The Research And Implementation Of UEFI BIOS Security Update Mechanism Based On Digital Signature

Modern computers rely on a basic system firmware, it is often referred as BasicInput Output System (BIOS).Its main role is to complete the hardware platforminitialization process and transmit the right of control to the operating system.Because of the uniqueness and its special position in the PC architecture, unauthorizedmodifications to BIOS through a malware might be cause a significant and seriousthreat to the computer. UEFI (Unified Extensible Firmware Interface) is thenext-generation BIOS (Basic Input/output System) technology dominated by Intel,which has become the de facto standard and specification to replace the legacy BIOS.Malicious code needs to be considered as a serious threat in the information securityfield and UEFI is also inevitably faced with this problem. The UEFI boot processfrom the boot of firmware until the load and start of operating system is the blankstage in which a traditional security system cannot protect the computer system.In order to ensure its own security of UEFI BIOS from a trusted source, it cangreatly reduce malicious software threats and the execution of BIOS code that istampered, according to the requirements of BIOS firmware security update andupgrade presented in this paper. These requirements apply to BIOS firmware imagewhich is stored in the Flash memory in the system, including the BIOS code,encryption keys and static data as part of BIOS updating trusted root that are alsostored in the BIOS flash memory chip. This paper mainly focus on research andanalysis of the security of the system BIOS image update and upgrade process, thenlearns well a new generation of BIOS architecture and development process based onUEFI specifications. In this paper, the research goal is to propose and design asecurity update mechanism of UEFI BIOS image in the BIOS Setup Utilityenvironment based on a digital signature method, because the signature andverification for a BIOS image can ensure the integrity and source credibility of imageand prevent the intrusion of malicious code. Then it complete a correspondingengineering implementation of UEFI BIOS image security update system based onRSA digital signature algorithm. The system has four parts project module, includinghuman-interface module, signature section, verification module and update module.Then the system is tested by experimental methods and functional verification. At last, this paper makes a number of programs to improve the security update mechanismand study how to extend it to the application on security update of a server’s BIOS.