SlideShare a Scribd company logo

LAS16-200: Firmware Summit - UEFI secure boot

Linaro, profile picture
Linaro

The document discusses the current status of UEFI Secure Boot on AArch64, indicating that progress remains largely unchanged from the previous year. It highlights the lack of a tamper-proof, replay-protected non-volatile variable store implementation, which is a requirement of the UEFI Secure Boot specification. Additionally, it notes challenges related to specification support and suggests a potential stopgap solution involving external manipulation of certain variables to make them immutable.

Technology
1 of 3
Downloaded 13 times
1
2
3
UEFI Secure Boot Ard Biesheuvel <ard.biesheuvel@linaro.org>
ENGINEERS AND DEVICES WORKING TOGETHER UEFI Secure Boot - current status on AArch64 ● Essentially the same as a year ago ○ Software layers above the non-volatile variable store are working and regression tested through CI (both AArch64 and ARM) ○ No implementation exists to make the non-volatile variable store tamper proof and replay protected, as the UEFI Secure Boot spec requires ● What is holding us back? ○ Spec based reference implementation of the tamper proof varstore requires (S)MM support, which is not even in the spec yet for AArch64. ○ Non-spec based ref implementation is likely too platform specific, which complicates sharing between members and/or open sourcing ● Is there a plan B? ○ External manipulation of PK/KEK/db/dbx variables, while making them immutable from the OS/firmware pov. Stop gap solution, but effective
Thank You #LAS16 For further information: www.linaro.org LAS16 keynotes and videos on: connect.linaro.org

More Related Content

PDF
UEFI presentation
Bruno Cornec
 
PPTX
Fast Boot Times with InsydeH2O
insydesoftware
 
PDF
LCA14: LCA14-105: UEFI secure boot
Linaro
 
PPTX
Unified Extensible Firmware Interface (UEFI)
k33a
 
ODP
BIOS, Linux and Firmware Test Suite in-between
Alex Hung
 
PPTX
UEFI Spec Version 2.4 Facilitates Secure Update
insydesoftware
 
PPTX
Uefi and bios
Shubham Pendharkar
 
PPTX
Implementing a UEFI BIOS into an Embedded System
insydesoftware
 
UEFI presentation
Bruno Cornec
 
Fast Boot Times with InsydeH2O
insydesoftware
 
LCA14: LCA14-105: UEFI secure boot
Linaro
 
Unified Extensible Firmware Interface (UEFI)
k33a
 
BIOS, Linux and Firmware Test Suite in-between
Alex Hung
 
UEFI Spec Version 2.4 Facilitates Secure Update
insydesoftware
 
Uefi and bios
Shubham Pendharkar
 
Implementing a UEFI BIOS into an Embedded System
insydesoftware
 

What's hot (20)

DOCX
Review paper on bios vs uefi
Faizan Mushtaq
 
PPTX
Bios vs uefi
Faizan Mushtaq
 
PDF
XPDDS17: EFI Secure Boot, Shim and Xen: Current Status and Developments - Da...
The Linux Foundation
 
PDF
Distro Recipes 2013: Secure Boot and Linux: several issues, one solution
Anne Nicolas
 
PPTX
Cisco ios overview
NetProtocol Xpert
 
PPTX
Cisco ios
Teja Babu
 
PDF
LCU14 500 ARM Trusted Firmware
Linaro
 
PDF
LAS16-111: Easing Access to ARM TrustZone – OP-TEE and Raspberry Pi 3
Linaro
 
PDF
Trusted firmware deep_dive_v1.0_
Linaro
 
PDF
SFO15-TR9: PSCI, ACPI (and UEFI to boot)
Linaro
 
PDF
LCU13: An Introduction to ARM Trusted Firmware
Linaro
 
PPT
Slimline Open Firmware
Heiko Joerg Schick
 
ODP
Introduction to Optee (26 may 2016)
Yannick Gicquel
 
PDF
Lcu14 107- op-tee on ar mv8
Linaro
 
PDF
Useful USB Gadgets on Linux
Gary Bisson
 
PDF
Q2.12: Power Management Across OSs
Linaro
 
PPTX
Sdk For Firmware Development
Ramesh Prasad
 
PDF
HKG18-212 - Trusted Firmware M: Introduction
Linaro
 
PDF
LCA14: LCA14-502: The way to a generic TrustZone® solution
Linaro
 
PDF
Lcu14 306 - OP-TEE Future Enhancements
Linaro
 
Review paper on bios vs uefi
Faizan Mushtaq
 
Bios vs uefi
Faizan Mushtaq
 
XPDDS17: EFI Secure Boot, Shim and Xen: Current Status and Developments - Da...
The Linux Foundation
 
Distro Recipes 2013: Secure Boot and Linux: several issues, one solution
Anne Nicolas
 
Cisco ios overview
NetProtocol Xpert
 
Cisco ios
Teja Babu
 
LCU14 500 ARM Trusted Firmware
Linaro
 
LAS16-111: Easing Access to ARM TrustZone – OP-TEE and Raspberry Pi 3
Linaro
 
Trusted firmware deep_dive_v1.0_
Linaro
 
SFO15-TR9: PSCI, ACPI (and UEFI to boot)
Linaro
 
LCU13: An Introduction to ARM Trusted Firmware
Linaro
 
Slimline Open Firmware
Heiko Joerg Schick
 
Introduction to Optee (26 may 2016)
Yannick Gicquel
 
Lcu14 107- op-tee on ar mv8
Linaro
 
Useful USB Gadgets on Linux
Gary Bisson
 
Q2.12: Power Management Across OSs
Linaro
 
Sdk For Firmware Development
Ramesh Prasad
 
HKG18-212 - Trusted Firmware M: Introduction
Linaro
 
LCA14: LCA14-502: The way to a generic TrustZone® solution
Linaro
 
Lcu14 306 - OP-TEE Future Enhancements
Linaro
 
Ad

Viewers also liked (11)

PDF
Boot process: BIOS vs UEFI
Alea Soluciones, S.L.
 
PPT
Integrated version control with Fossil SCM
Ashberk
 
PPTX
Making NFV-Based Business Services Secure
ADVA
 
PPTX
Overview&Framework 1-Manage Software and Firmware Files
Ad Ghauri
 
PPT
[DEFCON 16] Bypassing pre-boot authentication passwords by instrumenting the...
Moabi.com
 
PPTX
Bios y UEFI
Carlos Torres
 
PPTX
BIOS, UEFI y Legacy
David Hernandez Cruz
 
PDF
01. BIOS introduction
certain310
 
PDF
Introduction to Firmware
Caroline Murphy
 
PDF
Play with UEFI
Takuya ASADA
 
PDF
UEFI時代のブートローダ
Takuya ASADA
 
Boot process: BIOS vs UEFI
Alea Soluciones, S.L.
 
Integrated version control with Fossil SCM
Ashberk
 
Making NFV-Based Business Services Secure
ADVA
 
Overview&Framework 1-Manage Software and Firmware Files
Ad Ghauri
 
[DEFCON 16] Bypassing pre-boot authentication passwords by instrumenting the...
Moabi.com
 
Bios y UEFI
Carlos Torres
 
BIOS, UEFI y Legacy
David Hernandez Cruz
 
01. BIOS introduction
certain310
 
Introduction to Firmware
Caroline Murphy
 
Play with UEFI
Takuya ASADA
 
UEFI時代のブートローダ
Takuya ASADA
 
Ad

Similar to LAS16-200: Firmware Summit - UEFI secure boot (20)

PDF
LAS16-402: ARM Trusted Firmware – from Enterprise to Embedded
Linaro
 
PDF
LAS16-200: Firmware summit - Tianocore Progress and Status
Linaro
 
PDF
Secure Boot on ARM systems – Building a complete Chain of Trust upon existing...
Linaro
 
PDF
Resilient IoT Security: The end of flat security models
Milosch Meriac
 
PDF
LCA14: George Grey Keynote - LCA14
Linaro
 
PDF
LAS16 100 K1 - Keynote George Grey
96Boards
 
PDF
LAS16-100K1: Welcome Keynote
Linaro
 
PDF
DEF CON 27 - MICHAEL LEIBOWITZ and TOPHER TIMZEN - edr is coming hide yo sht
Felipe Prado
 
PDF
Open Source Firmware - FrOSCon 2019
Daniel Maslowski
 
PDF
LCA13: ARMv8 Status and Updates
Linaro
 
PDF
44CON London 2015 - Is there an EFI monster inside your apple?
44CON
 
PDF
Reliability, Availability, and Serviceability (RAS) on ARM64 status - SFO17-203
Linaro
 
PDF
HKG18-116 - RAS Solutions for Arm64 Servers
Linaro
 
PDF
Implementing a Security strategy in IoT, Practical example Automotive Grade L...
LibreCon
 
PDF
Qubes hardware certification
Piotr Król
 
PDF
Simple AEAD Hardware Interface SAEHI in a SoC: Implementing an On-Chip Keyak/...
mjos
 
PDF
Over-the-Air: How we Remotely Compromised the Gateway, BCM, and Autopilot ECU...
Priyanka Aash
 
PDF
Roberto Clapis/Stefano Zanero - Night of the living vulnerabilities: forever-...
Codemotion
 
PPTX
Security for io t apr 29th mentor embedded hangout
mentoresd
 
PDF
BKK16-309A Open Platform support in UEFI
Linaro
 
LAS16-402: ARM Trusted Firmware – from Enterprise to Embedded
Linaro
 
LAS16-200: Firmware summit - Tianocore Progress and Status
Linaro
 
Secure Boot on ARM systems – Building a complete Chain of Trust upon existing...
Linaro
 
Resilient IoT Security: The end of flat security models
Milosch Meriac
 
LCA14: George Grey Keynote - LCA14
Linaro
 
LAS16 100 K1 - Keynote George Grey
96Boards
 
LAS16-100K1: Welcome Keynote
Linaro
 
DEF CON 27 - MICHAEL LEIBOWITZ and TOPHER TIMZEN - edr is coming hide yo sht
Felipe Prado
 
Open Source Firmware - FrOSCon 2019
Daniel Maslowski
 
LCA13: ARMv8 Status and Updates
Linaro
 
44CON London 2015 - Is there an EFI monster inside your apple?
44CON
 
Reliability, Availability, and Serviceability (RAS) on ARM64 status - SFO17-203
Linaro
 
HKG18-116 - RAS Solutions for Arm64 Servers
Linaro
 
Implementing a Security strategy in IoT, Practical example Automotive Grade L...
LibreCon
 
Qubes hardware certification
Piotr Król
 
Simple AEAD Hardware Interface SAEHI in a SoC: Implementing an On-Chip Keyak/...
mjos
 
Over-the-Air: How we Remotely Compromised the Gateway, BCM, and Autopilot ECU...
Priyanka Aash
 
Roberto Clapis/Stefano Zanero - Night of the living vulnerabilities: forever-...
Codemotion
 
Security for io t apr 29th mentor embedded hangout
mentoresd
 
BKK16-309A Open Platform support in UEFI
Linaro
 

More from Linaro (20)

PDF
Deep Learning Neural Network Acceleration at the Edge - Andrea Gallo
Linaro
 
PDF
Arm Architecture HPC Workshop Santa Clara 2018 - Kanta Vekaria
Linaro
 
PDF
Huawei’s requirements for the ARM based HPC solution readiness - Joshua Mora
Linaro
 
PDF
Bud17 113: distribution ci using qemu and open qa
Linaro
 
PDF
OpenHPC Automation with Ansible - Renato Golin - Linaro Arm HPC Workshop 2018
Linaro
 
PDF
HPC network stack on ARM - Linaro HPC Workshop 2018
Linaro
 
PDF
It just keeps getting better - SUSE enablement for Arm - Linaro HPC Workshop ...
Linaro
 
PDF
Intelligent Interconnect Architecture to Enable Next Generation HPC - Linaro ...
Linaro
 
PDF
Yutaka Ishikawa - Post-K and Arm HPC Ecosystem - Linaro Arm HPC Workshop Sant...
Linaro
 
PDF
Andrew J Younge - Vanguard Astra - Petascale Arm Platform for U.S. DOE/ASC Su...
Linaro
 
PDF
HKG18-501 - EAS on Common Kernel 4.14 and getting (much) closer to mainline
Linaro
 
PDF
HKG18-100K1 - George Grey: Opening Keynote
Linaro
 
PDF
HKG18-318 - OpenAMP Workshop
Linaro
 
PDF
HKG18-501 - EAS on Common Kernel 4.14 and getting (much) closer to mainline
Linaro
 
PDF
HKG18-315 - Why the ecosystem is a wonderful thing, warts and all
Linaro
 
PDF
HKG18- 115 - Partitioning ARM Systems with the Jailhouse Hypervisor
Linaro
 
PDF
HKG18-TR08 - Upstreaming SVE in QEMU
Linaro
 
PDF
HKG18-113- Secure Data Path work with i.MX8M
Linaro
 
PPTX
HKG18-120 - Devicetree Schema Documentation and Validation
Linaro
 
PPTX
HKG18-223 - Trusted FirmwareM: Trusted boot
Linaro
 
Deep Learning Neural Network Acceleration at the Edge - Andrea Gallo
Linaro
 
Arm Architecture HPC Workshop Santa Clara 2018 - Kanta Vekaria
Linaro
 
Huawei’s requirements for the ARM based HPC solution readiness - Joshua Mora
Linaro
 
Bud17 113: distribution ci using qemu and open qa
Linaro
 
OpenHPC Automation with Ansible - Renato Golin - Linaro Arm HPC Workshop 2018
Linaro
 
HPC network stack on ARM - Linaro HPC Workshop 2018
Linaro
 
It just keeps getting better - SUSE enablement for Arm - Linaro HPC Workshop ...
Linaro
 
Intelligent Interconnect Architecture to Enable Next Generation HPC - Linaro ...
Linaro
 
Yutaka Ishikawa - Post-K and Arm HPC Ecosystem - Linaro Arm HPC Workshop Sant...
Linaro
 
Andrew J Younge - Vanguard Astra - Petascale Arm Platform for U.S. DOE/ASC Su...
Linaro
 
HKG18-501 - EAS on Common Kernel 4.14 and getting (much) closer to mainline
Linaro
 
HKG18-100K1 - George Grey: Opening Keynote
Linaro
 
HKG18-318 - OpenAMP Workshop
Linaro
 
HKG18-501 - EAS on Common Kernel 4.14 and getting (much) closer to mainline
Linaro
 
HKG18-315 - Why the ecosystem is a wonderful thing, warts and all
Linaro
 
HKG18- 115 - Partitioning ARM Systems with the Jailhouse Hypervisor
Linaro
 
HKG18-TR08 - Upstreaming SVE in QEMU
Linaro
 
HKG18-113- Secure Data Path work with i.MX8M
Linaro
 
HKG18-120 - Devicetree Schema Documentation and Validation
Linaro
 
HKG18-223 - Trusted FirmwareM: Trusted boot
Linaro
 

Recently uploaded (20)

PDF
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
PDF
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
PDF
Encapsulation theory and applications.pdf
gurumoop
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PDF
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PPTX
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
PPTX
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
PDF
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
DOCX
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
PDF
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
Encapsulation theory and applications.pdf
gurumoop
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 
Approach and Philosophy of On baking technology
30anthuong17
 
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 

LAS16-200: Firmware Summit - UEFI secure boot

  • 1. UEFI Secure Boot Ard Biesheuvel <ard.biesheuvel@linaro.org>
  • 2. ENGINEERS AND DEVICES WORKING TOGETHER UEFI Secure Boot - current status on AArch64 ● Essentially the same as a year ago ○ Software layers above the non-volatile variable store are working and regression tested through CI (both AArch64 and ARM) ○ No implementation exists to make the non-volatile variable store tamper proof and replay protected, as the UEFI Secure Boot spec requires ● What is holding us back? ○ Spec based reference implementation of the tamper proof varstore requires (S)MM support, which is not even in the spec yet for AArch64. ○ Non-spec based ref implementation is likely too platform specific, which complicates sharing between members and/or open sourcing ● Is there a plan B? ○ External manipulation of PK/KEK/db/dbx variables, while making them immutable from the OS/firmware pov. Stop gap solution, but effective
  • 3. Thank You #LAS16 For further information: www.linaro.org LAS16 keynotes and videos on: connect.linaro.org