Understanding the UEFI Secure Boot Chain
Understanding the UEFI Secure Boot Chain
Understanding the UEFI Secure Boot Chain
Understanding the UEFI Secure Boot Chain
Understanding UEFI Secure Boot Chain
Executive Summary
Overview
Secure Boot Chain in UEFI
Additional Secure Boot Chain Implementations
Looking Forward – Platform Firmware Resiliency
Platform Firmware Resiliency
Device Firmware Boot
Device Firmware Update
Project Cerberus
Intel® Platform Firmware Resilience (Intel® PFR)
Google Titan
Other Platform Firmware Resiliency (PFR) Implementations
Glossary
References
Figures
Powered by GitBook

Device Firmware Boot

If device firmware is not in TCB, it must be verified by the system firmware or device firmware in TCB.

During system boot, host firmware may choose to verify some device firmware components. For device firmware stored in the device’s internal storage, verification may happen based upon device policy. For device firmware images in external storage loaded at runtime, verification is mandatory. Device firmware verification may follow the same rules as the system firmware verification. Device firmware is only loaded after it is verified.

Table 4-1: Device Firmware Boot Verification

Item

Entity

Provider

Location

TP

Device Firmware Verification

OEM or IHV

Flash (Read Only Code), Device ROM.

CDI

System Firmware or Device firmware TCB

OEM or IHV

Flash (Read Only Code), ROM

Device Firmware Signature Database (Policy)

OEM or IHV

Flash (Read Only Data), ROM

UDI

Device Firmware

IHV

Device Internal Storage (or) External Storage (e.g. Hard drive, USB, Memory, or Read-Write Flash)

Previous
Platform Firmware Resiliency
Next
Device Firmware Update
Last updated 1 year ago
Edit on GitHub