This section describes how the security features are embedded in the control flows. The features required by PSCS/ChipSec should be enabled at this stage, in addition to the general security flow. This section also elaborates on each security feature and the platform code implementation required to enable it.
Note: Some of these features can be treated as advanced features and turned on or off based on system-specific usage. However, this section serves as a guideline for developing platform code for security features.
Refer to the UEFI specification and the white paper A Tour Beyond BIOS - Implementing UEFI Authenticated Variables in SMM with EDK II.
UEFI Secure Boot provides verification of third-party drivers, such as the OS loader or PCI option ROMs.
A platform may provide additional authentication for firmware volumes, for example Intel Boot Guard or PI signed FVs.
Intel® Boot Guard provides a hardware-based way to verify the initial boot block (IBB) code. After power on, the CPU microcode finds the Boot Guard ACM, which is signed by Intel, and executes it. The Boot Guard ACM then takes the Boot Guard manifest and verifies the IBB code.
The PI specification also provides verification for the system firmware code on the board. Refer to the PI specification, EFI Signed Firmware Volumes and EFI Signed Sections.
The whole hardware-based secure boot flow on an Intel Boot Guard platform is:
1. The Startup ACM or some equivalent module verifies the initial boot block of the
   - Intel® Boot Guard Technology is one possible implementation.
2. The initial boot block verifies the rest of the system firmware.
   - PI signed FV is one possible implementation. An implementation may choose PKCS7 or RSA2048_SHA256 based signature verification.
   - The other option is to use only a hash of the rest of the system firmware. In the PEI phase, the code that installs the additional FVs for the post-memory phase must verify the hash of the system firmware before installing them.
3. The system firmware verifies third-party code.
   - UEFI Secure Boot is the implementation.
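The hash option in step 2, modelled as an added Python example that is not code from this page or from EDK II: the already-verified IBB is assumed to carry the expected SHA-256 digest of the post-memory FV, the image is parsed using the PI EFI_FIRMWARE_VOLUME_HEADER layout (signature `_FVH` at offset 40, `FvLength` at offset 32), and the FV image, its payload and the digest are constructed in the script.

```python
import hashlib
import hmac
import struct

FV_SIGNATURE = b"_FVH"           # EFI_FIRMWARE_VOLUME_HEADER.Signature
FV_LENGTH_OFFSET = 32            # UINT64 FvLength (whole FV, header included)
FV_SIGNATURE_OFFSET = 40         # UINT32 Signature
FV_HEADER_LEN = 56 + 8 + 8       # fixed fields + one block-map entry + terminator


def build_fv(payload: bytes) -> bytes:
    """Constructed sample: a minimal FV image (not a real build output).
    ZeroVector, FileSystemGuid and Checksum are left zero for the sample."""
    total = FV_HEADER_LEN + len(payload)
    header = bytearray(FV_HEADER_LEN)
    struct.pack_into("<Q", header, FV_LENGTH_OFFSET, total)
    header[FV_SIGNATURE_OFFSET:FV_SIGNATURE_OFFSET + 4] = FV_SIGNATURE
    struct.pack_into("<H", header, 48, FV_HEADER_LEN)      # HeaderLength
    struct.pack_into("<II", header, 56, 1, total)          # BlockMap[0]: NumBlocks, Length
    return bytes(header) + payload                         # terminator (0,0) already zero


def fv_digest(fv_image: bytes) -> bytes:
    return hashlib.sha256(fv_image).digest()


def verify_fv_hash(fv_image: bytes, expected_digest: bytes) -> bool:
    """Check a post-memory FV before installing it. The expected digest is
    trusted because it is carried inside the IBB that the ACM already verified."""
    if len(fv_image) < FV_HEADER_LEN:
        return False
    if fv_image[FV_SIGNATURE_OFFSET:FV_SIGNATURE_OFFSET + 4] != FV_SIGNATURE:
        return False
    (fv_length,) = struct.unpack_from("<Q", fv_image, FV_LENGTH_OFFSET)
    if fv_length != len(fv_image):          # truncated or padded image
        return False
    # Hash the full FvLength bytes, header included, and compare in constant time.
    return hmac.compare_digest(fv_digest(fv_image), expected_digest)


# Constructed sample: the digest the IBB would carry for this FV at build time.
GOOD_FV = build_fv(b"post-memory PEI/DXE modules (constructed payload)")
IBB_EXPECTED_DIGEST = fv_digest(GOOD_FV)


def demo() -> dict:
    tampered = bytearray(GOOD_FV)
    tampered[-1] ^= 0x01                    # flip one bit in the payload
    return {
        "good": verify_fv_hash(GOOD_FV, IBB_EXPECTED_DIGEST),
        "tampered": verify_fv_hash(bytes(tampered), IBB_EXPECTED_DIGEST),
        "truncated": verify_fv_hash(GOOD_FV[:-8], IBB_EXPECTED_DIGEST),
    }


if __name__ == "__main__":
    print(demo())
```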
Refer to the TCG platform specification and the white paper A Tour Beyond BIOS - Implementing TPM Support in EDK II.
Refer to the Intel® VT-d specification and the white paper Using IOMMU for DMA Protection in UEFI.