Windows Secure Boot Primal Creation and Management Guidance

This document helps guide OEMs and ODMs in creation and direction of the Secure Boot keys and certificates in a manufacturing environment. Information technology addresses questions related to cosmos, storage and retrieval of Platform Keys (PKs), secure firmware update keys, and 3rd party Key Exchange Keys (KEKs).

Notation

These steps are non specific to PC OEMs. Enterprises and customers can too use these steps to configure their servers to support Secure Boot.

Windows requirements for UEFI and Secure Boot can be found in the
Windows Hardware Certification Requirements. This paper does non innovate new requirements or represent an official Windows plan. It is intended as guidance across certification requirements, to aid in building efficient and secure processes for creating and managing Secure Boot Keys. This is important considering UEFI Secure Kicking is based on the usage of Public Fundamental Infrastructure to cosign code before allowed to execute.

The reader is expected to know the fundamentals of UEFI, basic understanding of Secure Kicking (Affiliate 27 of the
UEFI specification), and PKI security model.

Requirements, tests, and tools validating Secure Boot on Windows are available today through the
Windows Hardware Certification Kit (HCK). Yet, these HCK resources do non address cosmos and management of keys for Windows deployments. This paper addresses key management every bit a resource to assist guide partners through deployment of the keys used by the firmware. Information technology is non intended as prescriptive guidance and does not include whatsoever new requirements.

On this page:

This document serves every bit a starting point in developing customer fix PCs, factory deployment tools and fundamental security best practices.

1. Secure Boot, Windows and Key Management

The UEFI (Unified Extensible Firmware Interface) specification defines a firmware execution authentication process called Secure Kick. As an manufacture standard, Secure Boot defines how platform firmware manages certificates, authenticates firmware, and how the operating organization interfaces with this process.

Secure Boot is based on the Public Fundamental Infrastructure (PKI) procedure to cosign modules before they are immune to execute. These modules can include firmware drivers, choice ROMs, UEFI drivers on disk, UEFI applications, or UEFI boot loaders. Through image authentication before execution, Secure Boot reduces the risk of pre-boot malware attacks such as rootkits. Microsoft relies on UEFI Secure Boot in Windows 8 and above as office of its Trusted Boot security compages to improve platform security for our customers. Secure Kick is required for Windows 8 and higher up client PCs, and for Windows Server 2016 as defined in the Windows Hardware Compatibility Requirements.

The Secure Boot process works as follows and every bit shown in Effigy ane:

  1. Firmware Kick Components:
    The firmware verifies the Os loader is trusted (Windows or another trusted operating system.)
  2. Windows boot components: BootMgr, WinLoad, Windows Kernel Startup.
    Windows kicking components verify the signature on each component. Any non-trusted components will non be loaded and instead will trigger Secure Boot remediation.

    • Antivirus and Antimalware Software initialization:
      This software is checked for a special signature issued by Microsoft verifying that it is a trusted boot critical commuter, and volition launch early in the boot process.
    • Boot Disquisitional Driver initialization:
      The signatures on all Boot-critical drivers are checked as office of Secure Boot verification in WinLoad.
  3. Additional OS Initialization
  4. Windows Logon Screen

This Uefi Firmware Features Loads Only Trusted Operating System Bootloaders

Effigy i: Windows Trusted Boot Architecture

Implementation of UEFI Secure Boot is function of Microsoft’s Trusted Boot Architecture, introduced in Windows eight.1. A growing tendency in the evolution of malware exploits is targeting the boot path as a preferred attack vector. This class of attack has been hard to baby-sit against, since antimalware products tin be disabled past malicious software that prevents them from loading entirely. With Windows Trusted Kick architecture and its establishment of a root of trust with Secure Kick, the customer is protected from malicious lawmaking executing in the boot path past ensuring that just signed, certified “known skillful” code and kicking loaders tin execute before the operating organisation itself loads.

ane.one Public-Fundamental Infrastructure (PKI) and Secure Kick

The PKI establishes actuality and trust in a system. Secure Kicking leverages PKI for two high-level purposes:

  1. During boot to determine if early kicking modules are trusted for execution.
  2. To authenticate requests to service requests include modification of Secure Boot databases and updates to platform firmware.

A PKI consists of:

  • A certificate authority (CA) that issues the digital certificates.
  • A registration authority which verifies the identity of users requesting a certificate from the CA.
  • A central directory in which to store and index keys.
  • A certificate management system.

i.two Public Key Cryptography

Public key cryptography uses a pair of mathematically related cryptographic keys, known as the public and private key. If you know one of the keys, you cannot hands summate what the other one is. If one cardinal is used to encrypt data, and so only the corresponding primal tin decrypt that data. For Secure Boot, the private key is used to digitally sign lawmaking and the public key is used to verify the signature on that code to testify its actuality. If a private key is compromised, then systems with respective public keys are no longer secure. This tin lead to boot kit attacks and volition damage the reputation of the entity responsible for ensuring the security of the private key.

In a Secure Kick public fundamental arrangement y’all accept the following:

  • i.two.one RSA 2048 Encryption

    RSA-2048 is an asymmetric cryptographic algorithm. The space needed to store an RSA-2048 modulus in raw form is 2048 bits.

  • 1.two.2 Self-signed certificate

    A certificate signed by the private key that matches the public central of the certificate is known as a cocky-signed certificate. Root certification authority (CA) certificates fall into this category.

  • one.two.3 Certification Authorisation

    The certification authority (CA) bug signed certificates that affirm the identity of the document subject and bind that identity to the public key contained in the certificate. The CA signs the certificate by using its individual central. It problems the corresponding public cardinal to all interested parties in a self-signed root CA certificate.

    In Secure Kick, Certification Authorities (CAs) include the OEM (or their delegates) and Microsoft. The CAs generate the central pairs that form the root of trust and and so utilize the individual keys to sign legitimate operations such as allowed early boot EFI modules and firmware servicing requests. The corresponding public keys are shipped embedded into the UEFI firmware on Secure Kicking-enabled PCs and are used to verify these operations.

    (More information on usage of CAs and fundamental exchanges is readily available on the internet which relates to the Secure Boot model.)

  • one.two.4 Public Key

    The public Platform Key ships on the PC and is attainable or “public”. In this document we will use the suffix “pub” to announce public cardinal. For example, PKpub denotes the public half of the PK.

  • 1.two.5 Private Key

    For PKI to work the private key needs to exist securely managed. It should be accessible to a few highly trusted individuals in an arrangement and located in a physically secure location with strong access policy restrictions in place. In this certificate we will utilise the suffix “priv” to denote private central. For instance, the PKpriv indicates private one-half of the PK.

  • one.two.6 Certificates

    The principal use for digital certificates is to verify the origin of signed data, such as binaries etc. A common employ of certificates is for internet message security using Transport Layer Security (TLS) or Secure Sockets Layer (SSL). Verifying the signed data with a document lets the recipient know the origin of the information and if it has been altered in transit.

    A digital certificate in general contains, at a high level, a distinguished proper noun (DN), a public key, and a signature. The DN identifies an entity — a visitor, for example — that holds the private fundamental that matches the public central of the document. Signing the certificate with a private primal and placing the signature in the certificate ties the private key to the public fundamental.

    Certificates can incorporate some other types of data. For instance, an X.509 certificate includes the format of the certificate, the serial number of the certificate, the algorithm used to sign the certificate, the proper noun of the CA that issued the document, the name and public key of the entity requesting the certificate, and the CA’s signature.

  • 1.2.7 Chaining certificates

    From:
    Certificate bondage:

    root ca is self-signed, others signed by root ca

    Figure 2: Iii-certificate chain

    User certificates are oft signed by a unlike private key, such as a individual primal of the CA. This constitutes a two-certificate chain. Verifying that a user certificate is genuine involves verifying its signature, which requires the public key of the CA, from its certificate. Merely before the public primal of the CA can exist used, the enclosing CA certificate needs to be verified. Considering the CA certificate is cocky-signed, the CA public key is used to verify the certificate.

    A user certificate need not be signed by the individual central of the root CA. Information technology could be signed past the individual key of an intermediary whose certificate is signed by the private key of the CA. This is an case of a 3-document concatenation: user certificate, intermediary document, and CA certificate. But more than one intermediary can be part of the chain, so certificate chains tin be of whatsoever length.

1.3 Secure Boot PKI requirements

The UEFI-defined root of trust consists of the Platform Fundamental and any keys an OEM or ODM includes in the firmware core. Pre-UEFI security and a root of trust are not addressed by the UEFI Secure Kicking procedure, just instead by National Establish of Standards and Technology (NIST), and Trusted Computing Group (TCG) publications referenced in this newspaper.

  • 1.3.one Secure Kicking requirements

    You’ll need to consider the following parameters for implementing Secure Kicking:

    • Customer requirements
    • Windows Hardware Compatibility requirements
    • Key generation and direction requirements.

    You would need to pick hardware for Secure Boot key management similar Hardware Security Modules (HSMs), consider special requirements on PCs to ship to governments and other agencies and finally the procedure of creating, populating and managing the life bicycle of various Secure Kicking keys.

  • 1.3.2 Secure Boot related keys

    The keys used for Secure Boot are beneath:

    pk, kek, db, dbx, and firmware key, winrt key

    Figure 3: Keys related to Secure Kicking

    Figure 3 above represents the signatures and keys in a PC with Secure Boot. The platform is secured through a platform key that the OEM installs in firmware during manufacturing. Other keys are used by Secure Boot to protect admission to databases that store keys to allow or disallow execution of firmware.

    The authorized database (db) contains public keys and certificates that correspond trusted firmware components and operating system loaders. The forbidden signature database (dbx) contains hashes of malicious and vulnerable components as well as compromised keys and certificates and blocks execution of those malicious components. The strength of these policies is based on signing firmware using Authenticode and Public Primal Infrastructure (PKI). PKI is a well-established process for creating, managing, and revoking certificates that constitute trust during information exchange. PKI is at the core of the security model for Secure Boot.

    Beneath are more than details on these keys.

  • 1.3.3 Platform Cardinal (PK)

    Equally per department 27.five.one of the UEFI two.3.1 Errata C, the platform key establishes a trust human relationship between the platform owner and the platform firmware. The platform possessor enrolls the public half of the key (PKpub) into the platform firmware as specified in
    Section 7.ii.i of the UEFI 2.3.1 Errata C. This footstep moves the platform into user style from setup mode. Microsoft recommends that the Platform Central be of type
    EFI_CERT_X509_GUID
    with public key algorithm RSA, public primal length of 2048 bits, and signature algorithm sha256RSA. The platform owner may use type
    EFI_CERT_RSA2048_GUID
    if storage space is a concern. Public keys are used to check signatures as described earlier in this document. The platform owner tin can later use the private one-half of the primal (PKpriv):

    • To change platform buying you must put the firmware into UEFI divers
      setup manner
      which disables Secure Boot. Revert to setup fashion only if in that location is a need to do this during manufacturing.
    • For desktop PC, OEMs manage PK and necessary PKI associated with information technology. For Servers, OEMs by default manage PK and necessary PKI. Enterprise customers or Server customers tin also customize PK, replacing the OEM-trusted PK with a custom-proprietary PK to lock down the trust in UEFI Secure Boot firmware to itself.

    1.three.3.1 To enroll or update a Key Exchange Key (KEK) Enrolling the Platform Key

    The platform owner enrolls the public half of the Platform Central (PKpub) past calling the UEFI Boot Service SetVariable() as specified in Department 7.2.1 of UEFI Spec 2.3.1 errata C, and resetting the platform. If the platform is in setup way, then the new
    PKpub
    shall exist signed with its
    PKpriv
    analogue. If the platform is in user mode, then the new
    PKpub
    must be signed with the current
    PKpriv. If the PK is of type
    EFI_CERT_X509_GUID, and then this must be signed by the firsthand
    PKpriv, non a private key of any certificate issued under the PK.

    1.3.3.two Clearing the Platform Fundamental

    The platform owner clears the public half of the Platform Fundamental (PKpub) by calling the UEFI Boot Ser¬vice SetVariable() with a variable size of 0 and resetting the platform. If the platform is in setup style, so the empty variable does not need to exist authenticated. If the platform is in user mode, then the empty variable must be signed with the electric current
    PKpriv; see Section seven.2(Variable Services) under
    UEFI specification
    2.3.i Errata C for details. Information technology is strongly recommended that the production PKpriv never be used to sign a package to reset the platform since this allows Secure Boot to be disabled programmatically. This is primarily a pre-production exam scenario.

    The platform key may also be cleared using a secure platform-specific method. In this case, the global variable Setup Manner must too be updated to 1.

    image: pk determines setup mode or user mode

    Figure 4: Platform Cardinal State diagram

    1.3.3.3 PK generation

    As per UEFI recommendations, the public key must be stored in non-volatile storage which is tamper and delete resistant on the PC. The Private keys stay secure at Partner or in the OEM’s Security Role and only the public fundamental is loaded onto the platform. There are more details under section ii.two.1 and ii.three.

    The number of PK generated is at the discretion of the Platform possessor (OEM). These keys could be:

    1. I per PC. Having one unique key for each device. This may be required for regime agencies, financial institutions, or other server customers with high-security needs. It may require additional storage and crypto processing ability to generate private and public keys for large numbers of PCs. This adds the complexity of mapping devices with their corresponding PK when pushing out firmware updates to the devices in the time to come. There are a few unlike HSM solutions available to manage large number of keys based on the HSM vendor. For more than info, see
      Secure Kick Key Generation Using HSM.

    2. One per model. Having one key per PC model. The tradeoff hither is that if a key is compromised all the machines inside the aforementioned model would be vulnerable. This is recommended by Microsoft for desktop PCs.

    3. 1 per production line. If a key is compromised a whole product line would be vulnerable.

    4. One per OEM. While this may be the simplest to set upwardly, if the fundamental is compromised, every PC you manufacture would be vulnerable. To speed up operation on the factory flooring, the PK and potentially other keys could be pre-generated and stored in a rubber location. These could exist afterwards retrieved and used in the associates line. Chapters 2 and 3 accept more details.

    ane.3.3.iv Rekeying the PK

    This may be needed if the PK gets compromised or as a requirement by a customer that for security reasons may decide to enroll their own PK.

    Rekeying could be done either for a model or PC based on what method was selected to create PK. All the newer PCs will get signed with the newly created PK.

    Updating the PK on a production PC would require either a variable update signed with the existing PK that replaces the PK or a firmware update packet. An OEM could also create a SetVariable() package and distribute that with a simple application such as PowerShell that but changes the PK. The firmware update package would be signed by the secure firmware update key and verified past firmware. If doing a firmware update to update the PK, care should be taken to ensure the KEK, db, and dbx are preserved.

    On all PCs, it is recommended to non utilise the PK as the secure firmware update key. If the PKpriv is compromised then and then is the secure firmware update cardinal (since they are the same). In this case the update to enroll a new PKpub might not be possible since the process of updating has also been compromised.

    On SOCs PCs, in that location is another reason to not employ the PK equally the secure firmware update central. This is because the secure firmware update central is permanently burnt into fuses on PCs that meet Windows Hardware Certification requirements.

  • 1.3.iv Key Exchange Key (KEK)
    Key exchange keys establish a trust relationship between the operating system and the platform firmware. Each operating organisation (and potentially, each 3rd party application which demand to communicate with platform firmware) enrolls a public key (KEKpub) into the platform firmware.

    1.iii.4.1 Enrolling Key Exchange Keys

    Key exchange keys are stored in a signature database equally described in
    1.iv Signature Databases (Db and Dbx)). The signature database is stored as an authenticated UEFI variable.

    The platform owner enrolls the cardinal exchange keys past either calling SetVariable() as specified in Section 7.two(Variable Services) nether
    UEFI specification
    two.iii.1 Errata C. with the
    EFI_VARIABLE_APPEND_WRITE
    aspect set up and the Data parameter containing the new key(s), or by reading the database using GetVariable(), appending the new key exchange key to the existing keys and then writing the database using SetVariable()equally specified in Department 7.2(Variable Services) nether
    UEFI specification
    2.iii.1 Errata C without the
    EFI_VARIABLE_APPEND_WRITE
    attribute ready.

    If the platform is in setup mode, the signature database variable does non need to exist signed but the parameters to the SetVariable() phone call shall still be prepared every bit specified for authenticated variables in Section seven.two.1. If the platform is in user mode, the signature database must be signed with the electric current PKpriv

    1.3.4.ii Clearing the KEK

    It is possible to “clear” (delete) the KEK. Note that if the PK is not installed on the platform, “clear” requests are not required to be signed. If they are signed, then to articulate the KEK requires a PK-signed package, and to clear either db or dbx requires a package signed by any entity present in the KEK.

    one.3.four.3 Microsoft KEK

    The Microsoft KEK is required to enable revocation of bad images by updating the dbx and potentially for updating db to prepare for newer Windows signed images.

    Include the Microsoft Corporation KEK CA 2011 in the KEK database, with the following values:

    • SHA-1 cert hash:
      31 59 0b fd 89 c9 d7 4e d0 87 df ac 66 33 4b 39 31 25 4b 30.
    • SignatureOwner GUID:
      {77fa9abd-0359-4d32-bd60-28f4e78f784b}.
    • Microsoft will provide the certificate to partners and information technology tin can be added either as an
      EFI_CERT_X509_GUID
      or an
      EFI_CERT_RSA2048_GUID
      blazon signature.

    The Microsoft KEK certificate tin be downloaded from:
    https://go.microsoft.com/fwlink/?LinkId=321185.

    1.3.4.4 KEKDefault
    The platform vendor may provide a default set of Key Exchange Keys in the KEKDefault variable. Please reference
    UEFI specification
    section 27.3.three for more than information.

    one.three.iv.5 OEM/3rd party KEK – adding multiple KEK

    Customers and Platform Owners don’t need to have their own KEK. On non-Windows RT PCs the OEM may have additional KEKs to allow additional OEM or a trusted 3rd party control of the db and dbx.

  • one.three.five Secure Boot firmware update centralThe Secure firmware update central is used to sign the firmware when it needs to exist updated. This central has to take a minimum key forcefulness of RSA-2048. All firmware updates must be signed securely by the OEM, their trusted delegate such equally the ODM or IBV (Independent BIOS Vendor), or by a secure signing service.

    Equally per
    NIST publication 800-147 Field Firmware Update
    must back up all elements of guidelines:

    Any update to the firmware flash store must be signed by creator.

    Firmware must check signature of the update.

  • one.three.half dozen Creation of keys for Secure Firmware Update

    The same primal will be used to sign all firmware updates since the public one-half will be residing on the PC. Y’all could also sign the firmware update with a key which bondage to Secure Firmware update cardinal.

    There could be i key per PC like PK or one per model or ane per product line. If there is one primal per PC that would mean that millions of unique update packages will demand to exist generated. Delight consider based on resource availability what method would work for y’all. Having a key per model or product line is a skilful compromise.

    The Secure Firmware Update public key (or its hash to save space) would be stored in some protected storage on the platform – generally protected flash (PC) or one-time-programmable fuses (SOC).

    If only the hash of this primal is stored (to save space), and then the firmware update volition include the key, and the first stage of the update process will exist verifying that the public key in the update matches the hash stored on the platform.

    Capsules are a means past which the OS can pass data to UEFI surroundings across a reboot. Windows calls the UEFI UpdateCapsule() to deliver system and PC firmware updates. At kick time prior to calling ExitBootServices(),Windows will pass in whatever new firmware updates found in the Windows Driver Shop into UpdateCapsule(). UEFI organisation firmware can use this process to update system and PC firmware. By leveraging this Windows firmware support an OEM can rely on the same common format and process for updating firmware for both organization and PC firmware. Firmware must implement the ACPI ESRT table in order to support UEFI UpdateCapsule() for Windows.

    For details on implementing support for the Windows UEFI Firmware Update Platform consult the post-obit documentation: Windows UEFI Firmware Update Platform.

    Update capsules can be in memory or on the deejay. Windows supports in retentiveness updates.

    one.3.six.ane Capsule (Capsule-in-Memory)

    Following is the menstruum of events for an In-retentiveness update capsule to work.

    1. A capsule is put in memory by an application in the Bone
    2. Mailbox event is set to inform BIOS of pending update
    3. PC reboots, verifies the capsule image and update is performed by the BIOS
  • 1.3.7 Workflow of a typical firmware update

    1. Download and install the firmware driver.
    2. Reboot.
    3. OS Loader detects and verifies the firmware.
    4. Bone Loader passes a binary blob to UEFI.
    5. UEFI performs the firmware update (This process is owned past the silicon vendor).
    6. Os Loader detection completes successfully.
    7. OS finishes booting.
Read:  How to Update 3ds to Specific Firmware

one.4 Signature Databases (Db and Dbx)

  • 1.4.1 Allowed Signature database (db)

    The contents of the EFI
    _IMAGE_SECURITY_DATABASE
    db command what images are trusted when verifying loaded images. The database may comprise multiple certificates, keys, and hashes in club to identify immune images.

    The
    Microsoft Windows Production PCA 2011
    with a SHA-1 Cert Hash of
    58 0a 6f 4c c4 e4 b6 69 b9 eb dc 1b 2b 3e 08 7b 80 d0 67 8d
    must be included in db in order to allow the Windows Bone Loader to load. The Windows CA tin be downloaded from hither:
    https://go.microsoft.com/fwlink/p/?linkid=321192.

    On non-Windows RT PCs the OEM should consider including the
    Microsoft Corporation UEFI CA 2011
    with a SHA-i Certificate Hash of
    46 de f6 3b 5c e6 1c f8 ba 0d e2 e6 63 9c 10 nineteen d0 ed 14 f3. Signing UEFI drivers and applications with this certificate will allow UEFI drivers and applications from 3rd parties to run on the PC without requiring additional steps for the user. The UEFI CA can be downloaded from here:
    https://become.microsoft.com/fwlink/p/?linkid=321194.

    On non-Windows RT PCs the OEM may also have boosted items in the db to allow other operating systems or OEM-approved UEFI drivers or apps, but these images must not compromise the security of the PC in whatever way.

  • i.4.2 DbDefault: The platform vendor may provide a default set of entries for the Signature Database in the dbDefault variable. For more information see section 27.v.three in the UEFI specification.

  • ane.4.three Forbidden Signature Database (dbx)

    The contents of
    EFI_IMAGE_SIGNATURE_DATABASE1
    dbx must be checked when verifying images before checking db and whatever matches must preclude the image from executing. The database may contain multiple certificates, keys, and hashes in social club to identify forbidden images. The Windows Hardware Certification Requirements land that a dbx must be present, so any dummy value, such as the SHA-256 hash of
    , may exist used as a safe placeholder until such time as Microsoft begins delivering dbx updates.
    Click Hither
    to download the latest UEFI revocation listing from Microsoft.

  • ane.iv.iv DbxDefault: The platform vendor may provide a default set of entries for the Signature Database in the dbxDefault variable. For more information encounter department 27.five.iii in the UEFI specification.

ane.5 Keys Required for Secure Boot on all PCs

Key/db Name Variable Owner Notes

PKpub

PK

OEM

PK – 1 only. Must be RSA 2048 or stronger.

Microsoft Corporation KEK CA 2011

KEK

Microsoft

Allows updates to db and dbx:

https://go.microsoft.com/fwlink/p/?linkid=321185.

Microsoft Windows Product CA 2011

db

Microsoft

This CA in the Signature Database (db) allows Windows to kick:
https://become.microsoft.com/fwlink/?LinkId=321192.

Forbidden Signature Database

dbx

Microsoft

Listing of known bad Keys, CAs or images from Microsoft

Secure firmware update central

OEM

Recommendation is to have this cardinal be different from PK

Table 1: Keys/db needed for Secure Kick

ii. Cardinal Management Solutions

Below are given some of the metrics we used for comparison.

2.i Metrics used

The following metrics tin can help y’all select a HSM PC based on the requirements of
UEFI specification
2.three.one Errata C and your needs.

  • Does it support RSA 2048 or higher? – The
    UEFI specification
    2.3.i Errata C recommends the keys to be RSA-2048 or better.
  • Does it have the ability to generate keys and sign?
  • How many keys can information technology shop? Does it store keys on HSM or an attached server?
  • Hallmark method for key retrieval. Some PCs support multiple authentication entities to be present for key retrieval.

Pricing

  • What is the toll point? HSMs can range in cost from $1,500 to $70,000 depending on bachelor features.

Manufacturing environs

  • Speed of operation on manufacturing plant floor. Crypto processors can speed upwardly key cosmos and access.
  • Ease of setup, deployment, maintenance.
  • Skillset and training required?
  • Network access for fill-in and Loftier Availability

Standards and Compliance

  • What level of FIPS compliance does information technology have? Is it tamper resistant?
  • Support for other standards, for example, MS crypto APIs.
  • Does information technology run into government and other agency requirements?

Reliability and disaster recovery

  • Does it allow for Key Backup?

    Backups can exist stored both onsite in a safe location that is a different physical location than the CA calculator and HSM and /or at an offsite location.

  • Does information technology allow for High Availability for disaster recovery?

2.two Cardinal Management Options

  • ii.two.ane Hardware Security Module (HSM)

    Based on the above criteria this is probably the most suitable and secure solution. Nigh HSM accept FIPS 140-two level iii compliance. FIPS 140-2 level iii compliance is strict on hallmark and requires that keys are not exported or imported from the HSM.

    They back up multiple ways of key storage. They could be stored either locally on the HSM itself or on the server attached to the HSM. On the server the keys are encrypted and stored and is preferable for solutions which requires lots of keys to be stored.

    The cryptographic module security policy shall specify a physical security policy, including physical security mechanisms that are implemented in a cryptographic module such as, tamper-evident seals, locks, tamper response and zeroization switches, and alarms. It also allows specifying actions required by the operator(s) to ensure that physical security is maintained such as periodic inspection of tamper-evident seals or testing of tamper response and zeroization switches.

    • 2.two.1.1 Network HSM

      This solution is the best in its grade in terms of security, adherence to standards, key generation, storage and retrieval. Most of these PCs support high availability and have power to fill-in keys.

      The costs of these products tin be in tens of thousands of dollars based on the extra services they offer.

    • 2.2.1.ii Standalone HSM

      These work bully with standalone servers. One tin can use Microsoft CAPI and CNG or any other secure API supported past HSM. These HSMs come in multifariousness of class factors supporting USB, PCIe and PCMCIA buses.

      They optionally back up fundamental backup and high availability.

  • ii.two.two Custom solutions providers

    Public Cardinal cryptography tin can be challenging and require understanding of cryptographic concepts which maybe new. There are custom solution providers who could assist with the getting Secure Boot to work in the manufacturing environment.

    In that location are varieties of custom solutions offered past BIOS vendors, HSM companies and PKI consulting companies to get Secure Boot PKI working in the manufacturing surroundings.

    Some of the providers are listed beneath:

  • 2.2.iii Trusted Platform Module (TPM)

    A Trusted Platform Module (TPM) is a hardware chip on the motherboard that stores cryptographic keys used for encryption. Many computers include a TPM, merely if the PC doesn’t include information technology, it is not feasible to add together one. Once enabled, the Trusted Platform Module tin assistance secure full disk encryption products such as Microsoft BitLocker capabilities. It keeps hard drives locked, or sealed, until the PC completes a system verification or authentication procedure.

    The TPM can generate, store, and protect keys used in the encryption and decryption procedure.

    The drawbacks of TPMs are that it may non have fast crypto processors to speed upwards processing in the manufacturing environs. They too are non suitable for storing large number of keys. Fill-in and loftier availability and standards compliance to FIPS 140-two level iii may non be available.

  • two.2.iv Smart Cards

    A smart carte du jour tin generate and store keys. They do share some features which HSM back up like authentication and tamper proofing, but they don’t include much key storage or backup. They require manual intervention and may not exist suitable for automation and use in production environment as the performance maybe depression.

    The drawbacks of Smart cards are similar to TPMs. They may not have fast crypto processors to speed upwards processing in the manufacturing surroundings. They also are not suitable for storing large number of keys. Backup and high availability and standards compliance to FIPS 140-2 level iii may not be available.

  • 2.ii.v Extended Validation Certificate

    EV Certificates are high balls certificates whose private keys are stored in hardware tokens. This helps establish stronger key management practices. EV certificates have the same drawbacks as Smart cards.

  • 2.2.half dozen Software-centric approaches (Non RECOMMENDED)

    Use crypto APIs for cardinal management. This may involve storing a key in a key container on an encrypted hard drive and possible for additional sandboxing and security use a Virtual machine.

    These solutions are not equally secure as using an HSM and expose a higher set on vector.

    2.ii.half-dozen.1 Makecert (NOT RECOMMENDED)

    Makecert is a Microsoft tool and can exist used every bit follows for key generation. To brand certain that the attack surface is minimized you may need to “air gap” the PC. The PC that has the PKpriv on should not be continued to the network. It should be in a secure location and ideally should at least utilize a smart card reader if not a real HSM.

                    makecert -pe -ss MY -$ individual -northward "CN=your name here" -len 2048 -r
                    
                  

    For more info, see
    Certificate Creation Tool (Makecert.exe).

    This solution is non recommended.

2.3 HSM Central generation and storage for Secure Boot keys

  • 2.3.1 Storing Private keys

    The infinite requirement for each RSA-2048 key is 2048 bits. The actual location of the storage of the keys depends on the solution called. HSM are a good mode of storing keys.

    The physical location of the PCs on the mill floor would need to be a protected area with express user access similar a secure cage.

    Depending on your requirements these keys could as well exist stored in a various geographical location or backed up in a dissimilar location.

    The rekeying requirements for these keys could vary based on the client (come across Appendix A for Federal bridge certificate authority rekeying guidelines).

    These could be washed in one case per year. You may need to take access to these keys for up to 30 years (depending on the rekeying requirements etc.).

  • 2.3.2 Retrieving the individual Keys

    The keys may need to be retrieved for many reasons.

    1. The PK may need to be retrieved to issue an updated PK due to information technology existence compromised or to attach to government /other agency regulations.
    2. KEKpri volition be used to update the db and dbx.
    3. Secure firmware update fundamental –pri volition exist used to sign newer updates.
  • 2.3.three Authentication

    As per FIPS 140-2 authentication is based on level of admission.

    Level 2

    Security Level 2 requires, at a minimum, part-based authentication in which a cryptographic module authenticates the potency of an operator to presume a specific role and perform a corresponding gear up of services.

    Level 3

    Security Level 3 requires identity-based authentication mechanisms, enhancing the security provided by the role-based authentication mechanisms specified for Security Level ii. A cryptographic module authenticates the identity of an operator and verifies that the identified operator is authorized to assume a specific role and perform a corresponding set of services.

    PCs similar HSM’s back up Security Level 3, which requires identity-based “k of g authentication”. This means one thousand entities are given access to the HSM with a token merely at a given indicate at least k out of the m tokens need to be present for hallmark to work to become access to private keys from HSM.

    For example, you could have iii out of 5 tokens should be authenticated to access HSM. Those members could be the security officers, transaction authorizer and/or members from Executive Management.

    HSM Tokens

    You could accept a policy on the HSM which require the token to be present:

    • Locally

    • Remotely

    • Configured to be automated

    As a good practise, please use a combination of token and per token password.

ii.four Secure Kicking and 3rd party signing

  • 2.four.1 UEFI driver signing

    UEFI Drivers must be signed by a CA or key in the db as described elsewhere in the document, or have the hash of the commuter epitome included in db. Microsoft volition be providing a UEFI driver signing service similar to the WHQL commuter signing service using the
    Microsoft Corporation UEFI CA 2011. Any drivers signed by this will run seamlessly on any PCs that include the Microsoft UEFI CA. It is likewise possible for an OEM to sign trusted drivers and include the OEM CA in the db, or to include hashes of the drivers in the db. In all cases a UEFI driver (Choice ROM) shall not execute if it is not trusted in the db.

    Whatever drivers that are included in the system firmware prototype do not need to be re-verified. Existence part of the overall organization image provides sufficient assurance that the driver is trusted on the PC.

    Microsoft has this fabricated available to anyone who wants to sign UEFI drivers. This certificate is part of the Windows HCK Secure Kicking tests. Follow [this blog]((https://blogs.msdn.microsoft.com/windows_hardware_certification/2013/12/03/microsoft-uefi-ca-signing-policy-updates/) to read more than about UEFI CA signing policy and updates.

  • 2.iv.ii Boot loaders

    The Microsoft UEFI driver signing certificate can be used for signing other OSs. For example, Fedora’s Linux boot loader will be signed by it.

    This solution doesn’t require whatever more certificates to be added to the central Db. In addition to beingness cost effective, it can exist used for any Linux distribution. This solution would work for any hardware which supports Windows and then information technology is useful for a wide range of hardware.

    The UEFI-CA can be downloaded from here:
    https://go.microsoft.com/fwlink/p/?LinkID=321194. The post-obit links accept more information on Windows HCK UEFI signing and submission:

3. Summary and Resource

This department intends to summarize the higher up sections and show a step by step approach:

  1. Constitute a secure CA or identify a partner to securely generate and store keys

    If you are not using a tertiary party solution:

    1. Install and configure the HSM software on the HSM server.
      Check your HSM reference manual for installation instructions. The server will either be continued to a standalone or network HSM.

      For info nearly HSM configuration, see Section 2.ii.1, 2.3 and Appendix C.

      Almost HSMs offer FIPS 140-2 level 2 and 3 compliance. Configure the HSM for either level ii or level 3 compliance. Level 3 compliance has stricter requirements around authentication and key access and hence is more secure. Level 3 is recommended.

    2. Configure HSM for High Availability, Backup and Authentication.
      Check your HSM reference manual.

      Follow HSM provider guidelines on setting upward HSM for High Availability and backup.

      Also, Network HSMs typically have multiple network ports to segregate traffic; allowing a server to communicate with network HSMs on a network separate from the regular production network.

      Once team members who are part of the security team have been identified and tokens assigned to them. You will need to setup HSM hardware for 1000-of-m hallmark.

    3. Secure Kick Keys and certificate pre-generation.
      Come across Sections ane.three to 1.v

      Use HSM APIs to pre-generate (generate in advance) the PK and Firmware Update Key and certificates.

      Required – PK (recommend 1 per model), Firmware Update cardinal (recommend 1 per model), Microsoft KEK, Db, DbxNOTE: The Microsoft KEK, db, and dbx don’t have to be generated by the OEM and are mentioned for completeness.Optional – OEM/3rd party KEK db, dbx and whatever other keys which would go into OEM Db.

  2. Utilize a Windows epitome to the PC.

  3. Install Microsoft db and dbx. See Section 1.3.6 and
    Appendix B – Secure Boot APIs.

    1. Install the
      Microsoft Windows Production PCA 2011
      into db.

    2. Install an empty dbx if Microsoft does not provide one. Windows will automatically update DBX to the latest DBX through Windows Update on commencement reboot.

    Notation

    Apply PowerShell cmdlets which are part of the Windows HCK tests or use methods provided by BIOS vendor.

  4. Install Microsoft KEK. See Section 1.3.three.

    Install Microsoft KEK into the UEFI KEK database

    Caution

    Use PowerShell cmdlets which are part of the Windows HCK tests or utilize methods provided by BIOS vendor.

  5. Optional step – OEM/3rd political party secure kick components. See Section 1.three.4 and 1.4.

    1. Identify if you take demand for creating a OEM/tertiary political party KEK, db and dbx.

    2. Sign OEM/tertiary party db and dbx with OEM/3rd political party KEK(generated earlier) using HSM API.

    3. Install OEM/3rd party KEK, db and dbx.

  6. UEFI commuter signing
    – Come across Section 2.4.

    If supporting add together-in cards or other UEFI drivers/apps/bootloaders, install
    Microsoft Corporation UEFI CA 2011
    into UEFI db.

  7. Secure kick firmware update key
    – Come across Section 1.3.5.

    1. Non-Windows RT PCs merely: Install the Secure firmware update public key or its hash to save space.

    2. On SoC only, y’all may demand to exercise something different, for instance, burn Secure firmware update key: public or its hash.

  8. Enabling Secure Boot. Come across
    Appendix B – Secure Kick APIs.

    1. Install the OEM/ODM PKpub (document preferred, but key is okay) into the UEFI PK.

    2. Enroll the PK using Secure Kick API. The PC should be at present enabled for Secure Kick.

    Annotation

    If you install the PK at the end, the MS KEK, db, dbx don’t need to exist signed – no SignerInfo must be present. This is a shortcut.

  9. Testing Secure Boot: Execute any proprietary tests and Windows HCK tests equally per instructions. See
    Appendix B – Secure Boot APIs.

  10. Ship platform: The PKpriv will likely never be used once more, keep it safe.

  11. Servicing: Future firmware updates are securely signed with the Secure Firmware Update “individual” key using the signing service.

iii.1 Resources

Security Strategies White Newspaper –
https://go.microsoft.com/fwlink/p/?linkid=321288

Windows HCK Submission –https://become.microsoft.com/fwlink/p/?linkid=321287

Appendix A – Secure Boot PKI checklist for manufacturing

Below is a high-level checklist summarizing the steps needed for enabling Secure Kicking on non-Windows RT PCs.

Setting up Secure Boot

  1. Define security strategy (identify threats, define proactive and reactive strategy) as per the white paper in section iv.

  2. Identify security team every bit per the white newspaper in section iv.

  3. Plant a secure CA or identify a partner (recommended solution) to securely generate and store keys.

  4. Identify policy for how frequently you lot will be rekeying keys. This may depend on if you have whatever special customer requirements similar governments or other agencies.

  5. Accept a contingency plan in case the Secure Boot Key is compromised.

  6. Identify how many PK and other keys will you be generating as per section 1.iii.3 and i.5.

    This volition be based on client base, fundamental storage solution and security of PCs.

    You can skip steps 7-8 if you are using the recommended solution of using a 3rd party for fundamental management.

  7. Procure server and hardware for primal management. – network or standalone HSM per section 2.2.one. Consider whether you will need ane or several HSMs for loftier availability and your key back up strategy.

  8. Identify at least 3-iv squad members who volition have an hallmark token for hallmark on HSM.

  9. Use HSM or third political party to pre-generate Secure Kick-related keys and certificates. The keys will depend on the PC type: SoC, Windows RT or non-Windows RT. For more info, come across Sections 1.3 through 1.5.

  10. Populate the firmware with the advisable keys.

  11. Enroll the Secure Boot Platform Key to enable Secure Boot. See Appendix B for more details.

  12. Execute any proprietary tests and HCK Secure Kicking tests equally per instructions. See Appendix B for more details.

  13. Send the PC. The PKpriv volition likely never be used again, go on it safe.

Servicing (Updating firmware)

You lot may need to update firmware for several reasons such as updating an UEFI component or fixing Secure Boot key compromise or periodic rekeying of Secure Boot keys.

For more info, see Department ane.three.five and section 1.iii.6.

Appendix B – Secure Boot APIs

  1. Secure Boot API

    The following APIs are related to UEFI/Secure Boot:

    1. GetFirmwareEnvironmentVariableEx: Retrieves the value of the specified firmware environment variable.

    2. SetFirmwareEnvironmentVariableEx: Sets the value of the specified firmware surround variable.

    3. GetFirmwareType: Retrieves the firmware blazon.

  2. Setting PK

    Use the Gear up-SecureBootUEFI cmdlet to turn on Secure Boot. After your code sets the PK, arrangement enforcement of Secure Kick does not take effect until the side by side reboot. Prior to the reboot, your code could call GetFirmwareEnvironmentVariableEx() or the PowerShell cmdlet: Go-SecureBootUEFI to confirm the contents of the Secure Boot databases.

  3. Verification

    You tin can use Msinfo32.exe or PowerShell cmdlets to cheque Secure Boot variable state. There is no WMI interface. You could also exam by having someone insert an incorrectly-signed bootable USB stick (for instance, from the Windows HCK Secure Boot Manual Logo Test) and verify that it fails to kick.

  4. Secure Boot Powershell Cmdlets

    • Confirm-SecureBootUEFI: Is UEFI Secure Boot “ON”, True or False?

      SetupMode == 0 && SecureBoot == 1

    • Set-SecureBootUEFI: Set or Suspend authenticated SecureBoot UEFI variables

    • Get-SecureBootUEFI: Get authenticated SecureBoot UEFI variable values

    • Format-SecureBootUEFI: Creates EFI_SIGNATURE_LISTs & EFI_VARIABLE_AUTHENTICATION_2 serializations

  5. Windows HCK and Secure Boot Instructions

    The following steps utilise to system tests and non-grade commuter PC tests.

    1. Disable Secure Boot protections.

      Enter your BIOS configuration and disable Secure Kick.

    2. Install the HCK Client software.

    3. Run all of the Windows HCK tests, except for the following:

      • BitLocker TPM and Recovery password tests with PCR[7]
      • BitLocker TPM and Recovery password tests for Arm PCs with Secure Kick
      • Secure Boot Logo Test
      • Secure Boot Manual Logo Test
    4. Enter your BIOS configuration, enable Secure Kick, and restore Secure Kick to the Default configuration.

    5. Run the post-obit BitLocker and Secure Boot tests:

      • BitLocker TPM and Recovery password tests with PCR[vii]
      • BitLocker TPM and Recovery password tests for Arm PCs with Secure Kicking
      • Secure Boot Logo Test (automated)
    6. Enter the BIOS configuration and articulate the Secure Boot configuration. This restores the PC to Setup Way by deleting PK and other keys.

      Note

      Support for clearing is required for x86/x64 PCs.

    7. Run the Secure Boot Manual Logo Test.

      Note

      Secure Boot requires Windows HCK signed or VeriSign drivers on not-Windows RT PCs

  6. Windows HCK Secure Boot Logo Test (automated)

    This test will check for proper out-of-box Secure Boot configuration. This includes:

    • Secure Boot is Enabled.
    • The PK is not a known, exam PK.
    • KEK contains the product Microsoft KEK.
    • db contains the production Windows CA.
    • dbx present.
    • Many 1kB variables are created/deleted.
    • A 32kB variable is created/deleted.
  7. Windows HCK Secure Kick transmission test folder layout

    The Windows HCK Secure Boot Manual Logo test binder layout is described beneath:

    • "\Examination"
      binder has the post-obit:

      • Manufacturing and Servicing Examination
      • Programmatically Enable Secure Boot in examination configuration
      • Servicing Tests
      • Append a cert to db, verify function
      • Append a hash to dbx, verify role
      • Append a cert to dbx, verify function
      • Append 600+ hashes to dbx, verify size
      • Programmatically change the PK
    • "\Generate"
      folder has scripts which evidence the following:

      • How test certificates were created

      • The test certificates and individual keys are included

      • How all of the tests were created

      • Turning certificates and hashes into signed packages

      • Y’all can run this yourself, substitute your ain certificates

    • "\certs"
      binder has all of the certificates you lot need to boot Windows:

      Note

      Delight don’t use the methodology used in
      "ManualTests\generate\TestCerts"
      to generate keys and certificates. This is meant for Windows HCK examination purposes only. It uses keys which are stored on deejay which is very insecure and non recommended. This is not meant for utilise in a production environment.

  • "ManualTests\example\OutOfBox"
    binder has scripts which you tin leverage for installation of Secure Kicking on production PCs.

    The
    "ManualTests\generate\tests\subcreate_outofbox_example.ps1"
    demonstrates how these examples were generated and have “TODO” sections when a partner can substitute their PK and other metadata.

  1. Windows HCK UEFI signing and submission

    The following links take more information:

Appendix C – Federal Span Certification Authority Certificate Policy Assurance Mappings

  1. Rudimentary

    This level provides the lowest degree of assurance concerning identity of the individual. One of the primary functions of this level is to provide data integrity to the data being signed. This level is relevant to environments in which the chance of malicious action is considered to be low. It is not suitable for transactions requiring authentication, and is generally insufficient for transactions requiring confidentiality, but may be used for the latter where certificates having higher levels of assurance are unavailable.

  2. Basic

    This level provides a basic level of assurance relevant to environments where at that place are risks and consequences of information compromise, only they are not considered to be of major significance. This may include access to individual information where the likelihood of malicious admission is not loftier. It is assumed at this security level that users are not probable to exist malicious.

  3. Medium

    This level is relevant to environments where risks and consequences of data compromise are moderate. This may include transactions having substantial monetary value or run a risk of fraud, or involving access to private information where the likelihood of malicious admission is substantial.

  4. High

    This level is appropriate for utilize where the threats to information are high, or the consequences of the failure of security services are high. This may include very high value transactions or loftier levels of fraud risk.

Secure Boot Fundamental Generation and Signing Using HSM (Example)

UEFI Validation Option ROM Validation Guidance

Secure Kicking Overview