It has been a while since I have written about UEFI, Secure Boot and their impact on Full Disk Encryption (FDE) pre-boot authentication (PBA), so it’s time for an update on what is new in this area. But first, here is a recap, because this is a bit of an arcane technical subject. UEFI stands for “Unified Extensible Firmware Interface”. The UEFI specification defines a standard model for the interface between personal-computer operating systems and platform firmware. It provides a standard environment for booting an operating system and running pre-boot applications such as the PBA for FDE. It replaces the traditional legacy BIOS interface that was used with Windows 7 and older systems. Now that Windows 10 is being widely adopted, I expect to see UEFI used on almost all new machines.
A colleague brought the following Microsoft Security Advisory to my attention, which says “Microsoft is revoking the digital signature for four private, third-party UEFI (Unified Extensible Firmware Interface) modules that could be loaded during UEFI Secure Boot.”
A colleague and I attended the Spring 2014 UEFI Plugfest in Seattle earlier this month. It was well worth attending, as we had the opportunity to test and have one-on-one conversations with Microsoft, Intel, the PC OEMs including HP, Lenovo, Dell, and of course the BIOS companies AMI, Insyde, and Phoenix. It was my second year in a row attending, and the third for my colleague, so we are now getting to see how things develop and change over time.
The TCG is hosting its annual security workshop at the RSA Security Conference on Mon Feb 25th in San Francisco. I have attended for the last 5 years and always found the panels and speakers well worth the time invested to attend.