Tuesday, January 8, 2013

Leveraging UEFI Secure Boot beyond the loader

I've earlier noted some of the exciting work that the community has been doing with platforms around Microsoft(R) Windows 8, including UEFI Secure Boot.  Some details are at http://channel9.msdn.com/Events/Windows-Ecosystem-Summit/2011Taipei/SYS-457T, for example.

In addition to the Windows roll-out, Brian Richardson noted the work of Peter Jones of the Fedora Project around "Package Signature Checking During Installation" @ http://fedoraproject.org/wiki/Features/PackageSignatureCheckingDuringInstall.  This work extends UEFI Secure Boot into OS provisioning: the certificates the firmware already trusts become the anchor for checking the package-signing keys shipped on the install media. The feature page puts it this way: "Following the implementation of Features/SecureBoot, we can extend the Secure Boot keys as a root of trust provided by the hardware against which we can verify a signature on our key files, thus guaranteeing that they're from the same source as the boot media".  
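The first step of any such chaining is reading the platform's Secure Boot db and treating its contents as the root of trust. As an added illustration (not Fedora's or Peter Jones's code), the script below parses the EFI_SIGNATURE_LIST format that db, KEK and dbx use, enumerates the X.509 and SHA-256 entries, and applies the db as an allow-list. The assumptions are mine: the db is read from the efivarfs path given in the code when it exists, otherwise from a constructed sample blob; the "certificate" in the sample is placeholder bytes, not real DER; and the authorization check shown is the hash form of a db entry, since verifying a detached signature against the db's X.509 certificates (what the Fedora feature actually does for its key files) needs a CMS/PKCS#7 verifier that is outside this example.

```python
"""Parse a UEFI Secure Boot signature database (db) and use it as a root of trust.

Assumptions: db is read from efivarfs at DB_EFIVAR_PATH when present; otherwise a
constructed sample blob is used. SAMPLE_CERT is placeholder bytes, not real X.509.
"""
import hashlib
import os
import struct
import uuid

# Signature-type GUIDs from the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# efivarfs exposes db as "db-<EFI_IMAGE_SECURITY_DATABASE_GUID>"; the first 4 bytes are attributes.
DB_EFIVAR_PATH = "/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f"

# EFI_SIGNATURE_LIST header: SignatureType, SignatureListSize, SignatureHeaderSize, SignatureSize
SIG_LIST_HDR = struct.Struct("<16sIII")


def parse_signature_lists(blob):
    """Return [(sig_type, owner, data)] for every EFI_SIGNATURE_DATA in a run of lists.

    Every size field is bounds-checked before use, so a truncated or malformed
    variable raises ValueError rather than yielding partial entries.
    """
    entries = []
    off = 0
    while off < len(blob):
        if len(blob) - off < SIG_LIST_HDR.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header at offset %d" % off)
        type_raw, list_size, hdr_size, sig_size = SIG_LIST_HDR.unpack_from(blob, off)
        sig_type = uuid.UUID(bytes_le=type_raw)  # GUIDs are stored in mixed-endian form
        body = off + SIG_LIST_HDR.size + hdr_size
        end = off + list_size
        if list_size < SIG_LIST_HDR.size + hdr_size or end > len(blob):
            raise ValueError("bad SignatureListSize at offset %d" % off)
        if sig_size < 16 or (end - body) % sig_size != 0:
            raise ValueError("bad SignatureSize at offset %d" % off)
        while body < end:
            owner = uuid.UUID(bytes_le=blob[body:body + 16])  # EFI_SIGNATURE_DATA.SignatureOwner
            entries.append((sig_type, owner, bytes(blob[body + 16:body + sig_size])))
            body += sig_size
        off = end
    return entries


def build_signature_list(sig_type, owner, items):
    """Encode one EFI_SIGNATURE_LIST (no signature header) holding equal-sized items."""
    sizes = {len(i) for i in items}
    if len(sizes) != 1:
        raise ValueError("all signatures in one list must have the same size")
    sig_size = 16 + sizes.pop()
    body = b"".join(owner.bytes_le + i for i in items)
    return SIG_LIST_HDR.pack(sig_type.bytes_le, SIG_LIST_HDR.size + len(body), 0, sig_size) + body


def read_db_from_efivars(path=DB_EFIVAR_PATH):
    """Read the db variable from efivarfs, dropping the 4-byte attribute prefix."""
    with open(path, "rb") as f:
        return f.read()[4:]


def trusted_x509_certs(entries):
    return [data for t, _, data in entries if t == EFI_CERT_X509_GUID]


def trusted_sha256_hashes(entries):
    return {data for t, _, data in entries if t == EFI_CERT_SHA256_GUID}


def is_hash_authorized(entries, payload):
    """Hash-form db check: the payload is trusted only if its SHA-256 is enrolled."""
    return hashlib.sha256(payload).digest() in trusted_sha256_hashes(entries)


# Constructed sample data (not from any real platform or distribution).
SAMPLE_KEYFILE = b"-----BEGIN PGP PUBLIC KEY BLOCK-----\n(constructed placeholder)\n"
SAMPLE_CERT = b"\x30\x82\x01\x00" + b"\x00" * 12  # placeholder bytes, not a real DER certificate
SAMPLE_OWNER = uuid.UUID("0e4d6bd5-2bb0-4b0b-a1aa-000000000001")  # constructed owner GUID


def build_sample_db():
    """A two-list db: one SHA-256 entry for the sample key file, one X.509 entry."""
    return (build_signature_list(EFI_CERT_SHA256_GUID, SAMPLE_OWNER,
                                 [hashlib.sha256(SAMPLE_KEYFILE).digest()])
            + build_signature_list(EFI_CERT_X509_GUID, SAMPLE_OWNER, [SAMPLE_CERT]))


if __name__ == "__main__":
    use_real = os.path.exists(DB_EFIVAR_PATH) and os.access(DB_EFIVAR_PATH, os.R_OK)
    entries = parse_signature_lists(read_db_from_efivars() if use_real else build_sample_db())
    names = {EFI_CERT_SHA256_GUID: "sha256", EFI_CERT_X509_GUID: "x509"}
    for sig_type, owner, data in entries:
        print("%-6s owner=%s %d bytes" % (names.get(sig_type, str(sig_type)), owner, len(data)))
    print("sample key file authorized by hash:", is_hash_authorized(entries, SAMPLE_KEYFILE))
```

On a live UEFI system the script lists whatever the platform owner enrolled; on anything else it runs against the constructed sample. The bounds checks matter in practice: db is writable only with a properly signed variable update, but a parser that trusts SignatureListSize blindly will read past the end of a corrupted or hostile variable, which is precisely the kind of bug a root-of-trust consumer cannot afford.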

This Fedora work, alongside the Microsoft release, further reinforces the tenet that boot firmware is by design OS-neutral. Hardware specifications like PCI and USB, firmware-oriented specifications like SMBIOS, UEFI, and ACPI, and finally implementations like edk2 together form the bridge between platforms and OS usages.

On a personal note, Peter is a great guy and continues to make valuable contributions to the OS usage of UEFI. This includes some of his work on multiple signatures, which we mentioned in chapter 4 of http://iweb.dl.sourceforge.net/project/edk2/General%20Documentation/A_Tour_Beyond_BIOS_into_UEFI_Secure_Boot_White_Paper.pdf, too.

The Fedora usages, along with efforts like Matt Fleming & Co. on UEFI loader development at https://github.com/mfleming/efilinux, continue to strengthen open source infrastructure for these emerging UEFI platform firmware capabilities.

Thursday, January 3, 2013

A new year, a new blog entry and a couple of white papers

It looks like the Mayan predictions for the end of the world didn't come to pass, although the jury is still out on the Fiscal Cliff correlative of the Mayan-predicted apocalypse. 

That being said, I wanted to highlight a couple of white papers. The first white paper is "Open Platforms and the impacts of security technologies, initiatives, and deployment practices," a joint Cisco and Intel white paper.   Bill Jacobs, my Cisco co-author, and I came up with the idea for this paper when we met at the September 2012 Intel Developer Forum. After discussing the large set of security technologies in the industry, we agreed on the need for a higher-level review of a subset of these technologies and how they relate to one another. Thus was born the white paper, which can be found on the sharing page of http://uefidk.com/share, namely

The next white paper was posted in the last twenty-four hours.  This paper was written with my Intel colleague Palsamy Sakthikumar.  The paper "A Tour beyond BIOS Implementing the ACPI Platform Error Interface with the Unified Extensible Firmware Interface" can be found on the same website at http://uefidk.com/sites/default/files/resources/A_Tour_beyond_BIOS_Implementing_APEI_with_UEFI_White_Paper.pdf. The paper demonstrates the use of firmware standards like UEFI and ACPI to deploy a significant platform capability for the enterprise. Palsamy and I talked about creating the paper for a couple of years, so I am happy to see it finally come to fruition.

Regrettably, today is Palsamy's last day at Intel. I wish him the best in his travels.