Appendix - Threat Model for EDK II

This chapter provides the basic assumptions for the threat model of EDK II firmware. The threat model discussed here is a general guide and serves as the baseline for EDK II firmware. A specific feature in EDK II firmware may have an additional feature-based threat model that extends this general one.

In UEFI Threat Model, we discussed the assets, threats and mitigations. Here we revisit these items based upon [STRIDE](https://en.wikipedia.org/wiki/STRIDE_(security)).

| Threat | Desired Property |
|---|---|
| Spoofing | Authentication |
| Tampering | Integrity |
| Repudiation | Non-Repudiation |
| Information Disclosure | Confidentiality |
| Denial of Service | Availability |
| Elevation of Privilege | Authorization |

In EDK II firmware, a denial of service can be temporary, affecting only the current boot, or permanent, in which case the system never boots again. The latter is more serious and is named permanent denial of service (PDoS).

We consider the following adversaries for EDK II firmware:

| Adversary | Capability |
|---|---|
| Network Attacker | The attacker may connect to the system over the network in order to eavesdrop on, intercept, masquerade as, or modify network packets. |
| Unprivileged Software Attacker | The attacker may run ring-3 software in the OS application layer. The attacker may perform a software-based side channel attack (such as using cache timing). |
| System Software Attacker | The attacker may run ring-0 software in the OS kernel or hypervisor, or run 3rd party firmware code in the firmware boot phase. The attacker may perform a software-based side channel attack (such as using cache timing, performance counters, branch information, or power status). |
| Simple Hardware Attacker | The attacker may touch the platform hardware (such as the power button or a jumper) and attach/remove a simple malicious device (such as a hardware debugger, PCILeech on an external port, a PCIe card in a PCIe slot, a memory DIMM, a NIC cable, a hard drive, a keyboard, a USB device, or a Bluetooth device). The attacker may hijack a simple system bus (such as the SPI bus or I2C bus). |
| Skilled Hardware Attacker | The attacker may hijack a complex system bus (such as the memory bus or PCI Express bus). The attacker may perform a hardware-based side channel attack, such as power analysis, thermal analysis, or electromagnetic analysis. The attacker may perform a glitch attack. |

We consider the following mitigations for EDK II firmware:

| Mitigation | Objective |
|---|---|
| Protection | The mitigation is to prevent such an attack from damaging the system. |
| Detection | The mitigation is to detect whether the system is under attack. |
| Recovery | The mitigation is to recover the system if it is under attack. |

- Asset: Flash Content
- Asset: Boot Flow
- Asset: S3 Resume
- Asset: Management Mode
- Asset: Build Tool