Boot Databases 2.3.1 2.3.1 2.3.1 Platform Key (PK) Key Exchange Key Database (KEK) Secure Boot Signature Database (db) Secure Boot Blacklist Signature Database (dbx) 2.4 Secure Boot Timestamp Signature Database (dbt) 2.5 Secure Boot Authorized Recovery Signature Database (dbr) 2.3.1 UEFI Plugfest – March 2016 www.uefi.org 20

Secure Boot Databases Platform Key (PK) Key Exchange Key Database (KEK) Secure Boot Signature Database (db) Secure Boot Blacklist Signature Database (dbx) Secure Boot Timestamp Signature Database (dbt) Secure Boot Authorized Recovery Signature Database (dbr) UEFI Plugfest -March 2016 www.uefi.org 20 2.3.1 2.3.1 2.5 2.4 .

Related Documents:
UEFI Development Resources

UEFI Driver Writer’s Guide UEFI Driver Development Guides Documentation EFI Development Kit (EDK II) Open Source UEFI Development Kit (UDK2010) UEFI Self Certification Test (SCT) UEFI 2.3.1 Developer Platforms & Debug Tools UEFI Driver Wizard Development UEFI Plugfest – February 2012 www.uefi.org 16

90 Views
3y ago
Firmware Interface (UEFI) Capsules Updates using Unified ...

UEFI Capsule Publish UEFI Capsule Distribute UEFI Capsule Process UEFI Capsule Linux* Vendor Firmware . Run Time (RT)? OS-Present App Final OS Environment Final OS Boot Loader OS-Absent App Transient OS . using configuration data and small libraries.

31 Views
2y ago
HPE Dynamic Smart Array B140i RAID Controller User Guide

configurations: UEFI Mode and Legacy BIOS Mode. Certain boot options described in this guide require that you select a specific boot mode. By default, the boot mode is set to UEFI Mode. The system must boot in UEFI Mode to use the following options: Secure Boot, UEFI Optimized Boot, Generic USB Boot, IPv6 PXE Boot, iSCSI Boot, and Boot from URL

222 Views
3y ago
UEFI on Dell BizClient Platforms

Consistent Configuration Infrastructure. The UEFI spec defines a methodology of describing the platform configuring data in a standard way. The rendering of the data is left to the platform vendor. This allows UEFI to bring all the platform configurations like BIOS, Storage and Network options under a

48 Views
3y ago
Defending UEFI: Firmware Security for System Administrators - WordPress.com

Requirements You are an system administrator, or a systems-level security researcher. You know architectural fundamentals of: Intel hardware, IBM PC BIOS/OpROM firmware, and UEFI firmware - This isn't an introduction to UEFI. You can use a shell (bash, cmd.exe) and write scripts (batch files) for them. You can use Python to run scripts. Optional: Python, C, and C programming language skills to

5 Views
1y ago
Driver Development with EDKII

UEFI (Not!BIOS) Extensible Firmware Interface Specification (Not!OS) Pre-boot code (Not!Uboot) EDK II based platform firmware Option ROM (Not!UEFI) Legacy 16-bit executable blob rather than UEFI Driver (Not!BIOS) Vendor code loaded from device flash (Not!PlatformFlash) Expansion ROM BAR or flash on peripheral devices 22

62 Views
3y ago
Introducing the New Intel® UEFI Development Kit: Industry ...

UEFI Driver Signing Adds policy around UEFI and its 3 rd party image extensibility – Admixture of OS loaders, apps, and drivers in system – Gives IT control around these executables – Detects/prevents malware Technology includes – Supports “known-good” and “known-bad” signature databases – Policy-based updates to list

34 Views
3y ago
HEAVY-DUTY ELECTRIC POWER WINCH 4WS SERIES

AGMA and/or DIN standards IMPERIAL Series Load Rating Drum Capacity METRIC Series Power Supply Line Speed Clutch Load Rating Drum Capacity Power Supply Line Speed Clutch PERFORMANCE 4WS9M18 4WS16M20 4WS26M26 4WS1M6 4WS3M10 4WS6M12 10,000 lbs 16,000 lbs 26,200 lbs 1,500 lbs 3,700 lbs 6,400 lbs 5–10 hp 7.5–15 hp 10–25 hp.5–1.5 hp 1–3 hp .

66 Views
3y ago
Recent Views
AUTOMOTIVE INDUSTRY ANALYSIS REPORT and GUIDE
3.1 General Outlook of the Automotive Industry in the World 7 3.2 Overview of the Automotive Industry in Turkey 10 3.3 Overview of the Automotive Industry in TR42 Region 12 4 Effects of COVID-19 Outbreak on the Automotive Industry 15 5 Trends Specific to the Automotive Industry 20 5.1 Special Trends in the Automotive Industry in the World 20
1y ago
86 Views
Automotive Pathway Automotive Services Fundamentals
Automotive Pathway Automotive Services Fundamentals Course Number: IT11 Prerequisite: None Aligned Industry Credential: S/P2- Safety and Pollution Prevention and SP2- Mechanical and Pollution Prevention Description: This course introduces automotive safety, basic automotive terminology, system & component identification, knowledge and int
2y ago
228 Views
Articulation Agreements: College of Applied Technologies .
Hernando High School FL Automotive . Central Nine Career Center IN Automotive Elkhart Area Career Center IN Automotive . Kokomo Area Career Center IN Automotive North Lawrence Vo-Tech IN MLR Porter County Career Center IN Automotive Richmond High School IN Automotive Southeastern Career
2y ago
376 Views
Automotive Basics - Auto Upkeep
Automotive Basics - Course Description "Automotive Basics includes knowledge of the basic automotive systems and the theory and principles of the components that make up each system and how to service these systems. Automotive Basics includes applicable safety and environmental rules and regulations. In Automotive Basics, students will gain
1y ago
197 Views
Automotive Automotive Automotive - HSBC Bank Malaysia
This Merchant list is subject to change from time to time. Merchant(s) who are terminated from the Instalment program after the published date might still be reflected in this list. HSBC Cardholder(s) are advised to confirm the availability of HSBC Card Instalment Plan with the merchant. Automotive Automotive Automotive
1y ago
173 Views
On the Road: U.S. Automotive Parts Industry Annual Assessment
Table 12: Acquisitions of U.S. Automotive Parts Companies (SIC 3714) Table 13: Automotive Parts Exports, 2000-2010 Table 14: Automotive Parts Imports, 2000-2010 . Automotive parts consumption is linked to the demand for new vehicles, since roughly 70 percent of U.S. automotive parts production is for Original Equipment (OE) products. .
10m ago
72 Views
EMC TEST SYSTEMS FOR AUTOMOTIVE
AUTOMOTIVE EMC TEST SYSTEMS FOR AUTOMOTIVE ELECTRONICS AUTOMOTIVE EMC TEST SYSTEMS FOR AUTOMOTIVE ELECTRONICS Step 1 Step 2 Step 3: Set the parameters Step 4: Active test. Load dump pulses have high pulse energy, which can be highly destructive to electrical or electronic equipment. The LD 200N series simulates these pulses with high energy in a range of up to 1.2 seconds. The LD 200N .
3y ago
266 Views
Automotive Manufacturing - Select Georgia
Jobs created by Georgia’s automotive-related locations Toyo Tire North America Manufacturing and expansions in the last three years 32,000 Automotive-related engineers and production workers in Georgia Sources: EMSI 2020.3, press releases and Automotive Database, Georgia Power Community & Economic Development, 2020 Automotive Manufacturing
2y ago
166 Views
#1 OSAT for Automotive Packaging and Test
We Know Automotive Amkor has extensive experience with automotive process requirements shipping billions of units every year for automotive applications. Our packages meet or exceed automotive quality, reliability, burn-in and safe launch plan criteria. Amkor also has failure analysis, tri-temp test and statistical process capability in all .
1y ago
145 Views
Ipsos Automotive Center of Excellence
Global Automotive Center of Excellence -2014 Ipsos Automotive 9 Automotive Center of Excellence As global automotive markets get more sophisticated, they require vehicle manufacturers to offer the most relevant market propositions to match consumer needs. There is greater value than ever before for a global research partner, who understands
1y ago
126 Views
All about automotive engineering in a pocketbook The 8th edition has .
Automotive Automotive Handbook Handbook All about automotive engineering in a pocketbook The 8th edition has been revised and extended. Automotive Handbook Reference handbook for academic and personal use. ISBN 978--7680-4851-3 Contents - central themes Basic principles: physics, materials, machine parts, joining and bonding techniques
1y ago
135 Views
Brochure: Advanced Flash Storage Solutions for Automotive Applications
iNAND Automotive Embedded Flash Drives (EFDs) are designed to support the harsh environments, high reliability and quality required by the automotive industry. The automotive iNAND product portfolio supports both UFS and e.MMC interfaces in a small 11.5x13mm package with a wide range of capacities to provide automotive OEMs and Tier-1
1y ago
161 Views
Industry Skills Forecast and Proposed Schedule of Work Automotive
Executive summary The Automotive Retail, Service and Repair (AUR) and Automotive Manufacturing (AUM) Training Packages are critical elements in the Vocational Education and Training (VET) system, playing central roles in the training of learners that engage in the automotive industries. A productive and valuable Automotive Training
1y ago
134 Views
Automotive Programs Student Handbook - SCCIowa
include a basic knowledge of all facets of the automotive repair industry, followed by classroom practice and drills of basic skills utilized in the automotive repair industry. The curriculum includes an internship experience in an automotive repair business. The curriculum is evaluated and revised as automotive repair needs change in the industry.
10m ago
72 Views
automotIve
automotive manufacturers worldwide. Those companies that take a forward-thinking approach will gain a competitive advantage and secure a leadership position in a realigned automotive value chain. At Seco, we partner with OEMs and other vehicle-based organisations around the globe to help automotive manufacturers overcome their
3y ago
145 Views