Understanding the UEFI Secure Boot Chain
Search…
Understanding the UEFI Secure Boot Chain
1.0.0
Understanding UEFI Secure Boot Chain
Executive Summary
Overview
Secure Boot Chain in UEFI
Additional Secure Boot Chain Implementations
Looking Forward – Platform Firmware Resiliency
Platform Firmware Resiliency
Device Firmware Boot
Device Firmware Update
Project Cerberus
Intel® Platform Firmware Resilience (Intel® PFR)
Google Titan
Other Platform Firmware Resiliency (PFR) Implementations
Glossary
References
Figures
Powered By GitBook
Platform Firmware Resiliency
In modern platforms, system firmware is only one of multiple firmware images. Most system components rely on some form of device firmware. The scope of PFR covers both system firmware and device firmware images, so the trust chain is maintained for all boot firmware components. See Figure 4-1 for an overview diagram.

Figure 4-1: Component and Trust Chain, from NIST SP800-193

Device firmware may exist in a device-specific region that is managed by the device. In some cases, device firmware may reside in the same location as the system firmware, such as Serial Peripheral Interface (SPI) attached to flash, and the system firmware is responsible for loading the device firmware into a device firmware region.
Most device firmware initializes the hardware so it is functional at runtime. Examples include:
  • Network Interface Card (NIC)
  • Solid State Drive (SSD)
  • Universal Serial Bus (USB)
  • Battery management
Some device firmware is involved in the system boot process and may play an important role in system firmware verification. Examples include:
  • Embedded Controller (EC) firmware
  • Baseboard Management Controller (BMC) firmware
  • Intel® Converged Security and Management Engine (Intel® CSME)
  • Glue logic in a Field Programmable Gate Array (FPGA) or Complex Programmable Logic Device (CPLD)
There are multiple existing standards describing device authentication, including:
Figure 4-2 shows a high-level view of an authentication protocol.

Figure 4-2: High-level View of PCIe® Component Authentication (source: PCIe® Component Authentication)

Previous
Looking Forward – Platform Firmware Resiliency
Next
Device Firmware Boot
Last modified 2yr ago
Copy link
On this page
Figure 4-1: Component and Trust Chain, from NIST SP800-193
Figure 4-2: High-level View of PCIe® Component Authentication (source: PCIe® Component Authentication)