| Before the traditional computer operating system start-up, BIOS(Basic Input/output System) complete the control right of the hardware initialization work and thebooting of operating system. As the development of computer science and for theBIOS drawbacks, INTEL has developed a next-generation BIOS technology "EFI(Extensible Firmware Interface, Extensible Firmware Interface)”. UEFI BIOS is thelatest generation technology, which gives users the most intuitive graphical interfaceof two feelings and supports for mouse operation. But because the features of theloading mode of UEFI components, advanced language and software framework, suchas most of the programs are written in C language, it means that many people caneasily decipher UEFI, so we need more attention to its security. Security objectivesare: confidentiality, integrity, availability. General requirements are to preventmalicious code attacks and behavior, internal/external access control and dataprotection. Because of the uniqueness and its special position in the PC UEFIarchitecture makes unauthorized changes to the UEFI conducted by malware maycause a significant threat to your computer. Malicious UEFI changes may be part of asophisticated attack aimed at causing permanent denial of service or an ongoingmalware. UEFI content is not static, in order to solve the BUG, patches, support fornew hardware, and so on, we need to update the UEFI. Security problems occur, themalicious code may jeopardize UEFI and system security, so we need to develop Biosupdate security update process, and research methods according to specifications.Therefore, this article discusses security issues of UEFI update mechanism anddesign a set of basic protection process based on the characteristics of updatemechanism. I embed the authentication module into the UEFI drive, based on thecode in UEFI DXE phase, to verify the UEFI update, and then let the updatemechanism more secure. First, the article introduces the UEFI-related knowledge,especially UEFI update mechanism, and an analysis of the serious consequences thatoccur during updates and hackers exploit vulnerabilities caused. Then it givesadditional information and recommendations to achieve UEFI protection, clearlygives the specification security features. Secondly, according to the specification, we initially developed a simple process. This process can be roughly divided into threeparts, BIOS signature, BIOS validation, updating BIOS, but this paper mainly designand implementation the authentication phase, which occurs in the running UEFI DXEphase (expected to be in the drive to achieve its function in doing). They can enter thestage as long as the authenticated BIOS update. Encryption algorithms and specificsignature verification process also requires a combination of stages, steps andmethods should be corresponding. Authentication section requires being completed inDXE phase, but there are two methods of UFEI drive. One is directly embedded intothe code. The features are simple and practical, small footprint. The other is written inthe agreement, is characterized by a modular, reusable high easier for programmers toread. After comparing the two drive modes, I chose the latter module to writer and ithas perfect butt for front and back steps. It makes the whole process works well, andthe specific method for each step will be described in the text. |
PDF Full Text Request