SlideShare a Scribd company logo
UEFI Spec Version 2.4
Facilitates Secure Update
Insyde Software

© 2013 Insyde Software

1
Agenda
• UEFI 2.4
• Background FMP
• New Capsule Defined
• Delivery on Disk
• Secure?
• Open Questions

© 2013 Insyde Software

2
UEFI 2.4 Spec is Public
• Some of the New Content:
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.

ARM 64-bit Bindings
Custom Security Variable
Variable Naming rules clarified
Network driver changes including EFI_NO_MEDIA rules
Async I/O Improvements
Timestamp and Random Number protocols
Time-based revocation
Adapter Information Protocol and several AIP blocks defined
Capsule Format containing FMP updates
Deliver Capsule on Boot Disk
Variable with Capsule processing status

© 2013 Insyde Software

3
UEFI 2.4 Spec is Public
• Some of the New Content:
1.
2.
3.
4.
5.
6.
7.
8.

ARM 64-bit Bindings
Custom Security Variable
Variable Naming rules clarified
Network driver changes including EFI_NO_MEDIA rules
Async I/O Improvements
Timestamp and Random Number protocols
Time-based revocation
Adapter Information Protocol and several AIP blocks defined

9.
10.
11.

Capsule Format containing FMP updates
Deliver Capsule on Boot Disk
Variable with Capsule processing status

© 2013 Insyde Software

4
Firmware Management
Protocol

© 2013 Insyde Software

5
Background - FMP
• Added with UEFI version 2.3 update
• Designed to
• allow individual firmware components to expose data on current
running image(s)
• accept update images

© 2013 Insyde Software

6
FMP in the Industry
• Mostly used in Enterprise segment
• Popular for high-performance expansion cards with
multi-element firmware onboard
• But FMP is run in Boot Services – how to get the
downloaded update to the FMP instance?

© 2013 Insyde Software

7
Factors inhibiting FMP
• Using EFI shell delivery is not secure and awkward for
system admin
• For security, designers want to lock firmware store
before Shell or OS boot
• Secure Boot rules block many of todays update
delivery tools

© 2013 Insyde Software

8
UEFI 2.4 Update Has New
Capsule Targeting FMP

© 2013 Insyde Software

9
New Capsule for delivering FMP
Updates
• UEFI Defines a Capsule header for UpdateCapsule()
function
• UEFI 2.4 adds a complete description of internals of a
Capsule targeting FMP
• System firmware unpacks the capsule and delivers
updates to FMP instances early in pre-boot

© 2013 Insyde Software

10
Capsule Format
• EFI_FIRMWARE_MANAGEMENT_CAPSULE_ID_
GUID is the ID
• In some cases complete FMP function cannot
fit inside production firmware store,
• Therefore new capsule format allows 0-n
driver(s) and 0-n image(s)
• Minimum is 1 driver or 1 image

© 2013 Insyde Software

11
Example with 2 drivers, multiple update
payloads

© 2013 Insyde Software

12
© 2013 Insyde Software

13
UEFI 2.4 Update Adds New
Capsule Delivery Solutions

© 2013 Insyde Software

14
Problem Statement
• UpdateCapsule() is run-time but:
• FMP is not runtime so capsule needs to be conveyed to the system
firmware after a restart
• Persist in memory is possible but has disadvantages including:
• Need to reserve block of memory of unknown size

© 2013 Insyde Software

15
UEFI 2.4 defines Capsule Delivery Via
Disk
• OS tool Copies Capsule Image to
EFICapsuleUpdate directory on Boot Drive
• Then Sets OS_Indications bit
• EFI_OS_INDICATIONS_FILE_CAPSULE_DELIVERY_SUPPORTED

• After Restart F/W finds Capsule and processes

© 2013 Insyde Software

16
UEFI 2.4 Defines Result Var
• After Capsule Processed, the result including any
error status is left in created UEFI Variable
• Examined by the update launcher after OS restarts

© 2013 Insyde Software

17
How Secure is This new
Method?

© 2013 Insyde Software

18
Driver Security
• Update driver launched from the capsule must be
signed by CA trusted by the platform
• Same Security Level as the UEFI Option ROM (the
thing that is being updated)
• The Updated Option ROM image is also checked at
restart

© 2013 Insyde Software

19
Image Payload Security
• All FMP implementations should use

IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED

• FMP code doing check is signed, and download
driver breaks any existing ROM size barrier and
allows IHV to use crypto for strong image check
© 2013 Insyde Software

20
Discussion Questions

© 2013 Insyde Software

21
Non-FMP use
• I don’t use FMP for my card. Can I use this new
Capsule for proprietary update?
• Technically yes, a capsule could contain 1 or more drivers but no
payloads.
• But, the update image would need to be embedded inside the driver
image and the combination sent to CA for signing…

© 2013 Insyde Software

22
Boot Drive Write-protected
• What about a system with a write-protected EFI
System Partition?
• Provide utility to use UpdateCapsule directly, but possible the device
firmware store was locked before UpdateCapsule() caller can load?
• What is the right event trigger for device firmware write-protect lock?

© 2013 Insyde Software

23
Thanks!

© 2013 Insyde Software

24
For inquiries, please contact Ed Brohm at Insyde Software
ed.brohm@insydesw.com
Insyde, InsydeH2O and Ready for the Next are registered trademarks of Insyde Software.

© 2013 Insyde Software

More Related Content

What's hot

LAS16 111 - Raspberry pi3, op-tee and jtag debugging
LAS16 111 - Raspberry pi3, op-tee and jtag debuggingLAS16 111 - Raspberry pi3, op-tee and jtag debugging
LAS16 111 - Raspberry pi3, op-tee and jtag debugging96Boards
 
Introduction to systemd
Introduction to systemdIntroduction to systemd
Introduction to systemdYusaku OGAWA
 
LCU14 302- How to port OP-TEE to another platform
LCU14 302- How to port OP-TEE to another platformLCU14 302- How to port OP-TEE to another platform
LCU14 302- How to port OP-TEE to another platformLinaro
 
Hardware accelerated Virtualization in the ARM Cortex™ Processors
Hardware accelerated Virtualization in the ARM Cortex™ ProcessorsHardware accelerated Virtualization in the ARM Cortex™ Processors
Hardware accelerated Virtualization in the ARM Cortex™ ProcessorsThe Linux Foundation
 
U boot porting guide for SoC
U boot porting guide for SoCU boot porting guide for SoC
U boot porting guide for SoCMacpaul Lin
 
RISC-V Boot Process: One Step at a Time
RISC-V Boot Process: One Step at a TimeRISC-V Boot Process: One Step at a Time
RISC-V Boot Process: One Step at a TimeAtish Patra
 
Rootless Kubernetes
Rootless KubernetesRootless Kubernetes
Rootless KubernetesAkihiro Suda
 
Linux Porting to a Custom Board
Linux Porting to a Custom BoardLinux Porting to a Custom Board
Linux Porting to a Custom BoardPatrick Bellasi
 
TEE - kernel support is now upstream. What this means for open source security
TEE - kernel support is now upstream. What this means for open source securityTEE - kernel support is now upstream. What this means for open source security
TEE - kernel support is now upstream. What this means for open source securityLinaro
 
Secure boot general
Secure boot generalSecure boot general
Secure boot generalPrabhu Swamy
 
QEMU - Binary Translation
QEMU - Binary Translation QEMU - Binary Translation
QEMU - Binary Translation Jiann-Fuh Liaw
 
ACPI Debugging from Linux Kernel
ACPI Debugging from Linux KernelACPI Debugging from Linux Kernel
ACPI Debugging from Linux KernelSUSE Labs Taipei
 
Profiling the ACPICA Namespace and Event Handing
Profiling the ACPICA Namespace and Event HandingProfiling the ACPICA Namespace and Event Handing
Profiling the ACPICA Namespace and Event HandingSUSE Labs Taipei
 
Embedded Linux BSP Training (Intro)
Embedded Linux BSP Training (Intro)Embedded Linux BSP Training (Intro)
Embedded Linux BSP Training (Intro)RuggedBoardGroup
 
Secure Boot on ARM systems – Building a complete Chain of Trust upon existing...
Secure Boot on ARM systems – Building a complete Chain of Trust upon existing...Secure Boot on ARM systems – Building a complete Chain of Trust upon existing...
Secure Boot on ARM systems – Building a complete Chain of Trust upon existing...Linaro
 

What's hot (20)

BeagleBone Black Bootloaders
BeagleBone Black BootloadersBeagleBone Black Bootloaders
BeagleBone Black Bootloaders
 
LAS16 111 - Raspberry pi3, op-tee and jtag debugging
LAS16 111 - Raspberry pi3, op-tee and jtag debuggingLAS16 111 - Raspberry pi3, op-tee and jtag debugging
LAS16 111 - Raspberry pi3, op-tee and jtag debugging
 
Introduction to systemd
Introduction to systemdIntroduction to systemd
Introduction to systemd
 
LCU14 302- How to port OP-TEE to another platform
LCU14 302- How to port OP-TEE to another platformLCU14 302- How to port OP-TEE to another platform
LCU14 302- How to port OP-TEE to another platform
 
Hardware accelerated Virtualization in the ARM Cortex™ Processors
Hardware accelerated Virtualization in the ARM Cortex™ ProcessorsHardware accelerated Virtualization in the ARM Cortex™ Processors
Hardware accelerated Virtualization in the ARM Cortex™ Processors
 
U boot porting guide for SoC
U boot porting guide for SoCU boot porting guide for SoC
U boot porting guide for SoC
 
RISC-V Boot Process: One Step at a Time
RISC-V Boot Process: One Step at a TimeRISC-V Boot Process: One Step at a Time
RISC-V Boot Process: One Step at a Time
 
UEFI presentation
UEFI presentationUEFI presentation
UEFI presentation
 
Rootless Kubernetes
Rootless KubernetesRootless Kubernetes
Rootless Kubernetes
 
Bootloaders
BootloadersBootloaders
Bootloaders
 
Linux Porting to a Custom Board
Linux Porting to a Custom BoardLinux Porting to a Custom Board
Linux Porting to a Custom Board
 
TEE - kernel support is now upstream. What this means for open source security
TEE - kernel support is now upstream. What this means for open source securityTEE - kernel support is now upstream. What this means for open source security
TEE - kernel support is now upstream. What this means for open source security
 
Secure boot general
Secure boot generalSecure boot general
Secure boot general
 
QEMU - Binary Translation
QEMU - Binary Translation QEMU - Binary Translation
QEMU - Binary Translation
 
ACPI Debugging from Linux Kernel
ACPI Debugging from Linux KernelACPI Debugging from Linux Kernel
ACPI Debugging from Linux Kernel
 
A practical guide to buildroot
A practical guide to buildrootA practical guide to buildroot
A practical guide to buildroot
 
Profiling the ACPICA Namespace and Event Handing
Profiling the ACPICA Namespace and Event HandingProfiling the ACPICA Namespace and Event Handing
Profiling the ACPICA Namespace and Event Handing
 
Embedded Linux BSP Training (Intro)
Embedded Linux BSP Training (Intro)Embedded Linux BSP Training (Intro)
Embedded Linux BSP Training (Intro)
 
USB Drivers
USB DriversUSB Drivers
USB Drivers
 
Secure Boot on ARM systems – Building a complete Chain of Trust upon existing...
Secure Boot on ARM systems – Building a complete Chain of Trust upon existing...Secure Boot on ARM systems – Building a complete Chain of Trust upon existing...
Secure Boot on ARM systems – Building a complete Chain of Trust upon existing...
 

Viewers also liked

Unified Extensible Firmware Interface (UEFI)
Unified Extensible Firmware Interface (UEFI)Unified Extensible Firmware Interface (UEFI)
Unified Extensible Firmware Interface (UEFI)k33a
 
Description of GRUB 2
Description of GRUB 2Description of GRUB 2
Description of GRUB 2iamumr
 
Real time Operating System
Real time Operating SystemReal time Operating System
Real time Operating SystemTech_MX
 
Real Time OS For Embedded Systems
Real Time OS For Embedded SystemsReal Time OS For Embedded Systems
Real Time OS For Embedded SystemsHimanshu Ghetia
 

Viewers also liked (8)

Uefi and bios
Uefi and biosUefi and bios
Uefi and bios
 
Grub
GrubGrub
Grub
 
Unified Extensible Firmware Interface (UEFI)
Unified Extensible Firmware Interface (UEFI)Unified Extensible Firmware Interface (UEFI)
Unified Extensible Firmware Interface (UEFI)
 
Description of GRUB 2
Description of GRUB 2Description of GRUB 2
Description of GRUB 2
 
Bios uefi y legacy
Bios uefi y legacyBios uefi y legacy
Bios uefi y legacy
 
Real time Operating System
Real time Operating SystemReal time Operating System
Real time Operating System
 
Real Time OS For Embedded Systems
Real Time OS For Embedded SystemsReal Time OS For Embedded Systems
Real Time OS For Embedded Systems
 
Boot process: BIOS vs UEFI
Boot process: BIOS vs UEFIBoot process: BIOS vs UEFI
Boot process: BIOS vs UEFI
 

Similar to UEFI Spec Version 2.4 Facilitates Secure Update

Android OTA updates
Android OTA updatesAndroid OTA updates
Android OTA updatesGary Bisson
 
Distro Recipes 2013: Secure Boot and Linux: several issues, one solution
Distro Recipes 2013: Secure Boot and Linux: several issues, one solutionDistro Recipes 2013: Secure Boot and Linux: several issues, one solution
Distro Recipes 2013: Secure Boot and Linux: several issues, one solutionAnne Nicolas
 
Windows 7 professional Vs Windows 7 enterprise
Windows 7 professional Vs Windows 7 enterpriseWindows 7 professional Vs Windows 7 enterprise
Windows 7 professional Vs Windows 7 enterprise247infotech
 
eFolder Expert Series Webinar - BDR Do's and Dont's: Featuring Andrew Bensing...
eFolder Expert Series Webinar - BDR Do's and Dont's: Featuring Andrew Bensing...eFolder Expert Series Webinar - BDR Do's and Dont's: Featuring Andrew Bensing...
eFolder Expert Series Webinar - BDR Do's and Dont's: Featuring Andrew Bensing...eFolder
 
Open mic on sametime 9 installs best practices, tips and tricks
Open mic on sametime 9 installs best practices, tips and tricksOpen mic on sametime 9 installs best practices, tips and tricks
Open mic on sametime 9 installs best practices, tips and tricksa8us
 
Open Mic on Sametime9 Install -Best Practices
Open Mic on Sametime9 Install  -Best PracticesOpen Mic on Sametime9 Install  -Best Practices
Open Mic on Sametime9 Install -Best PracticesVinayak Tavargeri
 
XPDS14 - Xen in EFI World - Daniel Kiper, Oracle
XPDS14 - Xen in EFI World - Daniel Kiper, OracleXPDS14 - Xen in EFI World - Daniel Kiper, Oracle
XPDS14 - Xen in EFI World - Daniel Kiper, OracleThe Linux Foundation
 
eFolder Expert Series Webinar — How to Back Up and Replicate Off-Site Using e...
eFolder Expert Series Webinar — How to Back Up and Replicate Off-Site Using e...eFolder Expert Series Webinar — How to Back Up and Replicate Off-Site Using e...
eFolder Expert Series Webinar — How to Back Up and Replicate Off-Site Using e...eFolder
 
XPDDS17: EFI Secure Boot, Shim and Xen: Current Status and Developments - Da...
XPDDS17:  EFI Secure Boot, Shim and Xen: Current Status and Developments - Da...XPDDS17:  EFI Secure Boot, Shim and Xen: Current Status and Developments - Da...
XPDDS17: EFI Secure Boot, Shim and Xen: Current Status and Developments - Da...The Linux Foundation
 
Finer Things Club - Lesser known zOSMF SW Mgmt Functions.pdf
Finer Things Club - Lesser known zOSMF SW Mgmt Functions.pdfFiner Things Club - Lesser known zOSMF SW Mgmt Functions.pdf
Finer Things Club - Lesser known zOSMF SW Mgmt Functions.pdfMarna Walle
 
Taishaun_OwnensCNS-533_Lab
Taishaun_OwnensCNS-533_LabTaishaun_OwnensCNS-533_Lab
Taishaun_OwnensCNS-533_LabTaishaun Owens
 
Using SCUP (System Center Updates Publisher) to Security Patch 3rd Party Apps...
Using SCUP (System Center Updates Publisher) to Security Patch 3rd Party Apps...Using SCUP (System Center Updates Publisher) to Security Patch 3rd Party Apps...
Using SCUP (System Center Updates Publisher) to Security Patch 3rd Party Apps...Lumension
 
Perfect Foundation for 2013 Security Blueprint
Perfect Foundation for 2013 Security BlueprintPerfect Foundation for 2013 Security Blueprint
Perfect Foundation for 2013 Security BlueprintGroup of company MUK
 
Todo lo lo que necesita saber para implementar FreePBX
Todo lo lo que necesita saber para implementar FreePBXTodo lo lo que necesita saber para implementar FreePBX
Todo lo lo que necesita saber para implementar FreePBXPaloSanto Solutions
 
BKK16-309A Open Platform support in UEFI
BKK16-309A Open Platform support in UEFIBKK16-309A Open Platform support in UEFI
BKK16-309A Open Platform support in UEFILinaro
 

Similar to UEFI Spec Version 2.4 Facilitates Secure Update (20)

Android OTA updates
Android OTA updatesAndroid OTA updates
Android OTA updates
 
Distro Recipes 2013: Secure Boot and Linux: several issues, one solution
Distro Recipes 2013: Secure Boot and Linux: several issues, one solutionDistro Recipes 2013: Secure Boot and Linux: several issues, one solution
Distro Recipes 2013: Secure Boot and Linux: several issues, one solution
 
Windows 7 professional Vs Windows 7 enterprise
Windows 7 professional Vs Windows 7 enterpriseWindows 7 professional Vs Windows 7 enterprise
Windows 7 professional Vs Windows 7 enterprise
 
eFolder Expert Series Webinar - BDR Do's and Dont's: Featuring Andrew Bensing...
eFolder Expert Series Webinar - BDR Do's and Dont's: Featuring Andrew Bensing...eFolder Expert Series Webinar - BDR Do's and Dont's: Featuring Andrew Bensing...
eFolder Expert Series Webinar - BDR Do's and Dont's: Featuring Andrew Bensing...
 
Open mic on sametime 9 installs best practices, tips and tricks
Open mic on sametime 9 installs best practices, tips and tricksOpen mic on sametime 9 installs best practices, tips and tricks
Open mic on sametime 9 installs best practices, tips and tricks
 
Open Mic on Sametime9 Install -Best Practices
Open Mic on Sametime9 Install  -Best PracticesOpen Mic on Sametime9 Install  -Best Practices
Open Mic on Sametime9 Install -Best Practices
 
XPDS14 - Xen in EFI World - Daniel Kiper, Oracle
XPDS14 - Xen in EFI World - Daniel Kiper, OracleXPDS14 - Xen in EFI World - Daniel Kiper, Oracle
XPDS14 - Xen in EFI World - Daniel Kiper, Oracle
 
Smooth as Silk Exadata Patching
Smooth as Silk Exadata PatchingSmooth as Silk Exadata Patching
Smooth as Silk Exadata Patching
 
eFolder Expert Series Webinar — How to Back Up and Replicate Off-Site Using e...
eFolder Expert Series Webinar — How to Back Up and Replicate Off-Site Using e...eFolder Expert Series Webinar — How to Back Up and Replicate Off-Site Using e...
eFolder Expert Series Webinar — How to Back Up and Replicate Off-Site Using e...
 
Cipc
CipcCipc
Cipc
 
XPDDS17: EFI Secure Boot, Shim and Xen: Current Status and Developments - Da...
XPDDS17:  EFI Secure Boot, Shim and Xen: Current Status and Developments - Da...XPDDS17:  EFI Secure Boot, Shim and Xen: Current Status and Developments - Da...
XPDDS17: EFI Secure Boot, Shim and Xen: Current Status and Developments - Da...
 
Finer Things Club - Lesser known zOSMF SW Mgmt Functions.pdf
Finer Things Club - Lesser known zOSMF SW Mgmt Functions.pdfFiner Things Club - Lesser known zOSMF SW Mgmt Functions.pdf
Finer Things Club - Lesser known zOSMF SW Mgmt Functions.pdf
 
Taishaun_OwnensCNS-533_Lab
Taishaun_OwnensCNS-533_LabTaishaun_OwnensCNS-533_Lab
Taishaun_OwnensCNS-533_Lab
 
Using SCUP (System Center Updates Publisher) to Security Patch 3rd Party Apps...
Using SCUP (System Center Updates Publisher) to Security Patch 3rd Party Apps...Using SCUP (System Center Updates Publisher) to Security Patch 3rd Party Apps...
Using SCUP (System Center Updates Publisher) to Security Patch 3rd Party Apps...
 
Perfect Foundation for 2013 Security Blueprint
Perfect Foundation for 2013 Security BlueprintPerfect Foundation for 2013 Security Blueprint
Perfect Foundation for 2013 Security Blueprint
 
Todo lo lo que necesita saber para implementar FreePBX
Todo lo lo que necesita saber para implementar FreePBXTodo lo lo que necesita saber para implementar FreePBX
Todo lo lo que necesita saber para implementar FreePBX
 
S4 sig-check-lpc-20130918
S4 sig-check-lpc-20130918S4 sig-check-lpc-20130918
S4 sig-check-lpc-20130918
 
Best ofmms kb_final
Best ofmms kb_finalBest ofmms kb_final
Best ofmms kb_final
 
Best ofmms kb_final
Best ofmms kb_finalBest ofmms kb_final
Best ofmms kb_final
 
BKK16-309A Open Platform support in UEFI
BKK16-309A Open Platform support in UEFIBKK16-309A Open Platform support in UEFI
BKK16-309A Open Platform support in UEFI
 

Recently uploaded

Connecting the Dots in Product Design at KAYAK
Connecting the Dots in Product Design at KAYAKConnecting the Dots in Product Design at KAYAK
Connecting the Dots in Product Design at KAYAKUXDXConf
 
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdfIntroduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdfFIDO Alliance
 
Top 10 Symfony Development Companies 2024
Top 10 Symfony Development Companies 2024Top 10 Symfony Development Companies 2024
Top 10 Symfony Development Companies 2024TopCSSGallery
 
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...FIDO Alliance
 
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...CzechDreamin
 
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptxUnpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptxDavid Michel
 
Intro in Product Management - Коротко про професію продакт менеджера
Intro in Product Management - Коротко про професію продакт менеджераIntro in Product Management - Коротко про професію продакт менеджера
Intro in Product Management - Коротко про професію продакт менеджераMark Opanasiuk
 
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...CzechDreamin
 
The Metaverse: Are We There Yet?
The  Metaverse:    Are   We  There  Yet?The  Metaverse:    Are   We  There  Yet?
The Metaverse: Are We There Yet?Mark Billinghurst
 
Optimizing NoSQL Performance Through Observability
Optimizing NoSQL Performance Through ObservabilityOptimizing NoSQL Performance Through Observability
Optimizing NoSQL Performance Through ObservabilityScyllaDB
 
Introduction to Open Source RAG and RAG Evaluation
Introduction to Open Source RAG and RAG EvaluationIntroduction to Open Source RAG and RAG Evaluation
Introduction to Open Source RAG and RAG EvaluationZilliz
 
Structuring Teams and Portfolios for Success
Structuring Teams and Portfolios for SuccessStructuring Teams and Portfolios for Success
Structuring Teams and Portfolios for SuccessUXDXConf
 
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...FIDO Alliance
 
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdfLinux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdfFIDO Alliance
 
Enterprise Knowledge Graphs - Data Summit 2024
Enterprise Knowledge Graphs - Data Summit 2024Enterprise Knowledge Graphs - Data Summit 2024
Enterprise Knowledge Graphs - Data Summit 2024Enterprise Knowledge
 
IESVE for Early Stage Design and Planning
IESVE for Early Stage Design and PlanningIESVE for Early Stage Design and Planning
IESVE for Early Stage Design and PlanningIES VE
 
IoT Analytics Company Presentation May 2024
IoT Analytics Company Presentation May 2024IoT Analytics Company Presentation May 2024
IoT Analytics Company Presentation May 2024IoTAnalytics
 
ECS 2024 Teams Premium - Pretty Secure
ECS 2024   Teams Premium - Pretty SecureECS 2024   Teams Premium - Pretty Secure
ECS 2024 Teams Premium - Pretty SecureFemke de Vroome
 
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdfSimplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdfFIDO Alliance
 
AI revolution and Salesforce, Jiří Karpíšek
AI revolution and Salesforce, Jiří KarpíšekAI revolution and Salesforce, Jiří Karpíšek
AI revolution and Salesforce, Jiří KarpíšekCzechDreamin
 

Recently uploaded (20)

Connecting the Dots in Product Design at KAYAK
Connecting the Dots in Product Design at KAYAKConnecting the Dots in Product Design at KAYAK
Connecting the Dots in Product Design at KAYAK
 
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdfIntroduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
 
Top 10 Symfony Development Companies 2024
Top 10 Symfony Development Companies 2024Top 10 Symfony Development Companies 2024
Top 10 Symfony Development Companies 2024
 
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
 
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
 
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptxUnpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
 
Intro in Product Management - Коротко про професію продакт менеджера
Intro in Product Management - Коротко про професію продакт менеджераIntro in Product Management - Коротко про професію продакт менеджера
Intro in Product Management - Коротко про професію продакт менеджера
 
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
 
The Metaverse: Are We There Yet?
The  Metaverse:    Are   We  There  Yet?The  Metaverse:    Are   We  There  Yet?
The Metaverse: Are We There Yet?
 
Optimizing NoSQL Performance Through Observability
Optimizing NoSQL Performance Through ObservabilityOptimizing NoSQL Performance Through Observability
Optimizing NoSQL Performance Through Observability
 
Introduction to Open Source RAG and RAG Evaluation
Introduction to Open Source RAG and RAG EvaluationIntroduction to Open Source RAG and RAG Evaluation
Introduction to Open Source RAG and RAG Evaluation
 
Structuring Teams and Portfolios for Success
Structuring Teams and Portfolios for SuccessStructuring Teams and Portfolios for Success
Structuring Teams and Portfolios for Success
 
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...
 
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdfLinux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
 
Enterprise Knowledge Graphs - Data Summit 2024
Enterprise Knowledge Graphs - Data Summit 2024Enterprise Knowledge Graphs - Data Summit 2024
Enterprise Knowledge Graphs - Data Summit 2024
 
IESVE for Early Stage Design and Planning
IESVE for Early Stage Design and PlanningIESVE for Early Stage Design and Planning
IESVE for Early Stage Design and Planning
 
IoT Analytics Company Presentation May 2024
IoT Analytics Company Presentation May 2024IoT Analytics Company Presentation May 2024
IoT Analytics Company Presentation May 2024
 
ECS 2024 Teams Premium - Pretty Secure
ECS 2024   Teams Premium - Pretty SecureECS 2024   Teams Premium - Pretty Secure
ECS 2024 Teams Premium - Pretty Secure
 
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdfSimplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
 
AI revolution and Salesforce, Jiří Karpíšek
AI revolution and Salesforce, Jiří KarpíšekAI revolution and Salesforce, Jiří Karpíšek
AI revolution and Salesforce, Jiří Karpíšek
 

UEFI Spec Version 2.4 Facilitates Secure Update

  • 1. UEFI Spec Version 2.4 Facilitates Secure Update Insyde Software © 2013 Insyde Software 1
  • 2. Agenda • UEFI 2.4 • Background FMP • New Capsule Defined • Delivery on Disk • Secure? • Open Questions © 2013 Insyde Software 2
  • 3. UEFI 2.4 Spec is Public • Some of the New Content: 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. ARM 64-bit Bindings Custom Security Variable Variable Naming rules clarified Network driver changes including EFI_NO_MEDIA rules Async I/O Improvements Timestamp and Random Number protocols Time-based revocation Adapter Information Protocol and several AIP blocks defined Capsule Format containing FMP updates Deliver Capsule on Boot Disk Variable with Capsule processing status © 2013 Insyde Software 3
  • 4. UEFI 2.4 Spec is Public • Some of the New Content: 1. 2. 3. 4. 5. 6. 7. 8. ARM 64-bit Bindings Custom Security Variable Variable Naming rules clarified Network driver changes including EFI_NO_MEDIA rules Async I/O Improvements Timestamp and Random Number protocols Time-based revocation Adapter Information Protocol and several AIP blocks defined 9. 10. 11. Capsule Format containing FMP updates Deliver Capsule on Boot Disk Variable with Capsule processing status © 2013 Insyde Software 4
  • 6. Background - FMP • Added with UEFI version 2.3 update • Designed to • allow individual firmware components to expose data on current running image(s) • accept update images © 2013 Insyde Software 6
  • 7. FMP in the Industry • Mostly used in Enterprise segment • Popular for high-performance expansion cards with multi-element firmware onboard • But FMP is run in Boot Services – how to get the downloaded update to the FMP instance? © 2013 Insyde Software 7
  • 8. Factors inhibiting FMP • Using EFI shell delivery is not secure and awkward for system admin • For security, designers want to lock firmware store before Shell or OS boot • Secure Boot rules block many of todays update delivery tools © 2013 Insyde Software 8
  • 9. UEFI 2.4 Update Has New Capsule Targeting FMP © 2013 Insyde Software 9
  • 10. New Capsule for delivering FMP Updates • UEFI Defines a Capsule header for UpdateCapsule() function • UEFI 2.4 adds a complete description of internals of a Capsule targeting FMP • System firmware unpacks the capsule and delivers updates to FMP instances early in pre-boot © 2013 Insyde Software 10
  • 11. Capsule Format • EFI_FIRMWARE_MANAGEMENT_CAPSULE_ID_ GUID is the ID • In some cases complete FMP function cannot fit inside production firmware store, • Therefore new capsule format allows 0-n driver(s) and 0-n image(s) • Minimum is 1 driver or 1 image © 2013 Insyde Software 11
  • 12. Example with 2 drivers, multiple update payloads © 2013 Insyde Software 12
  • 13. © 2013 Insyde Software 13
  • 14. UEFI 2.4 Update Adds New Capsule Delivery Solutions © 2013 Insyde Software 14
  • 15. Problem Statement • UpdateCapsule() is run-time but: • FMP is not runtime so capsule needs to be conveyed to the system firmware after a restart • Persist in memory is possible but has disadvantages including: • Need to reserve block of memory of unknown size © 2013 Insyde Software 15
  • 16. UEFI 2.4 defines Capsule Delivery Via Disk • OS tool Copies Capsule Image to EFICapsuleUpdate directory on Boot Drive • Then Sets OS_Indications bit • EFI_OS_INDICATIONS_FILE_CAPSULE_DELIVERY_SUPPORTED • After Restart F/W finds Capsule and processes © 2013 Insyde Software 16
  • 17. UEFI 2.4 Defines Result Var • After Capsule Processed, the result including any error status is left in created UEFI Variable • Examined by the update launcher after OS restarts © 2013 Insyde Software 17
  • 18. How Secure is This new Method? © 2013 Insyde Software 18
  • 19. Driver Security • Update driver launched from the capsule must be signed by CA trusted by the platform • Same Security Level as the UEFI Option ROM (the thing that is being updated) • The Updated Option ROM image is also checked at restart © 2013 Insyde Software 19
  • 20. Image Payload Security • All FMP implementations should use IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED • FMP code doing check is signed, and download driver breaks any existing ROM size barrier and allows IHV to use crypto for strong image check © 2013 Insyde Software 20
  • 21. Discussion Questions © 2013 Insyde Software 21
  • 22. Non-FMP use • I don’t use FMP for my card. Can I use this new Capsule for proprietary update? • Technically yes, a capsule could contain 1 or more drivers but no payloads. • But, the update image would need to be embedded inside the driver image and the combination sent to CA for signing… © 2013 Insyde Software 22
  • 23. Boot Drive Write-protected • What about a system with a write-protected EFI System Partition? • Provide utility to use UpdateCapsule directly, but possible the device firmware store was locked before UpdateCapsule() caller can load? • What is the right event trigger for device firmware write-protect lock? © 2013 Insyde Software 23
  • 24. Thanks! © 2013 Insyde Software 24
  • 25. For inquiries, please contact Ed Brohm at Insyde Software ed.brohm@insydesw.com Insyde, InsydeH2O and Ready for the Next are registered trademarks of Insyde Software. © 2013 Insyde Software