Post on 07-Oct-2020
presented by
Improving Platform Security with UEFI Secure Boot and UEFI
VariablesUEFI Spring Plugfest – March 29-31, 2016
Presented by David Chen (Insyde Software)
UEFI Plugfest – March 2016 www.uefi.org 1
Updated 2011-06-01
Agenda
• Introduction
• UEFI Variables
• New Secure Boot Model
• Call For Action
UEFI Plugfest – March 2016 www.uefi.org 2
Introduction
UEFI Plugfest – March 2016 www.uefi.org 3
Variables may be attacked
POST RT
UEFI Plugfest – March 2016 www.uefi.org 4
VarA
VarB
Current Secure Boot Model
UEFI Plugfest – March 2016 www.uefi.org 5
PKpub == NULL
SetupMode == 1
SecureBoot == 0
Setup Mode User Mode
PKpub != NULL
SetupMode == 0
SecureBoot == 1
1. Delete PKpub
2. Platform-Specific
PKpub Clear
Enroll PKpub
Secure Boot OffSecure Boot
Ready To Go
UEFI Variables
UEFI Plugfest – March 2016 www.uefi.org 6
Protect the Variables
• Set Variable without RT attribute
• Variable Lock
UEFI Plugfest – March 2016 www.uefi.org 7
BS+RT BS
Critical Variables
UEFI Secure Boot Database
UEFI Plugfest – March 2016 www.uefi.org 8
PK KEK
db
dbx
dbt
dbrUpdate
Enable
Update
Enable
Update
Enable
Update
Enable
Update
Enable
2.3.1 2.3.1
2.3.1
2.3.1
2.4
2.5
If signed by key in db,
driver/loader can Run!
If signed by key in dbx,
driver/loader forbidden!
If signed by key in dbt,
Check cert’s timestamp!
If signed by key in dbr,
loader can Run for
recovery!
Scenario to use dbtBefore UEFI Specification v2.4
UEFI Plugfest – March 2016 www.uefi.org 9
Images
(signed earlier)
Images
(signed later)
KeyPriv
Certification
dbx
If signed by key in dbr,
loader can Run for
recovery!
Scenario to use dbtAfter UEFI Specification v.2.4
UEFI Plugfest – March 2016 www.uefi.org 10
Images
(signed earlier)
Images
(signed later)
KeyPriv
Certification
dbt
UEFI VariablesSecure Boot Modes
SetupMode
AuditMode
DeployedModeUEFI Plugfest – March 2016 www.uefi.org 11
2.3.1
2.5
2.5
New Secure Boot Model
UEFI Plugfest – March 2016 www.uefi.org 12
Why Audit/Deployed Mode?
• Customers (ex: data center, government, etc.) have different requirement for secure boot database.
• But the Secure Boot Database isn’t easy to be customized with the old model!
UEFI Plugfest – March 2016 www.uefi.org 13
Audit Mode
UEFI Plugfest – March 2016 www.uefi.org 14
PKpub == NULL
AuditMode==0 (RW)
SetupMode == 1
SecureBoot == 0
Audit ModeUser Mode
PKpub != NULL
AuditMode==0 (RW)
SetupMode == 0
SecureBoot == 1
1. Delete PKpub
2. Platform-Specific
PKpub Clear
Enroll PKpub
PKpub == NULL
AuditMode==1 (RO)
SetupMode == 1
SecureBoot == 0
Log more info
to IEIT
Set AuditMode to1
Deployed Mode
UEFI Plugfest – March 2016 www.uefi.org 15
PKpub == NULL
AuditMode == 0 (RW)
DeployedMode==0 (RO)
SetupMode == 1
SecureBoot == 0
Setup Mode
User Mode
PKpub != NULL
AuditMode == 0 (RW)
DeployedMode==0 (RW)
SetupMode == 0
SecureBoot == 1
1. Delete PKpub
2. Platform-Specific
PKpub Clear
Enroll PKpub
PKpub == NULL
AuditMode == 1 (RO)
DeployedMode==0 (RO)
SetupMode == 1
SecureBoot == 0Set AuditMode to1
Audit Mode
Enroll PKpub
Deployed Mode
PKpub != NULL
AuditMode == 0 (RO)
DeployedMode==1 (RO)
SetupMode == 0
SecureBoot == 1
Set DeployedMode to1
Platform-Specific DeployedMode Clear
Call For Action
UEFI Plugfest – March 2016 www.uefi.org 16
Call For Action
• Critical variables need to be protected
• Customers need more flexible customized secure boot databases
• Update your spec to adopt new secure implementation to enhance your platform’s security
UEFI Plugfest – March 2016 www.uefi.org 17
Thanks for attending the UEFI Spring Plugfest 2016
For more information on the Unified EFI Forum and UEFI Specifications, visit http://www.uefi.org
presented by
UEFI Plugfest – March 2016 www.uefi.org 18
Backup
UEFI Plugfest – March 2016 www.uefi.org 19
UEFI VariablesSecure Boot Databases
• Platform Key (PK)• Key Exchange Key Database (KEK)• Secure Boot Signature Database (db)• Secure Boot Blacklist Signature Database
(dbx)• Secure Boot Timestamp Signature Database
(dbt)• Secure Boot Authorized Recovery Signature
Database (dbr)
UEFI Plugfest – March 2016 www.uefi.org 20
2.3.1
2.3.1
2.5
2.4
2.3.1
2.3.1