The promise and practice of UEFI for Full Disk Encryption

When I first heard about UEFI a few years ago I thought it was a great idea. It could make life easier in the long run for developers of full disk encryption to provide advanced authentication and maintenance features for their customers. With this in mind I joined WinMagic up to UEFI.org.  Having implemented pre-boot authentication on Apple Macs, which used EFI, we were already familiar with UEFI’s predecessor.

From UEFI.org: “UEFI stands for “Unified Extensible Firmware Interface”. The UEFI specification defines a new model for the interface between personal-computer operating systems and platform firmware. The interface consists of data tables that contain platform-related information, plus boot and runtime service calls that are available to the operating system and its loader. Together, these provide a standard environment for booting an operating system and running pre-boot applications.“

Historically “IBM compatible” PCs booted up via the BIOS (Basic Input Output System) built into the ROM (Read Only Memory) of almost all PCs.  The BIOS got the job done but it didn’t make it easy for developers who needed to use the capabilities of the machines such as the WAN card or the USB stack for tokens in pre-boot environment.  In the BIOS environment the solution was to develop our own “pre boot mini OS” or boot Linux, perform pre-boot authentication and then boot Windows.

PC OEMs  (e.g. HP, Lenovo, Dell, etc.) have been shipping UEFI capable machines for a long while but with almost all configured to legacy (BIOS) booting mode so it made no difference in practice for pre-boot applications.  This all changed with the release of Windows 8 in late 2012. Microsoft made it a Windows 8 Logo requirement to ship the BIOS in “native” UEFI mode.  Since we had our UEFI pre-boot application implemented utilizing “standard” features from the UEFI specification AND had successfully tested on some Windows 8 logo machines this marked a major milestone.

However there are “standards” and then there are “implementations”.  Often it takes time for the implementations to converge to the standard. We have found that many of the implementations of UEFI just don’t support the UEFI features needed by pre-boot FDE pre-boot applications. As a consequence the number of Windows 8/UEFI platforms that are supported is limited. The good news is that the PC OEMs and BIOS vendors really are committed to delivering on the promise of UEFI and are open to work with ‘application’ writers such as WinMagic. It is going to take some time but as the PC OEMs ship their new PCs with improved UEFI ROMs, the pre-applications written by WinMagic and others are going to benefit from the long journey from BIOS to UEFI. Afterall, ROM wasn’t built in a day.

References:

*1           http://www.uefi.org/home/

*2           http://en.wikipedia.org/wiki/BIOS

Previous Post
What is going on in Healthcare?
Next Post
The value of SEDs

Related Posts

The Million Dollar Question

We’ve seen the countless benefits encryption can have for organizations.  So why aren’t organizations putting encryption at the top of their priority list when it can help mitigate such a huge business risk?  Over the years, there have been many…
Read more

The “Key” to Playing it Safe

Apple this week rolled out a new version of its operating system running mobile devices such as iPads and iPhones. It also announced it will no longer be able to comply with requests of law enforcement to unlock the encryption…
Read more

4 Comments. Leave new

  • Since I’m new to the SED game… AND I’m new to Linux, I’m really struggling to find answers on how to utilize/manage an SED on a Linux workstation and NAS. What resources/applications/tools are available for Linux machines to ensure that their SEDs are not locked doors with the keys left in them? What do I need to be looking for when I purchase motherboards and drives?

  • Hi Daniel, here’s a quick response via Garry:

    We are not aware of any native support built into Linux for SEDs. Our approach for supporting Linux is via what we call SecureDoc OSA (OS Agnostic) http://www.winmagic.com/products/enterprise-server-encryption/securedoc-osa

    We utilize the MBR shadow of the TCG Opal SED to perform PBA (Pre-boot authentication), unlock all the attached drives and then boot into whatever the original OS was. Given the tittle of the Blog “The Promise and practice of UEFI for FDE” we feel obliged to point out that currently OSA only supports mother boards that can boot in legacy BIOS mode (Not UEFI).

    This approach works with software Raid but not hardware RAID cards.

    Finally, currently only TCG Opal SEDs (laptop style drives) are supported by OSA but we are taking a close look at how TCG Enterprise SEDs (for servers) can be supported by OSA

  • Hi Darren,

    Can you direct me somewhere I can purchase a copy of SecureDoc for Linux for a personal laptop? It’s not available from your Store nor can I purchase it from Lenovo (who advertised “SecureDoc for Lenovo” as a selling point when I purchased this W530).

    Thanks,
    -Jeremy

    (If you reply here, please also send a copy to my e-mail address. Thanks.)

  • Hi Jeremy,

    I followed-up directly with you on e-mail. Thanks for your inquiry.

Leave a Reply

Your email address will not be published. Required fields are marked *

Fill out this field
Fill out this field
Please enter a valid email address.

Menu