Of all the gin joints in all the towns in all the world, Blibbet had to walk 
into mine at 11:14:29 on Wednesday 09 September 2015 and say:

> I have some questions about UEFI and the below excerpts from NIST
> SP-147, from sections 3.1.1 and 3.2.
> 
> Is this "gold master image" possible with UEFI? Are any enterprises
> practicing this? What tools are they using? I can't any information on
> any enterprise who does this today.
> 
> I currently doubt it is possible with UEFI, given how little information
> -- by UEFI Forum, IBVs, OEMs or IHVs -- is provided to system owners on
> how to backup/restore their BIOS.  At least I can't find any info so far.
> 
> Can anyone point me to a case where an organization can "assert greater
> control" or "actively participate in the update process", like below?
> 
> Most of the security in these guidelines are based on crypto, yet I've
> yet to find a CRL or OSCP URL by an IBV/OEM/IHV for any of their UEFI
> signed code.
> 
> Can anyone point to a case where someone is able to test the security of
> this signed code?
> 
> How can "multi-party control" with below PKI if the enterprise can't
> even access the original keys?
> 
> I could see the below with UEFI in a fully-open source firmware
> scenerio. But all UEFI IBVs are closed-source, and Intel's FSP is
> closed-source, so I don't see how mainstream UEFI-based systems can be
> used with 147 enterprise guidelines.
> 
> If anyone can point to any more info on this, please speak up.
> 
> I'm giving a talk to some sysadmins on integrating SP-147 with UEFI
> along with traditional hardware lifecycle models on Thursday... :-)

Oh sure, no pressure.

As you say, the closed source nature of most BIOSes makes complying with these 
requirements nearly impossible for most organizations. The only exceptions I 
can think of are big companies with connections to the IBVs (e.g. Intel, 
Microsoft) or the government/military. Something tells me none of them will in 
any rush to talk to you though. :)

-Bill

> Thanks,
> Lee
> RSS: http://firmwaresecurity.com
> 
> ----snip----
> 
> Some organizations may wish to assert greater control over BIOS updates
> in high-security environments. The authenticated update mechanism may be
> designed to permit organizational control over the update process, where
> updates to the BIOS or rollbacks of the BIOS to an earlier version are
> permitted only if the update or rollback has been authorized by the
> organization. For example, specific BIOS images could be authorized by
> an organization by countersigning them with an organization-controlled
> key, which would be verified during the update process.
> 
> Provisioning Phase:
> It is crucial that the organization institute a mechanism for
> identifying, inventorying, and tracking the different computer systems
> across the enterprise throughout their life cycle. Identifying and
> monitoring the BIOS image characteristics such as manufacturer name,
> version, or time stamp allows the organization to perform update,
> rollback, and recovery. The organization should maintain a “golden
> master image” for each approved system BIOS, including superseded
> versions, in secure offline storage.
> If the platform has a configurable Root of Trust for Update (RTU), the
> organization needs to maintain a copy of the key store and signature
> verification algorithm. If the RTU is integrated into the system BIOS
> then this guideline is satisfied by maintaining the golden BIOS image.
> If the RTU is not integrated into the system BIOS, the security afforded
> the RTU should be at least as strong as that for the golden BIOS image.
> Most organizations will rely upon the manufacturer as the source for the
> authenticated BIOS. In this case, the organization does not maintain any
> private keys, and the RTU contains only public keys provided by the
> manufacturer. Where the organization prefers to participate actively in
> the BIOS authentication process by countersigning some or all approved
> system BIOS updates, the RTU may contain one or more public keys
> associated with the organization. In this case, the organization must
> securely maintain the corresponding private key so that the next BIOS
> update can be signed. Private keys should be maintained under
> multi-party control to protect against insider attacks. For
> organizational keys, the corresponding public keys must also be
> maintained securely (to ensure authentication of origin).
> 
> Operation and Maintenance Phase:
> Where the organization participates actively in the update process, the
> multi-party control process must be executed to retrieve the private key
> from secure storage and generate the digital signature. The BIOS
> installation package should also be signed, and the digital signature
> should be verified before execution. Once the update has executed
> successfully, the configuration baseline should be validated to confirm
> that the computer system is still in compliance with the organization’s
> defined policy.
> 
> Disposition Phase:
> Before the computer system is disposed and leaves the organization, the
> organization should remove or destroy any sensitive data from the system
> BIOS. The configuration baseline should be reset to the manufacturer’s
> default profile; in particular, sensitive settings such as passwords
> should be deleted from the system and keys should also be removed from
> the key store. If the system BIOS includes any organization-specific
> customizations then a vendor-provided BIOS image should be installed.
> This phase of the platform life cycle reduces chances for accidental
> data leakage.
> 
> ----snip----
> 
> _______________________________________________
> edk2-devel mailing list
> [email protected]
> https://lists.01.org/mailman/listinfo/edk2-devel

-- 
=============================================================================
-Bill Paul            (510) 749-2329 | Senior Member of Technical Staff,
                 [email protected] | Master of Unix-Fu - Wind River Systems
=============================================================================
   "I put a dollar in a change machine. Nothing changed." - George Carlin
=============================================================================
_______________________________________________
edk2-devel mailing list
[email protected]
https://lists.01.org/mailman/listinfo/edk2-devel

Reply via email to