Signed Recovery
NIST SP800-193 defines three principles supporting platform resiliency:
    Protection
    Detection
    Recovery
Signed UEFI capsule update and Intel® BIOS Guard provide protection. Intel® Boot Guard and OBB verification provide detection. If firmware corruption is detected, the firmware can perform recovery to prevent a permanent denial of service (PDOS) attack. EDK II implements a signed recovery (see Table 2-10).
Table 2-10: Firmware Recovery Verification

| Item | Entity                                            | Provider | Location                                                                                    |
|------|---------------------------------------------------|----------|---------------------------------------------------------------------------------------------|
| TP   | Firmware Recovery Verification                    | OEM      | Originally on flash, loaded into DRAM.                                                      |
| CDI  | Firmware Recovery TCB Code                        | OEM      | Originally on flash, loaded into DRAM.                                                      |
| CDI  | Firmware Recovery Signature Database (Policy)     | OEM      | Originally on flash, loaded into DRAM.                                                      |
| UDI  | Firmware Recovery Package                         | OEM      | Originally on external storage (e.g. hard drive, USB, memory, or flash), loaded into DRAM.  |

Signing

The UDI is a new firmware image, the same as in the UEFI Capsule Update implementation. The entire firmware binary must be signed with the OEM private key.

Public Key Storage

The OEM public key should be embedded in the original firmware and in the recovery launcher module.

Verification

If firmware corruption is detected during boot, the recovery boot path is triggered. In this scenario, the TP is the firmware recovery launcher module. This module loads the recovery image from a known source and verifies its signature against the embedded OEM public key. If the signature verifies, the recovery image is loaded and the recovery launcher module transfers control to it. If verification fails, the recovery image is discarded and the recovery launcher attempts to locate additional recovery images. If all recovery images fail verification, the recovery process is aborted.
NOTE: The signed recovery image itself may be updatable even when it resides in the flash region.
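The recovery launcher flow described above, written out as an added example in Go that is not EDK II code and not part of the original document. It models the TP (the launcher's verification routine), the OEM-signed UDI (a recovery package carrying the whole image plus a detached signature), and the candidate-walking policy: discard any package whose signature does not verify under the embedded OEM public key, hand control to the first one that does, and abort if none does. Ed25519 stands in for whatever signature scheme the OEM uses; the fixed key seeds, source names and image bytes are constructed demo values (a real OEM key lives in an HSM, and the public key is baked into the firmware image at build time).

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"errors"
	"fmt"
)

// RecoveryPackage models the UDI: a recovery firmware image plus the
// signature the OEM made over the entire image with its private key.
type RecoveryPackage struct {
	Source    string // where the launcher found it (constructed label)
	Image     []byte
	Signature []byte
}

// SignRecoveryImage is the OEM-side signing step. It runs offline at
// release time, never in the firmware itself.
func SignRecoveryImage(oemPriv ed25519.PrivateKey, image []byte, source string) RecoveryPackage {
	img := append([]byte(nil), image...) // private copy so callers can't alias it
	return RecoveryPackage{Source: source, Image: img, Signature: ed25519.Sign(oemPriv, img)}
}

// VerifyRecoveryPackage is the TP check performed by the recovery launcher:
// the OEM public key embedded in the launcher must validate the signature
// over the whole firmware binary. Malformed packages fail closed.
func VerifyRecoveryPackage(oemPub ed25519.PublicKey, pkg RecoveryPackage) bool {
	if len(pkg.Signature) != ed25519.SignatureSize || len(pkg.Image) == 0 {
		return false
	}
	return ed25519.Verify(oemPub, pkg.Image, pkg.Signature)
}

// SelectRecoveryImage walks the candidate sources in order, discards every
// package that fails verification, and returns the first one that passes.
// When every candidate fails, recovery is aborted and an error is returned.
func SelectRecoveryImage(oemPub ed25519.PublicKey, candidates []RecoveryPackage) (RecoveryPackage, error) {
	for _, c := range candidates {
		if VerifyRecoveryPackage(oemPub, c) {
			return c, nil
		}
	}
	return RecoveryPackage{}, errors.New("all recovery images failed verification; recovery aborted")
}

// BuildDemoCandidates constructs the scenario: a deterministic OEM key
// (constructed seed, demo only), a rogue key, an on-flash copy damaged by a
// bit flip, an image signed by the wrong key, and a good image on USB.
func BuildDemoCandidates() (ed25519.PublicKey, []RecoveryPackage) {
	oemPriv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x42}, ed25519.SeedSize))
	oemPub := oemPriv.Public().(ed25519.PublicKey)
	rogue := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x13}, ed25519.SeedSize))

	image := []byte("RECOVERY-FIRMWARE v2.1 (constructed demo payload)")

	// Flash copy: correctly signed, but one bit flipped after signing.
	corrupted := SignRecoveryImage(oemPriv, image, "flash:/recovery")
	corrupted.Image[8] ^= 0x01

	// Replacement image signed with a key that is not the OEM's.
	forged := SignRecoveryImage(rogue, []byte("RECOVERY-FIRMWARE v9.9 (constructed rogue payload)"), "usb:/update.bin")

	// Genuine OEM-signed recovery image on removable media.
	good := SignRecoveryImage(oemPriv, image, "usb:/recovery.bin")

	return oemPub, []RecoveryPackage{corrupted, forged, good}
}

func main() {
	oemPub, candidates := BuildDemoCandidates()
	for _, c := range candidates {
		fmt.Printf("%-18s verified=%v\n", c.Source, VerifyRecoveryPackage(oemPub, c))
	}
	selected, err := SelectRecoveryImage(oemPub, candidates)
	if err != nil {
		fmt.Println("recovery aborted:", err)
		return
	}
	fmt.Println("transferring control to recovery image from", selected.Source)
}
```

The ordering of candidates is the launcher's policy decision: the on-flash copy is tried first because it needs no external media, and removable sources follow. Note that the bit-flipped flash copy and the rogue-signed image are rejected by the same check, so the launcher does not need to distinguish accidental corruption from substitution; both simply fail to verify and are skipped.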