Part 1: Overview

Chapter 1: Introduction Security

Threat Model

Design

Validation

Chapter 2: Introduction Host Firmware

Industry Standard

Boot Flow / Phase hand-off

Minimal Firmware Requirement

Hardware ROT

CPU/silicon init

PCI resource allocation.

Jump to OS.

Runtime Interface (SMM, UEFI Runtime, ASL)

General Principle -  Protect / Detect / Recovery

Part 2: Boot Security

Chapter 3: Firmware Resilience - Protection

Flash Lock

Flash Wear out

Capsule Flow (*)

Signed Update

Chapter 4: Firmware Resilience - Detection

Boot Flow (*)

Intel Boot Guard

OBB Verification

UEFI Secure Boot

Local

Remote

TXT- SX

(coreboot)

Chapter 5: Firmware Resilience – Recovery

Recovery Flow (*)

Signed Recovery

Top Swap

Rollback, SVNs

Chapter 6: OS/Loader Resilience

Platform Recovery

OS Recovery

(Android Verified Boot)

Chapter 7: Trusted Boot

Measured Boot Flow (*)

SRTM (Boot Guard)

DRTM (TXT)

TPM1.2/2.0

Physical Presence

MOR / Secure MOR

Chapter 8: Authentication

User Authentication

HDD Password

OPAL Password

Chapter 9: S3 resume

S3 resume flow (*)

LockBox

Chapter 10: Device Security

PCI Bus (*)

DMA protection

Device Measurement

Device Authentication

Device firmware update

Chapter 11: Silicon Security Configuration

Flash SPI lock

SMM Lock

BAR Lock

Chapter: Supply Chain (Vincent)

OEM/ODM/BIOS vendor/IHV

Open source

Fingerprinting

Manufacturing flow to shipment

Part 3: Data Security

Chapter 12: UEFI Kernel

DXE/PEI Core (*)

Heap Guard

Stack Guard

NX protection

Enclave

SMM Core (*)

SMM Communication (*)

StandaloneMM (*)

MMIO Protection

Secure SMM Communication

Intel Runtime Resilience

STM (SMI Transfer Monitor)

Chapter: UEFI Variable (Vincent)

Authentication

Variable Lock

Variable Check

Variable Quota Management

Confidentiality

Integrity and Rollback

TPM Binding

RPMB

RPMC

Part 4: Miscellaneous

Chapter 14: General Coding Practice

Buffer Overflow

Banned API

Integer Overflow

SafeInt lib

Chapter: Cryptograph (Vincent)

Hash usage in firmware

Encryption usage in firmware

Signing & verification usage in firmware

Chapter 15: Compiler Defensive Technology

Stack Cookie

Non-Executable

Address Space Randomization

Control Flow Integrity (CFI) / Control Flow Enforcement (CET)

Runtime Check (stack/un-initialized data/integer overflow)

Chapter: Race Condition (Vincent)

BSP/AP handling in UEFI

BSP/AP handling in SMM

TOC/TOU

Chapter 16: Information Leak

Side Channel

MDS

SMM

C Language

Rust Language

Part: Security Test

Chapter 18: HBFA

Hardware Emulation

Security Unit Test

Fuzzing (AFL)

Static analysis

Chapter 19: chipsec

Configuration Check

SMI Fuzzing

Variable fuzzing

Whitelisting/Blacklisting

Part 5: Other

Chapter 20: Conclusion

Part 6: Appendices

Secure coding checklist

Secure review checklist

API summary

Part 7: References

Jiewen Yao is a principal engineer in the Intel Architecture, Graphics, and Software Group. He has been engaged as a firmware developer for over 15 years. He is a member of the UEFI Security sub team, and the TCG PC Client sub working group. He has presented at industry events such as the Intel Developer Forum, UEFI Plugfest, and RSA conference. He worked with co-author Vincent Zimmer to publish 30 “A Tour Beyond BIOS” technical papers for tianocore.org and firmware.intel.com. He holds 40 US patents.

Vincent Zimmer is a senior principal engineer in the Intel Architecture, Graphics, and Software Group. He has been engaged as a firmware developer for over 25 years and leads the UEFI Security sub team. He has presented at industry events such as the Open Source Firmware Conference, Linux Fest Northwest, Intel Developer Forum, UEFI Plugfest, Open Compute Project Summit, BlackHat Las Vegas, BSides Seattle, Toorcon, and Cansecwest. In addition to collaborating with Jiewen Yao on many white papers, he has co-authored several books on firmware, papers, and over 400 issued US patents.

Use this book to build secure firmware.