On 02/21/2014 04:41 AM, miguelro...@ua.pt wrote:
> Hello all,
>
>
> I'm a master's student and for my final thesis I am writing a UEFI
> Application/Driver.
>
>
> In my UEFI Application/Driver I need to have access to a non volatile
> variable that must be visible (write permission) only to my UEFI
> Application/Driver and invisible (no read permission) for other drivers,
> applications or operating systems.
>
>
> Does UEFI provide any mechanism to create a non volatile variable (or
> some kind of data storage) that is only accessible to my driver? Can I
> have some hints on how to do this?
>
>
> I have been reading about the Secure Boot secure variables and Key
> Management Service but, the first does not seem to provide reading
> protection and the second does not specify read/write protections for
> the saved keys.
>

You could encrypt the variable's contents with a key known only to your 
driver.  That's the scheme used for updating the secure Machine Owner 
Key (MOK) database from a running OS:  encrypt the data into a 
non-secure transit variable, then reboot, decrypt, and validate it from 
a signed driver in a secure environment.  As Tim Lewis pointed out, this 
wouldn't protect you from all threats, but at least it could ensure that 
only signed/trusted software is running at the point you decrypt your data.

See the IDF presentations and other info linked from 
http://uefidk.intel.com/blog/using-mok-and-uefi-secure-boot-suse-linux

(I'm not a security researcher, so take all the above with a grain of 
salt.  I just thought the scheme presented at IDF was interesting, and 
it seemed applicable.)
-- 

                                                 Brian J. Johnson

--------------------------------------------------------------------

   "I use not only the brains I have, but all I can borrow."
                                            -- Woodrow Wilson
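The transit-variable flow described above, modeled on the host as an added example (this is not code from the thread, from EDK II, or from the shim/MOK tools). The variable name and GUID are hypothetical, the driver secret is assumed to already be available to both the OS-side writer and the boot-time driver (how it is provisioned is exactly the threat Tim Lewis's caveat covers and is out of scope here), and encrypt-then-MAC over an HMAC-SHA256 counter-mode keystream is chosen only so the example runs with the Python standard library; a firmware implementation would use whatever cipher and MAC the platform's crypto library provides.

```python
"""Host-side model of the 'encrypt into a transit variable, decrypt at next boot' scheme."""
import hashlib
import hmac
import os
import struct

# UEFI variable attribute bits as passed to SetVariable().
EFI_VARIABLE_NON_VOLATILE = 0x00000001
EFI_VARIABLE_BOOTSERVICE_ACCESS = 0x00000002
EFI_VARIABLE_RUNTIME_ACCESS = 0x00000004

# Hypothetical identity of the transit variable (assumption for this example).
TRANSIT_NAME = "MyDriverTransit"
TRANSIT_GUID = "0f3a1b5e-7c2d-4e8a-9b61-5d4c3a2b1f00"

MAGIC = b"XVR1"      # format tag; anything else is rejected after the MAC check
NONCE_LEN = 16
TAG_LEN = 32


def derive_keys(secret: bytes):
    """Split one driver secret into independent encryption and MAC keys."""
    enc = hmac.new(secret, b"transit-enc", hashlib.sha256).digest()
    mac = hmac.new(secret, b"transit-mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode used as a stream cipher (stdlib-only choice)."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack("<I", block), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def seal(secret: bytes, payload: bytes, nonce: bytes = None) -> bytes:
    """Encrypt-then-MAC. Layout: MAGIC || nonce || ciphertext || tag."""
    enc_key, mac_key = derive_keys(secret)
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    ct = bytes(p ^ k for p, k in zip(payload, _keystream(enc_key, nonce, len(payload))))
    body = MAGIC + nonce + ct
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()


def unseal(secret: bytes, blob: bytes):
    """Return the payload, or None if the blob is truncated, tampered with, or foreign."""
    if len(blob) < len(MAGIC) + NONCE_LEN + TAG_LEN:
        return None
    enc_key, mac_key = derive_keys(secret)
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    # Verify the tag before interpreting any other field (constant-time compare).
    if not hmac.compare_digest(hmac.new(mac_key, body, hashlib.sha256).digest(), tag):
        return None
    if body[:len(MAGIC)] != MAGIC:
        return None
    nonce = body[len(MAGIC):len(MAGIC) + NONCE_LEN]
    ct = body[len(MAGIC) + NONCE_LEN:]
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


# Minimal stand-in for the firmware variable store: {(guid, name): (attrs, data)}.
def set_variable(store, guid, name, attrs, data):
    """Mimics SetVariable(): zero-length data deletes the variable."""
    if not data:
        store.pop((guid, name), None)
    else:
        store[(guid, name)] = (attrs, bytes(data))


def get_variable(store, guid, name):
    entry = store.get((guid, name))
    return None if entry is None else entry[1]


def stage_from_os(store, secret, payload, nonce=None):
    """OS side: write the sealed payload to a non-volatile, runtime-writable variable."""
    attrs = (EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS
             | EFI_VARIABLE_RUNTIME_ACCESS)
    set_variable(store, TRANSIT_GUID, TRANSIT_NAME, attrs, seal(secret, payload, nonce))


def consume_in_driver(store, secret):
    """Driver side at next boot: read, validate, decrypt, then clear the transit variable."""
    blob = get_variable(store, TRANSIT_GUID, TRANSIT_NAME)
    if blob is None:
        return None
    payload = unseal(secret, blob)
    if payload is not None:
        set_variable(store, TRANSIT_GUID, TRANSIT_NAME, 0, b"")   # consumed; remove it
    return payload


if __name__ == "__main__":
    store, secret = {}, os.urandom(32)
    stage_from_os(store, secret, b"new key material")
    print(consume_in_driver(store, secret))          # b'new key material'
    stage_from_os(store, secret, b"new key material")
    attrs, data = store[(TRANSIT_GUID, TRANSIT_NAME)]
    store[(TRANSIT_GUID, TRANSIT_NAME)] = (attrs, data[:-1] + bytes([data[-1] ^ 1]))
    print(consume_in_driver(store, secret))          # None: tag mismatch, variable left in place
```

The transit variable is written with RUNTIME_ACCESS so the OS can set it, and the driver deletes it with a zero-length SetVariable once it has accepted the contents; a blob that fails the tag check is left untouched rather than decrypted, so nothing is ever acted on before its integrity is known. As the thread notes, the scheme only keeps the contents opaque to parties that do not hold the secret; anyone who can extract the secret from the driver image can read the variable just as well.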


_______________________________________________
edk2-devel mailing list
edk2-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/edk2-devel
