SlideShare a Scribd company logo

UEFI Spec Version 2.4 Facilitates Secure Update

Download as PPTX, PDF
insydesoftware
insydesoftware

Overview of how the UEFI 2.4 specification facilitates secure update. Presented by Insyde Software.

TechnologyBusiness
1 of 25
UEFI Spec Version 2.4 Facilitates Secure Update Insyde Software © 2013 Insyde Software 1
Agenda • UEFI 2.4 • Background FMP • New Capsule Defined • Delivery on Disk • Secure? • Open Questions © 2013 Insyde Software 2
UEFI 2.4 Spec is Public • Some of the New Content: 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. ARM 64-bit Bindings Custom Security Variable Variable Naming rules clarified Network driver changes including EFI_NO_MEDIA rules Async I/O Improvements Timestamp and Random Number protocols Time-based revocation Adapter Information Protocol and several AIP blocks defined Capsule Format containing FMP updates Deliver Capsule on Boot Disk Variable with Capsule processing status © 2013 Insyde Software 3
UEFI 2.4 Spec is Public • Some of the New Content: 1. 2. 3. 4. 5. 6. 7. 8. ARM 64-bit Bindings Custom Security Variable Variable Naming rules clarified Network driver changes including EFI_NO_MEDIA rules Async I/O Improvements Timestamp and Random Number protocols Time-based revocation Adapter Information Protocol and several AIP blocks defined 9. 10. 11. Capsule Format containing FMP updates Deliver Capsule on Boot Disk Variable with Capsule processing status © 2013 Insyde Software 4
Firmware Management Protocol © 2013 Insyde Software 5
Background - FMP • Added with UEFI version 2.3 update • Designed to • allow individual firmware components to expose data on current running image(s) • accept update images © 2013 Insyde Software 6
FMP in the Industry • Mostly used in Enterprise segment • Popular for high-performance expansion cards with multi-element firmware onboard • But FMP is run in Boot Services – how to get the downloaded update to the FMP instance? © 2013 Insyde Software 7
Factors inhibiting FMP • Using EFI shell delivery is not secure and awkward for system admin • For security, designers want to lock firmware store before Shell or OS boot • Secure Boot rules block many of todays update delivery tools © 2013 Insyde Software 8
UEFI 2.4 Update Has New Capsule Targeting FMP © 2013 Insyde Software 9
New Capsule for delivering FMP Updates • UEFI Defines a Capsule header for UpdateCapsule() function • UEFI 2.4 adds a complete description of internals of a Capsule targeting FMP • System firmware unpacks the capsule and delivers updates to FMP instances early in pre-boot © 2013 Insyde Software 10
Capsule Format • EFI_FIRMWARE_MANAGEMENT_CAPSULE_ID_ GUID is the ID • In some cases complete FMP function cannot fit inside production firmware store, • Therefore new capsule format allows 0-n driver(s) and 0-n image(s) • Minimum is 1 driver or 1 image © 2013 Insyde Software 11
Example with 2 drivers, multiple update payloads © 2013 Insyde Software 12
© 2013 Insyde Software 13
UEFI 2.4 Update Adds New Capsule Delivery Solutions © 2013 Insyde Software 14
Problem Statement • UpdateCapsule() is run-time but: • FMP is not runtime so capsule needs to be conveyed to the system firmware after a restart • Persist in memory is possible but has disadvantages including: • Need to reserve block of memory of unknown size © 2013 Insyde Software 15
UEFI 2.4 defines Capsule Delivery Via Disk • OS tool Copies Capsule Image to EFICapsuleUpdate directory on Boot Drive • Then Sets OS_Indications bit • EFI_OS_INDICATIONS_FILE_CAPSULE_DELIVERY_SUPPORTED • After Restart F/W finds Capsule and processes © 2013 Insyde Software 16
UEFI 2.4 Defines Result Var • After Capsule Processed, the result including any error status is left in created UEFI Variable • Examined by the update launcher after OS restarts © 2013 Insyde Software 17
How Secure is This new Method? © 2013 Insyde Software 18
Driver Security • Update driver launched from the capsule must be signed by CA trusted by the platform • Same Security Level as the UEFI Option ROM (the thing that is being updated) • The Updated Option ROM image is also checked at restart © 2013 Insyde Software 19
Image Payload Security • All FMP implementations should use IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED • FMP code doing check is signed, and download driver breaks any existing ROM size barrier and allows IHV to use crypto for strong image check © 2013 Insyde Software 20
Discussion Questions © 2013 Insyde Software 21
Non-FMP use • I don’t use FMP for my card. Can I use this new Capsule for proprietary update? • Technically yes, a capsule could contain 1 or more drivers but no payloads. • But, the update image would need to be embedded inside the driver image and the combination sent to CA for signing… © 2013 Insyde Software 22
Boot Drive Write-protected • What about a system with a write-protected EFI System Partition? • Provide utility to use UpdateCapsule directly, but possible the device firmware store was locked before UpdateCapsule() caller can load? • What is the right event trigger for device firmware write-protect lock? © 2013 Insyde Software 23
Thanks! © 2013 Insyde Software 24
For inquiries, please contact Ed Brohm at Insyde Software ed.brohm@insydesw.com Insyde, InsydeH2O and Ready for the Next are registered trademarks of Insyde Software. © 2013 Insyde Software

Recommended

How To Build A Computer
How To Build A ComputerHow To Build A Computer
How To Build A Computeriamsoccer17
 
Implementing a UEFI BIOS into an Embedded System
Implementing a UEFI BIOS into an Embedded SystemImplementing a UEFI BIOS into an Embedded System
Implementing a UEFI BIOS into an Embedded Systeminsydesoftware
 
Qemu Pcie
Qemu PcieQemu Pcie
Qemu PcieThe Linux Foundation
 
BIOS/UEFI
BIOS/UEFIBIOS/UEFI
BIOS/UEFIMLG College of Learning, Inc
 
LAS16 111 - Raspberry pi3, op-tee and jtag debugging
LAS16 111 - Raspberry pi3, op-tee and jtag debuggingLAS16 111 - Raspberry pi3, op-tee and jtag debugging
LAS16 111 - Raspberry pi3, op-tee and jtag debugging96Boards
 
Uefi and bios
Uefi and biosUefi and bios
Uefi and biosShubham Pendharkar
 
20130729 advantech bios-training
20130729 advantech bios-training20130729 advantech bios-training
20130729 advantech bios-trainingАлександр Лифанов
 
Video Drivers
Video DriversVideo Drivers
Video DriversAnil Kumar Pugalia
 

Recommended

How To Build A Computer
How To Build A ComputerHow To Build A Computer
How To Build A Computeriamsoccer17
 
Implementing a UEFI BIOS into an Embedded System
Implementing a UEFI BIOS into an Embedded SystemImplementing a UEFI BIOS into an Embedded System
Implementing a UEFI BIOS into an Embedded Systeminsydesoftware
 
Qemu Pcie
Qemu PcieQemu Pcie
Qemu PcieThe Linux Foundation
 
BIOS/UEFI
BIOS/UEFIBIOS/UEFI
BIOS/UEFIMLG College of Learning, Inc
 
LAS16 111 - Raspberry pi3, op-tee and jtag debugging
LAS16 111 - Raspberry pi3, op-tee and jtag debuggingLAS16 111 - Raspberry pi3, op-tee and jtag debugging
LAS16 111 - Raspberry pi3, op-tee and jtag debugging96Boards
 
Uefi and bios
Uefi and biosUefi and bios
Uefi and biosShubham Pendharkar
 
20130729 advantech bios-training
20130729 advantech bios-training20130729 advantech bios-training
20130729 advantech bios-trainingАлександр Лифанов
 
Video Drivers
Video DriversVideo Drivers
Video DriversAnil Kumar Pugalia
 
Fast Boot Times with InsydeH2O
Fast Boot Times with InsydeH2OFast Boot Times with InsydeH2O
Fast Boot Times with InsydeH2Oinsydesoftware
 
SPI Drivers
SPI DriversSPI Drivers
SPI DriversSysPlay eLearning Academy for You
 
BeagleBone Black Booting Process
BeagleBone Black Booting ProcessBeagleBone Black Booting Process
BeagleBone Black Booting ProcessSysPlay eLearning Academy for You
 
Linux Audio Drivers. ALSA
Linux Audio Drivers. ALSALinux Audio Drivers. ALSA
Linux Audio Drivers. ALSAGlobalLogic Ukraine
 
UEFI presentation
UEFI presentationUEFI presentation
UEFI presentationBruno Cornec
 
Project ACRN hypervisor introduction
Project ACRN hypervisor introduction Project ACRN hypervisor introduction
Project ACRN hypervisor introduction Project ACRN
 
Bios
BiosBios
BiosKapil Sinha
 
Q4.11: Introduction to eMMC
Q4.11: Introduction to eMMCQ4.11: Introduction to eMMC
Q4.11: Introduction to eMMCLinaro
 
eMMC 5.0 Total IP Solution
eMMC 5.0 Total IP SolutioneMMC 5.0 Total IP Solution
eMMC 5.0 Total IP SolutionArasan Chip Systems
 
I2c drivers
I2c driversI2c drivers
I2c driverspradeep_tewani
 
Bios vs uefi
Bios vs uefiBios vs uefi
Bios vs uefiFaizan Mushtaq
 
Boot process: BIOS vs UEFI
Boot process: BIOS vs UEFIBoot process: BIOS vs UEFI
Boot process: BIOS vs UEFIAlea Soluciones, S.L.
 
Understanding The Boot Process
Understanding The Boot ProcessUnderstanding The Boot Process
Understanding The Boot ProcessDominique Cimafranca
 
Kernel Recipes 2018 - Overview of SD/eMMC, their high speed modes and Linux s...
Kernel Recipes 2018 - Overview of SD/eMMC, their high speed modes and Linux s...Kernel Recipes 2018 - Overview of SD/eMMC, their high speed modes and Linux s...
Kernel Recipes 2018 - Overview of SD/eMMC, their high speed modes and Linux s...Anne Nicolas
 
CE-4028, Miracast with AMD Wireless Display technology – Kickass gaming and o...
CE-4028, Miracast with AMD Wireless Display technology – Kickass gaming and o...CE-4028, Miracast with AMD Wireless Display technology – Kickass gaming and o...
CE-4028, Miracast with AMD Wireless Display technology – Kickass gaming and o...AMD Developer Central
 
Block Drivers
Block DriversBlock Drivers
Block DriversAnil Kumar Pugalia
 
Kernel Recipes 2015: Linux Kernel IO subsystem - How it works and how can I s...
Kernel Recipes 2015: Linux Kernel IO subsystem - How it works and how can I s...Kernel Recipes 2015: Linux Kernel IO subsystem - How it works and how can I s...
Kernel Recipes 2015: Linux Kernel IO subsystem - How it works and how can I s...Anne Nicolas
 
Bios
BiosBios
BiosEvans Lampi
 
Motherboard
MotherboardMotherboard
MotherboardNano Omega
 
Reliability, Availability, and Serviceability (RAS) on ARM64 status - SFO17-203
Reliability, Availability, and Serviceability (RAS) on ARM64 status - SFO17-203Reliability, Availability, and Serviceability (RAS) on ARM64 status - SFO17-203
Reliability, Availability, and Serviceability (RAS) on ARM64 status - SFO17-203Linaro
 
Grub
GrubGrub
GrubAmir Hadad
 
Unified Extensible Firmware Interface (UEFI)
Unified Extensible Firmware Interface (UEFI)Unified Extensible Firmware Interface (UEFI)
Unified Extensible Firmware Interface (UEFI)k33a
 

More Related Content

What's hot

Fast Boot Times with InsydeH2O
Fast Boot Times with InsydeH2OFast Boot Times with InsydeH2O
Fast Boot Times with InsydeH2Oinsydesoftware
 
Project ACRN hypervisor introduction
Project ACRN hypervisor introduction Project ACRN hypervisor introduction
Project ACRN hypervisor introduction Project ACRN
 
Q4.11: Introduction to eMMC
Q4.11: Introduction to eMMCQ4.11: Introduction to eMMC
Q4.11: Introduction to eMMCLinaro
 
Kernel Recipes 2018 - Overview of SD/eMMC, their high speed modes and Linux s...
Kernel Recipes 2018 - Overview of SD/eMMC, their high speed modes and Linux s...Kernel Recipes 2018 - Overview of SD/eMMC, their high speed modes and Linux s...
Kernel Recipes 2018 - Overview of SD/eMMC, their high speed modes and Linux s...Anne Nicolas
 
CE-4028, Miracast with AMD Wireless Display technology – Kickass gaming and o...
CE-4028, Miracast with AMD Wireless Display technology – Kickass gaming and o...CE-4028, Miracast with AMD Wireless Display technology – Kickass gaming and o...
CE-4028, Miracast with AMD Wireless Display technology – Kickass gaming and o...AMD Developer Central
 
Kernel Recipes 2015: Linux Kernel IO subsystem - How it works and how can I s...
Kernel Recipes 2015: Linux Kernel IO subsystem - How it works and how can I s...Kernel Recipes 2015: Linux Kernel IO subsystem - How it works and how can I s...
Kernel Recipes 2015: Linux Kernel IO subsystem - How it works and how can I s...Anne Nicolas
 
Reliability, Availability, and Serviceability (RAS) on ARM64 status - SFO17-203
Reliability, Availability, and Serviceability (RAS) on ARM64 status - SFO17-203Reliability, Availability, and Serviceability (RAS) on ARM64 status - SFO17-203
Reliability, Availability, and Serviceability (RAS) on ARM64 status - SFO17-203Linaro
 

What's hot (20)

Fast Boot Times with InsydeH2O
Fast Boot Times with InsydeH2OFast Boot Times with InsydeH2O
Fast Boot Times with InsydeH2O
 
SPI Drivers
SPI DriversSPI Drivers
SPI Drivers
 
BeagleBone Black Booting Process
BeagleBone Black Booting ProcessBeagleBone Black Booting Process
BeagleBone Black Booting Process
 
Linux Audio Drivers. ALSA
Linux Audio Drivers. ALSALinux Audio Drivers. ALSA
Linux Audio Drivers. ALSA
 
UEFI presentation
UEFI presentationUEFI presentation
UEFI presentation
 
Project ACRN hypervisor introduction
Project ACRN hypervisor introduction Project ACRN hypervisor introduction
Project ACRN hypervisor introduction
 
Bios
BiosBios
Bios
 
Q4.11: Introduction to eMMC
Q4.11: Introduction to eMMCQ4.11: Introduction to eMMC
Q4.11: Introduction to eMMC
 
eMMC 5.0 Total IP Solution
eMMC 5.0 Total IP SolutioneMMC 5.0 Total IP Solution
eMMC 5.0 Total IP Solution
 
I2c drivers
I2c driversI2c drivers
I2c drivers
 
Bios vs uefi
Bios vs uefiBios vs uefi
Bios vs uefi
 
Boot process: BIOS vs UEFI
Boot process: BIOS vs UEFIBoot process: BIOS vs UEFI
Boot process: BIOS vs UEFI
 
Understanding The Boot Process
Understanding The Boot ProcessUnderstanding The Boot Process
Understanding The Boot Process
 
Kernel Recipes 2018 - Overview of SD/eMMC, their high speed modes and Linux s...
Kernel Recipes 2018 - Overview of SD/eMMC, their high speed modes and Linux s...Kernel Recipes 2018 - Overview of SD/eMMC, their high speed modes and Linux s...
Kernel Recipes 2018 - Overview of SD/eMMC, their high speed modes and Linux s...
 
CE-4028, Miracast with AMD Wireless Display technology – Kickass gaming and o...
CE-4028, Miracast with AMD Wireless Display technology – Kickass gaming and o...CE-4028, Miracast with AMD Wireless Display technology – Kickass gaming and o...
CE-4028, Miracast with AMD Wireless Display technology – Kickass gaming and o...
 
Block Drivers
Block DriversBlock Drivers
Block Drivers
 
Kernel Recipes 2015: Linux Kernel IO subsystem - How it works and how can I s...
Kernel Recipes 2015: Linux Kernel IO subsystem - How it works and how can I s...Kernel Recipes 2015: Linux Kernel IO subsystem - How it works and how can I s...
Kernel Recipes 2015: Linux Kernel IO subsystem - How it works and how can I s...
 
Bios
BiosBios
Bios
 
Motherboard
MotherboardMotherboard
Motherboard
 
Reliability, Availability, and Serviceability (RAS) on ARM64 status - SFO17-203
Reliability, Availability, and Serviceability (RAS) on ARM64 status - SFO17-203Reliability, Availability, and Serviceability (RAS) on ARM64 status - SFO17-203
Reliability, Availability, and Serviceability (RAS) on ARM64 status - SFO17-203
 

Viewers also liked

Unified Extensible Firmware Interface (UEFI)
Unified Extensible Firmware Interface (UEFI)Unified Extensible Firmware Interface (UEFI)
Unified Extensible Firmware Interface (UEFI)k33a
 
Description of GRUB 2
Description of GRUB 2Description of GRUB 2
Description of GRUB 2iamumr
 
Real time Operating System
Real time Operating SystemReal time Operating System
Real time Operating SystemTech_MX
 
Real Time OS For Embedded Systems
Real Time OS For Embedded SystemsReal Time OS For Embedded Systems
Real Time OS For Embedded SystemsHimanshu Ghetia
 

Viewers also liked (6)

Grub
GrubGrub
Grub
 
Unified Extensible Firmware Interface (UEFI)
Unified Extensible Firmware Interface (UEFI)Unified Extensible Firmware Interface (UEFI)
Unified Extensible Firmware Interface (UEFI)
 
Description of GRUB 2
Description of GRUB 2Description of GRUB 2
Description of GRUB 2
 
Bios uefi y legacy
Bios uefi y legacyBios uefi y legacy
Bios uefi y legacy
 
Real time Operating System
Real time Operating SystemReal time Operating System
Real time Operating System
 
Real Time OS For Embedded Systems
Real Time OS For Embedded SystemsReal Time OS For Embedded Systems
Real Time OS For Embedded Systems
 

Similar to UEFI Spec Version 2.4 Facilitates Secure Update

Android OTA updates
Android OTA updatesAndroid OTA updates
Android OTA updatesGary Bisson
 
Distro Recipes 2013: Secure Boot and Linux: several issues, one solution
Distro Recipes 2013: Secure Boot and Linux: several issues, one solutionDistro Recipes 2013: Secure Boot and Linux: several issues, one solution
Distro Recipes 2013: Secure Boot and Linux: several issues, one solutionAnne Nicolas
 
Windows 7 professional Vs Windows 7 enterprise
Windows 7 professional Vs Windows 7 enterpriseWindows 7 professional Vs Windows 7 enterprise
Windows 7 professional Vs Windows 7 enterprise247infotech
 
eFolder Expert Series Webinar - BDR Do's and Dont's: Featuring Andrew Bensing...
eFolder Expert Series Webinar - BDR Do's and Dont's: Featuring Andrew Bensing...eFolder Expert Series Webinar - BDR Do's and Dont's: Featuring Andrew Bensing...
eFolder Expert Series Webinar - BDR Do's and Dont's: Featuring Andrew Bensing...eFolder
 
Open mic on sametime 9 installs best practices, tips and tricks
Open mic on sametime 9 installs best practices, tips and tricksOpen mic on sametime 9 installs best practices, tips and tricks
Open mic on sametime 9 installs best practices, tips and tricksa8us
 
Open Mic on Sametime9 Install -Best Practices
Open Mic on Sametime9 Install -Best PracticesOpen Mic on Sametime9 Install -Best Practices
Open Mic on Sametime9 Install -Best PracticesVinayak Tavargeri
 
XPDS14 - Xen in EFI World - Daniel Kiper, Oracle
XPDS14 - Xen in EFI World - Daniel Kiper, OracleXPDS14 - Xen in EFI World - Daniel Kiper, Oracle
XPDS14 - Xen in EFI World - Daniel Kiper, OracleThe Linux Foundation
 
eFolder Expert Series Webinar — How to Back Up and Replicate Off-Site Using e...
eFolder Expert Series Webinar — How to Back Up and Replicate Off-Site Using e...eFolder Expert Series Webinar — How to Back Up and Replicate Off-Site Using e...
eFolder Expert Series Webinar — How to Back Up and Replicate Off-Site Using e...eFolder
 
XPDDS17: EFI Secure Boot, Shim and Xen: Current Status and Developments - Da...
XPDDS17: EFI Secure Boot, Shim and Xen: Current Status and Developments - Da...XPDDS17: EFI Secure Boot, Shim and Xen: Current Status and Developments - Da...
XPDDS17: EFI Secure Boot, Shim and Xen: Current Status and Developments - Da...The Linux Foundation
 
Finer Things Club - Lesser known zOSMF SW Mgmt Functions.pdf
Finer Things Club - Lesser known zOSMF SW Mgmt Functions.pdfFiner Things Club - Lesser known zOSMF SW Mgmt Functions.pdf
Finer Things Club - Lesser known zOSMF SW Mgmt Functions.pdfMarna Walle
 
Taishaun_OwnensCNS-533_Lab
Taishaun_OwnensCNS-533_LabTaishaun_OwnensCNS-533_Lab
Taishaun_OwnensCNS-533_LabTaishaun Owens
 
Using SCUP (System Center Updates Publisher) to Security Patch 3rd Party Apps...
Using SCUP (System Center Updates Publisher) to Security Patch 3rd Party Apps...Using SCUP (System Center Updates Publisher) to Security Patch 3rd Party Apps...
Using SCUP (System Center Updates Publisher) to Security Patch 3rd Party Apps...Lumension
 
Perfect Foundation for 2013 Security Blueprint
Perfect Foundation for 2013 Security BlueprintPerfect Foundation for 2013 Security Blueprint
Perfect Foundation for 2013 Security BlueprintGroup of company MUK
 
Todo lo lo que necesita saber para implementar FreePBX
Todo lo lo que necesita saber para implementar FreePBXTodo lo lo que necesita saber para implementar FreePBX
Todo lo lo que necesita saber para implementar FreePBXPaloSanto Solutions
 
BKK16-309A Open Platform support in UEFI
BKK16-309A Open Platform support in UEFIBKK16-309A Open Platform support in UEFI
BKK16-309A Open Platform support in UEFILinaro
 

Similar to UEFI Spec Version 2.4 Facilitates Secure Update (20)

Android OTA updates
Android OTA updatesAndroid OTA updates
Android OTA updates
 
Distro Recipes 2013: Secure Boot and Linux: several issues, one solution
Distro Recipes 2013: Secure Boot and Linux: several issues, one solutionDistro Recipes 2013: Secure Boot and Linux: several issues, one solution
Distro Recipes 2013: Secure Boot and Linux: several issues, one solution
 
Windows 7 professional Vs Windows 7 enterprise
Windows 7 professional Vs Windows 7 enterpriseWindows 7 professional Vs Windows 7 enterprise
Windows 7 professional Vs Windows 7 enterprise
 
eFolder Expert Series Webinar - BDR Do's and Dont's: Featuring Andrew Bensing...
eFolder Expert Series Webinar - BDR Do's and Dont's: Featuring Andrew Bensing...eFolder Expert Series Webinar - BDR Do's and Dont's: Featuring Andrew Bensing...
eFolder Expert Series Webinar - BDR Do's and Dont's: Featuring Andrew Bensing...
 
Open mic on sametime 9 installs best practices, tips and tricks
Open mic on sametime 9 installs best practices, tips and tricksOpen mic on sametime 9 installs best practices, tips and tricks
Open mic on sametime 9 installs best practices, tips and tricks
 
Open Mic on Sametime9 Install -Best Practices
Open Mic on Sametime9 Install -Best PracticesOpen Mic on Sametime9 Install -Best Practices
Open Mic on Sametime9 Install -Best Practices
 
XPDS14 - Xen in EFI World - Daniel Kiper, Oracle
XPDS14 - Xen in EFI World - Daniel Kiper, OracleXPDS14 - Xen in EFI World - Daniel Kiper, Oracle
XPDS14 - Xen in EFI World - Daniel Kiper, Oracle
 
Smooth as Silk Exadata Patching
Smooth as Silk Exadata PatchingSmooth as Silk Exadata Patching
Smooth as Silk Exadata Patching
 
eFolder Expert Series Webinar — How to Back Up and Replicate Off-Site Using e...
eFolder Expert Series Webinar — How to Back Up and Replicate Off-Site Using e...eFolder Expert Series Webinar — How to Back Up and Replicate Off-Site Using e...
eFolder Expert Series Webinar — How to Back Up and Replicate Off-Site Using e...
 
Cipc
CipcCipc
Cipc
 
XPDDS17: EFI Secure Boot, Shim and Xen: Current Status and Developments - Da...
XPDDS17: EFI Secure Boot, Shim and Xen: Current Status and Developments - Da...XPDDS17: EFI Secure Boot, Shim and Xen: Current Status and Developments - Da...
XPDDS17: EFI Secure Boot, Shim and Xen: Current Status and Developments - Da...
 
Finer Things Club - Lesser known zOSMF SW Mgmt Functions.pdf
Finer Things Club - Lesser known zOSMF SW Mgmt Functions.pdfFiner Things Club - Lesser known zOSMF SW Mgmt Functions.pdf
Finer Things Club - Lesser known zOSMF SW Mgmt Functions.pdf
 
Taishaun_OwnensCNS-533_Lab
Taishaun_OwnensCNS-533_LabTaishaun_OwnensCNS-533_Lab
Taishaun_OwnensCNS-533_Lab
 
Using SCUP (System Center Updates Publisher) to Security Patch 3rd Party Apps...
Using SCUP (System Center Updates Publisher) to Security Patch 3rd Party Apps...Using SCUP (System Center Updates Publisher) to Security Patch 3rd Party Apps...
Using SCUP (System Center Updates Publisher) to Security Patch 3rd Party Apps...
 
Perfect Foundation for 2013 Security Blueprint
Perfect Foundation for 2013 Security BlueprintPerfect Foundation for 2013 Security Blueprint
Perfect Foundation for 2013 Security Blueprint
 
Todo lo lo que necesita saber para implementar FreePBX
Todo lo lo que necesita saber para implementar FreePBXTodo lo lo que necesita saber para implementar FreePBX
Todo lo lo que necesita saber para implementar FreePBX
 
S4 sig-check-lpc-20130918
S4 sig-check-lpc-20130918S4 sig-check-lpc-20130918
S4 sig-check-lpc-20130918
 
Best ofmms kb_final
Best ofmms kb_finalBest ofmms kb_final
Best ofmms kb_final
 
Best ofmms kb_final
Best ofmms kb_finalBest ofmms kb_final
Best ofmms kb_final
 
BKK16-309A Open Platform support in UEFI
BKK16-309A Open Platform support in UEFIBKK16-309A Open Platform support in UEFI
BKK16-309A Open Platform support in UEFI
 

Recently uploaded

Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsRoshan Dwivedi
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesBoston Institute of Analytics
 
Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024SynarionITSolutions
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024The Digital Insurer
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 

Recently uploaded (20)

Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 

UEFI Spec Version 2.4 Facilitates Secure Update

  • 1. UEFI Spec Version 2.4 Facilitates Secure Update Insyde Software © 2013 Insyde Software 1
  • 2. Agenda • UEFI 2.4 • Background FMP • New Capsule Defined • Delivery on Disk • Secure? • Open Questions © 2013 Insyde Software 2
  • 3. UEFI 2.4 Spec is Public • Some of the New Content: 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. ARM 64-bit Bindings Custom Security Variable Variable Naming rules clarified Network driver changes including EFI_NO_MEDIA rules Async I/O Improvements Timestamp and Random Number protocols Time-based revocation Adapter Information Protocol and several AIP blocks defined Capsule Format containing FMP updates Deliver Capsule on Boot Disk Variable with Capsule processing status © 2013 Insyde Software 3
  • 4. UEFI 2.4 Spec is Public • Some of the New Content: 1. 2. 3. 4. 5. 6. 7. 8. ARM 64-bit Bindings Custom Security Variable Variable Naming rules clarified Network driver changes including EFI_NO_MEDIA rules Async I/O Improvements Timestamp and Random Number protocols Time-based revocation Adapter Information Protocol and several AIP blocks defined 9. 10. 11. Capsule Format containing FMP updates Deliver Capsule on Boot Disk Variable with Capsule processing status © 2013 Insyde Software 4
  • 6. Background - FMP • Added with UEFI version 2.3 update • Designed to • allow individual firmware components to expose data on current running image(s) • accept update images © 2013 Insyde Software 6
  • 7. FMP in the Industry • Mostly used in Enterprise segment • Popular for high-performance expansion cards with multi-element firmware onboard • But FMP is run in Boot Services – how to get the downloaded update to the FMP instance? © 2013 Insyde Software 7
  • 8. Factors inhibiting FMP • Using EFI shell delivery is not secure and awkward for system admin • For security, designers want to lock firmware store before Shell or OS boot • Secure Boot rules block many of todays update delivery tools © 2013 Insyde Software 8
  • 9. UEFI 2.4 Update Has New Capsule Targeting FMP © 2013 Insyde Software 9
  • 10. New Capsule for delivering FMP Updates • UEFI Defines a Capsule header for UpdateCapsule() function • UEFI 2.4 adds a complete description of internals of a Capsule targeting FMP • System firmware unpacks the capsule and delivers updates to FMP instances early in pre-boot © 2013 Insyde Software 10
  • 11. Capsule Format • EFI_FIRMWARE_MANAGEMENT_CAPSULE_ID_ GUID is the ID • In some cases complete FMP function cannot fit inside production firmware store, • Therefore new capsule format allows 0-n driver(s) and 0-n image(s) • Minimum is 1 driver or 1 image © 2013 Insyde Software 11
  • 12. Example with 2 drivers, multiple update payloads © 2013 Insyde Software 12
  • 13. © 2013 Insyde Software 13
  • 14. UEFI 2.4 Update Adds New Capsule Delivery Solutions © 2013 Insyde Software 14
  • 15. Problem Statement • UpdateCapsule() is run-time but: • FMP is not runtime so capsule needs to be conveyed to the system firmware after a restart • Persist in memory is possible but has disadvantages including: • Need to reserve block of memory of unknown size © 2013 Insyde Software 15
  • 16. UEFI 2.4 defines Capsule Delivery Via Disk • OS tool Copies Capsule Image to EFICapsuleUpdate directory on Boot Drive • Then Sets OS_Indications bit • EFI_OS_INDICATIONS_FILE_CAPSULE_DELIVERY_SUPPORTED • After Restart F/W finds Capsule and processes © 2013 Insyde Software 16
  • 17. UEFI 2.4 Defines Result Var • After Capsule Processed, the result including any error status is left in created UEFI Variable • Examined by the update launcher after OS restarts © 2013 Insyde Software 17
  • 18. How Secure is This new Method? © 2013 Insyde Software 18
  • 19. Driver Security • Update driver launched from the capsule must be signed by CA trusted by the platform • Same Security Level as the UEFI Option ROM (the thing that is being updated) • The Updated Option ROM image is also checked at restart © 2013 Insyde Software 19
  • 20. Image Payload Security • All FMP implementations should use IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED • FMP code doing check is signed, and download driver breaks any existing ROM size barrier and allows IHV to use crypto for strong image check © 2013 Insyde Software 20
  • 21. Discussion Questions © 2013 Insyde Software 21
  • 22. Non-FMP use • I don’t use FMP for my card. Can I use this new Capsule for proprietary update? • Technically yes, a capsule could contain 1 or more drivers but no payloads. • But, the update image would need to be embedded inside the driver image and the combination sent to CA for signing… © 2013 Insyde Software 22
  • 23. Boot Drive Write-protected • What about a system with a write-protected EFI System Partition? • Provide utility to use UpdateCapsule directly, but possible the device firmware store was locked before UpdateCapsule() caller can load? • What is the right event trigger for device firmware write-protect lock? © 2013 Insyde Software 23
  • 24. Thanks! © 2013 Insyde Software 24
  • 25. For inquiries, please contact Ed Brohm at Insyde Software ed.brohm@insydesw.com Insyde, InsydeH2O and Ready for the Next are registered trademarks of Insyde Software. © 2013 Insyde Software