Vincent on UEFI and free chapter of new Beyond BIOS 3rd edition

Vincent has a multi-topic blog post, including insight on UEFI spec, and pointer to a free chapter of the 3rd edition of Beyond BIOS:





new editions of Beyond BIOS and Harnessing the UEFI Shell

Intel Press published the first and second editions of these two books a few years ago, but it appears Degruyter is publishing revised third editions!

Harnessing the UEFI Shell: Moving the Platform Beyond DOS, Third Edition
Rothman, Michael / Zimmer, Vincent / Lewis, Tim

Beyond BIOS: Developing with the Unified Extensible Firmware Interface, Third Edition
Zimmer, Vincent / Marisetty, Suresh / Rothman, Michael



UEFI Capsule Update and Recovery whitepaper


Vincent is co-author of this paper, and mentions it — along with a bunch of other UEFI-related things — in his current blog post:




New Intel/UEFI whitepaper: Establishing the Root of Trust


Vincent Zimmer and Michael Krau of Intel have written a new whitepaper for the UEFI Forum: “Establishing the root of trust”.

The first step in securing a computing device – from a simple embedded device to a supercomputer and everything in between – is to ensure that it can start up under the following conditions:
– It is operating as expected
– All the firmware needed to run the system is intact
– It has not been tampered with in any way

As described in the first white paper in this series, Understanding the Chain of Trust and Its Vital Role in Keeping Computing Systems Secure, the UEFI specification includes a mechanism for ensuring the integrity and security of firmware (the all-important link between the hardware and the operating system) as a system starts up. This mechanism is called Secure Boot and uses public key cryptography to validate that each piece of firmware has been digitally signed and is therefore unmodified as the system starts up. In a chain of trust, each piece of firmware must be digitally signed before it can start up. Once one piece of code has been validated, it can then validate the next section and so on until the system is fully booted and control handed over to the operating system. But how does that chain get started? While difficult, it would be possible for an attacker to inject malicious attack code of some sort prior to start of the chain of trust to gain low-level and nearly undetectable control over the system. To prevent this, the chain of trust requires a strong foundation. In modern systems, this is known as the root of trust. A root of trust, one that can be counted on to anchor the chain of trust in the face of the most determined attackers, can be established in a number of ways. The most secure approaches use some form of an unchangeable section of hardware to validate the initial keyed signature, but there are a number of effective approaches. Ultimately it comes down to the level of security you’re comfortable with and an understanding of the approach used to establish the root of trust. This white paper looks at several common methods for establishing a root of trust as the basis for the UEFI Secure Boot process. […]