
The Design And Implementation Of Distribution Mechanism In UEFI Update

Posted on: 2015-05-10
Degree: Master
Type: Thesis
Country: China
Candidate: S S Duan
GTID: 2298330452453377
Subject: Computer technology

Abstract/Summary:
UEFI is an acronym of "Unified Extensible Firmware Interface", which was proposed by Intel as a next-generation firmware system to replace the traditional BIOS. It is a set of definitions of interfaces and data structures between platform firmware and the operating system. The details of these definitions depend on the developers, and all firmware drivers developed to the UEFI interface specification can cooperate with each other. UEFI BIOS has many advantages over previous generations, including strong cross-platform compatibility, support for a mouse and a graphical user interface, modular scalability, and reduced development effort. These advantages have made UEFI develop rapidly, and more and more manufacturers now choose to preload UEFI BIOS on their equipment.

The fast development of UEFI BIOS has also brought problems that urgently need to be solved, especially security problems. The file system of UEFI BIOS needs more storage space, so it is stored not in ROM on the motherboard but in an isolated partition of the hard disk. Although this method improves performance, it also brings risks. Data saved on the hard disk is easily tampered with and attacked, especially when UEFI BIOS updates. Because UEFI BIOS can get update files directly from mobile storage devices and does not have any testing mechanism, security cannot be ensured when updating UEFI BIOS.

These security issues of UEFI BIOS can be solved by an update security mechanism. The UEFI update security mechanism contains three components: a distribution module, a verification module, and an implementation module. Together they can ensure that the update files loaded by the system have not been tampered with, have not been accessed without authorization, and are compatible with the hardware. This study focuses on the distribution module of the security mechanism. The distribution module is intended mainly for UEFI BIOS developers, who can use it to package update files with an outer layer. In the verification module, this outer layer is used to verify whether the update files have been tampered with, whether they have been accessed without authorization, and whether they are compatible with the hardware. The distribution module packages the update files by signing them to keep them from being tampered with, encrypting them to keep them from being accessed without authorization, and writing a description into them to show compatibility.

In short, this article is mainly about the distribution module of the security mechanism. It researches the methods and techniques for keeping update files from being tampered with, keeping them from being accessed without authorization, and keeping them compatible with the hardware, and it also designs and implements the distribution module.
Keywords/Search Tags: UEFI BIOS, UPDATE FILE, SIGNATURE, ENCRYPTION