This chapter provides the basic assumptions for the threat model of EDK II firmware. The threat model discussed here is a general guide and serves as the baseline for EDK II firmware. Each specific feature in EDK II firmware may have an additional feature-based threat model on top of this general one.
Denial of Service
Elevation of Privilege
In EDK II firmware, a denial of service can be temporary, affecting only the current boot, or permanent, in which case the system never boots again. The latter is more serious and is called a permanent denial of service (PDoS).
We will consider the below adversaries for the EDK II firmware:
Network Attacker
The attacker may connect to the system over the network in order to eavesdrop on, intercept, masquerade as, or modify network packets.
Unprivileged Software Attacker
The attacker may run ring-3 software in the OS application layer. The attacker may perform software-based side-channel attacks (such as cache timing).
System Software Attacker
The attacker may run ring-0 software in the OS kernel or hypervisor, or run third-party firmware code during the firmware boot phase. The attacker may perform software-based side-channel attacks (such as using cache timing, performance counters, branch information, or power status).
Simple Hardware Attacker
The attacker may touch the platform hardware (such as the power button or a jumper) and attach or remove a simple malicious device (such as a hardware debugger, a PCILeech DMA device on an external port, a PCIe card in a PCIe slot, a memory DIMM, a NIC cable, a hard drive, a keyboard, a USB device, or a Bluetooth device). The attacker may hijack a simple system bus (such as the SPI bus or I2C bus).
Skilled Hardware Attacker
The attacker may hijack a complex system bus (such as the memory bus or the PCI Express bus). The attacker may perform hardware-based side-channel attacks, such as power analysis, thermal analysis, or electromagnetic analysis. The attacker may also perform a glitch attack.
We will consider the below mitigations for the EDK II firmware:
Protection
The mitigation is to prevent such an attack from damaging the system.
Detection
The mitigation is to detect that the system is under attack.
Recovery
The mitigation is to recover the system after it has been attacked.
Asset: Flash Content
Asset: Boot Flow
Asset: S3 Resume
Asset: Management Mode
Asset: Build Tool