Show
This document helps guide OEMs and ODMs in creation and management of the Secure Boot keys and certificates in a manufacturing environment. It addresses questions related to creation, storage and retrieval of Platform Keys (PKs), secure firmware update keys, and third party Key Exchange Keys (KEKs).
Note These steps are not specific to PC OEMs. Enterprises and customers can also use these steps to configure their servers to support Secure Boot. Windows requirements for UEFI and Secure Boot can be found in the Windows Hardware Certification Requirements. This paper does not introduce new requirements or represent an official Windows program. It is intended as guidance beyond certification requirements, to assist in building efficient and secure processes for creating and managing Secure Boot Keys. This is important because UEFI Secure Boot is based on the usage of Public Key Infrastructure to authenticate code before allowed to execute. The reader is expected to know the fundamentals of UEFI, basic understanding of Secure Boot (Chapter 27 of the UEFI specification), and PKI security model. Requirements, tests, and tools validating Secure Boot on Windows are available today through the Windows Hardware Certification Kit (HCK). However, these HCK resources do not address creation and management of keys for Windows deployments. This paper addresses key management as a resource to help guide partners through deployment of the keys used by the firmware. It is not intended as prescriptive guidance and does not include any new requirements. On this page: This document serves as a starting point in developing customer ready PCs, factory deployment tools and key security best practices. 1. Secure Boot, Windows and Key ManagementThe UEFI (Unified Extensible Firmware Interface) specification defines a firmware execution authentication process called Secure Boot. As an industry standard, Secure Boot defines how platform firmware manages certificates, authenticates firmware, and how the operating system interfaces with this process. Secure Boot is based on the Public Key Infrastructure (PKI) process to authenticate modules before they are allowed to execute. These modules can include firmware drivers, option ROMs, UEFI drivers on disk, UEFI applications, or UEFI boot loaders. Through image authentication before execution, Secure Boot reduces the risk of pre-boot malware attacks such as rootkits. Microsoft relies on UEFI Secure Boot in Windows 8 and above as part of its Trusted Boot security architecture to improve platform security for our customers. Secure Boot is required for Windows 8 and above client PCs, and for Windows Server 2016 as defined in the Windows Hardware Compatibility Requirements. The Secure Boot process works as follows and as shown in Figure 1:
Figure 1: Windows Trusted Boot Architecture Implementation of UEFI Secure Boot is part of Microsoft’s Trusted Boot Architecture, introduced in Windows 8.1. A growing trend in the evolution of malware exploits is targeting the boot path as a preferred attack vector. This class of attack has been difficult to guard against, since antimalware products can be disabled by malicious software that prevents them from loading entirely. With Windows Trusted Boot architecture and its establishment of a root of trust with Secure Boot, the customer is protected from malicious code executing in the boot path by ensuring that only signed, certified "known good" code and boot loaders can execute before the operating system itself loads. 1.1 Public-Key Infrastructure (PKI) and Secure BootThe PKI establishes authenticity and trust in a system. Secure Boot leverages PKI for two high-level purposes:
A PKI consists of:
1.2 Public Key CryptographyPublic key cryptography uses a pair of mathematically related cryptographic keys, known as the public and private key. If you know one of the keys, you cannot easily calculate what the other one is. If one key is used to encrypt information, then only the corresponding key can decrypt that information. For Secure Boot, the private key is used to digitally sign code and the public key is used to verify the signature on that code to prove its authenticity. If a private key is compromised, then systems with corresponding public keys are no longer secure. This can lead to boot kit attacks and will damage the reputation of the entity responsible for ensuring the security of the private key. In a Secure Boot public key system you have the following:
1.3 Secure Boot PKI requirementsThe UEFI-defined root of trust consists of the Platform Key and any keys an OEM or ODM includes in the firmware core. Pre-UEFI security and a root of trust are not addressed by the UEFI Secure Boot process, but instead by National Institute of Standards and Technology (NIST), and Trusted Computing Group (TCG) publications referenced in this paper.
1.4 Signature Databases (Db and Dbx)
1.5 Keys Required for Secure Boot on all PCs
Table 1: Keys/db needed for Secure Boot 2. Key Management SolutionsBelow are given some of the metrics we used for comparison. 2.1 Metrics usedThe following metrics can help you select a HSM PC based on the requirements of UEFI specification 2.3.1 Errata C and your needs.
Pricing
Manufacturing environment
Standards and Compliance
Reliability and disaster recovery
2.2 Key Management Options
2.3 HSM Key generation and storage for Secure Boot keys
2.4 Secure Boot and 3rd party signing
This section intends to summarize the above sections and show a step by step approach:
3.1 ResourcesSecurity Strategies White Paper - https://go.microsoft.com/fwlink/p/?linkid=321288 Windows HCK Submission -https://go.microsoft.com/fwlink/p/?linkid=321287 Appendix A – Secure Boot PKI checklist for manufacturingBelow is a high-level checklist summarizing the steps needed for enabling Secure Boot on non-Windows RT PCs. Setting up Secure Boot
Servicing (Updating firmware)You may need to update firmware for several reasons such as updating an UEFI component or fixing Secure Boot key compromise or periodic rekeying of Secure Boot keys. For more info, see Section 1.3.5 and section 1.3.6. Appendix B – Secure Boot APIs
Secure Boot Key Generation and Signing Using HSM (Example) UEFI Validation Option ROM Validation Guidance Secure Boot Overview |