MASTER OF SCIENCE PROJECT DEFENSE BY: Nolan Paduch
When: Monday,
January 12, 2015
6:30 PM
-
8:30 PM
Where: Science and Engineering Building 285 Old Westport Road, Dartmouth, MA
Cost: free
Description: TOPIC: IMPLEMENTATION OF UEFI SECURE FIRMWARE UPDATE WITHOUT UEFI SECURE BOOT
LOCATION: Lester W. Cory Conference Room, Science & engineering Building (Group II), Room 213A
ABSTRACT:
The Unified Extensible Firmware Interface (UEFI) is an interface for the communication between a computer firmware and the operating system, specifically the operating system loader. Operating system (OS) is a software package to manage computer resources and provide user service. The Basic Input/Output System (BIOS) as well as the essential part of OS, such as the OS loader that boots OS when the computer is powered on, is stored in persistent memory or Read-Only Memory (ROM). The combination of the memory hardware and the code/data software is called firmware. The specification is published by the UEFI forum to document a set of tables and service calls made available to the OS and loader. UEFI contains Secure Boot, which allows only authenticated images to be loaded and executed from within the BIOS. This would include PCIe option ROMs, PCIe drivers, and OSs. PCIe stands for Peripheral Component Interconnect (PCI) Express, a standard for high-speed communications among computer components. By limiting what can be loaded and launched at boot time, we can assure that no malicious software is compromising the system during boot.
UEFI BIOS is stored in flash memory and is accessed via the Serial Peripheral Interface (SPI). During boot time, if this interface is unlocked, any driver, option ROM, or OS can write to the flash and corrupt the system. UEFI Secure Boot is designed to prevent this security vulnerability, since only trusted non-malicious code will be run. However, we run into an issue when we have to allow un-authenticated firmware to run without having Secure Boot enabled (such as a legacy operating system).
The purpose of this project is to implement a way to conduct a secure firmware update without the use of UEFI Secure Boot. It is reasonable to assume that certain functions can be guaranteed for execution at certain times. These functions include detecting the BIOS update, authenticating the image, flashing the image, and locking the SPI flash. Throughout the process, it is also necessary to log the steps in the process so that the OS can see the results of the complete process. All of these steps must be completed before any third party code is executed, or we risk compromising the system.
The project overviews the secure firmware update process, as well as details the timing requirements at each step. The project also overviews enhancements made to the initial release and future expandability options. The project exemplifies the assurance of security without losing operability, the technology with significant economic impact to the computing industry.
NOTE: All ECE Graduate Students are ENCOURAGED to attend.
All interested parties are invited to attend.
Open to the public.
Advisor: Dr. Hong Liu
Committee Members: Dr. Paul Fortier, ECE Dept.; and Jim Roche, EMC Corporation.
LOCATION: Lester W. Cory Conference Room, Science & engineering Building (Group II), Room 213A
ABSTRACT:
The Unified Extensible Firmware Interface (UEFI) is an interface for the communication between a computer firmware and the operating system, specifically the operating system loader. Operating system (OS) is a software package to manage computer resources and provide user service. The Basic Input/Output System (BIOS) as well as the essential part of OS, such as the OS loader that boots OS when the computer is powered on, is stored in persistent memory or Read-Only Memory (ROM). The combination of the memory hardware and the code/data software is called firmware. The specification is published by the UEFI forum to document a set of tables and service calls made available to the OS and loader. UEFI contains Secure Boot, which allows only authenticated images to be loaded and executed from within the BIOS. This would include PCIe option ROMs, PCIe drivers, and OSs. PCIe stands for Peripheral Component Interconnect (PCI) Express, a standard for high-speed communications among computer components. By limiting what can be loaded and launched at boot time, we can assure that no malicious software is compromising the system during boot.
UEFI BIOS is stored in flash memory and is accessed via the Serial Peripheral Interface (SPI). During boot time, if this interface is unlocked, any driver, option ROM, or OS can write to the flash and corrupt the system. UEFI Secure Boot is designed to prevent this security vulnerability, since only trusted non-malicious code will be run. However, we run into an issue when we have to allow un-authenticated firmware to run without having Secure Boot enabled (such as a legacy operating system).
The purpose of this project is to implement a way to conduct a secure firmware update without the use of UEFI Secure Boot. It is reasonable to assume that certain functions can be guaranteed for execution at certain times. These functions include detecting the BIOS update, authenticating the image, flashing the image, and locking the SPI flash. Throughout the process, it is also necessary to log the steps in the process so that the OS can see the results of the complete process. All of these steps must be completed before any third party code is executed, or we risk compromising the system.
The project overviews the secure firmware update process, as well as details the timing requirements at each step. The project also overviews enhancements made to the initial release and future expandability options. The project exemplifies the assurance of security without losing operability, the technology with significant economic impact to the computing industry.
NOTE: All ECE Graduate Students are ENCOURAGED to attend.
All interested parties are invited to attend.
Open to the public.
Advisor: Dr. Hong Liu
Committee Members: Dr. Paul Fortier, ECE Dept.; and Jim Roche, EMC Corporation.
Contact:
ECE: Electrical & Computer Engineering Department 508.999.9164 http://www.umassd.edu/engineering/ece/
Topical Areas: General Public, University Community, Electrical and Computer Engineering