View The Document

Accession Number:



Securing UEFI: An Underpinning Technology for Computing


Author Organization(s):

Report Date:



Each time you boot up your computer, software called firmware wakes up your computer, and often it remains active in the background, silently supporting the functions of the operating system. Originally, this software, known as the Basic Input/Output System (BIOS), contained a small amount of code without much more responsibility than to ensure that the operating system started up properly. Over decades, this firmware has grown in capability, size, and complexity. Many functions that used to be implemented either directly in hardware or in the operating system are now increasingly implemented in this critical layer of software. Most modern desktops and servers have firmware based on a standard known as the Unified Extensible Firmware Interface (UEFI), which replaces BIOS. A typical UEFI-based firmware is composed of software components from several suppliers, often including code from open-source projects, all knit together by an original equipment manufacturer (OEM), such as a laptop manufacturer. These software components are primarily written in low-level programming languages like C that facilitate direct access to the hardware and physical memory. These software components require high-privilege access to the central processing unit (CPU). The Chain of Trust model in the UEFI standard is designed to enable secure cryptographic verification of these components, establishing assurances that only trusted software is executed during the early boot cycle [Wilkins 2016]. Even after the boot cycle is complete, UEFI still provides an interface to the operating system to enable configuration changes or software updates to the firmware. Unlike the operating system, UEFI software remains invisible to most of us, despite its critical role in the functioning of a modern system. Because of its criticality and invisibility, vulnerabilities in UEFI-related software pose high risks to system security.



File Size:





Communities of Interest:

Distribution Statement:

Approved For Public Release

View The Document