Microsoft UEFI Certification Authority

Similar documents
Manufacturing Tools in the UEFI Secure Boot Environment

Implementing Secure Boot: A Refresher on Key & Database Configuration

Strengthening the Chain of Trust. Kevin Lane HP Jeff Bobzin Insyde Software

Deploying Secure Boot: Key Creation and Management

System Prep Applications A Powerful New Feature in UEFI 2.5

PreBoot Provisioning Solutions with UEFI

UEFI and the Security Development Lifecycle

CIS 4360 Secure Computer Systems Secured System Boot

Key Threats Melissa (1999), Love Letter (2000) Mainly leveraging social engineering. Key Threats Internet was just growing Mail was on the verge

UEFI ARM Update. UEFI PlugFest March 18-22, 2013 Andrew N. Sloss (ARM, Inc.) presented by

ARM Trusted Firmware ARM UEFI SCT update

GSE/Belux Enterprise Systems Security Meeting

Introduction to Device Trust Architecture

Cisco Secure Boot and Trust Anchor Module Differentiation

AMD Security and Server innovation

EFI Secure Boot, shim and Xen Current Status and Developments

SSN Lab Assignment: UEFI Secure Boot

ARM Server s Firmware Security

Firmware Implementation Techniques to Achieve Windows 8 Fast Boot

UEFI What is it? Spring 2017 UEFI Seminar and Plugfest March 27-31, 2017 Presented by Dong Wei (ARM) presented by. Updated

Tailoring TrustZone as SMM Equivalent

Leveraging Windows Update to Distribute Firmware Updates Model Based Servicing (MBS)

UEFI Plugfest March

THE CHAIN OF TRUST. Keeping Computing Systems More Secure. Authors: Richard Wilkins, Ph.D. Phoenix Technologies, Ltd.

SECURING DEVICES IN THE INTERNET OF THINGS

SECURING DEVICES IN THE INTERNET OF THINGS

Delivering High-mix, High-volume Secure Manufacturing in the Distribution Channel

Engineering UEFI Firmware for Windows: Best Practices and Pitfalls to Avoid

Digital Certificates Demystified

General Firmware Overview of Recommendations for Window OS

Windows IoT Security. Jackie Chang Sr. Program Manager

TRUSTED SUPPLY CHAIN & REMOTE PROVISIONING WITH THE TRUSTED PLATFORM MODULE

WINDOWS 10 ENTERPRISE New Security Features

egov & PKI By: Alaa Eldin Mahmoud Aly YOUR LOGO

Windows To Go and USB Boot

Firmware Test Suite - Uses, Development, Contribution and GPL

Hardware Prototyping Using a Windows-Hosted UEFI environment

Comodo Certificate Manager

Microsoft Sample Code on GitHub and Walkthrough on Firmware Updates to Windows Update (WU)

Laura Arribas Vodafone WAC 6th ETSI Security Workshop January ETSI, Sophia Antipolis, France

Windows 10 Security & Audit

Connecting Securely to the Cloud

Backup, File Backup copies of individual files made in order to replace the original file(s) in case it is damaged or lost.

ARM Security Solutions and Numonyx Authenticated Flash

Windows 8 BIOS Boot settings

Terra: A Virtual Machine-Based Platform for Trusted Computing by Garfinkel et al. (Some slides taken from Jason Franklin s 712 lecture, Fall 2006)

Securing Devices in the Internet of Things

An Introduction to Platform Security

Attacking and Defending the Platform

Creating Advanced Graphics Libraries on top of GOP

MODERN DESKTOP SECURITY

Standardized Firmware for ARMv8 based Volume Servers

Hypervisor Security First Published On: Last Updated On:

Case Study: The Evolution of EMC s Product Security Office. Dan Reddy, CISSP, CSSLP EMC Product Security Office

UEFI Test Tools For Linux Developers

Past, Present, and Future Justin Johnson Senior Principal Firmware Engineer

ECA Trusted Agent Handbook

How do you decide what s best for you?

PKI Credentialing Handbook

System Firmware and Device Firmware Updates using Unified Extensible Firmware Interface (UEFI) Capsules

Implementing Advanced USB Interrupt Transfers

Protecting Keys/Secrets in Network Automation Solutions. Dhananjay Pavgi, Tech Mahindra Ltd Srinivasa Addepalli, Intel

Who s Protecting Your Keys? August 2018

Using the UEFI Shell. October 2010 UEFI Taipei Plugfest Insyde Software

Advanced x86: BIOS and System Management Mode Internals UEFI SecureBoot. Xeno Kovah && Corey Kallenberg LegbaCore, LLC

Bromium: Virtualization-Based Security

Cybersecurity in Government

Securing Software Updates for IoT Devices with TUF and Uptane. Ricardo Salveti Principal Engineer

Managing IT Risk: What Now and What to Look For. Presented By Tina Bode IT Assurance Services

CIS 4360 Secure Computer Systems SGX

BEYOND TRADITIONAL PASSWORD AUTHENTICATION: PKI & BLOCKCHAIN

Enabling Advanced NVMe Features Through UEFI

Security Enhancements

Security Fundamentals

The Role UEFI Technologies Play in ARM Platform Architecture

Technical Brief Distributed Trusted Computing

Application vulnerabilities and defences

Zero Trust on the Endpoint. Extending the Zero Trust Model from Network to Endpoint with Advanced Endpoint Protection

TUX : Trust Update on Linux Kernel

GELI Support for UEFI

Use of Mojo PowerPoint Template. Your name, Title

Public-Key Infrastructure NETS E2008

Advanced Operating Systems and Virtualization. Alessandro Pellegrini A.Y. 2017/2018

Monthly Security Bulletin Briefing

BREAKTHROUGH CYBER SECURITY FREQUENTLY ASKED QUESTIONS

The TPM 2.0 specs are here, now what?

McAfee Complete Endpoint Threat Protection Advanced threat protection for sophisticated attacks

10 KEY WAYS THE FINANCIAL SERVICES INDUSTRY CAN COMBAT CYBER THREATS

Improving Security in Embedded Systems Felix Baum, Product Line Manager

Securing IoT with the ARM mbed ecosystem

The information contained in this document represents the current view of Microsoft Corp. on the issues discussed as of the date of publication.

Chapter 9: Key Management

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

Trustzone Security IP for IoT

Pass, No Record: An Android Password Manager

PL-I Assignment Broup B-Ass 5 BIOS & UEFI

Provisioning secure Identity for Microcontroller based IoT Devices

Make security part of your client systems refresh

UEFI in Arm Platform Architecture

Defend what you create. Why Dr.Web

Transcription:

presented by Microsoft UEFI Certification Authority UEFI PlugFest September 19-20, 2013 Presented by Jeremiah Cox (Microsoft Corp.) Updated 2011-06-01 UEFI PlugFest September 2013 www.uefi.org 1

Agenda Digital Signing Secure Boot UEFI CA Improving User Choice Conclusions UEFI PlugFest September 2013 www.uefi.org 2

Digital Signing UEFI PlugFest September 2013 www.uefi.org 3

Digital Signing A foundation for Secure Boot Additional bits Prevent tampering Provide signer-defined claims Certification Authorities Identity of signer Think passport WHQL: Microsoft Windows Hardware Compatibility Publisher Passes Logo tests UEFI PlugFest September 2013 www.uefi.org 4

Digital Signing: CA Claims Identity, identity, identity Trustworthiness? NOT evaluated by CA s No background checks, recommendations, polygraphs, mental fitness evaluations UEFI PlugFest September 2013 www.uefi.org 5

Digital Signing: Revocation Lost signing keys? Revocation & Re-Key Malicious actors? Revocation Prevents polymorphic malware New malware requires new cert $ + forgery + time UEFI PlugFest September 2013 www.uefi.org 6

Digital Signing: Extended Validation a.k.a EV Code Signing Benefits Stronger assurance of identity Private keys in FIPS 140-2 L2 hardware Non-benefit Trustworthiness of subject - not addressed Leveraged by Windows SmartScreen UEFI PlugFest September 2013 www.uefi.org 7

What is Secure Boot? UEFI PlugFest September 2013 www.uefi.org 8

Secure Boot == Rootkit Prevention Only trusted code executes System vendor pre-populates trust list User customizes as desired Windows 8.x Certified systems must: Ship secure-by-default Trust Windows 8.x Not trust <8.0, not Secure Boot enlightened Provide user choice Options to disable & customize UEFI PlugFest September 2013 www.uefi.org 9

Secure Boot OS do s Continue Secure Boot into the OS Kernel Mode Code Integrity Solid revocation story Block development & test modes that weaken code integrity Kernel Driver TESTSIGNING Kernel Debugging UEFI PlugFest September 2013 www.uefi.org 10

Microsoft s UEFI CA A signing service for UEFI modules Most new PCs trust Microsoft s UEFI CA Not required May not be present in high-security or highly-integrated devices UEFI PlugFest September 2013 www.uefi.org 11

Secure Boot: Trust Decisions In-Box Trust List varies by OEM Windows 8.x - almost always present Microsoft UEFI CA usually Canonical Ltd. Master Certificate Authority - some User Choice Disable for compatibility with legacy Customize to suit your taste UEFI PlugFest September 2013 www.uefi.org 12

Microsoft UEFI CA Myth: Microsoft Charges $99 Paid to Symantec $99 (introductory price) Paid to Microsoft $0 Microsoft s cost to operate the CA $<big number> We appreciate your commitment to submit quality, secure code UEFI PlugFest September 2013 www.uefi.org 13

Microsoft UEFI CA Myth: Microsoft Signs Everything No Why? $99 Symantec certificate does not prove Secure Boot & security competency Trustworthiness 0!= sizeof( dbx ) UEFI PlugFest September 2013 www.uefi.org 14

What does Microsoft UEFI CA sign? Secure Boot enlightened modules Do not permit untrusted code to execute It does NOT sign: GPL Version 3 (or similar) licensed code GRUB 2 Modules that permit untrusted code to execute GRUB 0.9 Hobby projects, code still in development, test code, platform specific tools Chain loaders are effectively cross signing Merit deeper review In the future anything that gets to kernel may be an attack that is exploited and we can no longer sign UEFI PlugFest September 2013 www.uefi.org 15

Before submitting to the MS UEFI CA Use the Security Development Lifecycle Or similar Threat models, security reviews, Test Function Security Test Secure Boot signing & enlightment http://aka.ms/uefica-test UEFI PlugFest September 2013 www.uefi.org 16

Microsoft UEFI CA: Needs Establish better identity and trustworthiness Reduce turnaround time without compromising quality in security UEFI PlugFest September 2013 www.uefi.org 17

Microsoft UEFI CA: Future Require EV certs Require organizations, not individuals Improved information gathering UEFI PlugFest September 2013 www.uefi.org 18

User Experience Today: OEMs must allow Secure Boot to be disabled and customized OEMs can implement in the way that they think makes most sense for users Microsoft is committed to support industry efforts to improve the consistency and usability of Secure Boot configuration UEFI PlugFest September 2013 www.uefi.org 19

Improving User Choice We should consider standardizing experience: Nomenclature in BIOS options File format to enroll in db Entry points to relevant BIOS menus Benefits: Always works Simplifies documentation Reduces customer support UEFI PlugFest September 2013 www.uefi.org 20

Secure Boot: Present User Test If I am physically present, I am the owner Stolen or borrowed devices? Evil Maid can install a rootkit Solution: BIOS password I understand the consequences of Yes Users want forward progress Faced with an unknown prompt? Click Yes Facilitates ransomware UAC, SmartScreen provide learnings UEFI PlugFest September 2013 www.uefi.org 21

What should I remember? Conclusions UEFI PlugFest September 2013 www.uefi.org 22

Conclusions Revocation happens EV Certificates Provide additional identity assurance Provide additional protection for private keys Coming to the Microsoft UEFI CA Microsoft supports user choice in the Secure Boot ecosystem UEFI PlugFest September 2013 www.uefi.org 23

Links HOWTO: test sign UEFI drivers & apps http://aka.ms/uefica-test Microsoft Root Certificate Program http://aka.ms/rootcaprogram Security Development Lifecycle http://aka.ms/sdl Ransomware http://en.wikipedia.org/wiki/ransomware_(malware) UEFI PlugFest September 2013 www.uefi.org 24

Thanks for attending the UEFI PlugFest 2013 For more information on the Unified EFI Forum and UEFI Specifications, visit http://www.uefi.org presented by UEFI PlugFest September 2013 www.uefi.org 25

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback