SlideShare a Scribd company logo

UEFI Spec Version 2.4 Facilitates Secure Update

Download as PPTX, PDF
insydesoftware
insydesoftware

Overview of how the UEFI 2.4 specification facilitates secure update. Presented by Insyde Software.

TechnologyBusiness
1 of 25
UEFI Spec Version 2.4 Facilitates Secure Update Insyde Software © 2013 Insyde Software 1
Agenda • UEFI 2.4 • Background FMP • New Capsule Defined • Delivery on Disk • Secure? • Open Questions © 2013 Insyde Software 2
UEFI 2.4 Spec is Public • Some of the New Content: 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. ARM 64-bit Bindings Custom Security Variable Variable Naming rules clarified Network driver changes including EFI_NO_MEDIA rules Async I/O Improvements Timestamp and Random Number protocols Time-based revocation Adapter Information Protocol and several AIP blocks defined Capsule Format containing FMP updates Deliver Capsule on Boot Disk Variable with Capsule processing status © 2013 Insyde Software 3
UEFI 2.4 Spec is Public • Some of the New Content: 1. 2. 3. 4. 5. 6. 7. 8. ARM 64-bit Bindings Custom Security Variable Variable Naming rules clarified Network driver changes including EFI_NO_MEDIA rules Async I/O Improvements Timestamp and Random Number protocols Time-based revocation Adapter Information Protocol and several AIP blocks defined 9. 10. 11. Capsule Format containing FMP updates Deliver Capsule on Boot Disk Variable with Capsule processing status © 2013 Insyde Software 4
Firmware Management Protocol © 2013 Insyde Software 5
Background - FMP • Added with UEFI version 2.3 update • Designed to • allow individual firmware components to expose data on current running image(s) • accept update images © 2013 Insyde Software 6
FMP in the Industry • Mostly used in Enterprise segment • Popular for high-performance expansion cards with multi-element firmware onboard • But FMP is run in Boot Services – how to get the downloaded update to the FMP instance? © 2013 Insyde Software 7
Factors inhibiting FMP • Using EFI shell delivery is not secure and awkward for system admin • For security, designers want to lock firmware store before Shell or OS boot • Secure Boot rules block many of todays update delivery tools © 2013 Insyde Software 8
UEFI 2.4 Update Has New Capsule Targeting FMP © 2013 Insyde Software 9
New Capsule for delivering FMP Updates • UEFI Defines a Capsule header for UpdateCapsule() function • UEFI 2.4 adds a complete description of internals of a Capsule targeting FMP • System firmware unpacks the capsule and delivers updates to FMP instances early in pre-boot © 2013 Insyde Software 10
Capsule Format • EFI_FIRMWARE_MANAGEMENT_CAPSULE_ID_ GUID is the ID • In some cases complete FMP function cannot fit inside production firmware store, • Therefore new capsule format allows 0-n driver(s) and 0-n image(s) • Minimum is 1 driver or 1 image © 2013 Insyde Software 11
Example with 2 drivers, multiple update payloads © 2013 Insyde Software 12
© 2013 Insyde Software 13
UEFI 2.4 Update Adds New Capsule Delivery Solutions © 2013 Insyde Software 14
Problem Statement • UpdateCapsule() is run-time but: • FMP is not runtime so capsule needs to be conveyed to the system firmware after a restart • Persist in memory is possible but has disadvantages including: • Need to reserve block of memory of unknown size © 2013 Insyde Software 15
UEFI 2.4 defines Capsule Delivery Via Disk • OS tool Copies Capsule Image to EFICapsuleUpdate directory on Boot Drive • Then Sets OS_Indications bit • EFI_OS_INDICATIONS_FILE_CAPSULE_DELIVERY_SUPPORTED • After Restart F/W finds Capsule and processes © 2013 Insyde Software 16
UEFI 2.4 Defines Result Var • After Capsule Processed, the result including any error status is left in created UEFI Variable • Examined by the update launcher after OS restarts © 2013 Insyde Software 17
How Secure is This new Method? © 2013 Insyde Software 18
Driver Security • Update driver launched from the capsule must be signed by CA trusted by the platform • Same Security Level as the UEFI Option ROM (the thing that is being updated) • The Updated Option ROM image is also checked at restart © 2013 Insyde Software 19
Image Payload Security • All FMP implementations should use IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED • FMP code doing check is signed, and download driver breaks any existing ROM size barrier and allows IHV to use crypto for strong image check © 2013 Insyde Software 20
Discussion Questions © 2013 Insyde Software 21
Non-FMP use • I don’t use FMP for my card. Can I use this new Capsule for proprietary update? • Technically yes, a capsule could contain 1 or more drivers but no payloads. • But, the update image would need to be embedded inside the driver image and the combination sent to CA for signing… © 2013 Insyde Software 22
Boot Drive Write-protected • What about a system with a write-protected EFI System Partition? • Provide utility to use UpdateCapsule directly, but possible the device firmware store was locked before UpdateCapsule() caller can load? • What is the right event trigger for device firmware write-protect lock? © 2013 Insyde Software 23
Thanks! © 2013 Insyde Software 24
For inquiries, please contact Ed Brohm at Insyde Software ed.brohm@insydesw.com Insyde, InsydeH2O and Ready for the Next are registered trademarks of Insyde Software. © 2013 Insyde Software

Recommended

Implementing a UEFI BIOS into an Embedded System
Implementing a UEFI BIOS into an Embedded SystemImplementing a UEFI BIOS into an Embedded System
Implementing a UEFI BIOS into an Embedded Systeminsydesoftware
 
Uefi and bios
Uefi and biosUefi and bios
Uefi and biosShubham Pendharkar
 
How to install Windows 7
How to install Windows 7 How to install Windows 7
How to install Windows 7 zhairine143
 
Unified Extensible Firmware Interface (UEFI)
Unified Extensible Firmware Interface (UEFI)Unified Extensible Firmware Interface (UEFI)
Unified Extensible Firmware Interface (UEFI)k33a
 
Fast Boot Times with InsydeH2O
Fast Boot Times with InsydeH2OFast Boot Times with InsydeH2O
Fast Boot Times with InsydeH2Oinsydesoftware
 
How to install windows 7
How to install windows 7How to install windows 7
How to install windows 7elboob2025
 
Yocto - Embedded Linux Distribution Maker
Yocto - Embedded Linux Distribution MakerYocto - Embedded Linux Distribution Maker
Yocto - Embedded Linux Distribution MakerSherif Mousa
 
LCU13: An Introduction to ARM Trusted Firmware
LCU13: An Introduction to ARM Trusted FirmwareLCU13: An Introduction to ARM Trusted Firmware
LCU13: An Introduction to ARM Trusted FirmwareLinaro
 

Recommended

Implementing a UEFI BIOS into an Embedded System
Implementing a UEFI BIOS into an Embedded SystemImplementing a UEFI BIOS into an Embedded System
Implementing a UEFI BIOS into an Embedded Systeminsydesoftware
 
Uefi and bios
Uefi and biosUefi and bios
Uefi and biosShubham Pendharkar
 
How to install Windows 7
How to install Windows 7 How to install Windows 7
How to install Windows 7 zhairine143
 
Unified Extensible Firmware Interface (UEFI)
Unified Extensible Firmware Interface (UEFI)Unified Extensible Firmware Interface (UEFI)
Unified Extensible Firmware Interface (UEFI)k33a
 
Fast Boot Times with InsydeH2O
Fast Boot Times with InsydeH2OFast Boot Times with InsydeH2O
Fast Boot Times with InsydeH2Oinsydesoftware
 
How to install windows 7
How to install windows 7How to install windows 7
How to install windows 7elboob2025
 
Yocto - Embedded Linux Distribution Maker
Yocto - Embedded Linux Distribution MakerYocto - Embedded Linux Distribution Maker
Yocto - Embedded Linux Distribution MakerSherif Mousa
 
LCU13: An Introduction to ARM Trusted Firmware
LCU13: An Introduction to ARM Trusted FirmwareLCU13: An Introduction to ARM Trusted Firmware
LCU13: An Introduction to ARM Trusted FirmwareLinaro
 
Pc Assembling
Pc AssemblingPc Assembling
Pc AssemblingDr.Ramasubramanian Perumal
 
UEFI presentation
UEFI presentationUEFI presentation
UEFI presentationBruno Cornec
 
Yocto Project introduction
Yocto Project introductionYocto Project introduction
Yocto Project introductionYi-Hsiu Hsu
 
RISC-V Boot Process: One Step at a Time
RISC-V Boot Process: One Step at a TimeRISC-V Boot Process: One Step at a Time
RISC-V Boot Process: One Step at a TimeAtish Patra
 
Bootloaders (U-Boot)
Bootloaders (U-Boot) Bootloaders (U-Boot)
Bootloaders (U-Boot) Omkar Rane
 
Linux device drivers
Linux device drivers Linux device drivers
Linux device drivers Emertxe Information Technologies Pvt Ltd
 
BIOS/UEFI
BIOS/UEFIBIOS/UEFI
BIOS/UEFIMLG College of Learning, Inc
 
Expansion slots
Expansion slotsExpansion slots
Expansion slotsAmmar Tauqir
 
Embedded Linux on ARM
Embedded Linux on ARMEmbedded Linux on ARM
Embedded Linux on ARMEmertxe Information Technologies Pvt Ltd
 
Basic Linux Internals
Basic Linux InternalsBasic Linux Internals
Basic Linux Internalsmukul bhardwaj
 
Linux Introduction (Commands)
Linux Introduction (Commands)Linux Introduction (Commands)
Linux Introduction (Commands)anandvaidya
 
Linux Kernel Module - For NLKB
Linux Kernel Module - For NLKBLinux Kernel Module - For NLKB
Linux Kernel Module - For NLKBshimosawa
 
Grub2 Booting Process
Grub2 Booting ProcessGrub2 Booting Process
Grub2 Booting ProcessMike Wang
 
Bios
BiosBios
BiosEvans Lampi
 
Embedded Systems Overview
Embedded Systems OverviewEmbedded Systems Overview
Embedded Systems OverviewSameer Rapate
 
HKG15-311: OP-TEE for Beginners and Porting Review
HKG15-311: OP-TEE for Beginners and Porting ReviewHKG15-311: OP-TEE for Beginners and Porting Review
HKG15-311: OP-TEE for Beginners and Porting ReviewLinaro
 
Windows 7 installation
Windows 7 installationWindows 7 installation
Windows 7 installationrafaelcuadero
 
Bios vs uefi
Bios vs uefiBios vs uefi
Bios vs uefiFaizan Mushtaq
 
Device Drivers
Device DriversDevice Drivers
Device DriversKushal Modi
 
Bash shell
Bash shellBash shell
Bash shellxylas121
 
Grub
GrubGrub
GrubAmir Hadad
 
Description of GRUB 2
Description of GRUB 2Description of GRUB 2
Description of GRUB 2iamumr
 

More Related Content

What's hot

Yocto Project introduction
Yocto Project introductionYocto Project introduction
Yocto Project introductionYi-Hsiu Hsu
 
RISC-V Boot Process: One Step at a Time
RISC-V Boot Process: One Step at a TimeRISC-V Boot Process: One Step at a Time
RISC-V Boot Process: One Step at a TimeAtish Patra
 
Bootloaders (U-Boot)
Bootloaders (U-Boot) Bootloaders (U-Boot)
Bootloaders (U-Boot) Omkar Rane
 
Linux Introduction (Commands)
Linux Introduction (Commands)Linux Introduction (Commands)
Linux Introduction (Commands)anandvaidya
 
Linux Kernel Module - For NLKB
Linux Kernel Module - For NLKBLinux Kernel Module - For NLKB
Linux Kernel Module - For NLKBshimosawa
 
Grub2 Booting Process
Grub2 Booting ProcessGrub2 Booting Process
Grub2 Booting ProcessMike Wang
 
Embedded Systems Overview
Embedded Systems OverviewEmbedded Systems Overview
Embedded Systems OverviewSameer Rapate
 
HKG15-311: OP-TEE for Beginners and Porting Review
HKG15-311: OP-TEE for Beginners and Porting ReviewHKG15-311: OP-TEE for Beginners and Porting Review
HKG15-311: OP-TEE for Beginners and Porting ReviewLinaro
 
Windows 7 installation
Windows 7 installationWindows 7 installation
Windows 7 installationrafaelcuadero
 
Bash shell
Bash shellBash shell
Bash shellxylas121
 

What's hot (20)

Pc Assembling
Pc AssemblingPc Assembling
Pc Assembling
 
UEFI presentation
UEFI presentationUEFI presentation
UEFI presentation
 
Yocto Project introduction
Yocto Project introductionYocto Project introduction
Yocto Project introduction
 
RISC-V Boot Process: One Step at a Time
RISC-V Boot Process: One Step at a TimeRISC-V Boot Process: One Step at a Time
RISC-V Boot Process: One Step at a Time
 
Bootloaders (U-Boot)
Bootloaders (U-Boot) Bootloaders (U-Boot)
Bootloaders (U-Boot)
 
Linux device drivers
Linux device drivers Linux device drivers
Linux device drivers
 
BIOS/UEFI
BIOS/UEFIBIOS/UEFI
BIOS/UEFI
 
Expansion slots
Expansion slotsExpansion slots
Expansion slots
 
Embedded Linux on ARM
Embedded Linux on ARMEmbedded Linux on ARM
Embedded Linux on ARM
 
Basic Linux Internals
Basic Linux InternalsBasic Linux Internals
Basic Linux Internals
 
Linux Introduction (Commands)
Linux Introduction (Commands)Linux Introduction (Commands)
Linux Introduction (Commands)
 
Linux Kernel Module - For NLKB
Linux Kernel Module - For NLKBLinux Kernel Module - For NLKB
Linux Kernel Module - For NLKB
 
Grub2 Booting Process
Grub2 Booting ProcessGrub2 Booting Process
Grub2 Booting Process
 
Bios
BiosBios
Bios
 
Embedded Systems Overview
Embedded Systems OverviewEmbedded Systems Overview
Embedded Systems Overview
 
HKG15-311: OP-TEE for Beginners and Porting Review
HKG15-311: OP-TEE for Beginners and Porting ReviewHKG15-311: OP-TEE for Beginners and Porting Review
HKG15-311: OP-TEE for Beginners and Porting Review
 
Windows 7 installation
Windows 7 installationWindows 7 installation
Windows 7 installation
 
Bios vs uefi
Bios vs uefiBios vs uefi
Bios vs uefi
 
Device Drivers
Device DriversDevice Drivers
Device Drivers
 
Bash shell
Bash shellBash shell
Bash shell
 

Viewers also liked

Description of GRUB 2
Description of GRUB 2Description of GRUB 2
Description of GRUB 2iamumr
 
Real time Operating System
Real time Operating SystemReal time Operating System
Real time Operating SystemTech_MX
 
Real Time OS For Embedded Systems
Real Time OS For Embedded SystemsReal Time OS For Embedded Systems
Real Time OS For Embedded SystemsHimanshu Ghetia
 

Viewers also liked (6)

Grub
GrubGrub
Grub
 
Description of GRUB 2
Description of GRUB 2Description of GRUB 2
Description of GRUB 2
 
Bios uefi y legacy
Bios uefi y legacyBios uefi y legacy
Bios uefi y legacy
 
Real time Operating System
Real time Operating SystemReal time Operating System
Real time Operating System
 
Real Time OS For Embedded Systems
Real Time OS For Embedded SystemsReal Time OS For Embedded Systems
Real Time OS For Embedded Systems
 
Boot process: BIOS vs UEFI
Boot process: BIOS vs UEFIBoot process: BIOS vs UEFI
Boot process: BIOS vs UEFI
 

Similar to UEFI Spec Version 2.4 Facilitates Secure Update

Android OTA updates
Android OTA updatesAndroid OTA updates
Android OTA updatesGary Bisson
 
Distro Recipes 2013: Secure Boot and Linux: several issues, one solution
Distro Recipes 2013: Secure Boot and Linux: several issues, one solutionDistro Recipes 2013: Secure Boot and Linux: several issues, one solution
Distro Recipes 2013: Secure Boot and Linux: several issues, one solutionAnne Nicolas
 
Windows 7 professional Vs Windows 7 enterprise
Windows 7 professional Vs Windows 7 enterpriseWindows 7 professional Vs Windows 7 enterprise
Windows 7 professional Vs Windows 7 enterprise247infotech
 
eFolder Expert Series Webinar - BDR Do's and Dont's: Featuring Andrew Bensing...
eFolder Expert Series Webinar - BDR Do's and Dont's: Featuring Andrew Bensing...eFolder Expert Series Webinar - BDR Do's and Dont's: Featuring Andrew Bensing...
eFolder Expert Series Webinar - BDR Do's and Dont's: Featuring Andrew Bensing...eFolder
 
Open mic on sametime 9 installs best practices, tips and tricks
Open mic on sametime 9 installs best practices, tips and tricksOpen mic on sametime 9 installs best practices, tips and tricks
Open mic on sametime 9 installs best practices, tips and tricksa8us
 
Open Mic on Sametime9 Install -Best Practices
Open Mic on Sametime9 Install -Best PracticesOpen Mic on Sametime9 Install -Best Practices
Open Mic on Sametime9 Install -Best PracticesVinayak Tavargeri
 
XPDS14 - Xen in EFI World - Daniel Kiper, Oracle
XPDS14 - Xen in EFI World - Daniel Kiper, OracleXPDS14 - Xen in EFI World - Daniel Kiper, Oracle
XPDS14 - Xen in EFI World - Daniel Kiper, OracleThe Linux Foundation
 
eFolder Expert Series Webinar — How to Back Up and Replicate Off-Site Using e...
eFolder Expert Series Webinar — How to Back Up and Replicate Off-Site Using e...eFolder Expert Series Webinar — How to Back Up and Replicate Off-Site Using e...
eFolder Expert Series Webinar — How to Back Up and Replicate Off-Site Using e...eFolder
 
XPDDS17: EFI Secure Boot, Shim and Xen: Current Status and Developments - Da...
XPDDS17: EFI Secure Boot, Shim and Xen: Current Status and Developments - Da...XPDDS17: EFI Secure Boot, Shim and Xen: Current Status and Developments - Da...
XPDDS17: EFI Secure Boot, Shim and Xen: Current Status and Developments - Da...The Linux Foundation
 
Finer Things Club - Lesser known zOSMF SW Mgmt Functions.pdf
Finer Things Club - Lesser known zOSMF SW Mgmt Functions.pdfFiner Things Club - Lesser known zOSMF SW Mgmt Functions.pdf
Finer Things Club - Lesser known zOSMF SW Mgmt Functions.pdfMarna Walle
 
Taishaun_OwnensCNS-533_Lab
Taishaun_OwnensCNS-533_LabTaishaun_OwnensCNS-533_Lab
Taishaun_OwnensCNS-533_LabTaishaun Owens
 
Using SCUP (System Center Updates Publisher) to Security Patch 3rd Party Apps...
Using SCUP (System Center Updates Publisher) to Security Patch 3rd Party Apps...Using SCUP (System Center Updates Publisher) to Security Patch 3rd Party Apps...
Using SCUP (System Center Updates Publisher) to Security Patch 3rd Party Apps...Lumension
 
Perfect Foundation for 2013 Security Blueprint
Perfect Foundation for 2013 Security BlueprintPerfect Foundation for 2013 Security Blueprint
Perfect Foundation for 2013 Security BlueprintGroup of company MUK
 
Todo lo lo que necesita saber para implementar FreePBX
Todo lo lo que necesita saber para implementar FreePBXTodo lo lo que necesita saber para implementar FreePBX
Todo lo lo que necesita saber para implementar FreePBXPaloSanto Solutions
 
BKK16-309A Open Platform support in UEFI
BKK16-309A Open Platform support in UEFIBKK16-309A Open Platform support in UEFI
BKK16-309A Open Platform support in UEFILinaro
 

Similar to UEFI Spec Version 2.4 Facilitates Secure Update (20)

Android OTA updates
Android OTA updatesAndroid OTA updates
Android OTA updates
 
Distro Recipes 2013: Secure Boot and Linux: several issues, one solution
Distro Recipes 2013: Secure Boot and Linux: several issues, one solutionDistro Recipes 2013: Secure Boot and Linux: several issues, one solution
Distro Recipes 2013: Secure Boot and Linux: several issues, one solution
 
Windows 7 professional Vs Windows 7 enterprise
Windows 7 professional Vs Windows 7 enterpriseWindows 7 professional Vs Windows 7 enterprise
Windows 7 professional Vs Windows 7 enterprise
 
eFolder Expert Series Webinar - BDR Do's and Dont's: Featuring Andrew Bensing...
eFolder Expert Series Webinar - BDR Do's and Dont's: Featuring Andrew Bensing...eFolder Expert Series Webinar - BDR Do's and Dont's: Featuring Andrew Bensing...
eFolder Expert Series Webinar - BDR Do's and Dont's: Featuring Andrew Bensing...
 
Open mic on sametime 9 installs best practices, tips and tricks
Open mic on sametime 9 installs best practices, tips and tricksOpen mic on sametime 9 installs best practices, tips and tricks
Open mic on sametime 9 installs best practices, tips and tricks
 
Open Mic on Sametime9 Install -Best Practices
Open Mic on Sametime9 Install -Best PracticesOpen Mic on Sametime9 Install -Best Practices
Open Mic on Sametime9 Install -Best Practices
 
XPDS14 - Xen in EFI World - Daniel Kiper, Oracle
XPDS14 - Xen in EFI World - Daniel Kiper, OracleXPDS14 - Xen in EFI World - Daniel Kiper, Oracle
XPDS14 - Xen in EFI World - Daniel Kiper, Oracle
 
Smooth as Silk Exadata Patching
Smooth as Silk Exadata PatchingSmooth as Silk Exadata Patching
Smooth as Silk Exadata Patching
 
eFolder Expert Series Webinar — How to Back Up and Replicate Off-Site Using e...
eFolder Expert Series Webinar — How to Back Up and Replicate Off-Site Using e...eFolder Expert Series Webinar — How to Back Up and Replicate Off-Site Using e...
eFolder Expert Series Webinar — How to Back Up and Replicate Off-Site Using e...
 
Cipc
CipcCipc
Cipc
 
XPDDS17: EFI Secure Boot, Shim and Xen: Current Status and Developments - Da...
XPDDS17: EFI Secure Boot, Shim and Xen: Current Status and Developments - Da...XPDDS17: EFI Secure Boot, Shim and Xen: Current Status and Developments - Da...
XPDDS17: EFI Secure Boot, Shim and Xen: Current Status and Developments - Da...
 
Finer Things Club - Lesser known zOSMF SW Mgmt Functions.pdf
Finer Things Club - Lesser known zOSMF SW Mgmt Functions.pdfFiner Things Club - Lesser known zOSMF SW Mgmt Functions.pdf
Finer Things Club - Lesser known zOSMF SW Mgmt Functions.pdf
 
Taishaun_OwnensCNS-533_Lab
Taishaun_OwnensCNS-533_LabTaishaun_OwnensCNS-533_Lab
Taishaun_OwnensCNS-533_Lab
 
Using SCUP (System Center Updates Publisher) to Security Patch 3rd Party Apps...
Using SCUP (System Center Updates Publisher) to Security Patch 3rd Party Apps...Using SCUP (System Center Updates Publisher) to Security Patch 3rd Party Apps...
Using SCUP (System Center Updates Publisher) to Security Patch 3rd Party Apps...
 
Perfect Foundation for 2013 Security Blueprint
Perfect Foundation for 2013 Security BlueprintPerfect Foundation for 2013 Security Blueprint
Perfect Foundation for 2013 Security Blueprint
 
Todo lo lo que necesita saber para implementar FreePBX
Todo lo lo que necesita saber para implementar FreePBXTodo lo lo que necesita saber para implementar FreePBX
Todo lo lo que necesita saber para implementar FreePBX
 
S4 sig-check-lpc-20130918
S4 sig-check-lpc-20130918S4 sig-check-lpc-20130918
S4 sig-check-lpc-20130918
 
Best ofmms kb_final
Best ofmms kb_finalBest ofmms kb_final
Best ofmms kb_final
 
Best ofmms kb_final
Best ofmms kb_finalBest ofmms kb_final
Best ofmms kb_final
 
BKK16-309A Open Platform support in UEFI
BKK16-309A Open Platform support in UEFIBKK16-309A Open Platform support in UEFI
BKK16-309A Open Platform support in UEFI
 

Recently uploaded

Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 

Recently uploaded (20)

Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 

UEFI Spec Version 2.4 Facilitates Secure Update

  • 1. UEFI Spec Version 2.4 Facilitates Secure Update Insyde Software © 2013 Insyde Software 1
  • 2. Agenda • UEFI 2.4 • Background FMP • New Capsule Defined • Delivery on Disk • Secure? • Open Questions © 2013 Insyde Software 2
  • 3. UEFI 2.4 Spec is Public • Some of the New Content: 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. ARM 64-bit Bindings Custom Security Variable Variable Naming rules clarified Network driver changes including EFI_NO_MEDIA rules Async I/O Improvements Timestamp and Random Number protocols Time-based revocation Adapter Information Protocol and several AIP blocks defined Capsule Format containing FMP updates Deliver Capsule on Boot Disk Variable with Capsule processing status © 2013 Insyde Software 3
  • 4. UEFI 2.4 Spec is Public • Some of the New Content: 1. 2. 3. 4. 5. 6. 7. 8. ARM 64-bit Bindings Custom Security Variable Variable Naming rules clarified Network driver changes including EFI_NO_MEDIA rules Async I/O Improvements Timestamp and Random Number protocols Time-based revocation Adapter Information Protocol and several AIP blocks defined 9. 10. 11. Capsule Format containing FMP updates Deliver Capsule on Boot Disk Variable with Capsule processing status © 2013 Insyde Software 4
  • 6. Background - FMP • Added with UEFI version 2.3 update • Designed to • allow individual firmware components to expose data on current running image(s) • accept update images © 2013 Insyde Software 6
  • 7. FMP in the Industry • Mostly used in Enterprise segment • Popular for high-performance expansion cards with multi-element firmware onboard • But FMP is run in Boot Services – how to get the downloaded update to the FMP instance? © 2013 Insyde Software 7
  • 8. Factors inhibiting FMP • Using EFI shell delivery is not secure and awkward for system admin • For security, designers want to lock firmware store before Shell or OS boot • Secure Boot rules block many of todays update delivery tools © 2013 Insyde Software 8
  • 9. UEFI 2.4 Update Has New Capsule Targeting FMP © 2013 Insyde Software 9
  • 10. New Capsule for delivering FMP Updates • UEFI Defines a Capsule header for UpdateCapsule() function • UEFI 2.4 adds a complete description of internals of a Capsule targeting FMP • System firmware unpacks the capsule and delivers updates to FMP instances early in pre-boot © 2013 Insyde Software 10
  • 11. Capsule Format • EFI_FIRMWARE_MANAGEMENT_CAPSULE_ID_ GUID is the ID • In some cases complete FMP function cannot fit inside production firmware store, • Therefore new capsule format allows 0-n driver(s) and 0-n image(s) • Minimum is 1 driver or 1 image © 2013 Insyde Software 11
  • 12. Example with 2 drivers, multiple update payloads © 2013 Insyde Software 12
  • 13. © 2013 Insyde Software 13
  • 14. UEFI 2.4 Update Adds New Capsule Delivery Solutions © 2013 Insyde Software 14
  • 15. Problem Statement • UpdateCapsule() is run-time but: • FMP is not runtime so capsule needs to be conveyed to the system firmware after a restart • Persist in memory is possible but has disadvantages including: • Need to reserve block of memory of unknown size © 2013 Insyde Software 15
  • 16. UEFI 2.4 defines Capsule Delivery Via Disk • OS tool Copies Capsule Image to EFICapsuleUpdate directory on Boot Drive • Then Sets OS_Indications bit • EFI_OS_INDICATIONS_FILE_CAPSULE_DELIVERY_SUPPORTED • After Restart F/W finds Capsule and processes © 2013 Insyde Software 16
  • 17. UEFI 2.4 Defines Result Var • After Capsule Processed, the result including any error status is left in created UEFI Variable • Examined by the update launcher after OS restarts © 2013 Insyde Software 17
  • 18. How Secure is This new Method? © 2013 Insyde Software 18
  • 19. Driver Security • Update driver launched from the capsule must be signed by CA trusted by the platform • Same Security Level as the UEFI Option ROM (the thing that is being updated) • The Updated Option ROM image is also checked at restart © 2013 Insyde Software 19
  • 20. Image Payload Security • All FMP implementations should use IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED • FMP code doing check is signed, and download driver breaks any existing ROM size barrier and allows IHV to use crypto for strong image check © 2013 Insyde Software 20
  • 21. Discussion Questions © 2013 Insyde Software 21
  • 22. Non-FMP use • I don’t use FMP for my card. Can I use this new Capsule for proprietary update? • Technically yes, a capsule could contain 1 or more drivers but no payloads. • But, the update image would need to be embedded inside the driver image and the combination sent to CA for signing… © 2013 Insyde Software 22
  • 23. Boot Drive Write-protected • What about a system with a write-protected EFI System Partition? • Provide utility to use UpdateCapsule directly, but possible the device firmware store was locked before UpdateCapsule() caller can load? • What is the right event trigger for device firmware write-protect lock? © 2013 Insyde Software 23
  • 24. Thanks! © 2013 Insyde Software 24
  • 25. For inquiries, please contact Ed Brohm at Insyde Software ed.brohm@insydesw.com Insyde, InsydeH2O and Ready for the Next are registered trademarks of Insyde Software. © 2013 Insyde Software