A colleague brought the following Microsoft Security Advisory to my attention, that says “Microsoft is revoking the digital signature for four private, third-party UEFI (Unified Extensible Firmware Interface) modules that could be loaded during UEFI Secure Boot.” We investigated and SecureDoc is NOT impacted by these revocations. But what is it all about? We think it’s an interesting point of education for customers and prospects that requires a little explanation:
UEFI (Unified Extensible Firmware Interface) is the BIOS replacement for notebooks and servers. It has been around for a while, but was not widely used until Windows 8 started shipping (The computer OEMs typically ship Windows 7 machines in legacy BIOS mode and they are not impacted by this advisory). One of the key features of UEFI is “Secure Boot” with Secure Boot enabled the UEFI Boot Manager firmware that is built into the computer checks the signature of each UEFI driver and application that it loads. If the module is not properly signed (i.e. not trusted) or it has been revoked then the UEFI Boot Manager rejects the module and may display and error such as ‘Security Violation” at boot time.
How do modules get to be “trusted” in the first place and how do they get revoked?
In theory the computer OEM or even computer owner can sign and trust third party UEFI drivers and applications, but this would be very onerous. For example, when WinMagic updates its UEFI Pre-Boot application for SecureDoc we would have to get it signed by all the computer OEMs, as each one builds in an OEM specific key into their firmware. There are dozens of OEMs so this just wouldn’t work. This is where Microsoft stepped up and stood up for their own UEFI signing and revocation system for third party modules. The Microsoft signature checking key is built into all UEFI computers, so we just have to get it signed once.
We appreciate that Microsoft supports the PC ecosystem partners in this way. It is not an easy thing to do and is not without taking some risk and responsibility on. First Microsoft has to set the rules of behavior and standards for modules that they can trust and sign. Then they have to educate and enforce the rules. Finally if a third party module that was signed is found to be not secure they have to manage the revocation of the trust. This is done by distributing updates with the SHA256 file hashes of the revoked UEFI modules. That is what Security Advisory is about. In this case the “partner modules” distributed in backup and recovery software were requested to be revoked by their author.