Understanding UEFI Secure Boot Chain
Executive Summary
Overview
Integrity Models
Introduction to the Secure Boot Chain
Patterns in the Secure Boot Chain
Comparing Clark-Wilson and UEFI Secure Boot
Secure Boot Chain in UEFI
UEFI Secure Boot
Intel® Boot Guard
Boot Chain – Putting it all together
Signed Capsule Update
Signed Recovery
S3 Resume
SMM Runtime Communication
Additional Secure Boot Chain Implementations
Machine Owner Key (MOK)
coreboot
Android Verified Boot
Looking Forward – Platform Firmware Resiliency
Platform Firmware Resiliency
Device Firmware Boot
Device Firmware Update
Project Cerberus
Intel® Platform Firmware Resilience (Intel® PFR)
Google Titan
Other Platform Firmware Resiliency (PFR) Implementations
Glossary
References
Books and Papers
Web
Figures
Figure 1-1: Clark-Wilson model, From Lee
Figure 2-1: UEFI Secure Boot
Figure 2-2: Image Verification flow
Figure 2-3: Image Verification with timestamp signature database
Figure 2-4: Intel® Boot Guard diagram credit CYBER-RESILIENCY IN CHIPSET AND BIOS
Figure 2-5: Secure Boot Verification Flow
Figure 2-6: Intel® BIOS Guard
Figure 3-1: Linux MOK Boot, source: UEFI Secure Boot Webinar
Figure 3-2: coreboot Verified Boot
Figure 3-3: Android Verified Boot 1.0 without A/B source: Android Verified Boot 2.0
Figure 3-4: Android Verified Boot 1.0 with A/B source: Android Verified Boot 2.0
Figure 3-5: Android Verified Boot 2.0 source: Android Verified Boot 2.0
Figure 4-1: Component and Trust Chain, from NIST SP800-193
Figure 4-2: High-level View of PCIe® Component Authentication
Figure 4-3: Cerberus power on sequence source: "Project Cerberus Hardware Security"
Figure 4-4: Cerberus boot flow source: "Project Cerberus Hardware Security"
Figure 4-5: Cerberus recovery flow source: "Project Cerberus Hardware Security"
Figure 4-6: Cerberus firmware update source: "Project Cerberus Hardware Security"
Figure 4-7: Intel® PFR Overview source: csdn.net
Figure 4-8: Intel® PFR boot flow source: csdn.net
Figure 4-9: Intel® PFR Reset Sequence source: csdn.net
Figure 4-10: Titan System Integration
Figure 4-11: Titan Verified Boot
Figure 4-12: Lattice PFR source: latticesemi.com/pfr
Understanding the UEFI Secure Boot Chain
DRAFT [03/30/2021 03:43:22]
Revision 01.0
Additional Secure Boot Chain Implementations
Overview of secure boot in other areas, including:
Machine Owner Key (MOK)
coreboot
Android Verified Boot