
Research And Implementation Of Building Trusted Chain Based On EFI

Posted on: 2009-06-17
Degree: Master
Type: Thesis
Country: China
Candidate: H M Zhang
GTID: 2178360242990117
Subject: Information security

Abstract/Summary:
The Extensible Firmware Interface (EFI) is a specification that defines a software interface between an operating system and platform firmware. EFI is intended as a significantly improved replacement for the legacy BIOS firmware interface historically used by all IBM PC compatible personal computers. The EFI specification was originally developed by Intel; it is now managed by the Unified EFI Forum and is officially known as Unified EFI (UEFI). EFI provides more extensibility and customization.

With the increase in attacks against the BIOS, implementing a safe BIOS has become extremely urgent. EFI has not resolved the security risk. Because most EFI code is implemented in C, EFI is easier to decode. Research on EFI security is very active. At present, most EFI security research is concerned with trust transition based on a TPM module, but TPM is not widely used now. In this thesis, a USB Key is chosen to make up the trust root. The code before EFI DXE is the origin point of the trust transition.

The basis of implementing a safe EFI is establishing a trust transition in EFI. This thesis focuses on the loading process of EFI drivers and applications. All EFI drivers and applications are loaded in the form of EFI Images. Two verification schemes for EFI Images are proposed in this thesis: the EFI Trust List, and Embedding Signing Messages in the EFI Image.

The EFI Trust List scheme needs a file that contains information about trusted EFI Images, such as the path and the hash value. The file should be stored in the system. When an EFI Image needs to be loaded, its integrity is checked. First, its legitimate hash value is found in the Trusted List File by its path. Then, its actual hash value is calculated. If the two hash values are the same, the integrity of the EFI Image is verified.

In the scheme of embedding signing messages in the EFI Image, the EFI Image's hash value is calculated and then signed. The signature is embedded in the EFI Image itself. When an EFI Image is checked, the signature is decoded and the recovered hash value is used for the check.

After a comprehensive comparison of the two schemes, the EFI Trust List scheme is chosen and implemented in this thesis. After analysing the EFI framework source code and the EFI specifications, the entry point of the EFI Image is located first, and the USB Key driver is developed based on the EFI driver model. The MD5 algorithm is implemented as an EFI service. Based on this work, the EFI Trust List scheme is implemented in the EFI core and EFI Image verification is achieved.
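A small model of the EFI Trust List check described in the abstract, added here as an illustration and not code from the thesis. The `path|hex-digest` file format, the path normalization and all names are assumptions, and SHA-256 stands in for the thesis's MD5 service; the list itself is assumed to have been authenticated already.

```python
import hashlib
import hmac
from enum import Enum

class Verdict(Enum):
    TRUSTED = "trusted"
    HASH_MISMATCH = "hash mismatch"
    NOT_LISTED = "not listed"

def normalize(path: str) -> str:
    # Assumption: paths are matched case-insensitively with either separator,
    # as on a FAT system partition, so one image cannot have two spellings.
    return path.strip().replace("/", "\\").lower()

def parse_trust_list(text: str) -> dict:
    """Parse 'path|hex-digest' lines (assumed format); reject ambiguous input."""
    entries = {}
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        path, sep, digest = line.partition("|")
        if not sep:
            raise ValueError(f"line {n}: missing '|' separator")
        key, value = normalize(path), bytes.fromhex(digest.strip())
        if len(value) != hashlib.sha256().digest_size:
            raise ValueError(f"line {n}: digest has wrong length")
        if key in entries:
            raise ValueError(f"line {n}: duplicate entry for {key}")
        entries[key] = value
    return entries

def verify_image(trust_list: dict, path: str, image: bytes) -> Verdict:
    """Look up the legitimate hash by path, hash the image, compare."""
    expected = trust_list.get(normalize(path))
    if expected is None:
        return Verdict.NOT_LISTED  # fail closed: unlisted images are not loaded
    actual = hashlib.sha256(image).digest()
    if hmac.compare_digest(expected, actual):
        return Verdict.TRUSTED
    return Verdict.HASH_MISMATCH

# Constructed sample data: a stand-in image and a one-entry trust list.
SAMPLE_PATH = "\\EFI\\Drivers\\UsbKey.efi"
SAMPLE_IMAGE = b"MZ" + b"\x00" * 62 + b"constructed EFI image body"
SAMPLE_LIST = ("# constructed trust list\n" + SAMPLE_PATH + "|"
               + hashlib.sha256(SAMPLE_IMAGE).hexdigest() + "\n")

if __name__ == "__main__":
    trust = parse_trust_list(SAMPLE_LIST)
    print(verify_image(trust, SAMPLE_PATH, SAMPLE_IMAGE).value)
    print(verify_image(trust, SAMPLE_PATH, SAMPLE_IMAGE + b"\x90").value)
```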
Keywords/Search Tags: EFI, Trust transition, Hashing algorithm, MD5, USB Key, Digital signature