Signed Capsule Update

Platform firmware often requires an update. NIST provides multiple guidelines for authenticated updates (SP800-147, SP800-147B, SP800-193). EDK II implements authenticated updates based on Signed UEFI Capsule Updates and Capsule Recovery. Table 2-8 describes firmware update verification.

Table 2-8: Firmware Update Verification

Item Entity Provider Location
TP Firmware Update Verification OEM Originally on flash, loaded into flash unlockable environment. (It could be DRAM before the flash is locked, or SMRAM.)
CDI Firmware Update TCB Code OEM Originally on flash, loaded into flash unlockable environment.
Firmware Update Signature Database (Policy) OEM Originally on flash, loaded into flash unlockable environment.
UDI Firmware Update Package OEM Originally on external storage (e.g. Hard drive, USB, Memory, or Read-Write Flash), loaded into flash unlockable environment.

Signing

The UDI is the whole new firmware image. As such, the whole firmware binary needs to be signed by the OEM private key.

Public Key Storage

The OEM public key should be embedded in the original firmware. As such it can be used to verify the new firmware binary.

A policy may be updated along with the new Firmware image.

Verification

During the firmware update process, TP is inside of the original firmware image. TP will load the new firmware image from external storage into memory. The memory can be normal DRAM (if the update happens before any 3rd party code is executed) or flash (in an unlocked state). If the update must occur after 3rd party code execution, the update must occur in an isolated execution environment (example: SMRAM). Care must be taken that both verification and update occur in the same environment, and there is no TOC-TOU threat (example: DMA attack). If TP passes verification, the new firmware image is programmed into flash. If verification fails, the flash update process is aborted.

Intel® BIOS Guard

The implementation above assumes any code in the execution environment is secure. Reality shows that this is difficult to implement due to the number of drivers present in this environment. Intel provides the Intel® BIOS Guard solution which only allows the flash device to be programmed by the Intel® BIOS Guard AC module. This module performs firmware verification and updates in an Authenticated Code RAM (AC-RAM) environment. This is designed to prevent issues early in the firmware boot process or SMM from impacting the verification and update flow.

Figure 2-6 describes Intel® BIOS Guard components. Table 2-9 described firmware update verification using Intel® BIOS Guard.

Figure 2-6: Intel® BIOS Guard

Table 2-9: Firmware Update Verification

Item Entity Provider Location
TP ACM FU Verification Intel Original on the flash, loaded into AC-RAM
CDI Intel® BIOS Guard ACM Intel Original on the flash, loaded into AC-RAM
PubKey Hash (Policy) OEM Calculated during Firmware Boot early phase, and write to the CPU register.
UDI Firmware Update Package OEM External Storage (e.g. Hard drive, USB, Memory, or Read-Write Flash), loaded into SMRAM.

Signing

The UDI is provided a new firmware image, the same as the UEFI Capsule Update implementation. The entire firmware binary must be signed using the OEM private key.

Public Key Storage

The OEM public key should be embedded in the original firmware. During boot, the early BIOS needs to program the public key hash into the CPU BIOS Guard register. This is used by the BIOS Guard module during the verification. The policy may be updated along with the new BIOS image.

Verification

During the firmware update process, a SMM module will load the firmware image and trigger the BIOS Guard module. TP is inside of the BIOS Guard module. TP first verifies if the OEM public key in the new firmware image matches the CPU BIOS Guard register, then verifies if the signature of the new firmware image. If TP passes verification, the BIOS Guard module writes the new firmware image into flash. If the verification fails, BIOS Guard returns with a failure.