General Firmware Overview of Recommendations for Window OS

Similar documents
System Prep Applications A Powerful New Feature in UEFI 2.5

Manufacturing Tools in the UEFI Secure Boot Environment

Tailoring TrustZone as SMM Equivalent

Leveraging Windows Update to Distribute Firmware Updates Model Based Servicing (MBS)

Attacking and Defending the Platform

PreBoot Provisioning Solutions with UEFI

Implementing Secure Boot: A Refresher on Key & Database Configuration

Strengthening the Chain of Trust. Kevin Lane HP Jeff Bobzin Insyde Software

UEFI What is it? Spring 2017 UEFI Seminar and Plugfest March 27-31, 2017 Presented by Dong Wei (ARM) presented by. Updated

UEFI Plugfest March

Past, Present, and Future Justin Johnson Senior Principal Firmware Engineer

The Role UEFI Technologies Play in ARM Platform Architecture

ARM Trusted Firmware ARM UEFI SCT update

ARM Server s Firmware Security

Standardized Firmware for ARMv8 based Volume Servers

UEFI and the Security Development Lifecycle

Enabling Advanced NVMe Features Through UEFI

UEFI in Arm Platform Architecture

An Introduction to Platform Security

UEFI updates, Secure firmware and Secure Services on Arm

Microsoft Sample Code on GitHub and Walkthrough on Firmware Updates to Windows Update (WU)

Microsoft UEFI Certification Authority

The TPM 2.0 specs are here, now what?

Firmware Implementation Techniques to Achieve Windows 8 Fast Boot

System Firmware and Device Firmware Updates using Unified Extensible Firmware Interface (UEFI) Capsules

Deploying Secure Boot: Key Creation and Management

UEFI ARM Update. UEFI PlugFest March 18-22, 2013 Andrew N. Sloss (ARM, Inc.) presented by

UEFI, SecureBoot, DeviceGuard, TPM a WHB (un)related technologies

Lessons Learned from Implementing a Wi-Fi and BT Stack

TRUSTED SUPPLY CHAIN & REMOTE PROVISIONING WITH THE TRUSTED PLATFORM MODULE

Updates on Server Base System Architecture and Boot Requirements. Dong Wei

UEFI Test Tools For Linux Developers

Hacking the Extensible Firmware Interface. John Heasman, Director of Research

"Last Mile" Barriers to Removing Legacy BIOS

Arm Server Ready. Dong Wei

Spring 2018 UEFI Plugfest

Firmware Test Suite - Uses, Development, Contribution and GPL

Windows IoT Security. Jackie Chang Sr. Program Manager

Advanced x86: BIOS and System Management Mode Internals UEFI SecureBoot. Xeno Kovah && Corey Kallenberg LegbaCore, LLC

Debugging under Unified Extensible Firmware Interface (UEFI): Addressing DXE Driver Challenges

Backup, File Backup copies of individual files made in order to replace the original file(s) in case it is damaged or lost.

AMD Security and Server innovation

Implementing MicroPython as a UEFI Test Framework

Windows 10 Security & Audit

Use of Mojo PowerPoint Template. Your name, Title

Hardware Prototyping Using a Windows-Hosted UEFI environment

HPE ProLiant DL360 Gen P 16GB-R P408i-a 8SFF 500W PS Performance Server (P06453-B21)

Big and Bright - Security

Engineering UEFI Firmware for Windows: Best Practices and Pitfalls to Avoid

Solutions for the Intel Platform Innovation Framework for EFI July 26, Slide 1

Introduction to Standards based approach to Server

DMTF Management Initiatives for Academics

Technical Brief Distributed Trusted Computing

PL-I Assignment Broup B-Ass 5 BIOS & UEFI

Mohan J. Kumar Intel Fellow Intel Corporation

VMware Workspace ONE UEM VMware AirWatch Cloud Connector

UEFI Manageability and REST Services

TCG TPM2 Software Stack & Embedded Linux. Philip Tricca

UEFI State of the Union Ecosystem enabling update

Intel vpro Technology Virtual Seminar 2010

UEFI and PCI bootkits. Pierre Chifflier PacSec 2013

Recommendations for Device Provisioning Security

ServerReady and Open Standards Accelerating Delivery

Windows 10 IoT Core Azure Connectivity and Security

TUX : Trust Update on Linux Kernel

CIS 4360 Secure Computer Systems Secured System Boot

NVDIMM Overview. Technology, Linux, and Xen

TechDirect User's Guide for ProDeploy Client Suite

Lecture Secure, Trusted and Trustworthy Computing Trusted Platform Module

VMware AirWatch Cloud Connector Guide ACC Installation and Integration

UEFI and IoT: Best Practices in Developing IoT Firmware Solutions

Firmware. OSF (open System. Gundrala Devender Goud Engineering Director/Azure/Microsoft OCP/OSF Project Lead

Provisioning secure Identity for Microcontroller based IoT Devices

ArcGIS Enterprise Security: An Introduction. Gregory Ponto & Jeff Smith

UEFI Forum Update. UEFI Spring Plugfest March 29-31, 2016 Presented by Dong Wei (The UEFI Forum)

Using the UEFI Shell. October 2010 UEFI Taipei Plugfest Insyde Software

GSE/Belux Enterprise Systems Security Meeting

UEFI Plugfest Dupont, WA

Configuring Cisco UCS Server Pools and Policies

HP Sure Start Gen3. Table of contents. Available on HP Elite products equipped with 7th generation Intel Core TM processors September 2017

Using ArcGIS for Server in the Microsoft Azure Cloud

Software at AMD AMD Developer Outreach

Designing Interoperability into IA-64 Systems: DIG64 Guidelines

New Approaches to Connected Device Security

Surviving in the wilderness integrity protection and system update. Patrick Ohly, Intel Open Source Technology Center Preliminary version

UEFI 2.1 Features. Added protocols. New member functions or equivalent

This Security Policy describes how this module complies with the eleven sections of the Standard:

UEFI ARM Update. Presented by Mitch Ishihara. UEFI Plugfest October presented by

How Shielded VMs Protect Your Data

Lecture Secure, Trusted and Trustworthy Computing Trusted Platform Module

benefits for customers with subscriptions in CSP

UEFI Development Anti- Patterns

Lecture Embedded System Security Trusted Platform Module

Windows To Go and USB Boot

SAML-Based SSO Solution

1 Copyright 2011, Oracle and/or its affiliates. All rights reserved. Insert Information Protection Policy Classification from Slide 7

Trusted Mobile Keyboard Controller Architecture

Embedded Base Boot Requirements. Dong Wei

epldt Web Builder Security March 2017

Spring 2017 :: CSE 506. Device Programming. Nima Honarmand

Transcription:

presented by General Firmware Overview of Recommendations for Window OS Spring 2017 UEFI Seminar and Plugfest March 27-31, 2017 Presented by Fei Zhou (Microsoft, Inc.) Updated 2011-06- 01 UEFI Plugfest March 2017 www.uefi.org 1

Agenda Introduction Creators Update Device Guard & Credential Guard Firmware(FW) update through Windows Update (WU) Secure Boot HSTI Call to Action, Reference and Links UEFI Plugfest March 2017 www.uefi.org 2

Introduction Fei who am I? Why is Microsoft, a software company, interested in UEFI? Firmware is software Security starts in the firmware Ensure Boot Firmware is protected Control is passed to OS boot files The OS is now able to build on the secure foundation UEFI Plugfest March 2017 www.uefi.org 3

Device Guard, Credential Guard, Firmware Updates in WU, SMBIOS, UEFI CA UEFI Plugfest March 2017 www.uefi.org 4

Device Guard & Credential Guard DG/CG Readiness tool DG/CG New Requirements Virtualization-based security (VBS) enables NX protection for UEFI RUNTIME SERVICES Firmware support for SMM Protection (WSMT table) Firmware (FW) updates through Windows Update (WU) SMBIOS fields UEFI Certificate Authority (CA) UEFI Plugfest March 2017 www.uefi.org 5

Device Guard & Credential Guard Latest release of Device Guard and Credential Guard Readiness Tool v3.0 link to Microsoft Download page Fixes HSTITest.dll, clears LSALSO s UEFI var, better text strings & messages, speed optimized, now also works on Windows 10 Pro editions PC OEM requirements for Device Guard and Credential Guard published on MSDN UEFI Plugfest March 2017 www.uefi.org 6

DG/CG: First New Requirement VBS enablement of NX protection for UEFI RUNTIME SERVICES VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be executable implement the UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table PE sections need to be page-aligned in memory (not required in non-volatile storage) The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both. No entries may be left without either of the above attributes, indicating memory that is both executable and writable. Memory must be either readable and executable or writeable and non-executable (Documented on MSDN) Notes: Only applies to UEFI runtime service memory and not UEFI boot service memory. Protection is applied by VBS on OS page tables Do not use sections that are both writable and executable Do not attempt to directly modify executable system memory Do not use dynamic code Microsoft has open sourced our test tool for Memory Map and EMAT verification on GitHub UEFI Plugfest March 2017 www.uefi.org 7

DG/CG: Second New Requirement Firmware Support for SMM Protection (WSMT table) Firmware vendors must re-design System Management Interrupts (SMIs) to only read or write to an allowed list of regions that include MMIO and EFI-allocated memory. It is not enough to check that pointers are outside of SMM, they must only be within these safe regions. This prevents SMM from becoming a confused deputy which can bypass Windows flagship Guard features NOTE: Page protections that enforce pointers being in only safe regions are not yet required If, and only if, you do the above re-design, then you may implement WSMT to assert you have completed this work. If you implement WSMT without doing this work, you are leaving an open attack portal WSMT, once implemented, confirms that the commbuffer has been fixed for SMI processing. Details on WSMT are on MSDN UEFI Plugfest March 2017 www.uefi.org 8

Firmware Updates Delivered Through Windows Update (WU) Reliable field-update of firmware is a critical security feature and necessary to sunset legacy application transport types Enables most expedient update mechanism for system and device firmware In order to have the ability to target a system for firmware update in the field, the OEM/ODM/IHV will need to prepare the system while on the factory floor 1. Enable EFI UpdateCapsule() & QueryCapsuleCapabilities in firmware 2. Create a unique ID for each model that is destined to receive the same firmware package 1. Online documentation will refer to the Unique ID as a GUID or UUID it is not globally or universally unique. It functions as a target designator) 3. Populate ACPI table EFI System Resource Table (ESRT) with unique ID 4. Package uploaded to Microsoft will require a Computer Hardware ID (CHID) 5. CHID is generated using a tool provided in Microsoft SDK (ComputerHardwareIDs.exe) 6. CHID generation relies on populated SMBIOS fields described later Review documentation on MSDN before implementing UEFI Plugfest March 2017 www.uefi.org 9

SMBIOS Microsoft is driving initiatives to enable use of SMBIOS for management of systems as described in DMTF documentation Needed SMBIOS fields: manufacturer, family, product name, base board product, SKU number, and enclosure type The ComputerHardwareIDs.exe tool will generate Computer Hardware IDs (CHIDs) Empty fields result in no CHID generation that use that empty field A non-unique SMBIOS field can generate a non-unique ID A CHID is used along with Unique ID in ESRT for firmware targeting Microsoft has documentation describing SMBIOS fields and usage/ Downloadable document on MSDN UEFI Plugfest March 2017 www.uefi.org 10

UEFI CA updates Microsoft UEFI CA Signing policy updates Microsoft will not sign EFI submissions that use EFI_IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER Use EFI_IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE _DRIVER to prevent unnecessary use of runtime EFI drivers Use of EFI Byte Code: Microsoft will not sign EFI submissions that are EBC-based submissions For Linux shims, there will be a new review process hosted by Linux Shim Review Board Shim- review@lists.freedesktop.org Enforcement Date: 01/01/2017 UEFI Plugfest March 2017 www.uefi.org 11

UEFI CA Update (cont.) If your submission is a DISK encryption or a File/Volume based encryption, then you MUST make sure that you either don t encrypt the EFI system partition or if you do encrypt, be sure to decrypt it and make it available by the time Windows is ready to boot Microsoft UEFI CA Signing Policy Updates located on the Microsoft Hardware Certification Blog Enforcement Date: 01/01/2017 UEFI Plugfest March 2017 www.uefi.org 12

Updates on Secure Boot UEFI Plugfest March 2017 www.uefi.org 13

Windows Hardware Compatibility Requirements for Creators Update Changes coming to System.Fundamentals.Firmware.UEFISecureBoot Microsoft encourages all partners to follow the recommended options below for reserving NVRAM, with longer term OS requirement to move to a 128KB model. We will be updating the required specifics at a later date Sub-Bullet 30: Reserved Memory for Windows Secure Boot UEFI Variables. A total of at least 64KB (Recommended 128KB)of non-volatile NVRAM storage memory must be available for NV UEFI variables (authenticated and unauthenticated, BS and RT) used by UEFI Secure Boot and Windows. The maximum supported variable size must be at least 32KB (Recommended 64Kb). There is no maximum NVRAM storage limit. Below are the current attribute options we are expecting use cases for. #define EFI_VARIABLE_NON_VOLATILE 0x00000001 #define EFI_VARIABLE_BOOTSERVICE_ACCESS 0x00000002 #define EFI_VARIABLE_RUNTIME_ACCESS 0x00000004 #define EFI_VARIABLE_HARDWARE_ERROR_RECORD 0x00000008 #define EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS 0x00000010 #define EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS 0x0000 0020 #define EFI_VARIABLE_APPEND_WRITE 0x00000040 UEFI Plugfest March 2017 www.uefi.org 14

Customized Deployment of Secure Boot Configure Secure Boot options programmatically Enterprise admins can set and deploy PK/KEK/db/dbx/[future Secure Boot variables] Uses new Secure Boot modes from UEFI 2.5 Section 30.3 New modes: Setup, User, Deployed, Audit Ship in Deployed Mode Requires PCR[7] with TPM 2.0 UEFI Plugfest March 2017 www.uefi.org 15

Hardware Security Test Interface (HSTI) UEFI Plugfest March 2017 www.uefi.org 16

Hardware Security Test Interface Features like Device Guard, Credential Guard and Device Encryption require HSTI HSTI provides a self-test for the HW & FW security configuration that is not represented by the UEFI SecureBoot global variable It fills the Pre-UEFI & outside-uefi security testability gap Tests provided by IBV, ODM and OEM Helps ensure correct security configuration Questions about implementation? Start with your silicon provider and BIOS/Firmware Vendor HSTI 1.1.a, details on MSDN UEFI Plugfest March 2017 www.uefi.org 17

Call to action, Reference, Links UEFI Plugfest March 2017 www.uefi.org 18

Call To Action Compatibility readiness for Creators Update Check out the DG/CG Requirements and Validation Tool Review Firmware updates on WU Review UEFI CA process Populate SMBIOS fields Make a note for updates to Secure Boot Review and implement HSTI 1.1.a UEFI Plugfest March 2017 www.uefi.org 19

Reference If you have questions, please do one of the following Connect with us at the Plugfest Follow up in email using the following alias (for Security and UEFI related Questions): SAUEFI@Microsoft.com UEFI Plugfest March 2017 www.uefi.org 20

Links Title Hardware Compatibility Specification for Systems for Windows 10, version 1607 System.Fundamentals.Firmware.UEFISecureBoot Device Guard and Credential Guard readiness tool PC OEM requirements for Device Guard and Credential Guard ACPI system description tables Windows SMM Security Mitigations Table (WSMT) Windows UEFI firmware update platform Driver Publishing Workflow for Windows 10 Microsoft UEFI CA Signing policy updates UEFI CA test we ask submitters to perform before submitting - Pre- submission testing for UEFI submissions Unified Extensible Firmware Interface Specification 2.6 Hardware Security Testability Specification Resource link https://msdn.microsoft.com/en- us/windows/hardware/commercialize/design/compatibility/systems https://www.microsoft.com/en- us/download/details.aspx?id=53337 https://msdn.microsoft.com/library/windows/hardware/mt767514(v=vs.85).a spx https://msdn.microsoft.com/en- us/library/windows/hardware/dn495660(v=vs.85).aspx#wsmt http://go.microsoft.com/fwlink/p/?linkid=786943 https://msdn.microsoft.com/en- us/windows/hardware/drivers/bringup/windows- uefi- firmware- update- platform http://download.microsoft.com/download/b/a/8/ba89dce0- DB25-4425- 9EFF- 1037E0BA06F9/windows10_driver_publishing_workflow.docx https://blogs.msdn.microsoft.com/windows_hardware_certification/2013/12/ 03/microsoft- uefi- ca- signing- policy- updates/ https://blogs.msdn.microsoft.com/windows_hardware_certification/2013/12/ 03/pre- submission- testing- for- uefi- submissions/ http://www.uefi.org/sites/default/files/resources/uefi%20spec%202_6.pdf https://msdn.microsoft.com/en- us/library/windows/hardware/mt712332(v=vs.85).aspx UEFI Plugfest March 2017 www.uefi.org 21

Thanks for attending the Spring 2017 UEFI Seminar and Plugfest For more information on the UEFI Forum and UEFI Specifications, visit http://www.uefi.org presented by (c) 2017 Microsoft Corporation. All rights reserved. This document is provided "as- is". Information and views expressed in this document, including URL and other Internet Web site references may change without notice. You bear the risk of using it. UEFI Plugfest March 2017 www.uefi.org 22

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback