Getting Started with UEFI HTTPS Boot on EDK II

DRAFT [12/01/2020 07:08:27]

Revision 1.30

HTTPS Authentication

Figure 1 shows the regular HTTPS authentication mechanism for both the server providing the boot image, and the client booting from the image. Leveraging an asymmetric crypto system, the client and server can be authenticated by each other. The steps for mutual authentication are as follows:

Server and Client request the corresponding asymmetric key pair from the Certification Authority (CA). Both requested certificates can be verified by the CA.
The CA distributes the key pair (servercert/serverkey) and its own certificate (rootcert) to the Server. The distributed certificate (servercert) has been signed by its rootkey.
The CA distributes the key pair (clientcert/clientkey) and its own certificate (rootcert) to the Client. The distributed certificate (clientcert) has been signed by its rootkey.
Both Server and Client present their own certificate to each other for mutual authentication.
When the Server receives the Client certificate (clientcert) the certificate will be verified by rootcert, since it has been signed with the rootkey (and vice versa).

Getting Started with UEFI HTTPS Boot on EDK II DRAFT [12/01/2020 07:08:27] Revision 1.30

HTTPS Authentication

Figure 1 Authentication Mechanism

Getting Started with UEFI HTTPS Boot on EDK II DRAFT [12/01/2020 07:08:27] Revision 1.30

Getting Started with UEFI HTTPS Boot on EDK II

DRAFT [12/01/2020 07:08:27]

Revision 1.30

Getting Started with UEFI HTTPS Boot on EDK II

DRAFT [12/01/2020 07:08:27]

Revision 1.30