Name: Implementing and Using the UEFI Key Management Service (KMS)
Start: 2020-09-17T15:00:00Z
End: 2020-09-17T15:00:38.000Z
Location: BrightTALK
Rating: 5

Through a collaborative approach with world-class companies, institutions and experts, the UEFI Forum advances innovation in firmware technology standards. These extensible, globally-adopted UEFI specifications bring new functionality and enhanced security to the evolution of devices, firmware and operating systems.

Independent Firmware Vendors (IFVs), OEMs and ODMs, Independent Hardware Vendors (IHVs), Silicon Providers and Open-Source Software providers (OSS) develop code that is part of the complex supply-chain for UEFI platform firmware. Their code enables modern computing platforms, from IoT devices to mobile devices, personal computing systems, servers and massive cloud infrastructure systems. The firmware that enables these devices must be as secure as we can make it, as it provides the foundation that end-user applications depend on.
This webinar will discuss the application of ‘Secure by Design’ techniques and ‘Zero Trust Architectures’ to platform firmware.
• Governments around the world are mandating these principles to be used in the development of software and firmware for critical systems.
• We will discuss what this means for developers of UEFI firmware. Including, policies and practices to be implemented, actions to be taken, and what zero-trust should mean to you.

Secure by Design and Zero-Trust Architectures for Firmware

Firmware as a Service (FaaS) represents an industry-wide philosophy that directs BIOS designers to consider offering customer firmware-level functionalities from a service standpoint. In the actual design process of BIOS, the FaaS service should exhibit sufficient flexibility and be pluggable, meaning it can be customized and integrated into the user's motherboard when required, and can be conveniently updated. The FaaS design empowers users with greater initiative, enabling them to effortlessly acquire and upgrade the firmware features they genuinely require. Moreover, it enhances the security and flexibility in the design of the system BIOS.

In this webinar, the audience will learn about the FaaS concept that encourages BIOS designers to offer firmware-level functionalities as a service. They will also learn about the requirements and the technical solution for FaaS in the actual BIOS design, specifically its flexibility and pluggability. Attendees will also learn about FaaS features designed using UEFI EDK libraries, including features such as https boot, capsule update, and more. This session will also include a live demonstration of industry common use cases.

Firmware as a Service: Enhancing BIOS Security and Flexibility

This presentation will introduce the EDK2-test and UEFI-SCT suite, including an overview of new features and coverages developed through the open-source community contributions and its impact on the ecosystem. We will discuss Arm’s support in filling gaps in UEFI-SCT upstream and focus on areas like new test coverages in TCG2 Base Protocol tests, TCG2 MOR, secure boot testing, improvements in documentation and critical bug fixes and improvements. We will briefly touch upon the technical coverage areas of these new tests and their gains. 

The presentation will give insights of Arm’s leveraging of UEFI-SCT as a tool in their compliance program and how the requirements in Arm firmware specifications of Base Boot Requirements (BBR) and Base Boot Security (BBSR) have in turn fueled the contributions to new tests and improvements in the UEFI-SCT.

Attendees will learn about the future roadmap of UEFI-SCT, gaps in coverage with respect to the latest UEFI specifications, scope for new coverage and proposed improvements in development process through GitHub and CI, conversion of the SCT case specifications to Markdown for better developer engagement and more. We will briefly introduce the EDK2-test community meetings and call for community contributions and help in maintaining the SCT.

EDK2-Test: New Test Coverages and Future Roadmap

Software Engineering Institute's CERT Coordination Center (CERT/CC) has been coordinating vulnerabilities in software since 1988 connecting security researchers and vendors towards a more Coordinated Vulnerability Disclosure (CVD) process. CERT/CC has recently been focused on handling "Systemic Vulnerabilities", under which UEFI was identified as a specific Firmware concern. UEFI vulnerabilities are critical due to their location at the intersection of hardware and software, making them fit a Systemic Vulnerability class.  This talk provides an inside look at how the CERT/CC is attempting to approach the coordination of UEFI vulnerabilities and help the ecosystem.

We will discuss the technical challenges of identifying these vulnerabilities, the complexities of coordinating with affected vendors, and the strategies used to communicate risks to the public. Through real-world examples, we’ll illustrate the importance of collaboration in addressing these issues and share insights on how various stakeholders can help us achieve this.

Attendees will hopefully learn about the role of CERT/CC in helping organizations and provide practical steps when coordinating UEFI vulnerabilities. The aim is to assist very small to large organizations so they can benefit from our work at CERT/CC to bring transparency and CVD maturity to UEFI ecosystem.

Coordinating UEFI Vulnerabilities as CERT/CC

Recent government and industry activity allows users to know what software what software is used to create and deploy firmware. Software Bills of Materials (SBOM) allow users to see what components were used to create a firmware image, how they are licensed, and which security issues might affect them. 

This session highlights UEFI, open-source and industry efforts to integrate and validate SBOMs in each stage of the firmware development process as well as where more work is still needed. The presenter will explore how to use SBOM tools and explain how SBOM affects the supply chain, including OEMs, ODMs and Enterprise customers. Finally, the session will cover some major uses of SBOM, such as licensing and security.

UEFI Unveiled: Ensuring Transparency in Your Firmware

Adding new features into UEFI-based platform firmware commonly has challenges due to storage space constraints. Wireless Drivers, which are typically large compared to other UEFI Drivers, have additional challenges due to variants of a particular platform having different chipsets but common BIOS. 

The session will discuss the solutions that were implemented in Dell BIOS to overcome the challenges and the benefits of integrating the wireless drivers like Firmware-Over-The-Air (FOTA) and OS Recovery.

Challenges and Benefits of Integrating Wireless Drivers in UEFI Firmware

The EDK2Code Extension is a Visual Studio Code (VSCODE) extension for EDK2 developers missing Integrated Development Environment (IDE)-like features that are present for other popular development frameworks. The extension reads the compiled information or DSC files to provide full context of what has been integrated into the build process. With this information the extension provides the user with a new set of VSCODE commands to navigate through the source code. Some examples of commands are Goto Library definition, Goto INF file, Goto Library implementation, etc. The Extension also provides context and syntax support for EDK2 files and ACPI files. The EDK2Code Extension has been released as an open-source project and is available through the VSCODE marketplace. 

This webinar will discuss the EDK2Code Extension, including its main commands and functionalities. A demo will also be shown during this presentation to walk through the extension’s capabilities.

EDK2Code: VSCODE Extension for EDK2

In this presentation, speakers will cover Universal Scalable Firmware (USF), including security aspects. This talk will focus on the security and trust elements of USF and relation to others, including those in the UEFI Forum including ACPI, UEFI and PI. Additionally, this talk will cover key USF security topics like post quantum crypto and its impact on the firmware & UEFI, as well as OpenSSL and cryptographic libraries needed to build UEFI features.

Universal Scalable Firmware: Evolutionary Aspects of Security

When the UEFI specification was originally developed, it targeted traditional platforms (servers, desktops, and laptops) using general purpose operating systems. As migration to new platform types has occurred, firmware developers for emerging platform types have pointed out that some UEFI standard required interfaces may not be needed by some platform types. Implementing these unused interfaces and their supporting code can be an unnecessary burden to smaller and constrained devices such as those for the IoT, embedded, automotive and other markets. 

In this webinar, we will discuss the history behind the UEFI specifications and the rationale and benefits of adding in the new Conformance Profiles capability. We will explain how developers can leverage the Conformance Profile Table in the UEFI specification and review real world use cases

UEFI Conformance Profiles: Enabling “Reduced Model” Implementations

Traditionally, capturing a Software Bill of Materials (SBOM) for UEFI firmware has been seen as challenging. Some technical challenges include immutable blobs in the image (e.g., Intel FSP and CPU microcode). Other roadblocks are due to a process where IHVs contribute binary DXE objects to the ODM. Finally, some challenges are due to commercial issues where code might be licensed from the IBV but modified by the ODM. 

This talk will focus on the following topics:

- How to include accurate SBOM metadata that is compliant with NTIA’s The Minimum Elements For a Software Bill of Materials (SBOM) guidelines in a UEFI firmware project?
- What edge conditions and use cases need to be considered when implementing SBOM?
- What approaches can enable extracting and consuming SBOM data from one supply chain partner to another?

The talk plans to address several industry-wide items necessary for a broader adoption of SBOM in the firmware ecosystem.

UEFI Support for Software Bill of Materials (SBOM)

EDK2 has accepted a port of Python 3.6.8 that can be used in the UEFI Shell. Chipsec has adopted it and it can now be used to run Chipsec's suite of tests against the platform. This presentation will show some of the changes that had to be made to the EDK2 version of the python interpreter that were necessary to run Chipsec then we will give a brief overview of the Chipsec framework, some of its capabilities and why it's useful to everyone including but not limited to: IBVs, OEMs.

Using Python 3 in the UEFI Shell for Platform Security Analysis

The process of addressing a firmware security issue can be long and complex. This webinar will provide recommendations for moving security updates into the field fast and addresses in detail the release process of typical firmware security fixes, starting from the initial disclosure from third parties to the processes of addressing the issues with the affected firmware and impacted ODM & OEM teams, all the way to public disclosure. Also addressed is the firmware supply chain’s impact on firmware patch cycles and how different approaches to these cycles can leave devices vulnerable.

Tackling Security Through the Supply Chain

Today, firmware attacks are on the rise. A platform may have different firmware coming from multiple vendors. It is important to know the original source of these firmware components. Trusted Computer Group (TCG) published a set of specifications on reference integrity manifest (RIM) information models and firmware integrity measurement (FIM) to enable compliance with NIST SP 800-155 BIOS Integrity Measurements. 

In this presentation, the speakers will introduce the work to measure firmware at the component level and later use that as evidence for a traceable firmware Bill of Materials (BOM) for verification. This webinar will introduce two examples. The first example is how we provide Intel firmware support package (FSP) component measurement to help trace the Intel Firmware Support Package (FSP) binary. The second example is how we use Secure Protocol and Data Model (SPDM) protocol to communicate and record the device firmware measurement to trace the device firmware.

Traceable Firmware Bill of Materials Overview

For debugging UEFI, print statements (“printf”) are often an engineer’s most powerful tool: some bugs are caused by complex sequences of events that are too long and intricate to root-cause using just breakpoints and watch windows. But printf has some drawbacks: its processing code can run hundreds of instructions in the target code being debugged, and this execution time added to the backpressure caused by transports such as serial console output can cause the performance of the boot code to slow significantly. This can mask timing-dependent bugs that are often the most intermittent or seemingly random. An at-speed version of print statements, enabled by the Intel Trace Hub, provides all the benefits of printf without the performance impact.

This webinar will provide advanced examples on the use of at-speed printf in conjunction with other debugging and trace tools to triage intermittent bugs on Intel platforms.

Recording Note: Please update your BrightTALK settings to 1080p for the best experience in viewing the video demo.

Beyond Printf – Real-Time UEFI Debugging

In order to resist the threat from quantum computers, National Institute of Standard and Technology (NIST) started the Post-Quantum Cryptography (PQC) project in 2016 and tried to define a set of new standard - quantum-resistant public-key cryptographic algorithms. The industry is evaluating the impact of adoption of these post quantum cryptography algorithms, such as network transport layer security (TLS) protocol. The UEFI BIOS includes a set of security feature that requires the cryptography, such as secured boot, capsule update, secure recovery, HTTPS boot, measured boot, etc. 

In this webinar, the speakers will introduce the impact of the PQC to the UEFI BIOS and the prototype work to adopt the PQC in the firmware area.

The Impact of Post Quantum Cryptography on UEFI BIOS

ACPI has been adopted by 64-bit Arm platforms in the server, edge and even client space. While standardization afforded by abstracting the hardware via ACPI and unification with the x86 ecosystem is positive, there are some obstacles with ACPI. Challenges stem from the size of the specification, heft and requirements on the OS supporting code and limitations of the bytecode itself that may preclude ACPI adoption in the embedded, IoT or safety-critical system space.  

This talk explores some strategies and approaches in defining a lighter-weight subset of ACPI. The end goal is to support more variance in hardware using less code, less overhead and less engineering time. The goal of the session is not to push a specific proposal, but to get the conversation started to help chart ACPI's future.

ACPI-Lite: Exploring a Simplified Mechanism for Abstracting Platforms with ACPI

The presentation is inspired by the two new event groups introduced in UEFI 2.9 specification. It showcases the entire family of the UEFI and PI architectural events highlighting applicability and use cases of each event group. It also discusses best practices, do’s and don’ts and corner cases of event handler construction.

Understanding UEFI and PI Architectural Events

UEFI Secure Boot helps provide an effective defense against boot malware, but following today’s best practices in its implementation, deployment and configurability can help its increase its effectiveness against increasingly sophisticated exploits. This webinar will address how the latest recommendations for UEFI firmware from national security organizations can be leveraged to design secure devices that are able to meet stringent national security standards.

Best Practices for UEFI Secure Boot Customization

The UEFI specification has had the Key Management Service (KMS) protocol definition since version 2.3.1 and provides services to generate, store, retrieve, and manage cryptographic keys. As normal, the specification provides just the definition for the service and the underlying implementation can vary. There are several implementation options to implement the KMS protocol. A simple implementation is to build it on top of something already in the system such as a TPM. The most practical implementation requires interfacing with a Key Management Interoperability Protocol (KMIP) Server over a secure network connection. This presentation will cover the high-level interactions between a UEFI firmware and a KMIP server to implement the UEFI KMS protocol and several real use cases of the KMS protocol in modern systems.

Implementing and Using the UEFI Key Management Service (KMS)

UEFI

Firmware

Key Management

The IT security community on BrightTALK is composed of more than 200,000 IT security professionals trading relevant information on software assurance, network security and mobile security. Join the conversation by watching on-demand and live information security webinars and asking questions of experts and industry leaders.

IT Security

The data center management community focuses on the holistic management and optimization of the data center. From technologies such as virtualization and cloud computing to data center design, colocation, energy efficiency and monitoring, the BrightTALK data center management community provides the most up-to-date and engaging content from industry experts to better your infrastructure and operations. Engage with a community of your peers and industry experts by asking questions, rating presentations and participating in polls during webinars, all while you gain insight that will help you transform your infrastructure into a next generation data center.

Data Center Management

Join thousands of engaged IT professionals in the application management community on BrightTALK. Interact with your peers in relevant webinars and videos on the latest trends and best practices for application lifecycle management, application performance management and application development.

Application Management

Network infrastructure professionals understand that a reliable and secure infrastructure is crucial to enabling business execution. Join the network infrastructure community to interact with thousands of IT professionals. Browse hundreds of on-demand and live webinars and videos to learn about the latest trends in network computing, SDN, WAN optimization and more.

Network Infrastructure

As an IT professional, many of the problems you face are multifaceted, complex and don’t lend themselves to simple solutions. The information technology community features useful and free information technology resources. Join to browse thousands of videos and webinars on ITIL best practices, IT security strategy and more presented by leading CTOs, CIOs and other technology experts.

Implementing and Using the UEFI Key Management Service (KMS)

Presented by

About this talk

UEFI Forum