7.7 Additional Control Flows

EDK II Minimum Platform Specification

DRAFT [12/01/2020 06:42:28]

Revision 0.7

7.7 Additional Control Flows

This section describes how the security features are embedded in the control flows. PSCS/ChipSec required features should be enabled in this stage in addition to other general security flow. This section will also elaborate on each security feature and the platform code implementation required to enable the feature.

Note: Some of these features can be treated as an advanced feature and can be turned on or off based on system-specific usage. However, this section serves as a guideline to develop platform code for security features.

7.7.1 UEFI Secure Boot

Refer to the UEFI specification and the whitepaper A Tour Beyond BIOS - Implementing UEFI Authenticated Variables in SMM with EDK II

7.7.2 Hardware Authenticated Boot

UEFI Secure boot provides verification of 3rd party drivers, such as the OS loader or PCI option ROMs.

A platform may provide additional authentication for firmware volume.

For example: Intel Boot Guard, or PI signed FV.

Intel® Boot Guard provides a hardware way to verify the initial boot block (IBB) code. After power on, the CPU Microcode finds a Boot Guard ACM and executes the Boot Guard ACM, which is signed by Intel. Then the Boot Guard ACM takes the Boot Guard manifest and verifies the IBB code.
The PI specification also provides the verification for the system firmware code on the board. Refer to PI specification, EFI Signed Firmware Volumes and EFI Signed Sections.

The whole hardware based secure boot flow on an Intel Boot Guard platform is:

Startup ACM or some equivalent module verifies the initial boot block of the system firmware.
- Intel® Boot Guard Technology is one possible implementation
The initial boot block verifies the rest of the system firmware.
- PI signed FV is one possible implementation. An implementation may choose PKCS7 or RSA2048_SHA256 based signing verification.
- The other option is just to use the HASH for the rest of the system firmware. In PEI phase, the code who installs the addition FV for the post memory phase need verify the HASH of the system firmware.
The system firmware verifies 3rd party code.
- UEFI secure boot is the implementation.

7.7.3 TCG Trusted Boot and Memory Overwrite Request (MOR)

Refer to TCG platform specification and the white paper A Tour Beyond BIOS - Implementing TPM Support in EDK II

7.7.4 DMA (VT-d) Protection

Refer to Intel® VT-d specification and the white paper Using IOMMU for DMA Protection in UEFI

EDK II Minimum Platform Specification DRAFT [12/01/2020 06:42:28] Revision 0.7