Deploying Secure Boot: Key Creation and Management

Similar documents
CIS 4360 Secure Computer Systems Secured System Boot

Implementing Secure Boot: A Refresher on Key & Database Configuration

GSE/Belux Enterprise Systems Security Meeting

Microsoft UEFI Certification Authority

System Prep Applications A Powerful New Feature in UEFI 2.5

Manufacturing Tools in the UEFI Secure Boot Environment

EFI Secure Boot, shim and Xen Current Status and Developments

Windows 8 BIOS Boot settings

Key Threats Melissa (1999), Love Letter (2000) Mainly leveraging social engineering. Key Threats Internet was just growing Mail was on the verge

Past, Present, and Future Justin Johnson Senior Principal Firmware Engineer

Firmware Implementation Techniques to Achieve Windows 8 Fast Boot

UEFI, SecureBoot, DeviceGuard, TPM a WHB (un)related technologies

TPM v.s. Embedded Board. James Y

Strengthening the Chain of Trust. Kevin Lane HP Jeff Bobzin Insyde Software

Security Requirements for Crypto Devices

Big and Bright - Security

Windows IoT Security. Jackie Chang Sr. Program Manager

CIS 4360 Secure Computer Systems SGX

Forensics Challenges. Windows Encrypted Content John Howie CISA CISM CISSP Director, Security Community, Microsoft Corporation

This Security Policy describes how this module complies with the eleven sections of the Standard:

PreBoot Provisioning Solutions with UEFI

SecureDoc Disk Encryption Cryptographic Engine

SSN Lab Assignment: UEFI Secure Boot

PKI Credentialing Handbook

OVAL + The Trusted Platform Module

Security in NVMe Enterprise SSDs

The TPM 2.0 specs are here, now what?

Attacking and Defending the Platform

UEFI Secure Boot with Dell PowerEdge 14G with VMware ESXi 6.5

Software Vulnerability Assessment & Secure Storage

UEFI updates, Secure firmware and Secure Services on Arm

OS Security IV: Virtualization and Trusted Computing

FIPS Non-Proprietary Security Policy

Provisioning secure Identity for Microcontroller based IoT Devices

BIOS Setup. User s Guide. (For Skylake-W Platform) Rev.1.1

UEFI / Bios was denn das?

TRUSTED SUPPLY CHAIN & REMOTE PROVISIONING WITH THE TRUSTED PLATFORM MODULE

Who s Protecting Your Keys? August 2018

Demonstration Lecture: Cyber Security (MIT Department) Trusted cloud hardware and advanced cryptographic solutions. Andrei Costin

Remote Key Loading Spread security. Unlock efficiency

Payment Card Industry (PCI) PTS PIN Security Requirements. Technical FAQs for use with Version 2

Hardware Security. A Presentation by Eli Clampett and James Carey

TCG TPM2 Software Stack & Embedded Linux. Philip Tricca

Terra: A Virtual Machine-Based Platform for Trusted Computing by Garfinkel et al. (Some slides taken from Jason Franklin s 712 lecture, Fall 2006)

UEFI 2.1 Features. Added protocols. New member functions or equivalent

VMware, SQL Server and Encrypting Private Data Townsend Security

Advanced x86: BIOS and System Management Mode Internals UEFI SecureBoot. Xeno Kovah && Corey Kallenberg LegbaCore, LLC

General Firmware Overview of Recommendations for Window OS

SSH Communications Tectia SSH

EMC Symmetrix Encryption with DPM

BlackVault Hardware Security Platform SECURE TRUSTED INTUITIVE. Cryptographic Appliances with Integrated Level 3+ Hardware Security Module

UEFI ARM Update. UEFI PlugFest March 18-22, 2013 Andrew N. Sloss (ARM, Inc.) presented by

CoSign Hardware version 7.0 Firmware version 5.2

Use of Mojo PowerPoint Template. Your name, Title

Payment Card Industry (PCI) PTS PIN Security Requirements. Technical FAQs for use with Version 2

BitLocker Group Policy Settings

Embedded System Security Mobile Hardware Platform Security

Lecture Embedded System Security Trusted Platform Module

Advanced Crypto. Introduction. 5. Disk Encryption. Author: Prof Bill Buchanan. Bob. Alice. Eve.

Embedded System Security Mobile Hardware Platform Security

TUX : Trust Update on Linux Kernel

VMware, SQL Server and Encrypting Private Data Townsend Security

Seagate Secure TCG Enterprise SSC Pulsar.2 Self-Encrypting Drive FIPS 140 Module Security Policy

Bromium: Virtualization-Based Security

Department of Computer Science Institute for System Architecture, Operating Systems Group TRUSTED COMPUTING CARSTEN WEINHOLD

Making Blockchain Real for Business IBM Blockchain Offering

How Shielded VMs Protect Your Data

Updates on Server Base System Architecture and Boot Requirements. Dong Wei

Trusted Computing and O/S Security

ARX (Algorithmic Research) PrivateServer Hardware version 4.7 Firmware version 4.8.1

eidas compliant Trust Services with Utimaco HSMs


Expert Reference Series of White Papers. BitLocker: Is It Really Secure? COURSES.

Defeating Invisible Enemies: Firmware Based Security in OpenPOWER Systems. Linux Security Summit George Wilson IBM Linux Technology Center

Certifying Program Execution with Secure Processors. Benjie Chen Robert Morris Laboratory for Computer Science Massachusetts Institute of Technology

Citrix XenMobile and Windows 10

Backup, File Backup copies of individual files made in order to replace the original file(s) in case it is damaged or lost.

Trusted Disk Loading in the Emulab Network Testbed. Cody Cutler, Eric Eide, Mike Hibler, Rob Ricci

SafeNet LUNA EFT FIPS LEVEL 3 SECURITY POLICY

Arm Server Ready. Dong Wei

INF3510 Information Security. Lecture 6: Computer Security. Universitetet i Oslo Audun Jøsang

INF3510 Information Security Spring Lecture 4 Computer Security. University of Oslo Audun Jøsang

Integral Memory PLC. Crypto Dual (Underlying Steel Chassis) and Crypto Dual Plus (Underlying Steel Chassis) FIPS Security Policy

Lecture Embedded System Security Introduction to Trusted Computing

New Approaches to Connected Device Security

WINDOWS 10 ENTERPRISE New Security Features

Engineering UEFI Firmware for Windows: Best Practices and Pitfalls to Avoid

INTERNET OF THINGS KONTRON

From TPM 1.2 to 2.0 and some more. Federico Mancini AFSecurity Seminar,

HAROLD BAELE MICROSOFT CLOUD TECHNICAL CONSULTANT MICROSOFT CERTIFIED TRAINER. New protection capabilities in Windows Server 2016

Utimaco eidas Update. June Thorsten Groetker CTO. Utimaco HSM Business Unit Aachen, Germany 2017 Utimaco eidas Update, June 2017 Page 1

Creating Advanced Graphics Libraries on top of GOP

How I Learned to Stop Worrying and Love the Internet of Things

Lecture Embedded System Security Introduction to Trusted Computing

AMD Security and Server innovation

Lecture Secure, Trusted and Trustworthy Computing Trusted Platform Module

Dolphin DCI 1.2. FIPS Level 3 Validation. Non-Proprietary Security Policy. Version 1.0. DOL.TD DRM Page 1 Version 1.0 Doremi Cinema LLC

Distributed OS Hermann Härtig Authenticated Booting, Remote Attestation, Sealed Memory aka Trusted Computing

SSG Platform Security Division & IOTG Jan Krueger Product Manager IoT Security Solutions

ProtectV StartGuard. FIPS Level 1 Non-Proprietary Security Policy

Transcription:

presented by Deploying Secure Boot: Key Creation and Management UEFI Summer Summit July 16-20, 2012 Presented by Arie van der Hoeven (Microsoft Corporation) Updated 2011-06-01 1

Agenda Introduction Secure Boot Basics Secure Boot Keys Key Deployment Key Creation and Management Checklist 2

Introduction Today partners are testing Secure Boot using WHCK tools and Microsoft provided certificates But passing Windows requirements is just a start OEMs and ODMs need to have a plan for securely creating and managing their own keys Customers will increasingly ask about this What is your story? Reputations are on the line 3

Trusted Boot Architecture Secure Boot prevents malicious Boot code and OS loader UEFI Boot 1 Boot Policy Measurements of components including AM software are stored in the TPM BitLocker Unlocks Disk if TPM and Secure Boot Integrity in place 2 Bootmgfw.efi (Win8) Windows Kernel and Drivers AM Policy AM Software 4 5 TPM Client retrieves TPM measurements of client state on demand AM software is started before all 3 rd party software 3 3 rd Party Software/Drivers Windows Logon Client Attestation Service Client Health Claim 5

UEFI Secure Boot Keys Platform Key (PK) One only Allows modification of KEK database Key Exchange Key (KEK) Can be multiple Allows modification of db and dbx Authorized Database (db) CA, Key, or image hash to allow Forbidden Database (dbx) CA, Key, or image hash to block

Keys Required for Secure Boot Key/db Name Variable Owner Details PKpub PK OEM PK 1 only. Must be RSA 2048 or stronger Microsoft KEK CA KEK Microsoft Allows updates to db and dbx: Microsoft Windows Production CA Forbidden Signature Database db Microsoft This CA in the Signature Database (db) allows Windows 8 to boot dbx Microsoft List of known bad Keys, CAs or images from Microsoft + Required for Secure Firmware Updates Key/db Name Owner Details Secure firmware update key OEM Recommendation is to have this key be different from PK. Must be RSA 2048 or stronger

Optional Keys for Secure Boot (non WinRT only) Recommended for non WinRT Systems Key/db Name Variable Owner Notes Microsoft UEFI driver signing CA db Microsoft Microsoft signer for 3 rd party UEFI binaries via DevCenter program Optional for Customization Key/db Name Variable Owner Notes OEM or 3 rd party KEKpub KEK OEM/3 rd party OEM or 3 rd party CA db OEM/3 rd party Allows db/dbx updates e.g. for an alternate OS or Trusted 3 rd party Allows 3 rd party OS or drivers singed by a trusted 3 rd party Image Hashes db OEM Hashes of images on PC that are allowed to execute even if not signed Forbidden Signature Database (dbx) dbx OEM/3 rd party List of known bad Keys, CAs or images from OEM or partner

Key Deployment Process Create Platform Key (PK) and Secure FW Update Key Create PK Backup (Recommended) Add KEK (w/db, dbx)and sign with PKpri Protect PKpri and Secure Update (pri) Enroll PKpub Add Secure Update Key (pub) Ensure Network and Physical Security Manage and refine security practices Done? (Never really) 9

Hardware Security Modules Microsoft strongly recommends using a Hardware Security Module (HSM) for key creation Most HSMs have Federal Information Processing Standard (FIPS) Publication 140-2 level 3 compliance Requires that keys are not exported or imported from the HSM. HSMs support multiple key storage options Local on the HSM itself On the server attached to the HSM - for solutions which requires lots of keys The cryptographic module security policy shall specify a physical security policy, including: Tamper-evident seals, locks, tamper response and zeroization switches, and alarms Policy includes actions required by the operator(s) to ensure that physical security is maintained such as periodic inspections 10

Other Key Creation Options Trusted Platform Modules (TPM) or Smart Cards Crypto processors slow for manufacturing environment Not suitable for storing large number of keys May not be compliant to FIPS 140-2 level 3 Software / Crypto API generated keys Can use encrypted drives, VMs and other security options Not as secure as using an HSM Makecert Intended for testing purposes only Discouraged by Microsoft 11

Checklist Define your security strategy Identify roles Procure server and hardware for key management Recommended solution network or standalone HSM Consider whether you will need one or several HSM s for high availability and also your key back up strategy Set policy for how frequently will you be rekeying keys Have a contingency plan for Secure Boot Key compromise Identify how many PK and other keys will you be generating Use HSM to pre-generate secure boot related keys and certificates Get the Microsoft KEK and other Secure Boot related keys and certificates Sign UEFI drivers Update firmware with Secure Boot keys based on the system type Run tests including WHCK Secure Boot tests Deploy > Refine > Deploy > Refine 12

Resources Microsoft Connect http://connect.microsoft.com/ MSDN: http://msdn.microsoft.com/ Search on keyword Secure Boot http://www.microsoft.com/security UEFI 2.3.1. Specification errata C: http:/// Trusted Computing Group: http://www.trustedcomputinggroup.org/ Tianocore: http://www.tianocore.sourceforge.net UEFI and Windows: http://msdn.microsoft.com/enus/windows/hardware/gg463149 Beyond BIOS: http://www.intel.com/intelpress/sum_efi.htm 13

Thanks for attending the UEFI Summer Summit 2012 For more information on the Unified EFI Forum and UEFI Specifications, visit http:// presented by 14

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback