Name: Implementing and Using the UEFI Key Management Service (KMS)
Start: 2020-09-17T15:00:00Z
End: 2020-09-17T15:00:38.000Z
Location: BrightTALK
Rating: 5

Through a collaborative approach with world-class companies, institutions and experts, the UEFI Forum advances innovation in firmware technology standards. These extensible, globally-adopted UEFI specifications bring new functionality and enhanced security to the evolution of devices, firmware and operating systems.

Adding new features into UEFI-based platform firmware commonly has challenges due to storage space constraints. Wireless Drivers, which are typically large compared to other UEFI Drivers, have additional challenges due to variants of a particular platform having different chipsets but common BIOS. 

The session will discuss the solutions that were implemented in Dell BIOS to overcome the challenges and the benefits of integrating the wireless drivers like Firmware-Over-The-Air (FOTA) and OS Recovery.

Challenges and Benefits of Integrating Wireless Drivers in UEFI Firmware

The EDK2Code Extension is a Visual Studio Code (VSCODE) extension for EDK2 developers missing Integrated Development Environment (IDE)-like features that are present for other popular development frameworks. The extension reads the compiled information or DSC files to provide full context of what has been integrated into the build process. With this information the extension provides the user with a new set of VSCODE commands to navigate through the source code. Some examples of commands are Goto Library definition, Goto INF file, Goto Library implementation, etc. The Extension also provides context and syntax support for EDK2 files and ACPI files. The EDK2Code Extension has been released as an open-source project and is available through the VSCODE marketplace. 

This webinar will discuss the EDK2Code Extension, including its main commands and functionalities. A demo will also be shown during this presentation to walk through the extension’s capabilities.

EDK2Code: VSCODE Extension for EDK2

In this presentation, speakers will cover Universal Scalable Firmware (USF), including security aspects. This talk will focus on the security and trust elements of USF and relation to others, including those in the UEFI Forum including ACPI, UEFI and PI. Additionally, this talk will cover key USF security topics like post quantum crypto and its impact on the firmware & UEFI, as well as OpenSSL and cryptographic libraries needed to build UEFI features.

Universal Scalable Firmware: Evolutionary Aspects of Security

When the UEFI specification was originally developed, it targeted traditional platforms (servers, desktops, and laptops) using general purpose operating systems. As migration to new platform types has occurred, firmware developers for emerging platform types have pointed out that some UEFI standard required interfaces may not be needed by some platform types. Implementing these unused interfaces and their supporting code can be an unnecessary burden to smaller and constrained devices such as those for the IoT, embedded, automotive and other markets. 

In this webinar, we will discuss the history behind the UEFI specifications and the rationale and benefits of adding in the new Conformance Profiles capability. We will explain how developers can leverage the Conformance Profile Table in the UEFI specification and review real world use cases

UEFI Conformance Profiles: Enabling “Reduced Model” Implementations

Traditionally, capturing a Software Bill of Materials (SBOM) for UEFI firmware has been seen as challenging. Some technical challenges include immutable blobs in the image (e.g., Intel FSP and CPU microcode). Other roadblocks are due to a process where IHVs contribute binary DXE objects to the ODM. Finally, some challenges are due to commercial issues where code might be licensed from the IBV but modified by the ODM. 

This talk will focus on the following topics:

- How to include accurate SBOM metadata that is compliant with NTIA’s The Minimum Elements For a Software Bill of Materials (SBOM) guidelines in a UEFI firmware project?
- What edge conditions and use cases need to be considered when implementing SBOM?
- What approaches can enable extracting and consuming SBOM data from one supply chain partner to another?

The talk plans to address several industry-wide items necessary for a broader adoption of SBOM in the firmware ecosystem.

UEFI Support for Software Bill of Materials (SBOM)

EDK2 has accepted a port of Python 3.6.8 that can be used in the UEFI Shell. Chipsec has adopted it and it can now be used to run Chipsec's suite of tests against the platform. This presentation will show some of the changes that had to be made to the EDK2 version of the python interpreter that were necessary to run Chipsec then we will give a brief overview of the Chipsec framework, some of its capabilities and why it's useful to everyone including but not limited to: IBVs, OEMs.

Using Python 3 in the UEFI Shell for Platform Security Analysis

The process of addressing a firmware security issue can be long and complex. This webinar will provide recommendations for moving security updates into the field fast and addresses in detail the release process of typical firmware security fixes, starting from the initial disclosure from third parties to the processes of addressing the issues with the affected firmware and impacted ODM & OEM teams, all the way to public disclosure. Also addressed is the firmware supply chain’s impact on firmware patch cycles and how different approaches to these cycles can leave devices vulnerable.

Tackling Security Through the Supply Chain

Today, firmware attacks are on the rise. A platform may have different firmware coming from multiple vendors. It is important to know the original source of these firmware components. Trusted Computer Group (TCG) published a set of specifications on reference integrity manifest (RIM) information models and firmware integrity measurement (FIM) to enable compliance with NIST SP 800-155 BIOS Integrity Measurements. 

In this presentation, the speakers will introduce the work to measure firmware at the component level and later use that as evidence for a traceable firmware Bill of Materials (BOM) for verification. This webinar will introduce two examples. The first example is how we provide Intel firmware support package (FSP) component measurement to help trace the Intel Firmware Support Package (FSP) binary. The second example is how we use Secure Protocol and Data Model (SPDM) protocol to communicate and record the device firmware measurement to trace the device firmware.

Traceable Firmware Bill of Materials Overview

For debugging UEFI, print statements (“printf”) are often an engineer’s most powerful tool: some bugs are caused by complex sequences of events that are too long and intricate to root-cause using just breakpoints and watch windows. But printf has some drawbacks: its processing code can run hundreds of instructions in the target code being debugged, and this execution time added to the backpressure caused by transports such as serial console output can cause the performance of the boot code to slow significantly. This can mask timing-dependent bugs that are often the most intermittent or seemingly random. An at-speed version of print statements, enabled by the Intel Trace Hub, provides all the benefits of printf without the performance impact.

This webinar will provide advanced examples on the use of at-speed printf in conjunction with other debugging and trace tools to triage intermittent bugs on Intel platforms.

Recording Note: Please update your BrightTALK settings to 1080p for the best experience in viewing the video demo.

Beyond Printf – Real-Time UEFI Debugging

In order to resist the threat from quantum computers, National Institute of Standard and Technology (NIST) started the Post-Quantum Cryptography (PQC) project in 2016 and tried to define a set of new standard - quantum-resistant public-key cryptographic algorithms. The industry is evaluating the impact of adoption of these post quantum cryptography algorithms, such as network transport layer security (TLS) protocol. The UEFI BIOS includes a set of security feature that requires the cryptography, such as secured boot, capsule update, secure recovery, HTTPS boot, measured boot, etc. 

In this webinar, the speakers will introduce the impact of the PQC to the UEFI BIOS and the prototype work to adopt the PQC in the firmware area.

The Impact of Post Quantum Cryptography on UEFI BIOS

ACPI has been adopted by 64-bit Arm platforms in the server, edge and even client space. While standardization afforded by abstracting the hardware via ACPI and unification with the x86 ecosystem is positive, there are some obstacles with ACPI. Challenges stem from the size of the specification, heft and requirements on the OS supporting code and limitations of the bytecode itself that may preclude ACPI adoption in the embedded, IoT or safety-critical system space.  

This talk explores some strategies and approaches in defining a lighter-weight subset of ACPI. The end goal is to support more variance in hardware using less code, less overhead and less engineering time. The goal of the session is not to push a specific proposal, but to get the conversation started to help chart ACPI's future.

ACPI-Lite: Exploring a Simplified Mechanism for Abstracting Platforms with ACPI

The presentation is inspired by the two new event groups introduced in UEFI 2.9 specification. It showcases the entire family of the UEFI and PI architectural events highlighting applicability and use cases of each event group. It also discusses best practices, do’s and don’ts and corner cases of event handler construction.

Understanding UEFI and PI Architectural Events

UEFI Secure Boot helps provide an effective defense against boot malware, but following today’s best practices in its implementation, deployment and configurability can help its increase its effectiveness against increasingly sophisticated exploits. This webinar will address how the latest recommendations for UEFI firmware from national security organizations can be leveraged to design secure devices that are able to meet stringent national security standards.

Best Practices for UEFI Secure Boot Customization

Compute Express Link (CXL) is an open industry standard interconnect offering high-bandwidth, low latency connectivity between host processor and devices such as accelerators, memory buffers, and smart I/O devices. CXL 1.1 debuted in August 2019. Building on the industry success and acceptance of CXL as evidenced by the 130+ member companies with active participation, CXL Consortium announced the availability of CXL 2.0 in Nov. 2020. CXL 2.0 enables additional usage models while maintaining full backward compatibility with CXL 1.1. 

CXL 2.0 enhances the CXL specification in many areas: CXL Switch, persistent memory, standardized Memory Device interface, Hot-plug and link security. In this presentation, we will go over each of these areas and their implications to ACPI and UEFI interfaces as well as the UEFI Firmware Layer.

Compute Express Link 2.0 Update

Architectural Event Trace (AET) is a technology on modern Intel silicon that enables processors to provide real-time event trace information. AET differs from code execution trace, which is concerned with the path a processor takes through code; AET traces interactions between individual processors in a system and other processors, the BIOS, OS, device drivers, and external peripherals. Events such as hardware interrupts, exceptions, MSR reads/writes and many others can easily be traced with modern debuggers. And especially when used in conjunction with code execution trace, AET provides additional insight into the root causes of hardware, firmware and software issues.

This webinar will provide advanced examples on the utility of AET and other debug and trace logic on Intel platforms.

UEFI Debug with Intel Architectural Event Trace

Arm SystemReady is a new program bringing a level of consistency across a broad range of Arm-based devices in the cloud, in the network and in high-performance IoT (HPIoT) endpoints. It includes new set of standards and a compliance certification program, with the goal of ensuring that Arm systems "Just Work" with standard off-the-shelf operating systems and hypervisors. The program is based on a set of minimum hardware and firmware requirements. Firmware standards such as UEFI, ACPI, and SMBIOS are key elements in these requirements. This talk introduces the Arm SystemReady program, the Base Boot Requirements (BBR) and the Base Boot Security Requirements (BBSR) firmware specifications. The session show-cases enablement efforts for devices under this program, using open source firmware projects such as TianoCore and U-Boot. It also highlights open source firmware test suites used in SystemReady certification.

Arm SystemReady and the UEFI Firmware Ecosystem

Intel® Trust Domain Extensions (Intel® TDX) introduce architectural elements to help deploy hardware-isolated, virtual machines (VMs) called trust domains (TDs). Intel TDX is designed to isolate VMs from the virtual-machine manager (VMM)/hypervisor and any other non-TD software on the platform to protect TDs from a broad range of software. 

This presentation introduces the architecture for TDX Virtual Firmware (TDVF), and the firmware reference implementation available in open source. The talk covers how TDVF runs from the TD reset vector, records runtime measurements, manages private memory, interacts with the Intel TDX module in Secure Arbitration Mode (SEAM), and loads the operating system (OS).

Virtual Firmware for Intel Trust Domain Extensions

In 2011, the USG National Institute of Standards and Technology (NIST) published a draft of “BIOS Integrity Measurement Guidelines” (NIST Special Publication 800-155). For various reasons, these guidelines have not been widely accepted or implemented. Last year, NIST entered a collaboration with the Trusted Computing Group (TCG) to develop specifications that could be industry accepted and TCG has started publishing drafts of these specifications. This presentation will update the UEFI Forum membership on the status of this collaboration and how it will likely affect platform firmware.

Firmware Integrity Measurements and Attestation

The UEFI specification has had the Key Management Service (KMS) protocol definition since version 2.3.1 and provides services to generate, store, retrieve, and manage cryptographic keys. As normal, the specification provides just the definition for the service and the underlying implementation can vary. There are several implementation options to implement the KMS protocol. A simple implementation is to build it on top of something already in the system such as a TPM. The most practical implementation requires interfacing with a Key Management Interoperability Protocol (KMIP) Server over a secure network connection. This presentation will cover the high-level interactions between a UEFI firmware and a KMIP server to implement the UEFI KMS protocol and several real use cases of the KMS protocol in modern systems.

Implementing and Using the UEFI Key Management Service (KMS)

UEFI

Firmware

Key Management

The IT security community on BrightTALK is composed of more than 200,000 IT security professionals trading relevant information on software assurance, network security and mobile security. Join the conversation by watching on-demand and live information security webinars and asking questions of experts and industry leaders.

IT Security

The data center management community focuses on the holistic management and optimization of the data center. From technologies such as virtualization and cloud computing to data center design, colocation, energy efficiency and monitoring, the BrightTALK data center management community provides the most up-to-date and engaging content from industry experts to better your infrastructure and operations. Engage with a community of your peers and industry experts by asking questions, rating presentations and participating in polls during webinars, all while you gain insight that will help you transform your infrastructure into a next generation data center.

Data Center Management

Join thousands of engaged IT professionals in the application management community on BrightTALK. Interact with your peers in relevant webinars and videos on the latest trends and best practices for application lifecycle management, application performance management and application development.

Application Management

Network infrastructure professionals understand that a reliable and secure infrastructure is crucial to enabling business execution. Join the network infrastructure community to interact with thousands of IT professionals. Browse hundreds of on-demand and live webinars and videos to learn about the latest trends in network computing, SDN, WAN optimization and more.

Network Infrastructure

As an IT professional, many of the problems you face are multifaceted, complex and don’t lend themselves to simple solutions. The information technology community features useful and free information technology resources. Join to browse thousands of videos and webinars on ITIL best practices, IT security strategy and more presented by leading CTOs, CIOs and other technology experts.

Implementing and Using the UEFI Key Management Service (KMS)

Presented by

About this talk

More from this channel