Good points, Brian. The typical solution to this sort of problem requires hardware support, where a key is hidden in a piece of hardware that is readable after reset but then can be locked. In this way, once your driver reads the key from the lockable storage, it then locks it, uses it and then scrubs all references from memory. This does not protect you against agents that run before you, or hardware snooping devices, but it does protect you from anyone running after you.
Tim -----Original Message----- From: Brian J. Johnson [mailto:bjohn...@sgi.com] Sent: Friday, February 21, 2014 9:40 AM To: edk2-devel@lists.sourceforge.net Subject: Re: [edk2] UEFI writing protection variable On 02/21/2014 04:41 AM, miguelro...@ua.pt wrote: > Hello all, > > > I'm a master's student and for my final thesis I am writing a UEFI > Application/Driver. > > > In my UEFI Application/Driver I need to have access to a non volatile > variable that must be visible (write permission) only to my UEFI > Application/Driver and invisible (no read permission) for other drivers, > applications or operating systems. > > > Does UEFI provide any mechanism to create a non volatile variable (or > some kind of data storage) that is only accessible to my driver? Can I > have some hints on how to do this? > > > I have been reading about the Secure Boot secure variables and Key > Managment Service but, the first does not seem to provide reading > protection and the second does not specify read/write protections for > the saved keys. > You could encrypt the variable's contents with a key known only to your driver. That's the scheme used for updating the secure Machine Owner Key (MOK) database from a running OS: encrypt the data into a non-secure transit variable, then reboot, decrypt, and validate it from a signed driver in a secure environment. As Tim Lewis pointed out, this wouldn't protect you from all threats, but at least it could ensure that only signed/trusted software is running at the point you decrypt your data. See the IDF presentations and other info linked from http://uefidk.intel.com/blog/using-mok-and-uefi-secure-boot-suse-linux (I'm not a security researcher, so take all the above with a grain of salt. I just thought the scheme presented at IDF was interesting, and it seemed applicable.) -- Brian J. Johnson -------------------------------------------------------------------- "I use not only the brains I have, but all I can borrow." -- Woodrow Wilson ------------------------------------------------------------------------------ Managing the Performance of Cloud-Based Applications Take advantage of what the Cloud has to offer - Avoid Common Pitfalls. Read the Whitepaper. http://pubads.g.doubleclick.net/gampad/clk?id=121054471&iu=/4140/ostg.clktrk _______________________________________________ edk2-devel mailing list edk2-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/edk2-devel ------------------------------------------------------------------------------ Managing the Performance of Cloud-Based Applications Take advantage of what the Cloud has to offer - Avoid Common Pitfalls. Read the Whitepaper. http://pubads.g.doubleclick.net/gampad/clk?id=121054471&iu=/4140/ostg.clktrk _______________________________________________ edk2-devel mailing list edk2-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/edk2-devel
