7.7 Additional Control Flows
This section describes how the security features are embedded in the control flows. Features required by PSCS/ChipSec should be enabled in this stage, in addition to the general security flow. This section also elaborates on each security feature and the platform code implementation required to enable it.
Note: Some of these features can be treated as advanced features and turned on or off based on system-specific usage. This section serves as a guideline for developing platform code for security features.
UEFI Secure Boot provides verification of third-party drivers, such as the OS loader or PCI option ROMs.
A platform may provide additional authentication for firmware volumes, for example Intel Boot Guard or PI signed FV.
- Intel® Boot Guard provides a hardware-based way to verify the initial boot block (IBB) code. After power on, the CPU microcode finds a Boot Guard ACM and executes it; the ACM is signed by Intel. The Boot Guard ACM then takes the Boot Guard manifest and verifies the IBB code.
- The PI specification also provides verification for the system firmware code on the board. Refer to the PI specification, EFI Signed Firmware Volumes and EFI Signed Sections.
The whole hardware-based secure boot flow on an Intel Boot Guard platform is:
1. A Startup ACM, or some equivalent module, verifies the initial boot block of the system firmware.
   - Intel® Boot Guard Technology is one possible implementation.
2. The initial boot block verifies the rest of the system firmware.
   - PI signed FV is one possible implementation. An implementation may choose PKCS7- or RSA2048_SHA256-based signature verification.
   - The other option is to use a hash of the rest of the system firmware. In the PEI phase, the code that installs the additional FV for the post-memory phase must verify the hash of that firmware before installing it.
3. The system firmware verifies third-party code.
   - UEFI Secure Boot is the implementation.
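The hash option in step 2, modelled as an added example (not code from the original document or from any platform package): the pre-memory code parses the post-memory FV header, rejects anything malformed, and installs the FV only if its SHA-256 matches the golden digest the build recorded into the IBB. The FV image, the GUID and the `0x0004FEFF` attribute value are constructed here for illustration.

```python
import hashlib
import hmac
import struct

# Fixed part of EFI_FIRMWARE_VOLUME_HEADER (PI spec Vol. 3), little-endian:
# ZeroVector, FileSystemGuid, FvLength, Signature, Attributes, HeaderLength,
# Checksum, ExtHeaderOffset, Reserved, Revision; the block map follows it.
FV_HEADER_FMT = "<16s16sQ4sIHHHBB"
FV_HEADER_LEN = struct.calcsize(FV_HEADER_FMT)  # 56 bytes
FV_SIGNATURE = b"_FVH"

def fv_header_checksum16(header: bytes) -> int:
    """Checksum value that makes the 16-bit word sum over the header zero."""
    total = sum(struct.unpack_from("<%dH" % (len(header) // 2), header))
    return (-total) & 0xFFFF

def build_fv(payload: bytes, fs_guid: bytes = b"\x00" * 16) -> bytes:
    """Constructed minimal FV: header, one block-map entry, terminator, payload."""
    block_map = struct.pack("<II", 1, len(payload)) + struct.pack("<II", 0, 0)
    header_len = FV_HEADER_LEN + len(block_map)
    fv_length = header_len + len(payload)
    def header(checksum: int) -> bytes:
        return struct.pack(FV_HEADER_FMT, b"\x00" * 16, fs_guid, fv_length,
                           FV_SIGNATURE, 0x0004FEFF, header_len, checksum,
                           0, 0, 2) + block_map
    return header(fv_header_checksum16(header(0))) + payload

def parse_fv(image: bytes) -> dict:
    """Sanity-check the header before any field is trusted; raise on defects."""
    if len(image) < FV_HEADER_LEN:
        raise ValueError("image shorter than an FV header")
    (_zero, fs_guid, fv_length, sig, attrs, header_len,
     _cksum, _ext, _rsvd, revision) = struct.unpack_from(FV_HEADER_FMT, image)
    if sig != FV_SIGNATURE or revision != 2:
        raise ValueError("not a PI revision-2 firmware volume")
    if not FV_HEADER_LEN <= header_len <= len(image) or fv_length != len(image):
        raise ValueError("inconsistent FvLength/HeaderLength")
    if sum(struct.unpack_from("<%dH" % (header_len // 2), image)) & 0xFFFF:
        raise ValueError("header checksum mismatch")
    return {"fs_guid": fs_guid, "fv_length": fv_length, "attributes": attrs}

def golden_hash(image: bytes) -> bytes:
    """Digest the build step would embed in the IBB for this FV."""
    return hashlib.sha256(image).digest()

def verify_post_mem_fv(image: bytes, golden_sha256: bytes) -> bool:
    """True only if the FV is well-formed and hashes to the IBB's golden value."""
    try:
        parse_fv(image)
    except ValueError:
        return False
    return hmac.compare_digest(golden_hash(image), golden_sha256)
```

A real PEIM would run this check on the FV read from flash before calling PeiServicesInstallFvInfoPpi, and on failure halt or fall back to recovery rather than install the volume.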