
Firmware File System-based Security Solution And Implementation For EFI System

Posted on: 2011-08-02
Degree: Master
Type: Thesis
Country: China
Candidate: H B Huang
Full Text: PDF
GTID: 2178360308953673
Subject: Integrated circuits
Abstract/Summary:
Compared with legacy BIOS, EFI (Extensible Firmware Interface) firmware has some significant advantages. EFI is written in C and supports modular development. It has its own EFI Driver Model, Firmware File System, and other advanced features. EFI is highly extensible: it can load EFI files from any storage device, such as a local hard disk, USB flash drive, CD-ROM, or even a remote network device. EFI therefore faces a serious challenge from the viruses and malware that already heavily threaten OS security. It can be predicted that EFI security will be a hot topic in the IT industry in the coming years.

Starting from the concept of trusted computing, this paper proposes an EFI trusted platform model. Based on the firmware file system, it describes a chain-of-trust solution for each stage of EFI boot. The key is integrity authentication and integrity measurement of EFI executable files. Integrity authentication means verifying the digital signature of a signed EFI file. Digital signatures prevent malware from modifying an EFI file with malicious intent, and in this way protect the security of the EFI system. Integrity measurement means hashing all EFI executable images and recording the results. The hash values are stored in the Platform Configuration Registers (PCRs) of the TPM chip. The value in a PCR is used for sealed storage, attestation, and reconstruction of the EFI boot flow.

Digital signatures and hash algorithms are based on cryptography. This paper examines cryptography in depth and proposes solutions for implementing it in EFI. Based on the EFI file format, it presents in detail how EFI digital signatures and hash algorithms are implemented. The implementation of this solution was validated successfully on the Intel BearLake platform. The solution, which establishes a chain of trust in the EFI pre-boot environment, is proven to be reasonable and correct.
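
The integrity-measurement step described in the abstract, as an added sketch that is not code from the thesis: each image is hashed, the digest is extended into a simulated PCR, and the event log is replayed to reconstruct the boot flow and locate a changed component. The SHA-1 PCR size, the component names and the image bytes are assumptions constructed for illustration.

```python
import hashlib

HASH = "sha1"  # assumption: 20-byte PCR bank; the abstract names no algorithm
PCR_SIZE = hashlib.new(HASH).digest_size

def measure(image: bytes) -> bytes:
    """Integrity measurement: digest of the EFI executable image."""
    return hashlib.new(HASH, image).digest()

def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM extend: new PCR = H(old PCR || digest). A PCR is never set directly."""
    return hashlib.new(HASH, pcr + digest).digest()

def boot(images):
    """Measure each image before it runs; return (final PCR, event log)."""
    pcr, log = bytes(PCR_SIZE), []
    for name, image in images:
        digest = measure(image)
        log.append((name, digest))
        pcr = extend(pcr, digest)
    return pcr, log

def replay(log):
    """Reconstruct the PCR value from an event log alone."""
    pcr = bytes(PCR_SIZE)
    for _name, digest in log:
        pcr = extend(pcr, digest)
    return pcr

def first_mismatch(log, golden_log):
    """Name of the first component whose measurement differs from the reference."""
    for (name, digest), (_ref_name, golden) in zip(log, golden_log):
        if digest != golden:
            return name
    return None

# Constructed sample images (placeholder bytes, not real EFI binaries)
GOOD = [("PeiCore", b"MZ pei core v1"), ("DxeCore", b"MZ dxe core v1"),
        ("BootLoader.efi", b"MZ loader v1")]
TAMPERED = [GOOD[0], ("DxeCore", b"MZ dxe core v1 + patch"), GOOD[2]]

if __name__ == "__main__":
    good_pcr, good_log = boot(GOOD)
    bad_pcr, bad_log = boot(TAMPERED)
    print("reference PCR:", good_pcr.hex())
    print("observed  PCR:", bad_pcr.hex())
    print("log replays to PCR:", replay(bad_log) == bad_pcr)
    print("first changed component:", first_mismatch(bad_log, good_log))
```

Because each extend folds the previous PCR value into the next hash, the final value depends on both the content and the order of every measured image, which is what makes it usable for sealing and attestation.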
Keywords/Search Tags: EFI, trusted computing, digital signature, hash algorithm