
2020.09.18

NSA : Unified Extensible Firmware Interface (UEFI) Secure Boot Customization

Hello, this is 丸山満彦.

The US NSA has published Unified Extensible Firmware Interface (UEFI) Secure Boot Customization...

National Security Agency

・2020.09.15 NSA Releases Cybersecurity Technical Report on UEFI Secure Boot Customization

・[PDF] UEFI Secure Boot Customization


Executive summary

Secure Boot is a boot integrity feature that is part of the Unified Extensible Firmware Interface (UEFI) industry standard. Most modern computer systems are delivered to customers with a standard Secure Boot policy installed. This document provides a comprehensive guide for customizing a Secure Boot policy to meet several use cases.

UEFI is a replacement for the legacy Basic Input Output System (BIOS) boot mechanism. UEFI provides an environment common to different computing architectures and platforms. UEFI also provides more configuration options, improved performance, enhanced interfaces, security measures to combat persistent firmware threats, and support for a wider variety of devices and form factors.

Malicious actors target firmware to persist on an endpoint. Firmware is stored and executes from memory that is separate from the operating system and storage media. Antivirus software, which runs after the operating system has loaded, is ineffective at detecting and remediating malware in the early-boot firmware environment that executes before the operating system.

Secure Boot provides a validation mechanism that reduces the risk of successful firmware exploitation and mitigates many published early-boot vulnerabilities.

Secure Boot is frequently not enabled due to issues with incompatible hardware and software.

Custom certificates, signatures, and hashes should be utilized for incompatible software and hardware. Secure Boot can be customized to meet the needs of different environments.

Customization enables administrators to realize the benefits of boot malware defenses, insider threat mitigations, and data-at-rest protections. Administrators should opt to customize Secure Boot rather than disable it for compatibility reasons. Customization may – depending on implementation – require infrastructures to sign their own boot binaries and drivers.

Recommendations for system administrators and infrastructure owners:

  • Machines running legacy BIOS or Compatibility Support Module (CSM) should be migrated to UEFI native mode.
  • Secure Boot should be enabled on all endpoints and configured to audit firmware modules, expansion devices, and bootable OS images (sometimes referred to as Thorough Mode).
  • Secure Boot should be customized, if necessary, to meet the needs of organizations and their supporting hardware and software.
  • Firmware should be secured using a set of administrator passwords appropriate for a device's capabilities and use case.
  • Firmware should be updated regularly and treated as importantly as operating system and application updates.
  • A Trusted Platform Module (TPM) should be leveraged to check the integrity of firmware and the Secure Boot configuration.
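The customization the summary describes (custom certificates and hashes in db, backed up and reloaded as EFI Signature Lists, report sections 4.2.2 and 4.3) rests on one binary format. The following is an added example, not code from the NSA report or this blog: it builds and parses EFI_SIGNATURE_LIST blobs as found in a db/dbx dump; the owner GUID and the certificate bytes are constructed placeholders, and SHA-256 entries are assumed to be Authenticode PE image hashes computed elsewhere (for example by sbsign or pesign), not plain file hashes.

```python
"""Build and parse EFI_SIGNATURE_LIST (ESL) blobs, the on-disk format of the
UEFI db/dbx variables. Added example; not code from the NSA report.
Layout (UEFI spec): header { EFI_GUID SignatureType; UINT32 SignatureListSize;
UINT32 SignatureHeaderSize; UINT32 SignatureSize; }, SignatureHeaderSize bytes,
then EFI_SIGNATURE_DATA entries { EFI_GUID SignatureOwner; UINT8 SignatureData[]; }."""
import struct
import uuid

EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# SignatureOwner is picked by the deploying organisation; this one is constructed.
EXAMPLE_OWNER = uuid.UUID("e1f2a3b4-0000-4000-8000-000000000001")
HDR = struct.Struct("<16sIII")  # GUIDs are stored in little-endian (bytes_le) form

def build_esl(sig_type, owner, signatures):
    """Pack one ESL. Every entry in a list shares SignatureSize, so a SHA-256
    list may hold many hashes while an X.509 list holds a single certificate."""
    if len({len(s) for s in signatures}) != 1:
        raise ValueError("entries in one ESL must have equal length")
    if sig_type == EFI_CERT_SHA256_GUID and len(signatures[0]) != 32:
        raise ValueError("EFI_CERT_SHA256 entries are 32-byte Authenticode PE hashes")
    sig_size = 16 + len(signatures[0])
    body = b"".join(owner.bytes_le + s for s in signatures)
    return HDR.pack(sig_type.bytes_le, HDR.size + len(body), 0, sig_size) + body

def parse_esls(blob):
    """Walk concatenated ESLs (a db/dbx dump); yield (type, owner, data); reject truncation."""
    off = 0
    while off < len(blob):
        if off + HDR.size > len(blob):
            raise ValueError("truncated ESL header at offset %d" % off)
        type_le, list_size, hdr_size, sig_size = HDR.unpack_from(blob, off)
        end = off + list_size
        if list_size < HDR.size + hdr_size or end > len(blob) or sig_size <= 16:
            raise ValueError("corrupt ESL at offset %d" % off)
        sig_type, pos = uuid.UUID(bytes_le=type_le), off + HDR.size + hdr_size
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            yield sig_type, owner, blob[pos + 16:pos + sig_size]
            pos += sig_size
        off = end

def summarize(blob):
    """Count entries per type: the sanity check after backing up factory db/dbx."""
    counts = {}
    for sig_type, _owner, _data in parse_esls(blob):
        name = {EFI_CERT_SHA256_GUID: "sha256", EFI_CERT_X509_GUID: "x509"}.get(sig_type, str(sig_type))
        counts[name] = counts.get(name, 0) + 1
    return counts
```

On Linux the same bytes can be read from `/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f` after skipping the 4-byte attribute prefix, which lets a backup taken before customization be compared against the policy loaded afterwards.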


Contents

Contact information
Purpose
Additional resources
Executive summary

1 Unified Extensible Firmware Interface (UEFI)

2 UEFI Secure Boot
 2.1 Platform-Specific Caveats

3 Use Cases For Secure Boot
 3.1 Anti-Malware
 3.2 Insider Threat Mitigation
 3.3 Data-at-Rest

4 Customization
 4.1 Dependencies

 4.2 Backup Factory Values
  4.2.1 Backup Secure Boot Values
  4.2.2 EFI Signature List (ESL) Format

 4.3 Initial Provisioning of Certificates and Hashes
  4.3.1 Create Keys and Certificates
  4.3.2 Sign Binaries
  4.3.3 Calculate and Capture Hashes
  4.3.4 Load Keys and Hashes

 4.4 Updates and Changes
  4.4.1 Update the PK
  4.4.2 Update a KEK
  4.4.3 Update the DB or DBX
  4.4.4 Update MOK or MOKX

 4.5 Validation

5 Advanced Customizations
 5.1 Trusted Platform Module (TPM)
 5.2 Trusted Bootloader

6 References
 Cited Resources
 Command References
 Uncited Related Resources

7 Appendix
 7.1 UEFI Lockdown Configuration
 7.2 Acronyms
 7.3 Frequently Asked Questions (FAQ)
