Enabling Advanced NVMe Features Through UEFI

Similar documents
System Prep Applications A Powerful New Feature in UEFI 2.5

ARM Server s Firmware Security

UEFI and the Security Development Lifecycle

Advances in Storage Security Standards

NVM Express TM Ecosystem Enabling PCIe NVMe Architectures

PreBoot Provisioning Solutions with UEFI

Manufacturing Tools in the UEFI Secure Boot Environment

Firmware Implementation Techniques to Achieve Windows 8 Fast Boot

User Guide. Storage Executive Command Line Interface. Introduction. Storage Executive Command Line Interface User Guide Introduction

General Firmware Overview of Recommendations for Window OS

Seagate Secure TCG Enterprise and TCG Opal SSC Self-Encrypting Drive Common Criteria Configuration Guide

Standardized Firmware for ARMv8 based Volume Servers

UEFI What is it? Spring 2017 UEFI Seminar and Plugfest March 27-31, 2017 Presented by Dong Wei (ARM) presented by. Updated

Seagate Secure TCG Enterprise SSC Pulsar.2 Self-Encrypting Drive FIPS 140 Module Security Policy

Implementing Secure Boot: A Refresher on Key & Database Configuration

Lessons Learned from Implementing a Wi-Fi and BT Stack

Mass-Storage Systems

I N V E N T I V E. SSD Firmware Complexities and Benefits from NVMe. Steven Shrader

Windows Support for PM. Tom Talpey, Microsoft

Tailoring TrustZone as SMM Equivalent

UEFI and IoT: Best Practices in Developing IoT Firmware Solutions

FC-NVMe. NVMe over Fabrics. Fibre Channel the most trusted fabric can transport NVMe natively. White Paper

Windows Support for PM. Tom Talpey, Microsoft

UEFI ARM Update. UEFI PlugFest March 18-22, 2013 Andrew N. Sloss (ARM, Inc.) presented by

UEFI in Arm Platform Architecture

NVM Express 1.3 Delivering Continuous Innovation

AMD Ryzen Threadripper NVMe RAID Quick Start Guide RC Release Version 1.0

The TPM 2.0 specs are here, now what?

CS370 Operating Systems

SSD AES ENCRYPTION. Application Note. Document #AN0009 Viking SSD AES Encryption Rev. B. Purpose of this Document

Spring 2018 UEFI Plugfest

Strengthening the Chain of Trust. Kevin Lane HP Jeff Bobzin Insyde Software

Implementing MicroPython as a UEFI Test Framework

NVMe Client and Cloud Requirements, and Security 9:45 10:50

Che-Wei Chang Department of Computer Science and Information Engineering, Chang Gung University

Seagate Secure TCG Enterprise SSC Self-Encrypting Drives FIPS 140 Module Security Policy

User Guide. Storage Executive. Introduction. Storage Executive User Guide. Introduction

Personal Cloud Self Protecting Self Encrypting Storage Devices

An Introduction to Platform Security

V. Mass Storage Systems

Lenovo Imaging Checklist

CS3600 SYSTEMS AND NETWORKS

SSD7101A-1. 4x M.2 Port to PCIe 3.0 x16 NVMe RAID Controller. User Guide V1.00

Nine Effective Features of NVMe Questa Verification IP to Help You Verify PCIe Based SSD Storage by Saurabh Sharma, Mentor Graphics

Managing self-encrypting HDDs with Lustre/ZFS LUG 2017

Serial ATA (SATA) Interface. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University

Operating-System Structures

Microsoft UEFI Certification Authority

The Role UEFI Technologies Play in ARM Platform Architecture

Engineering UEFI Firmware for Windows: Best Practices and Pitfalls to Avoid

UEFI Manageability and REST Services

Windows To Go and USB Boot

System Firmware and Device Firmware Updates using Unified Extensible Firmware Interface (UEFI) Capsules

CTWP005: Write Abort Handling for Cactus Technologies Industrial-Grade Flash-Storage Products

Security in NVMe Enterprise SSDs

Open CloudServer OCS Solid State Drive Version 2.1

EPTDM Features SATA III 6Gb/s msata SSD

AMD NVMe/SATA RAID Quick Start Guide for Windows Operating Systems

Seagate Secure TCG Enterprise SSC Self-Encrypting Drives FIPS 140 Module. Security Policy. Security Level 2. Rev. 0.

EI 338: Computer Systems Engineering (Operating Systems & Computer Architecture)

How Next Generation NV Technology Affects Storage Stacks and Architectures

Extending the NVMHCI Standard to Enterprise

Intel vpro Technology Virtual Seminar 2010

The Transition to PCI Express* for Client SSDs

TCG Storage Application Note: Encrypting Drives Compliant with Opal SSC

NVMe From The Server Perspective

UNIVERSITY OF EXETER BITLOCKER USER GUIDE

SATA III 6Gb/S 2.5 SSD Industrial Temp AQS-I25S I Series. Advantech. Industrial Temperature. Datasheet. Rev

UEFI Plugfest March

Chapter 10: Mass-Storage Systems

v4: How to Use Macrium ReDeploy

NVM Express TM Management Interface

SAMSUNG ELECTRONICS RESERVES THE RIGHT TO CHANGE PRODUCTS, INFORMATION AND SPECIFICATIONS WITHOUT NOTICE.

<Partner Name> <Partner Product> RSA SECURID ACCESS Authenticator Implementation Guide. Check Point SmartEndpoint Security

Cloud FastPath: Highly Secure Data Transfer

USER MANUAL SafeStick

STORAGE NETWORKING TECHNOLOGY STEPS UP TO PERFORMANCE CHALLENGES

Implementing Advanced USB Interrupt Transfers

Expert Reference Series of White Papers. BitLocker: Is It Really Secure? COURSES.

Ben Walker Data Center Group Intel Corporation

SEAhawk and Self Encrypting Drives (SED) Whitepaper

Intel Solid State Drive Firmware Update Tool Release Notes

FAQs HP Z Turbo Drive Quad Pro

BTEC Level 3 Unit 2. Computer Components

NVM Express Technical Errata

Describe the features and performance characteristics of server-class hard disks and solid state drives.

Seagate Momentus Thin Self-Encrypting Drives TCG Opal FIPS 140 Module Security Policy

Leveraging Windows Update to Distribute Firmware Updates Model Based Servicing (MBS)

AMD Security and Server innovation

UEFI, SecureBoot, DeviceGuard, TPM a WHB (un)related technologies

"Last Mile" Barriers to Removing Legacy BIOS

Chapter 10: Mass-Storage Systems. Operating System Concepts 9 th Edition

Using GIGABYTE Notebook for the First Time

Seagate Secure TCG Enterprise SSC Self-Encrypting Drives FIPS 140 Module. Security Policy. Security Level 2. Rev. 1.0 May 11, 2015

TCG. TCG Storage Interface Interactions Specification (SIIS) Specification Version 1.07 Revision 1.00 January 30, 2018

Chapter 3: Operating-System Structures

Chapter. Chapter. Magnetic and Solid-State Storage Devices

Deploying Secure Boot: Key Creation and Management

Open Channel Solid State Drives NVMe Specification

UEFI updates, Secure firmware and Secure Services on Arm

Transcription:

presented by Enabling Advanced NVMe Features Through UEFI Spring 2018 UEFI Seminar and Plugfest March 26-30, 2018 Presented by Zachary Bobroff(AMI)

Agenda What is NVMe? What Features are Missing? How to Enable these Features Conclusions Questions? UEFI Plugfest Spring 2018 www.uefi.org 2

Enabling Advanced NVMe Features Through UEFI What is NVMe? UEFI Plugfest Spring 2018 www.uefi.org 3

NVMe Introduction NVMe Non-Volatile Memory Express Traditionally, disk drives existed on busses specifically designed for disk access i.e. IDE, AHCI, SAS or Fibrechannel Being slower than the parent bus was not an issue if the media was slower than the parent bus With the advent of faster SSDs, HD read performance outpaced host bus controller speed UEFI Plugfest Spring 2018 www.uefi.org 4

NVMe Specification NVMe specifications developed out of industry collaboration, similar to UEFI NVM EXPRESS 1.3a (Related to UEFI) NVMe OVER FABRICS 1.0 NVMe MANAGEMENT INTERFACE 1.0 Similar to UEFI, NVMe has test events and members regularly demonstrate their hardware at industry conferences and trade shows UEFI Plugfest Spring 2018 www.uefi.org 5

AHCI NVMe Comparison AHCI Latency 6.0 us 2.8 us Max Queue Depth Up to 1 queue with 32 commands Multicore Support Limited Full NVMe Up to 64K queues with 64K commands each 4KB Efficiency Two serialized host DRAM fetches required One 64B fetch Cited from: sata-io.org UEFI Plugfest Spring 2018 www.uefi.org 6

NVMe Popularity and UEFI Increased speed capabilities, makes NVMe the most popular storage medium for high end: Servers Workstations Desktops Etc. UEFI was also quick to adopt NVMe as a boot media UEFI is very standardized UEFI only needs to provide basic device support through EFI_BLOCK_IO_PROTOCOL UEFI also provides some ancillary protocol support EFI_NVME_PASS_THRU_PROTOCOL to talk directly to controllers/drives UEFI Plugfest Spring 2018 www.uefi.org 7

Enabling Advanced NVMe Features Through UEFI What Features are Missing? UEFI Plugfest Spring 2018 www.uefi.org 8

NVMe Features in UEFI UEFI only needs to provide basic support for booting to an NVMe disk and talking directly to a controller Traditional hard drives had many additional features used in UEFI firmware but not commonly applied for NVMe! NVMe has many additional features used at OS time that firmware could also use! UEFI Plugfest Spring 2018 www.uefi.org 9

Missing Traditional Hard Drive Features in UEFI SAT3 Password Support Ability to set a password on the drive so it cannot be used without password Pyrite Support Capability to self-encrypt drive so it cannot be read without proper authentication Block SID Support Specification that covers firmware and OS communication to handle freeze-locking events for a self-encrypting hard drive UEFI Plugfest Spring 2018 www.uefi.org 10

NVMe Features Missing in UEFI NVMe Namespace Creation Capability called namespace where a drive can be segmented. While generic EDKII has the ability to read namespaces, end users may want to create namespaces in pre-boot NVMe Controller FW Update Secure way to update the host controller firmware NVMe Metadata Metadata that exists in parallel to actual drive data; data used by drive to ensure data integrity UEFI Plugfest Spring 2018 www.uefi.org 11

How Do Interested OEMs Add Support Using UEFI interfaces, how does an OEM add support for these features on top of base features provided in their UEFI FW? UEFI Plugfest Spring 2018 www.uefi.org 12

Enabling Advanced NVMe Features Through UEFI How to Enable Additional Features UEFI Plugfest Spring 2018 www.uefi.org 13

UEFI Provides the Building Blocks UEFI Specification provides EFI_NVME_PASS_THRU protocol All UEFI PassThru protocols provide base way to talk to a drive/controller Using these protocols allows developers to provide support for all features described Provided the NVMe device has support for feature being developed UEFI Plugfest Spring 2018 www.uefi.org 14

SAT3 Password Support SAT3 Password Support is a standard method of having a hard drive password; will not work if password is not supplied This is commonly used to marry a drive to a system If removed, the data cannot be read without the password Even if drive has no password set, the drive should be freeze locked Prevents malicious code from setting one later UEFI Plugfest Spring 2018 www.uefi.org 15

SAT3 Password Sample Implementation If Password is currently set: Prompt for Password Provide password to drive via NVMePassThru protocol to send proper SPC-4 command to unlock the drive Locate NVMePassThru If Password is not currently set: Use NVMePassThru protocol to send proper SPC-4 command to FreezeLock the drive If EfiSecurityStorage Protocol is available: EfiSecurityStorage protocol can be used in place of NVMePassThru UEFI Plugfest Spring 2018 www.uefi.org 16

Pyrite Support Pyrite Support is when a drive can self-encrypt specific data areas of the drive Protects drive data by encrypting data on disk by the drive Drive may have early boot loader data unencrypted and decrypt remaining area after OS authentication is complete UEFI Plugfest Spring 2018 www.uefi.org 17

Pyrite Sample Implementation Using NVMePassThru Protocol: Take ownership of storage device Set new password to C_PIN Credential Activate the locking SP Change Admin1 Pin in locking Service Provider (SP) Additional User password can also be set Configure locking objects (LBA Range) Configure the ranges (regions) that will be locked (encrypted). Entire disk is also an option. On subsequent boots, password must be applied to drive to unlock regions locked above UEFI Plugfest Spring 2018 www.uefi.org 18

Block SID Support Block SID Support is a TCG specification that manages freeze locking or not freeze locking of certain drive features as requested by the OS Spec requires validation where someone is physically present, but allows OS to request the drive remain unlocked so OS can begin drive encryption on next boot BlockSid support can be detected using level0 discovery command with feature code 0402 This will return if Block SID is supported and if it is currently locked Firmware should report if any media supports Block SID UEFI Plugfest Spring 2018 www.uefi.org 19

BlockSID Sample Implementation If no mailbox event from OS: On every reboot, check for OS mailbox event Use NVMePassThru protocol to FreezeLock the drive Refer to TCG storage specification for proper command information in table marked Block SID Authentication Channel If mailbox event from OS: Check for user presence (some pop-up is the easiest way) Continue boot with no additional commands and OS can take ownership of the drive UEFI Plugfest Spring 2018 www.uefi.org 20

Multiple Namespace Support Multiple Namespace Support provides support for namespaces where one drive can appear as two different NVMe devices Namespaces provide a good way to better utilize NVMe storage media NVMe namespaces can be setup within the OS, but what if someone wants to do this before installation? UEFI Plugfest Spring 2018 www.uefi.org 21

Multiple Namespaces Provide User Interface in Setup for displaying, deleting and creating namespaces Use NVMePassThru protocol to talk to NVMe drive through NVMe Attachment/Management commands Refer to NVMe specification for additional details on this command Default NVMe driver will automatically create a BlockIO instance for each namespace discovered UEFI Plugfest Spring 2018 www.uefi.org 22

Controller FW Update Controller FW Update enables NVMe device controller firmware to be updated Updating of firmware should be done in a safe and secure environment Using NVMe PassThru and Capsule update allows a capsule to be provided to the UEFI FW Provides standard method to accomplish secure FW updates for all NVMe devices UEFI Plugfest Spring 2018 www.uefi.org 23

FW Update Sample Implementation If no capsule exists for NVMe controller Continue booting normally On reboot, firmware checks for capsule If capsule exists for NVMe controller: Verify/authenticate capsule image Push capsule to the drive using NVMePassThru Protocol via Firmware Image Download command & Firmware Commit command Reboot system UEFI Plugfest Spring 2018 www.uefi.org 24

NVMe Metadata NVMe Metadata is kept within the drive in parallel to actual device firmware When data is read, metadata is compared to verify data integrity When data is written, metadata is written to metadata storage with proper CRC information for verification UEFI Plugfest Spring 2018 www.uefi.org 25

NVMe Sample Implementation First, drive must be formatted correctly to accommodate metadata Once drive metadata is enabled, standard EfiBlockIo will not work on its own EfiBlockIo protocol in the end uses NVMePassThru Normal NVMePassThru block read/write must be extended to accommodate additional blocks relating to metadata information Both read and write operations must be extended Extension means when reading/writing specific sector, buffer needs to be extended by length of metadata Read operation can check metadata for integrity before return block UEFI Plugfest Spring 2018 www.uefi.org 26

Enabling Advanced NVMe Features Through UEFI Conclusions UEFI Plugfest Spring 2018 www.uefi.org 27

Conclusions NVMe is a relatively new technology in the computer ecosystem NVMe has been quickly & broadly adopted, some useful features may have been overlooked UEFI provides the building blocks to provide support so any developer can contribute! What other technologies can be better extended using PassThru protocols? UEFI Plugfest Spring 2018 www.uefi.org 28

Questions? UEFI Plugfest Spring 2018 www.uefi.org 29

Thanks for attending the Spring 2018 UEFI Plugfest For more information on the UEFI Forum and UEFI Specifications, visit http://www.uefi.org presented by UEFI Plugfest Spring 2018 www.uefi.org 30

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback