SlideShare a Scribd company logo

UEFI Spec Version 2.4 Facilitates Secure Update

Download as PPTX, PDF
insydesoftware
insydesoftware

Overview of how the UEFI 2.4 specification facilitates secure update. Presented by Insyde Software.

TechnologyBusiness
1 of 25
UEFI Spec Version 2.4 Facilitates Secure Update Insyde Software © 2013 Insyde Software 1
Agenda • UEFI 2.4 • Background FMP • New Capsule Defined • Delivery on Disk • Secure? • Open Questions © 2013 Insyde Software 2
UEFI 2.4 Spec is Public • Some of the New Content: 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. ARM 64-bit Bindings Custom Security Variable Variable Naming rules clarified Network driver changes including EFI_NO_MEDIA rules Async I/O Improvements Timestamp and Random Number protocols Time-based revocation Adapter Information Protocol and several AIP blocks defined Capsule Format containing FMP updates Deliver Capsule on Boot Disk Variable with Capsule processing status © 2013 Insyde Software 3
UEFI 2.4 Spec is Public • Some of the New Content: 1. 2. 3. 4. 5. 6. 7. 8. ARM 64-bit Bindings Custom Security Variable Variable Naming rules clarified Network driver changes including EFI_NO_MEDIA rules Async I/O Improvements Timestamp and Random Number protocols Time-based revocation Adapter Information Protocol and several AIP blocks defined 9. 10. 11. Capsule Format containing FMP updates Deliver Capsule on Boot Disk Variable with Capsule processing status © 2013 Insyde Software 4
Firmware Management Protocol © 2013 Insyde Software 5
Background - FMP • Added with UEFI version 2.3 update • Designed to • allow individual firmware components to expose data on current running image(s) • accept update images © 2013 Insyde Software 6
FMP in the Industry • Mostly used in Enterprise segment • Popular for high-performance expansion cards with multi-element firmware onboard • But FMP is run in Boot Services – how to get the downloaded update to the FMP instance? © 2013 Insyde Software 7
Factors inhibiting FMP • Using EFI shell delivery is not secure and awkward for system admin • For security, designers want to lock firmware store before Shell or OS boot • Secure Boot rules block many of todays update delivery tools © 2013 Insyde Software 8
UEFI 2.4 Update Has New Capsule Targeting FMP © 2013 Insyde Software 9
New Capsule for delivering FMP Updates • UEFI Defines a Capsule header for UpdateCapsule() function • UEFI 2.4 adds a complete description of internals of a Capsule targeting FMP • System firmware unpacks the capsule and delivers updates to FMP instances early in pre-boot © 2013 Insyde Software 10
Capsule Format • EFI_FIRMWARE_MANAGEMENT_CAPSULE_ID_ GUID is the ID • In some cases complete FMP function cannot fit inside production firmware store, • Therefore new capsule format allows 0-n driver(s) and 0-n image(s) • Minimum is 1 driver or 1 image © 2013 Insyde Software 11
Example with 2 drivers, multiple update payloads © 2013 Insyde Software 12
© 2013 Insyde Software 13
UEFI 2.4 Update Adds New Capsule Delivery Solutions © 2013 Insyde Software 14
Problem Statement • UpdateCapsule() is run-time but: • FMP is not runtime so capsule needs to be conveyed to the system firmware after a restart • Persist in memory is possible but has disadvantages including: • Need to reserve block of memory of unknown size © 2013 Insyde Software 15
UEFI 2.4 defines Capsule Delivery Via Disk • OS tool Copies Capsule Image to EFICapsuleUpdate directory on Boot Drive • Then Sets OS_Indications bit • EFI_OS_INDICATIONS_FILE_CAPSULE_DELIVERY_SUPPORTED • After Restart F/W finds Capsule and processes © 2013 Insyde Software 16
UEFI 2.4 Defines Result Var • After Capsule Processed, the result including any error status is left in created UEFI Variable • Examined by the update launcher after OS restarts © 2013 Insyde Software 17
How Secure is This new Method? © 2013 Insyde Software 18
Driver Security • Update driver launched from the capsule must be signed by CA trusted by the platform • Same Security Level as the UEFI Option ROM (the thing that is being updated) • The Updated Option ROM image is also checked at restart © 2013 Insyde Software 19
Image Payload Security • All FMP implementations should use IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED • FMP code doing check is signed, and download driver breaks any existing ROM size barrier and allows IHV to use crypto for strong image check © 2013 Insyde Software 20
Discussion Questions © 2013 Insyde Software 21
Non-FMP use • I don’t use FMP for my card. Can I use this new Capsule for proprietary update? • Technically yes, a capsule could contain 1 or more drivers but no payloads. • But, the update image would need to be embedded inside the driver image and the combination sent to CA for signing… © 2013 Insyde Software 22
Boot Drive Write-protected • What about a system with a write-protected EFI System Partition? • Provide utility to use UpdateCapsule directly, but possible the device firmware store was locked before UpdateCapsule() caller can load? • What is the right event trigger for device firmware write-protect lock? © 2013 Insyde Software 23
Thanks! © 2013 Insyde Software 24
For inquiries, please contact Ed Brohm at Insyde Software ed.brohm@insydesw.com Insyde, InsydeH2O and Ready for the Next are registered trademarks of Insyde Software. © 2013 Insyde Software

Recommended

Fast Boot Times with InsydeH2O
Fast Boot Times with InsydeH2OFast Boot Times with InsydeH2O
Fast Boot Times with InsydeH2Oinsydesoftware
 
Implementing a UEFI BIOS into an Embedded System
Implementing a UEFI BIOS into an Embedded SystemImplementing a UEFI BIOS into an Embedded System
Implementing a UEFI BIOS into an Embedded Systeminsydesoftware
 
Bootloaders (U-Boot)
Bootloaders (U-Boot) Bootloaders (U-Boot)
Bootloaders (U-Boot) Omkar Rane
 
LCA13: Power State Coordination Interface
LCA13: Power State Coordination InterfaceLCA13: Power State Coordination Interface
LCA13: Power State Coordination InterfaceLinaro
 
Linux Porting
Linux PortingLinux Porting
Linux PortingAnil Kumar Pugalia
 
U-Boot - An universal bootloader
U-Boot - An universal bootloader U-Boot - An universal bootloader
U-Boot - An universal bootloader Emertxe Information Technologies Pvt Ltd
 
BeagleBone Black Booting Process
BeagleBone Black Booting ProcessBeagleBone Black Booting Process
BeagleBone Black Booting ProcessSysPlay eLearning Academy for You
 
BIOS AND OS
BIOS AND OSBIOS AND OS
BIOS AND OSAlen Binu abraham
 

Recommended

Fast Boot Times with InsydeH2O
Fast Boot Times with InsydeH2OFast Boot Times with InsydeH2O
Fast Boot Times with InsydeH2Oinsydesoftware
 
Implementing a UEFI BIOS into an Embedded System
Implementing a UEFI BIOS into an Embedded SystemImplementing a UEFI BIOS into an Embedded System
Implementing a UEFI BIOS into an Embedded Systeminsydesoftware
 
Bootloaders (U-Boot)
Bootloaders (U-Boot) Bootloaders (U-Boot)
Bootloaders (U-Boot) Omkar Rane
 
LCA13: Power State Coordination Interface
LCA13: Power State Coordination InterfaceLCA13: Power State Coordination Interface
LCA13: Power State Coordination InterfaceLinaro
 
Linux Porting
Linux PortingLinux Porting
Linux PortingAnil Kumar Pugalia
 
U-Boot - An universal bootloader
U-Boot - An universal bootloader U-Boot - An universal bootloader
U-Boot - An universal bootloader Emertxe Information Technologies Pvt Ltd
 
BeagleBone Black Booting Process
BeagleBone Black Booting ProcessBeagleBone Black Booting Process
BeagleBone Black Booting ProcessSysPlay eLearning Academy for You
 
BIOS AND OS
BIOS AND OSBIOS AND OS
BIOS AND OSAlen Binu abraham
 
SFO15-TR9: PSCI, ACPI (and UEFI to boot)
SFO15-TR9: PSCI, ACPI (and UEFI to boot)SFO15-TR9: PSCI, ACPI (and UEFI to boot)
SFO15-TR9: PSCI, ACPI (and UEFI to boot)Linaro
 
Boot process: BIOS vs UEFI
Boot process: BIOS vs UEFIBoot process: BIOS vs UEFI
Boot process: BIOS vs UEFIAlea Soluciones, S.L.
 
Chapter 3 Motherboard and BIOS
Chapter 3 Motherboard and BIOSChapter 3 Motherboard and BIOS
Chapter 3 Motherboard and BIOSaskme
 
eMMC Embedded Multimedia Card overview
eMMC Embedded Multimedia Card overvieweMMC Embedded Multimedia Card overview
eMMC Embedded Multimedia Card overviewVijayGESYS
 
Cisco data center training for ibm
Cisco data center training for ibmCisco data center training for ibm
Cisco data center training for ibmChristian Silva Espinoza
 
U Boot or Universal Bootloader
U Boot or Universal BootloaderU Boot or Universal Bootloader
U Boot or Universal BootloaderSatpal Parmar
 
eMMC 5.0 Total IP Solution
eMMC 5.0 Total IP SolutioneMMC 5.0 Total IP Solution
eMMC 5.0 Total IP SolutionArasan Chip Systems
 
Jagan Teki - U-boot from scratch
Jagan Teki - U-boot from scratchJagan Teki - U-boot from scratch
Jagan Teki - U-boot from scratchlinuxlab_conf
 
Video Drivers
Video DriversVideo Drivers
Video DriversAnil Kumar Pugalia
 
Motherboards Form Factor(
Motherboards Form Factor( Motherboards Form Factor(
Motherboards Form Factor( smdphneeee
 
UEFI presentation
UEFI presentationUEFI presentation
UEFI presentationBruno Cornec
 
Embedded_Linux_Booting
Embedded_Linux_BootingEmbedded_Linux_Booting
Embedded_Linux_BootingRashila Rr
 
Moving to PCI Express based SSD with NVM Express
Moving to PCI Express based SSD with NVM ExpressMoving to PCI Express based SSD with NVM Express
Moving to PCI Express based SSD with NVM ExpressOdinot Stanislas
 
The e820 trap of Linux kernel hibernation
The e820 trap of Linux kernel hibernationThe e820 trap of Linux kernel hibernation
The e820 trap of Linux kernel hibernationjoeylikernel
 
BUD17-400: Secure Data Path with OPTEE
BUD17-400: Secure Data Path with OPTEE BUD17-400: Secure Data Path with OPTEE
BUD17-400: Secure Data Path with OPTEE Linaro
 
ZFS
ZFSZFS
ZFSmewandalmeida
 
Audio in linux embedded
Audio in linux embeddedAudio in linux embedded
Audio in linux embeddedtrx2001
 
IBM FlashSystems A9000/R presentation
IBM FlashSystems A9000/R presentation IBM FlashSystems A9000/R presentation
IBM FlashSystems A9000/R presentation Joe Krotz
 
Linux Booting Steps
Linux Booting StepsLinux Booting Steps
Linux Booting StepsAnando Kumar Paul
 
Embedded Linux BSP Training (Intro)
Embedded Linux BSP Training (Intro)Embedded Linux BSP Training (Intro)
Embedded Linux BSP Training (Intro)RuggedBoardGroup
 
Uefi and bios
Uefi and biosUefi and bios
Uefi and biosShubham Pendharkar
 
Grub
GrubGrub
GrubAmir Hadad
 

More Related Content

What's hot

SFO15-TR9: PSCI, ACPI (and UEFI to boot)
SFO15-TR9: PSCI, ACPI (and UEFI to boot)SFO15-TR9: PSCI, ACPI (and UEFI to boot)
SFO15-TR9: PSCI, ACPI (and UEFI to boot)Linaro
 
Chapter 3 Motherboard and BIOS
Chapter 3 Motherboard and BIOSChapter 3 Motherboard and BIOS
Chapter 3 Motherboard and BIOSaskme
 
eMMC Embedded Multimedia Card overview
eMMC Embedded Multimedia Card overvieweMMC Embedded Multimedia Card overview
eMMC Embedded Multimedia Card overviewVijayGESYS
 
U Boot or Universal Bootloader
U Boot or Universal BootloaderU Boot or Universal Bootloader
U Boot or Universal BootloaderSatpal Parmar
 
Jagan Teki - U-boot from scratch
Jagan Teki - U-boot from scratchJagan Teki - U-boot from scratch
Jagan Teki - U-boot from scratchlinuxlab_conf
 
Motherboards Form Factor(
Motherboards Form Factor( Motherboards Form Factor(
Motherboards Form Factor( smdphneeee
 
Embedded_Linux_Booting
Embedded_Linux_BootingEmbedded_Linux_Booting
Embedded_Linux_BootingRashila Rr
 
Moving to PCI Express based SSD with NVM Express
Moving to PCI Express based SSD with NVM ExpressMoving to PCI Express based SSD with NVM Express
Moving to PCI Express based SSD with NVM ExpressOdinot Stanislas
 
The e820 trap of Linux kernel hibernation
The e820 trap of Linux kernel hibernationThe e820 trap of Linux kernel hibernation
The e820 trap of Linux kernel hibernationjoeylikernel
 
BUD17-400: Secure Data Path with OPTEE
BUD17-400: Secure Data Path with OPTEE BUD17-400: Secure Data Path with OPTEE
BUD17-400: Secure Data Path with OPTEE Linaro
 
Audio in linux embedded
Audio in linux embeddedAudio in linux embedded
Audio in linux embeddedtrx2001
 
IBM FlashSystems A9000/R presentation
IBM FlashSystems A9000/R presentation IBM FlashSystems A9000/R presentation
IBM FlashSystems A9000/R presentation Joe Krotz
 
Embedded Linux BSP Training (Intro)
Embedded Linux BSP Training (Intro)Embedded Linux BSP Training (Intro)
Embedded Linux BSP Training (Intro)RuggedBoardGroup
 

What's hot (20)

SFO15-TR9: PSCI, ACPI (and UEFI to boot)
SFO15-TR9: PSCI, ACPI (and UEFI to boot)SFO15-TR9: PSCI, ACPI (and UEFI to boot)
SFO15-TR9: PSCI, ACPI (and UEFI to boot)
 
Boot process: BIOS vs UEFI
Boot process: BIOS vs UEFIBoot process: BIOS vs UEFI
Boot process: BIOS vs UEFI
 
Chapter 3 Motherboard and BIOS
Chapter 3 Motherboard and BIOSChapter 3 Motherboard and BIOS
Chapter 3 Motherboard and BIOS
 
eMMC Embedded Multimedia Card overview
eMMC Embedded Multimedia Card overvieweMMC Embedded Multimedia Card overview
eMMC Embedded Multimedia Card overview
 
Cisco data center training for ibm
Cisco data center training for ibmCisco data center training for ibm
Cisco data center training for ibm
 
U Boot or Universal Bootloader
U Boot or Universal BootloaderU Boot or Universal Bootloader
U Boot or Universal Bootloader
 
eMMC 5.0 Total IP Solution
eMMC 5.0 Total IP SolutioneMMC 5.0 Total IP Solution
eMMC 5.0 Total IP Solution
 
Jagan Teki - U-boot from scratch
Jagan Teki - U-boot from scratchJagan Teki - U-boot from scratch
Jagan Teki - U-boot from scratch
 
Video Drivers
Video DriversVideo Drivers
Video Drivers
 
Motherboards Form Factor(
Motherboards Form Factor( Motherboards Form Factor(
Motherboards Form Factor(
 
UEFI presentation
UEFI presentationUEFI presentation
UEFI presentation
 
Embedded_Linux_Booting
Embedded_Linux_BootingEmbedded_Linux_Booting
Embedded_Linux_Booting
 
Moving to PCI Express based SSD with NVM Express
Moving to PCI Express based SSD with NVM ExpressMoving to PCI Express based SSD with NVM Express
Moving to PCI Express based SSD with NVM Express
 
The e820 trap of Linux kernel hibernation
The e820 trap of Linux kernel hibernationThe e820 trap of Linux kernel hibernation
The e820 trap of Linux kernel hibernation
 
BUD17-400: Secure Data Path with OPTEE
BUD17-400: Secure Data Path with OPTEE BUD17-400: Secure Data Path with OPTEE
BUD17-400: Secure Data Path with OPTEE
 
ZFS
ZFSZFS
ZFS
 
Audio in linux embedded
Audio in linux embeddedAudio in linux embedded
Audio in linux embedded
 
IBM FlashSystems A9000/R presentation
IBM FlashSystems A9000/R presentation IBM FlashSystems A9000/R presentation
IBM FlashSystems A9000/R presentation
 
Linux Booting Steps
Linux Booting StepsLinux Booting Steps
Linux Booting Steps
 
Embedded Linux BSP Training (Intro)
Embedded Linux BSP Training (Intro)Embedded Linux BSP Training (Intro)
Embedded Linux BSP Training (Intro)
 

Viewers also liked

Unified Extensible Firmware Interface (UEFI)
Unified Extensible Firmware Interface (UEFI)Unified Extensible Firmware Interface (UEFI)
Unified Extensible Firmware Interface (UEFI)k33a
 
Description of GRUB 2
Description of GRUB 2Description of GRUB 2
Description of GRUB 2iamumr
 
Real time Operating System
Real time Operating SystemReal time Operating System
Real time Operating SystemTech_MX
 
Real Time OS For Embedded Systems
Real Time OS For Embedded SystemsReal Time OS For Embedded Systems
Real Time OS For Embedded SystemsHimanshu Ghetia
 

Viewers also liked (7)

Uefi and bios
Uefi and biosUefi and bios
Uefi and bios
 
Grub
GrubGrub
Grub
 
Unified Extensible Firmware Interface (UEFI)
Unified Extensible Firmware Interface (UEFI)Unified Extensible Firmware Interface (UEFI)
Unified Extensible Firmware Interface (UEFI)
 
Description of GRUB 2
Description of GRUB 2Description of GRUB 2
Description of GRUB 2
 
Bios uefi y legacy
Bios uefi y legacyBios uefi y legacy
Bios uefi y legacy
 
Real time Operating System
Real time Operating SystemReal time Operating System
Real time Operating System
 
Real Time OS For Embedded Systems
Real Time OS For Embedded SystemsReal Time OS For Embedded Systems
Real Time OS For Embedded Systems
 

Similar to UEFI Spec Version 2.4 Facilitates Secure Update

Android OTA updates
Android OTA updatesAndroid OTA updates
Android OTA updatesGary Bisson
 
Distro Recipes 2013: Secure Boot and Linux: several issues, one solution
Distro Recipes 2013: Secure Boot and Linux: several issues, one solutionDistro Recipes 2013: Secure Boot and Linux: several issues, one solution
Distro Recipes 2013: Secure Boot and Linux: several issues, one solutionAnne Nicolas
 
Windows 7 professional Vs Windows 7 enterprise
Windows 7 professional Vs Windows 7 enterpriseWindows 7 professional Vs Windows 7 enterprise
Windows 7 professional Vs Windows 7 enterprise247infotech
 
eFolder Expert Series Webinar - BDR Do's and Dont's: Featuring Andrew Bensing...
eFolder Expert Series Webinar - BDR Do's and Dont's: Featuring Andrew Bensing...eFolder Expert Series Webinar - BDR Do's and Dont's: Featuring Andrew Bensing...
eFolder Expert Series Webinar - BDR Do's and Dont's: Featuring Andrew Bensing...eFolder
 
Open mic on sametime 9 installs best practices, tips and tricks
Open mic on sametime 9 installs best practices, tips and tricksOpen mic on sametime 9 installs best practices, tips and tricks
Open mic on sametime 9 installs best practices, tips and tricksa8us
 
Open Mic on Sametime9 Install -Best Practices
Open Mic on Sametime9 Install -Best PracticesOpen Mic on Sametime9 Install -Best Practices
Open Mic on Sametime9 Install -Best PracticesVinayak Tavargeri
 
XPDS14 - Xen in EFI World - Daniel Kiper, Oracle
XPDS14 - Xen in EFI World - Daniel Kiper, OracleXPDS14 - Xen in EFI World - Daniel Kiper, Oracle
XPDS14 - Xen in EFI World - Daniel Kiper, OracleThe Linux Foundation
 
eFolder Expert Series Webinar — How to Back Up and Replicate Off-Site Using e...
eFolder Expert Series Webinar — How to Back Up and Replicate Off-Site Using e...eFolder Expert Series Webinar — How to Back Up and Replicate Off-Site Using e...
eFolder Expert Series Webinar — How to Back Up and Replicate Off-Site Using e...eFolder
 
XPDDS17: EFI Secure Boot, Shim and Xen: Current Status and Developments - Da...
XPDDS17: EFI Secure Boot, Shim and Xen: Current Status and Developments - Da...XPDDS17: EFI Secure Boot, Shim and Xen: Current Status and Developments - Da...
XPDDS17: EFI Secure Boot, Shim and Xen: Current Status and Developments - Da...The Linux Foundation
 
Finer Things Club - Lesser known zOSMF SW Mgmt Functions.pdf
Finer Things Club - Lesser known zOSMF SW Mgmt Functions.pdfFiner Things Club - Lesser known zOSMF SW Mgmt Functions.pdf
Finer Things Club - Lesser known zOSMF SW Mgmt Functions.pdfMarna Walle
 
Taishaun_OwnensCNS-533_Lab
Taishaun_OwnensCNS-533_LabTaishaun_OwnensCNS-533_Lab
Taishaun_OwnensCNS-533_LabTaishaun Owens
 
Using SCUP (System Center Updates Publisher) to Security Patch 3rd Party Apps...
Using SCUP (System Center Updates Publisher) to Security Patch 3rd Party Apps...Using SCUP (System Center Updates Publisher) to Security Patch 3rd Party Apps...
Using SCUP (System Center Updates Publisher) to Security Patch 3rd Party Apps...Lumension
 
Perfect Foundation for 2013 Security Blueprint
Perfect Foundation for 2013 Security BlueprintPerfect Foundation for 2013 Security Blueprint
Perfect Foundation for 2013 Security BlueprintGroup of company MUK
 
Todo lo lo que necesita saber para implementar FreePBX
Todo lo lo que necesita saber para implementar FreePBXTodo lo lo que necesita saber para implementar FreePBX
Todo lo lo que necesita saber para implementar FreePBXPaloSanto Solutions
 
BKK16-309A Open Platform support in UEFI
BKK16-309A Open Platform support in UEFIBKK16-309A Open Platform support in UEFI
BKK16-309A Open Platform support in UEFILinaro
 

Similar to UEFI Spec Version 2.4 Facilitates Secure Update (20)

Android OTA updates
Android OTA updatesAndroid OTA updates
Android OTA updates
 
Distro Recipes 2013: Secure Boot and Linux: several issues, one solution
Distro Recipes 2013: Secure Boot and Linux: several issues, one solutionDistro Recipes 2013: Secure Boot and Linux: several issues, one solution
Distro Recipes 2013: Secure Boot and Linux: several issues, one solution
 
Windows 7 professional Vs Windows 7 enterprise
Windows 7 professional Vs Windows 7 enterpriseWindows 7 professional Vs Windows 7 enterprise
Windows 7 professional Vs Windows 7 enterprise
 
eFolder Expert Series Webinar - BDR Do's and Dont's: Featuring Andrew Bensing...
eFolder Expert Series Webinar - BDR Do's and Dont's: Featuring Andrew Bensing...eFolder Expert Series Webinar - BDR Do's and Dont's: Featuring Andrew Bensing...
eFolder Expert Series Webinar - BDR Do's and Dont's: Featuring Andrew Bensing...
 
Open mic on sametime 9 installs best practices, tips and tricks
Open mic on sametime 9 installs best practices, tips and tricksOpen mic on sametime 9 installs best practices, tips and tricks
Open mic on sametime 9 installs best practices, tips and tricks
 
Open Mic on Sametime9 Install -Best Practices
Open Mic on Sametime9 Install -Best PracticesOpen Mic on Sametime9 Install -Best Practices
Open Mic on Sametime9 Install -Best Practices
 
XPDS14 - Xen in EFI World - Daniel Kiper, Oracle
XPDS14 - Xen in EFI World - Daniel Kiper, OracleXPDS14 - Xen in EFI World - Daniel Kiper, Oracle
XPDS14 - Xen in EFI World - Daniel Kiper, Oracle
 
Smooth as Silk Exadata Patching
Smooth as Silk Exadata PatchingSmooth as Silk Exadata Patching
Smooth as Silk Exadata Patching
 
eFolder Expert Series Webinar — How to Back Up and Replicate Off-Site Using e...
eFolder Expert Series Webinar — How to Back Up and Replicate Off-Site Using e...eFolder Expert Series Webinar — How to Back Up and Replicate Off-Site Using e...
eFolder Expert Series Webinar — How to Back Up and Replicate Off-Site Using e...
 
Cipc
CipcCipc
Cipc
 
XPDDS17: EFI Secure Boot, Shim and Xen: Current Status and Developments - Da...
XPDDS17: EFI Secure Boot, Shim and Xen: Current Status and Developments - Da...XPDDS17: EFI Secure Boot, Shim and Xen: Current Status and Developments - Da...
XPDDS17: EFI Secure Boot, Shim and Xen: Current Status and Developments - Da...
 
Finer Things Club - Lesser known zOSMF SW Mgmt Functions.pdf
Finer Things Club - Lesser known zOSMF SW Mgmt Functions.pdfFiner Things Club - Lesser known zOSMF SW Mgmt Functions.pdf
Finer Things Club - Lesser known zOSMF SW Mgmt Functions.pdf
 
Taishaun_OwnensCNS-533_Lab
Taishaun_OwnensCNS-533_LabTaishaun_OwnensCNS-533_Lab
Taishaun_OwnensCNS-533_Lab
 
Using SCUP (System Center Updates Publisher) to Security Patch 3rd Party Apps...
Using SCUP (System Center Updates Publisher) to Security Patch 3rd Party Apps...Using SCUP (System Center Updates Publisher) to Security Patch 3rd Party Apps...
Using SCUP (System Center Updates Publisher) to Security Patch 3rd Party Apps...
 
Perfect Foundation for 2013 Security Blueprint
Perfect Foundation for 2013 Security BlueprintPerfect Foundation for 2013 Security Blueprint
Perfect Foundation for 2013 Security Blueprint
 
Todo lo lo que necesita saber para implementar FreePBX
Todo lo lo que necesita saber para implementar FreePBXTodo lo lo que necesita saber para implementar FreePBX
Todo lo lo que necesita saber para implementar FreePBX
 
S4 sig-check-lpc-20130918
S4 sig-check-lpc-20130918S4 sig-check-lpc-20130918
S4 sig-check-lpc-20130918
 
Best ofmms kb_final
Best ofmms kb_finalBest ofmms kb_final
Best ofmms kb_final
 
Best ofmms kb_final
Best ofmms kb_finalBest ofmms kb_final
Best ofmms kb_final
 
BKK16-309A Open Platform support in UEFI
BKK16-309A Open Platform support in UEFIBKK16-309A Open Platform support in UEFI
BKK16-309A Open Platform support in UEFI
 

Recently uploaded

The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...Wes McKinney
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Scott Andery
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfIngrid Airi González
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsRavi Sanghani
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality AssuranceInflectra
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfpanagenda
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesThousandEyes
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesKari Kakkonen
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demoHarshalMandlekar2
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Alkin Tezuysal
 

Recently uploaded (20)

The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdf
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and Insights
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examples
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demo
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
 

UEFI Spec Version 2.4 Facilitates Secure Update

  • 1. UEFI Spec Version 2.4 Facilitates Secure Update Insyde Software © 2013 Insyde Software 1
  • 2. Agenda • UEFI 2.4 • Background FMP • New Capsule Defined • Delivery on Disk • Secure? • Open Questions © 2013 Insyde Software 2
  • 3. UEFI 2.4 Spec is Public • Some of the New Content: 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. ARM 64-bit Bindings Custom Security Variable Variable Naming rules clarified Network driver changes including EFI_NO_MEDIA rules Async I/O Improvements Timestamp and Random Number protocols Time-based revocation Adapter Information Protocol and several AIP blocks defined Capsule Format containing FMP updates Deliver Capsule on Boot Disk Variable with Capsule processing status © 2013 Insyde Software 3
  • 4. UEFI 2.4 Spec is Public • Some of the New Content: 1. 2. 3. 4. 5. 6. 7. 8. ARM 64-bit Bindings Custom Security Variable Variable Naming rules clarified Network driver changes including EFI_NO_MEDIA rules Async I/O Improvements Timestamp and Random Number protocols Time-based revocation Adapter Information Protocol and several AIP blocks defined 9. 10. 11. Capsule Format containing FMP updates Deliver Capsule on Boot Disk Variable with Capsule processing status © 2013 Insyde Software 4
  • 6. Background - FMP • Added with UEFI version 2.3 update • Designed to • allow individual firmware components to expose data on current running image(s) • accept update images © 2013 Insyde Software 6
  • 7. FMP in the Industry • Mostly used in Enterprise segment • Popular for high-performance expansion cards with multi-element firmware onboard • But FMP is run in Boot Services – how to get the downloaded update to the FMP instance? © 2013 Insyde Software 7
  • 8. Factors inhibiting FMP • Using EFI shell delivery is not secure and awkward for system admin • For security, designers want to lock firmware store before Shell or OS boot • Secure Boot rules block many of todays update delivery tools © 2013 Insyde Software 8
  • 9. UEFI 2.4 Update Has New Capsule Targeting FMP © 2013 Insyde Software 9
  • 10. New Capsule for delivering FMP Updates • UEFI Defines a Capsule header for UpdateCapsule() function • UEFI 2.4 adds a complete description of internals of a Capsule targeting FMP • System firmware unpacks the capsule and delivers updates to FMP instances early in pre-boot © 2013 Insyde Software 10
  • 11. Capsule Format • EFI_FIRMWARE_MANAGEMENT_CAPSULE_ID_ GUID is the ID • In some cases complete FMP function cannot fit inside production firmware store, • Therefore new capsule format allows 0-n driver(s) and 0-n image(s) • Minimum is 1 driver or 1 image © 2013 Insyde Software 11
  • 12. Example with 2 drivers, multiple update payloads © 2013 Insyde Software 12
  • 13. © 2013 Insyde Software 13
  • 14. UEFI 2.4 Update Adds New Capsule Delivery Solutions © 2013 Insyde Software 14
  • 15. Problem Statement • UpdateCapsule() is run-time but: • FMP is not runtime so capsule needs to be conveyed to the system firmware after a restart • Persist in memory is possible but has disadvantages including: • Need to reserve block of memory of unknown size © 2013 Insyde Software 15
  • 16. UEFI 2.4 defines Capsule Delivery Via Disk • OS tool Copies Capsule Image to EFICapsuleUpdate directory on Boot Drive • Then Sets OS_Indications bit • EFI_OS_INDICATIONS_FILE_CAPSULE_DELIVERY_SUPPORTED • After Restart F/W finds Capsule and processes © 2013 Insyde Software 16
  • 17. UEFI 2.4 Defines Result Var • After Capsule Processed, the result including any error status is left in created UEFI Variable • Examined by the update launcher after OS restarts © 2013 Insyde Software 17
  • 18. How Secure is This new Method? © 2013 Insyde Software 18
  • 19. Driver Security • Update driver launched from the capsule must be signed by CA trusted by the platform • Same Security Level as the UEFI Option ROM (the thing that is being updated) • The Updated Option ROM image is also checked at restart © 2013 Insyde Software 19
  • 20. Image Payload Security • All FMP implementations should use IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED • FMP code doing check is signed, and download driver breaks any existing ROM size barrier and allows IHV to use crypto for strong image check © 2013 Insyde Software 20
  • 21. Discussion Questions © 2013 Insyde Software 21
  • 22. Non-FMP use • I don’t use FMP for my card. Can I use this new Capsule for proprietary update? • Technically yes, a capsule could contain 1 or more drivers but no payloads. • But, the update image would need to be embedded inside the driver image and the combination sent to CA for signing… © 2013 Insyde Software 22
  • 23. Boot Drive Write-protected • What about a system with a write-protected EFI System Partition? • Provide utility to use UpdateCapsule directly, but possible the device firmware store was locked before UpdateCapsule() caller can load? • What is the right event trigger for device firmware write-protect lock? © 2013 Insyde Software 23
  • 24. Thanks! © 2013 Insyde Software 24
  • 25. For inquiries, please contact Ed Brohm at Insyde Software ed.brohm@insydesw.com Insyde, InsydeH2O and Ready for the Next are registered trademarks of Insyde Software. © 2013 Insyde Software