7 Stage V: Security Enable

The objective of Stage V is to establish the basic system security foundation for a production environment. Given the importance of security for all connected systems, the platform architecture considers the following basic security features as minimum requirements for any product and thus an important part of the effort to produce a minimal platform. This stage is concerned with enabling security technologies described in industry specifications. Lower-level chipset-specific security technologies such as register locks may exist and those should be enabled during standard silicon initialization flows in earlier stages.

7.1.1 Major Execution Activities

Stage V Modules:

  • Full UEFI variable services support (i.e. non-volatile, volatile, and authenticated)

  • Authenticated boot (HW and UEFI)

  • TCG trusted boot (if TPM HW is present)

  • DMA protection

7.1.2 Main Control Flow

Stage V introduces new modules and requirements to the boot incrementally over Stage IV. The key requirement is to satisfy industry standard security specifications applicable to the platform. The security technologies enabled in this stage are not strictly bound to the definition in this specification and may consist of a subset or superset of the content described in this section. However, the only case in which a modern production system should not implement a form of any of these technologies is if the necessary hardware is not available. In all other cases, the system must at least implement a form of the following:

  • Hardware rooted authenticated boot that can establish a Static Root of Trust for Verification (S-RTV) and continue an authenticated chain of verification throughout the boot process.

  • System measurement capability that allows the firmware to serve as a Static Root of Trust for Measurement (S-RTM).

  • Protection from Direct Memory Access (DMA) attacks.

The TCG measured boot chain of trust should be enabled in this stage. At this point, Authenticated UEFI Variable support must be completely functional. This is a basic requirement for secure authentication and management of the UEFI Secure Boot keys.
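The S-RTM property this stage asks for is only useful if a verifier can replay the firmware's measurements and compare them with what the TPM reports. The following is an added example, not code from this specification or from any EDK2 module: it replays a constructed miniature TCG event log with the TPM PCR extend rule (new PCR = SHA-256(old PCR || digest), PCRs starting at zero) and reports which PCRs disagree with a quoted set of values. The event types and data strings are constructed sample values; a real log carries firmware-computed digests rather than digests derived here from the event data.

```python
import hashlib

# Constructed sample event log: (pcr_index, event_type, event_data).
# It mirrors the kind of entries firmware acting as the S-RTM records
# (CRTM version and firmware volumes into PCR 0, Secure Boot variables
# into PCR 7, the boot loader image into PCR 4). Values are made up.
SAMPLE_EVENT_LOG = [
    (0, "EV_S_CRTM_VERSION", b"constructed-crtm-version-1.0"),
    (0, "EV_POST_CODE", b"constructed-pei-and-dxe-firmware-volume"),
    (7, "EV_EFI_VARIABLE_DRIVER_CONFIG", b"SecureBoot=1"),
    (7, "EV_EFI_VARIABLE_DRIVER_CONFIG", b"PK=constructed-platform-key"),
    (4, "EV_EFI_BOOT_SERVICES_APPLICATION", b"constructed-bootloader.efi"),
]

DIGEST_LEN = hashlib.sha256().digest_size  # SHA-256 PCR bank


def extend(pcr_value: bytes, digest: bytes) -> bytes:
    """TPM PCR extend: new = H(old || digest). Order of extends matters."""
    return hashlib.sha256(pcr_value + digest).digest()


def event_digest(event_data: bytes) -> bytes:
    """Digest of one event. A real log stores this; here it is computed."""
    return hashlib.sha256(event_data).digest()


def replay_log(events):
    """Recompute every PCR from the event log, as an attestation verifier does.

    Each PCR starts as all zeros and is extended with every event that
    names it, in log order. Returns {pcr_index: final_value}.
    """
    pcrs = {}
    for pcr_index, _event_type, event_data in events:
        old = pcrs.get(pcr_index, bytes(DIGEST_LEN))
        pcrs[pcr_index] = extend(old, event_digest(event_data))
    return pcrs


def verify_quote(events, quoted_pcrs):
    """Return the PCR indices whose replayed value differs from the quote.

    An empty set means the event log fully explains the quoted PCRs.
    A PCR present on only one side is reported as a mismatch too.
    """
    replayed = replay_log(events)
    indices = set(replayed) | set(quoted_pcrs)
    return {i for i in indices if replayed.get(i) != quoted_pcrs.get(i)}
```

Because each PCR is a hash chain, the check pinpoints which measured component changed (for example a modified boot loader shows up in PCR 4 only), while reordering or dropping any event changes the affected PCR.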