Thursday, December 22, 2011

Windows 8 Hardware Certification Requirements

Check out the document windows8-hardware-cert-requirements-system.pdf, which can be downloaded from http://msdn.microsoft.com/library/windows/hardware/hh748188. The platform builders often refer to these as 'logo requirements.'

The document includes details on UEFI network boot on IPv4 and IPv6 under System.Fundamentals.PXE.PXEBoot, along with more information on implementing UEFI secure boot under System.Fundamentals.Firmware.UEFISecureBoot and measured boot under System.Fundamentals.TrustedPlatformModule.TPMRequirements.

This material includes guidance that complements the UEFI 2.3.1a specification, IETF RFCs (such as RFC 5970 on IPv6 network boot), and other industry standards, describing how to build a UEFI platform for this class of operating system.

Tuesday, December 13, 2011

Random notes

After so many years, it is good to see so much activity around UEFI Secure Boot and the proposed usage of this capability in upcoming operating systems. The UEFI Forum www.uefi.org has been working on refining this capability since the publication of the UEFI 2.0 specification in 2006, culminating in its present form in the UEFI 2.3.1a specification published this year.

I introduced the concept of a UEFI-based Root of Trust for Verification / Enforcement (RTV/RTE) in the 2007 paper Platform Trust Beyond BIOS Using the Unified Extensible Firmware Interface http://dblp.uni-trier.de/rec/bibtex/conf/csreaSAM/Zimmer07. As I concluded in that paper:

This paper has shown that the future of extensible platform firmware beyond BIOS holds many perils and opportunities. The perils include the new ability to have extensible code loading in the pre-operating system regime, but the opportunities include the use of measured and secure boot to harden the platform and authorize code loading. And in a world of ever-more-secure operating systems, the pre-OS may become a more interesting target for the Blackhat's of the world. As such, these UEFI protections are even more important to implement.


The paper also describes how the UEFI RTV complements a Trusted Computing Group Trusted Platform Module (TPM) Root of Trust for Storage/Recording (RTS/RTR) and a UEFI based Root of Trust for Measurement (RTM) to work in tandem with the TPM. Finally, the paper describes using formal integrity models like Clark-Wilson to decompose a system and the use of UEFI Capsule updates to have a cryptographically-assured update of the underlying UEFI Platform Initialization (PI)-based UEFI features.
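An added sketch (not code from the paper or from any UEFI implementation) of the division of labour described above: the RTM measures each image into a PCR held by the TPM, while the RTV/RTE refuses images that are not authorized. It assumes SHA-256 and a digest allow-list `db` with a revocation list `dbx`; real secure boot also accepts signatures chaining to certificates in `db`, and the image bytes below are constructed.

```python
import hashlib

PCR_SIZE = 32  # SHA-256 digest length; an assumption of this sketch

def pcr_extend(pcr: bytes, image: bytes) -> bytes:
    """TPM extend: new PCR = H(old PCR || H(image)). Order-sensitive, one-way."""
    return hashlib.sha256(pcr + hashlib.sha256(image).digest()).digest()

def boot(chain, db=None, dbx=frozenset()):
    """Walk a boot chain. Every image that runs is measured (RTM -> RTS/RTR).
    If `db` is given, the RTV/RTE also refuses any image whose digest is
    missing from db or present in dbx.
    Returns (final_pcr_hex, names_executed, names_refused)."""
    pcr, executed, refused = bytes(PCR_SIZE), [], []
    for name, image in chain:
        digest = hashlib.sha256(image).hexdigest()
        if db is not None and (digest not in db or digest in dbx):
            refused.append(name)
            break  # enforcement: this sketch simply stops the chain here
        pcr = pcr_extend(pcr, image)  # measure before transferring control
        executed.append(name)
    return pcr.hex(), executed, refused

# Constructed sample images (stand-ins for PE/COFF binaries).
GOOD = [("option_rom", b"oprom v1"),
        ("boot_manager", b"bootmgr v1"),
        ("os_loader", b"loader v1")]
TAMPERED = [GOOD[0], ("boot_manager", b"bootmgr v1 (modified)"), GOOD[2]]
DB = frozenset(hashlib.sha256(img).hexdigest() for _, img in GOOD)

def demo():
    golden, _, _ = boot(GOOD)
    measured_pcr, measured_ran, _ = boot(TAMPERED)          # measured boot only
    _, secure_ran, secure_refused = boot(TAMPERED, db=DB)   # secure boot added
    return {
        "measured_detects": measured_pcr != golden,  # evidence for a verifier
        "measured_ran": measured_ran,                # but nothing was blocked
        "secure_ran": secure_ran,
        "secure_refused": secure_refused,
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Measured boot alone lets the modified boot manager run and leaves a PCR value that no longer matches the known-good one; with the allow-list in place the same image is refused before it executes.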

For more recent information on a UEFI RTM, check out the IBM/Intel paper http://download.intel.com/technology/efi/SF09_EFIS001_UEFI_PI_TCG_White_Paper.pdf.

In addition to that material from 2007 and 2009, article 5 of the November Intel Technology Journal describes the UEFI Secure and Measured Boot scenario in light of the UEFI 2.3.1a specification.

Other interesting discussions of the Measured and Secure boot interplay can be found in http://channel9.msdn.com/Events/BUILD/BUILD2011/HW-462T. Matt Garrett also notes "Secure boot is a valuable feature. It does neatly deal with the growing threat of pre-OS malware" http://mjg59.dreamwidth.org/6503.html.

Monday, November 7, 2011

UEFI Edition of the Intel Technology Journal

The latest edition of the Intel Technology Journal is "UEFI Today: Bootstrapping the Continuum." The articles contained therein include an overview of UEFI, Silicon enabling with PI, IHV / OEM usage, Fast boot, Security / Networking, Debug, and HP usage of UEFI. These articles were co-authored with the original equipment manufacturers, independent hardware vendors, operating system vendors and silicon/chipset suppliers in order to provide alternate views into the usages of UEFI across the industry.

A direct link to the document is also available at http://www.intel.com/content/www/us/en/research/intel-technology-journal/2011-volume-15-issue-01-intel-technology-journal.html.

Take a look.

Friday, April 15, 2011

UEFI 2.3.1 Specification

The UEFI 2.3.1 specification is now available at www.uefi.org.

Notable additions to this version of the specification include:

* Time-based authenticated variable and richer signing
* Key Management Services (KMS) protocol (loosely based on KMIP)
* Storage Security Command Protocol for hardware full-disk encryption (FDE) devices
* DUID-UUID usage in netboot6 to report platform identification
* Non-Blocking interfaces for Block I/O protocol
* Enhancements to the USB protocol for USB 3.0

Take a look.

Monday, April 11, 2011

IPv6 Phase-2 ready logo achieved

Check out https://www.ipv6ready.org/db/index.php/public/logo/02-C-000590/ to see that the IPv6 network stack at Tianocore.org has achieved the phase-2 testing logo.

As noted on the page:
"Open source preboot (firmware) network stack for UEFI EDKII UDK2010 UP3 P1 firmware. To be used with UEFI spec 2.3 or later netboot6"

The details on netboot6 can be found in the UEFI 2.3 Specification, Errata D, and future iterations of the specification, along with RFC 5970.