Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Understanding UEFI Secure Boot Chain- 532

Intel (posted 4 years ago)
  • UEFI is the successor to the BIOS. Part of the UEFI specification is Secure Boot, which is extremely complicated. This document is a wiki page from Intel that discusses Secure Boot and Intel's Boot Guard. My notes mostly refer to the book Rootkits and Bootkits, but this is an additional good link that I wanted to include.
  • Secure Boot guarantees that only valid third-party firmware code can run in the Original Equipment Manufacturer (OEM) firmware environment. It should be noted that UEFI Secure Boot assumes the system firmware itself is a trusted entity. Any third-party firmware is considered untrusted, but can be manually enrolled by the user.
  • Secure Boot is made up of two main parts: verification of the boot image, and verification of updates to the image security database. Essentially, everything has to be cryptographically signed by a key that belongs to the PKI. This is important because without Secure Boot the UEFI OS bootloader can be swapped out, breaking the rest of the chain.
  • With a large key infrastructure, it is complicated to keep track of everything. Because of this, there are NVRAM variables that store an allowlist of accepted public keys and a denylist of public keys and firmware images. This article has amazing documentation on how the PKI works for Secure Boot, which is why it was included here.
  • Even with all of these protections in place, the root of trust is placed in the initial bootloader. What if an attacker manually overwrites the SPI flash that holds that bootloader? Well, that is a valid attack that breaks the chain! An additional attack is to overwrite the NVRAM variables as well.
  • In order to fix the SPI flash writing problem, Verified and Measured Boot are used. Verified Boot is run as soon as the machine is powered on, via hardware logic. Verified Boot has a public key in the hardware to ensure that the initial UEFI bootloader is signed. Because the initial bootloader is validated to be secure, the rest of the chain can now be trusted.
  • Measured Boot stores cryptographic hashes of the OS loader and the platform initialization (PI) firmware. These hashes are stored in the TPM. Because only hashes are stored, a hash can tell us whether the firmware has been modified, but nothing else.
  • Intel's Boot Guard runs directly after the ROM bootloader. It is cryptographically signed by Intel and cannot be modified. Boot Guard itself is an implementation of Verified and Measured Boot, but with a lot of quirks specific to it. Once it is done with the system initialization steps, it validates and then calls the UEFI firmware.
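To make the Measured Boot note concrete, here is a small added model (my own example, not code from Intel's wiki or from Rootkits and Bootkits) of the TPM PCR-extend chain: each boot stage hashes the next image and extends a PCR before handing over control. The stage names and image bytes are constructed stand-ins; the point it shows is that the final PCR alone only says "same as golden or not", and it takes the replayable event log to learn which stage changed.

```python
import hashlib
import hmac

# Constructed stand-in boot images (stage name, bytes); they only need to be distinct.
GOLDEN_BOOT = [
    ("pi_firmware", b"platform init firmware v1"),
    ("uefi_os_loader", b"bootmgfw.efi v1"),
]
TAMPERED_BOOT = [
    ("pi_firmware", b"platform init firmware v1"),
    ("uefi_os_loader", b"bootmgfw.efi v1 + implant"),  # modified OS loader
]

def extend(pcr, digest):
    # TPM extend: PCR_new = SHA-256(PCR_old || digest). One-way and
    # order-dependent: nothing can be removed or reordered unnoticed.
    return hashlib.sha256(pcr + digest).digest()

def measure_boot(components):
    # Each stage hashes the next image and extends the PCR before handing
    # over control. Returns the final PCR and an event log a verifier can replay.
    pcr = bytes(32)  # PCRs are zero at power-on
    log = []
    for name, image in components:
        digest = hashlib.sha256(image).digest()
        log.append((name, digest))
        pcr = extend(pcr, digest)
    return pcr, log

def replay_log(log):
    # Recompute the PCR from the log alone; a log that does not reproduce
    # the quoted PCR has been tampered with or truncated.
    pcr = bytes(32)
    for _, digest in log:
        pcr = extend(pcr, digest)
    return pcr

def attest(golden_pcr, observed_pcr):
    # All the PCR value itself tells a verifier: same as golden, or not.
    return hmac.compare_digest(golden_pcr, observed_pcr)

def first_divergence(golden_log, observed_log):
    # Only the event log says which stage changed; the PCR cannot.
    for (name, g), (_, o) in zip(golden_log, observed_log):
        if g != o:
            return name
    return None
```

Running `measure_boot` on both lists and comparing the results with `attest` and `first_divergence` shows the mismatch and pins it on the OS loader; swapping the order of the two stages also changes the PCR, since extend is order-dependent.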