presented by Deploying Secure Boot: Key Creation and Management UEFI Summer Summit – July 16-20, 2012 Presented by Arie van der Hoeven (Microsoft Corporation) Updated 2011-06-01 UEFI Summer Summit – July 2012 www.uefi.
Agenda • • • • • Introduction Secure Boot Basics Secure Boot Keys Key Deployment Key Creation and Management • Checklist UEFI Summer Summit – July 2012 www.uefi.
Introduction • Today partners are testing Secure Boot using WHCK tools and Microsoft provided certificates – But passing Windows requirements is just a start • OEMs and ODMs need to have a plan for securely creating and managing their own keys – Customers will increasingly ask about this – What is your story? • Reputations are on the line UEFI Summer Summit – July 2012 www.uefi.
Trusted Boot Architecture Secure Boot prevents malicious Boot code and OS loader UEFI Boot 1 2 BitLocker Unlocks Disk if TPM and Secure Boot Integrity in place Boot Policy Measurements of components including AM software are stored in the TPM Bootmgfw.
UEFI Secure Boot Keys • Platform Key (PK) – One only – Allows modification of KEK database • Key Exchange Key (KEK) – Can be multiple – Allows modification of db and dbx • Authorized Database (db) – CA, Key, or image hash to allow • Forbidden Database (dbx) – CA, Key, or image hash to block UEFI Summer Summit – July 2012 www.uefi.
Keys Required for Secure Boot Key/db Name Variable Owner Details PKpub PK OEM PK – 1 only.
Optional Keys for Secure Boot (non WinRT only) Recommended for non WinRT Systems Key/db Name Variable Owner Notes Microsoft UEFI driver signing CA db Microsoft signer for 3’rd party UEFI binaries via DevCenter program Microsoft Optional for Customization Key/db Name Variable Owner Notes OEM or 3’rd party KEKpub KEK OEM/3rd party Allows db/dbx updates e.g.
Key Deployment Process Create Platform Key (PK) and Secure FW Update Key Create PK Backup (Recommended) Add KEK (w/db, dbx)and sign with PKpri Protect PKpri and Secure Update (pri) Enroll PKpub Add Secure Update Key (pub) Ensure Network and Physical Security Manage and refine security practices UEFI Summer Summit – July 2012 www.uefi.
Hardware Security Modules • Microsoft strongly recommends using a Hardware Security Module (HSM) for key creation • Most HSMs have Federal Information Processing Standard (FIPS) Publication 140-2 level 3 compliance – Requires that keys are not exported or imported from the HSM.
Other Key Creation Options • Trusted Platform Modules (TPM) or Smart Cards – Crypto processors slow for manufacturing environment – Not suitable for storing large number of keys – May not be compliant to FIPS 140-2 level 3 • Software / Crypto API generated keys – Can use encrypted drives, VMs and other security options – Not as secure as using an HSM • Makecert – Intended for testing purposes only – Discouraged by Microsoft UEFI Summer Summit – July 2012 www.uefi.
Checklist Define your security strategy Identify roles Procure server and hardware for key management • Recommended solution – network or standalone HSM • Consider whether you will need one or several HSM’s for high availability and also your key back up strategy Set policy for how frequently will you be rekeying keys Have a contingency plan for Secure Boot Key compromise Identify how many PK and other keys will you be generating Use HSM to pre-generate secure boot related keys and certifica
Resources • Microsoft Connect http://connect.microsoft.com/ • MSDN: http://msdn.microsoft.com/ – Search on keyword “Secure Boot” • http://www.microsoft.com/security • UEFI 2.3.1. Specification errata C: http://www.uefi.org/ • Trusted Computing Group: http://www.trustedcomputinggroup.org/ • Tianocore: http://www.tianocore.sourceforge.net • UEFI and Windows: http://msdn.microsoft.com/enus/windows/hardware/gg463149 • Beyond BIOS: http://www.intel.com/intelpress/sum_efi.
Thanks for attending the UEFI Summer Summit 2012 For more information on the Unified EFI Forum and UEFI Specifications, visit http://www.uefi.org presented by UEFI Summer Summit – July 2012 www.uefi.