The Research And Implementation Of UEFI Variable Check Based On EDK2

The UEFI specification defines the interface between the operating system and the platform firmware,and the PI specification establishes the internal architecture in firmware and interfaces between the hardware platform and firmware.Generally,UEFI BIOS is implemented based on the UEFI and PI specification and stored in a NOR Non-Volatile block storage device(for example,SPI FLASH).As a modern,feature-rich,cross-platform UEFI firmware development environment,EDK2 has been widely used in the industry.NV Variable region will occupy some blocks of NOR FLASH,it has limited storage size,but stores very important data that includes platform setup information,boot option settging,authenticated variable for secure boot,etc.UEFI Variable runtime services define the interface between components to access variable.Because NV Variable has non-volatility and UEFI Variable services are runtime available,NV Variable and NV Variable region with important information are easy to be attached by malicious programs,so the protection to NV Variable is very important.This thesis analyzes the existing Variable protection and recovery mechanisms-Variable Lock and the platform setup Variable default value recovery,and the security of Variable interfaces.The existing mechanisms could not be used in many cases of the various malicious attacks,so we need to introduce a new protection and recovery mechanism-UEFI Variable Check based on EDK2 to better protect NV Variable and NV Variable region.This thesis researches and impements a new protection and recovery mechanism-UEFI Variable Check.The mechanism makes use of UEFI and PI specification defined various Variable services and interfaces and the property of Variable region and Variable itself,learns the disk space quota management of modern operating system,and implements Variable Check library and Variable Check protocol.Through the property check,data size check,grammar check,semantic check,quota management,error logging and recovery,the mechanism can ensure the legality of variable attributes,data and data size from SetVariable interface in UEFI variable runtime services,thus better protect NV Variable and NV Variable region.The verification test result through NT32 reflects the new protection and recovery mechanism-UEFI Variable Check could well defense the attacks from malicious programs.