Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

LAS16-200: Firmware Summit - UEFI secure boot


Published on

Title: Secure Boot
A 101 style introduction to what Secure Boot is as Secure means different things to different people. Covering the current status, what features are implemented currently on ARM64 and what features should be implemented in the future. Followed by a discussion period.
Speaker: Ard Biesheuvel

Published in: Technology
  • Be the first to comment

LAS16-200: Firmware Summit - UEFI secure boot

  1. 1. UEFI Secure Boot Ard Biesheuvel <>
  2. 2. ENGINEERS AND DEVICES WORKING TOGETHER UEFI Secure Boot - current status on AArch64 ● Essentially the same as a year ago ○ Software layers above the non-volatile variable store are working and regression tested through CI (both AArch64 and ARM) ○ No implementation exists to make the non-volatile variable store tamper proof and replay protected, as the UEFI Secure Boot spec requires ● What is holding us back? ○ Spec based reference implementation of the tamper proof varstore requires (S)MM support, which is not even in the spec yet for AArch64. ○ Non-spec based ref implementation is likely too platform specific, which complicates sharing between members and/or open sourcing ● Is there a plan B? ○ External manipulation of PK/KEK/db/dbx variables, while making them immutable from the OS/firmware pov. Stop gap solution, but effective
  3. 3. Thank You #LAS16 For further information: LAS16 keynotes and videos on: