Manufacturing Tools in the UEFI Secure Boot Environment

Similar documents
Implementing Secure Boot: A Refresher on Key & Database Configuration

PreBoot Provisioning Solutions with UEFI

System Prep Applications A Powerful New Feature in UEFI 2.5

Microsoft UEFI Certification Authority

Strengthening the Chain of Trust. Kevin Lane HP Jeff Bobzin Insyde Software

Tailoring TrustZone as SMM Equivalent

General Firmware Overview of Recommendations for Window OS

Leveraging Windows Update to Distribute Firmware Updates Model Based Servicing (MBS)

ARM Trusted Firmware ARM UEFI SCT update

Creating Advanced Graphics Libraries on top of GOP

Deploying Secure Boot: Key Creation and Management

Engineering UEFI Firmware for Windows: Best Practices and Pitfalls to Avoid

UEFI and the Security Development Lifecycle

Firmware Implementation Techniques to Achieve Windows 8 Fast Boot

UEFI State of the Union Ecosystem enabling update

UEFI ARM Update. UEFI PlugFest March 18-22, 2013 Andrew N. Sloss (ARM, Inc.) presented by

Firmware Test Suite - Uses, Development, Contribution and GPL

UEFI Plugfest March

System Firmware and Device Firmware Updates using Unified Extensible Firmware Interface (UEFI) Capsules

Standardized Firmware for ARMv8 based Volume Servers

UEFI What is it? Spring 2017 UEFI Seminar and Plugfest March 27-31, 2017 Presented by Dong Wei (ARM) presented by. Updated

The Role UEFI Technologies Play in ARM Platform Architecture

Past, Present, and Future Justin Johnson Senior Principal Firmware Engineer

Debugging under Unified Extensible Firmware Interface (UEFI): Addressing DXE Driver Challenges

UEFI in Arm Platform Architecture

Copyright 2015

UEFI Test Tools For Linux Developers

Hardware Prototyping Using a Windows-Hosted UEFI environment

"Last Mile" Barriers to Removing Legacy BIOS

Enabling Advanced NVMe Features Through UEFI

The TPM 2.0 specs are here, now what?

Updates on Server Base System Architecture and Boot Requirements. Dong Wei

PL-I Assignment Broup B-Ass 5 BIOS & UEFI

Using the UEFI Shell. October 2010 UEFI Taipei Plugfest Insyde Software

Key Threats Melissa (1999), Love Letter (2000) Mainly leveraging social engineering. Key Threats Internet was just growing Mail was on the verge

Attacking and Defending the Platform

SSN Lab Assignment: UEFI Secure Boot

Solutions for the Intel Platform Innovation Framework for EFI July 26, Slide 1

Backup, File Backup copies of individual files made in order to replace the original file(s) in case it is damaged or lost.

CIS 4360 Secure Computer Systems Secured System Boot

AMD Security and Server innovation

UEFI updates, Secure firmware and Secure Services on Arm

Windows To Go and USB Boot

Lessons Learned from Implementing a Wi-Fi and BT Stack

Implementing Advanced USB Interrupt Transfers

UEFI Manageability and REST Services

An Introduction to Platform Security

UEFI Plugfest Dupont, WA

Cisco Secure Boot and Trust Anchor Module Differentiation

QL45xxx UEFI HII BIOS. 5/4/2016 Karl Erickson

Trusted Computing As a Solution!

Advanced x86: BIOS and System Management Mode Internals UEFI SecureBoot. Xeno Kovah && Corey Kallenberg LegbaCore, LLC

ARM Server s Firmware Security

UEFI Secure Boot and DRI. Kalyan Kumar N

Microsoft Sample Code on GitHub and Walkthrough on Firmware Updates to Windows Update (WU)

Configuring Cisco UCS Server Pools and Policies

Intel Transparent Computing

Building Better Firmware Experience An OEM Perspective

Advanced Operating Systems and Virtualization. Alessandro Pellegrini A.Y. 2017/2018

Designing Security & Trust into Connected Devices

UEFI 2.1 Features. Added protocols. New member functions or equivalent

UEFI Forum Update. UEFI Spring Plugfest March 29-31, 2016 Presented by Dong Wei (The UEFI Forum)

An overview of ACPICA Userspace Tools

Windows 8 Uefi Bios Update Step By Step Guide Msi Usa

ServerReady and Open Standards Accelerating Delivery

Server Boot. Boot Policy. This chapter includes the following sections:

Introduction to Standards based approach to Server

UEFI / Bios was denn das?

UEFI and IoT: Best Practices in Developing IoT Firmware Solutions

Boot Mode Considerations: BIOS vs. UEFI

RELEASE NOTES. Memento. Memento 6.2. EURESYS s.a Document version built on

UEFI, SecureBoot, DeviceGuard, TPM a WHB (un)related technologies

UEFI HTTP/HTTPS Boot LinuxCon China 2017

vsphere Installation and Setup Update 2 Modified on 10 JULY 2018 VMware vsphere 6.5 VMware ESXi 6.5 vcenter Server 6.5

Delivering High-mix, High-volume Secure Manufacturing in the Distribution Channel

How to boot Mac OS X 10.5 from RocketRAID esata for Mac

Windows Phone 8 Security

TUX : Trust Update on Linux Kernel

CLASS AGENDA. 9:00 9:15 a.m. 9:15 10:00 a.m. 10:00 12:00 p.m. 12:00 1:00 p.m. 1:00 3:00 p.m. 3:00 5:00 p.m.

One-Stop Intel TXT Activation Guide

A Secure Update Architecture for High Assurance Mixed-Criticality System Don Kuzhiyelil Dr. Sergey Tverdyshev SYSGO AG

3 November 2009 e09127r1 EDD-4 Hybrid MBR support

Configuring Server Boot

Linux in the connected car platform

Windows 10 Security & Audit

Introduction to Intel Boot Loader Development Kit (Intel BLDK) Intel SSG/SSD/UEFI

Implementing MicroPython as a UEFI Test Framework

UEFI Porting Update for ARM Platforms

Use of Mojo PowerPoint Template. Your name, Title

Windows 8 BIOS Boot settings

One-Stop Intel TXT Activation Guide

BIOS Update Release Notes

UEFI Security Response Team (USRT)

SSD Utility. Installation Guide. Software Version 3.n

CIS 4360 Secure Computer Systems SGX

Longhorn Large Sector Size Support. Anuraag Tiwari Program Manager Core File System

UEFI ARM Update. Presented by Mitch Ishihara. UEFI Plugfest October presented by

Big and Bright - Security

Overview. Wait, which firmware? Threats Update methods request_firmware() hooking Regression testing Future work

O p t i m i z e d U E F I I m p l e m e n t a t i o n o n I n t e l X e o n B a s e d O C P P l a t f o r m

Transcription:

Manufacturing Tools in the UEFI Secure Boot Environment Presented by Stefano Righi presented by UEFI Plugfest May 2014

Agenda Introduction Transition of Manufacturing Tools to UEFI Manufacturing Tools and UEFI Secure Boot Call to Action www.uefi.org 2

Introduction www.uefi.org 3

Introduction As OEMs produce hardware, each system needs to be individually provisioned on the production line Each system needs individual attention for programming of specific devices and configuration www.uefi.org 4

Manufacturing Tools Uses Manufacturing tools example uses include: Pre-installing an OS Installing OS related keys for activation Programming of device data like MAC addresses Updating platforms BIOS to latest version Programming SMBIOS structures Locking interfaces used for manufacturing tools www.uefi.org 5

Pre-UEFI Manufacturing Process OEMs would write custom tools that would run in reduced OS environments where the tools have direct access to hardware Some ODMs created very advanced manufacturing environments where the system was very modular Since these tools are legacy based they could never be signed for use in a UEFI Secure Boot environment www.uefi.org 6

UEFI Secure Boot UEFI Secure Boot is a very important feature that helps prevent attacks during the handoff from firmware to the operating system UEFI Secure Boot is a feature that allows systems to only execute authenticated images that have been signed by a trusted certificate authority (CA) More information on Secure Boot here www.uefi.org 7

UEFI CA Currently there is only one UEFI Certificate Authority The UEFI CA is responsible for inspecting and signing images When someone submits an image for signing, the CA will: Reject the image if it does not satisfy signing requirements Provide back a properly signed image to the requester More info on the UEFI CA here www.uefi.org 8

UEFI Only Systems Some manufacturers still rely on legacy based manufacturing tools UEFI Class 3 systems have no support for the legacy environment the tools rely on These manufacturers need a set of tools to support provisioning these types of systems More info on UEFI system classes here www.uefi.org 9

Transition of Manufacturing Tools to UEFI www.uefi.org 10

UEFI Manufacturing Tools UEFI provides a very feature rich environment to create manufacturing tools and easy access to a network UEFI provides abstracted methods for configuring all hardware of the platform and its attributes, provisioning of the OS, and populating of system tables Sample code for writing UEFI manufacturing tools can be found at www.tianocore.org www.uefi.org 11

UEFI Manufacturing Tools Provisioning Network www.uefi.org 12

UEFI CA and Manufacturing Tools The UEFI CA does not allow signing of manufacturing tools Manufacturing tools operate at an equivalent of ring 0 execution to program all components of a platform If these tools were signed by the CA, they could be used for malicious purposes on any system How do OEMs run these tools with UEFI Secure Boot? www.uefi.org 13

Manufacturing Tools and UEFI Secure Boot www.uefi.org 14

Self Signing of Tools OEMs can sign their own utilities This is done by using a private key to sign the image and inserting a corresponding public key into the UEFI authenticated variable Once this is done, the system will authenticate their manufacturing utility just like any image signed by the UEFI CA www.uefi.org 15

Signing Tools For signing on Windows use signtool.exe from Microsoft Signtool is included with Visual Studio or the Windows Development Kit (WDK) located here For signing on Linux there is an open source tool based upon OpenSSL located here www.uefi.org 16

Other possible solutions The OEM can build a manufacturing suite in Linux and sign their own kernel Learn how to sign Linux kernel here The OEM can use the legacy tools and enable Secure Boot at the end of the provisioning Requires that the system not be Class 3 The OEM can use unsigned UEFI tools and enable Secure Boot at the end of the provisioning www.uefi.org 17

Demonstration of Self Signing Demonstration includes: Showing how to insert a key into the proper database Signing an image Proper failed and successful authentication of the signed/unsigned image www.uefi.org 18

Call to Action www.uefi.org 19

Call to Action Companies should transition their tools for UEFI if they have not already done so Class 3 system shipments are on the rise OEMs should evaluate what sort of UEFI provisioning environment works best for them OEMs and developers should become familiar with how to sign and insert keys for their own utilities www.uefi.org 20

For more information on the Unified EFI Forum and UEFI Specifications, visit http://www.uefi.org presented by www.uefi.org 21

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback