Securing UEFI: An Underpinning Technology for Computing
White Paper
Software Engineering Institute
Most modern computers have firmware based on a standard known as the Unified Extensible Firmware Interface (UEFI). A typical UEFI-based firmware image is assembled from software components supplied by several vendors, code from open-source projects, and components from the original equipment manufacturer, such as a laptop maker. These components are written mostly in low-level languages such as C that allow direct access to hardware and physical memory, and they run at the highest privilege level the processor offers, before any operating system protections exist. The Chain of Trust model in the UEFI standard is designed to cryptographically verify each of these components before it executes, establishing assurance that only trusted software runs during the early boot cycle. But the firmware's exposure does not end when boot completes: UEFI continues to provide an interface to the operating system through which firmware configuration can be changed and firmware updates applied. Unlike the operating system, UEFI software remains invisible to most users despite its critical role in the functioning of a modern system. Because of this criticality and invisibility, vulnerabilities in UEFI-related software attract attackers and pose a high risk to system security: a compromise at this layer sits beneath the operating system and its defenses. This paper highlights the technical efforts to secure the UEFI-based firmware that serves as a foundational piece of modern computing environments.
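The post-boot interface mentioned above is reachable from the operating system as UEFI variables. The following is an added example, not code from the paper or from any UEFI implementation, that parses the Linux efivarfs representation of a variable (a 4-byte little-endian attribute word followed by the payload) and decides whether Secure Boot is actually enforcing: the SecureBoot variable must read 1 and SetupMode must read 0, since a platform in setup mode has no enrolled Platform Key and enforces nothing. The sample byte strings are constructed for the example; the efivarfs path and file layout are Linux-specific assumptions, and the attribute bit values and the EFI_GLOBAL_VARIABLE GUID are taken from the UEFI specification.

```python
import os
import struct

# Variable attribute bits as defined for SetVariable() in the UEFI specification.
EFI_VARIABLE_NON_VOLATILE = 0x00000001
EFI_VARIABLE_BOOTSERVICE_ACCESS = 0x00000002
EFI_VARIABLE_RUNTIME_ACCESS = 0x00000004
EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS = 0x00000020

ATTR_NAMES = {
    EFI_VARIABLE_NON_VOLATILE: "NV",
    EFI_VARIABLE_BOOTSERVICE_ACCESS: "BS",
    EFI_VARIABLE_RUNTIME_ACCESS: "RT",
    EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS: "AUTH_TIME",
}

# GUID of the EFI_GLOBAL_VARIABLE namespace that holds SecureBoot and SetupMode.
EFI_GLOBAL_VARIABLE_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS_DIR = "/sys/firmware/efi/efivars"  # Linux efivarfs mount point (assumption)


def parse_efivar(blob: bytes):
    """Split an efivarfs file image into (attribute word, payload bytes)."""
    if len(blob) < 4:
        raise ValueError("efivarfs file shorter than its 4-byte attribute header")
    (attrs,) = struct.unpack("<I", blob[:4])
    return attrs, blob[4:]


def attr_flags(attrs: int):
    """Human-readable names of the attribute bits that are set."""
    return [name for bit, name in ATTR_NAMES.items() if attrs & bit]


def secure_boot_state(files: dict):
    """Decide whether Secure Boot is enforcing from {name: efivarfs blob}.

    Returns a dict with the verdict and the reason, so callers can log why a
    machine was judged non-enforcing (variable missing, setup mode, disabled).
    """
    values = {}
    for name in ("SecureBoot", "SetupMode"):
        blob = files.get(name)
        if blob is None:
            return {"enforcing": False, "reason": f"{name} variable absent (legacy BIOS or not exposed)"}
        attrs, payload = parse_efivar(blob)
        if len(payload) != 1:
            return {"enforcing": False, "reason": f"{name} payload is {len(payload)} bytes, expected 1"}
        values[name] = (payload[0], attr_flags(attrs))
    secure_boot, setup_mode = values["SecureBoot"][0], values["SetupMode"][0]
    if setup_mode == 1:
        return {"enforcing": False, "reason": "platform in setup mode: no Platform Key enrolled"}
    if secure_boot != 1:
        return {"enforcing": False, "reason": "SecureBoot variable is 0: verification disabled"}
    return {"enforcing": True, "reason": "SecureBoot=1 and SetupMode=0"}


def load_from_efivarfs(names=("SecureBoot", "SetupMode")):
    """Read the real variables from efivarfs on a Linux host (not exercised here)."""
    files = {}
    for name in names:
        path = os.path.join(EFIVARS_DIR, f"{name}-{EFI_GLOBAL_VARIABLE_GUID}")
        if os.path.exists(path):
            with open(path, "rb") as fh:
                files[name] = fh.read()
    return files


# Constructed sample images: attribute word 0x06 = BS|RT, then a one-byte payload.
SAMPLE_ENFORCING = {
    "SecureBoot": b"\x06\x00\x00\x00\x01",
    "SetupMode": b"\x06\x00\x00\x00\x00",
}
SAMPLE_SETUP_MODE = {
    "SecureBoot": b"\x06\x00\x00\x00\x00",
    "SetupMode": b"\x06\x00\x00\x00\x01",
}

if __name__ == "__main__":
    for label, sample in (("constructed enforcing", SAMPLE_ENFORCING),
                          ("constructed setup mode", SAMPLE_SETUP_MODE)):
        print(label, secure_boot_state(sample))
    live = load_from_efivarfs()
    print("this host", secure_boot_state(live))
```

A firmware-level control worth noting in the same data: the signature databases (db, dbx, KEK, PK) that the chain of trust consults carry the AUTH_TIME attribute, so the OS can only modify them with a properly signed authenticated write, whereas SecureBoot and SetupMode are volatile BS|RT variables that the firmware itself sets at boot; `attr_flags` makes that difference visible when run over a real efivarfs directory.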