Book information
· Category : Foreign books > Computers > Security > General
· ISBN : 9781484261057
· Pages : 930 pages
· Publication date : 2020-10-28
Table of Contents
Part 1: Overview
Chapter 1: Introduction Security
Threat Model
Design
Validation
Chapter 2: Introduction Host Firmware
Industry Standard
Boot Flow / Phase hand-off
Minimal Firmware Requirement
Hardware ROT
CPU/silicon init
PCI resource allocation
Prepare platform info (memmap/ACPI)
Jump to OS
Runtime Interface (SMM, UEFI Runtime, ASL)
General Principle - Protect / Detect / Recovery
Part 2: Boot Security
Chapter 3: Firmware Resilience - Protection
Flash Lock
Flash Wear out
Capsule Flow (*)
Signed Update
Chapter 4: Firmware Resilience - Detection
Boot Flow (*)
Intel Boot Guard
OBB Verification
UEFI Secure Boot
Local
Remote
TXT- SX
(coreboot)
Chapter 5: Firmware Resilience - Recovery
Recovery Flow (*)
Signed Recovery
Top Swap
Rollback, SVNs
Chapter 6: OS/Loader Resilience
Platform Recovery
OS Recovery
(Android Verified Boot)
Chapter 7: Trusted Boot
Measured Boot Flow (*)
SRTM (Boot Guard)
DRTM (TXT)
TPM1.2/2.0
Physical Presence
MOR / Secure MOR
Chapter 8: Authentication
User Authentication
HDD Password
OPAL Password
Chapter 9: S3 resume
S3 resume flow (*)
LockBox
Chapter 10: Device Security
PCI Bus (*)
DMA protection
Device Measurement
Device Authentication
Device firmware update
Chapter 11: Silicon Security Configuration
Flash SPI lock
SMM Lock
BAR Lock
Chapter: Supply Chain (Vincent)
OEM/ODM/BIOS vendor/IHV
Open source
Fingerprinting
Manufacturing flow to shipment
Part 3: Data Security
Chapter 12: UEFI Kernel
DXE/PEI Core (*)
Heap Guard
Stack Guard
NX protection
Enclave
Chapter 13: Management Mode
SMM Core (*)
SMM Communication (*)
StandaloneMM (*)
MMIO Protection
Secure SMM Communication
Intel Runtime Resilience
STM (SMI Transfer Monitor)
Chapter: UEFI Variable (Vincent)
Authentication
Variable Lock
Variable Check
Variable Quota Management
Confidentiality
Integrity and Rollback
TPM Binding
RPMB
RPMC
Part 4: Miscellaneous
Chapter 14: General Coding Practice
Buffer Overflow
Banned API
Integer Overflow
SafeInt lib
Chapter: Cryptography (Vincent)
Hash usage in firmware
Encryption usage in firmware
Signing & verification usage in firmware
Chapter 15: Compiler Defensive Technology
Stack Cookie
Non-Executable
Address Space Randomization
Control Flow Integrity (CFI) / Control Flow Enforcement (CET)
Runtime Check (stack/un-initialized data/integer overflow)
Chapter: Race Condition (Vincent)
BSP/AP handling in UEFI
BSP/AP handling in SMM
TOC/TOU
Chapter 16: Information Leak
Side Channel
MDS
SMM
Chapter 17: Programming Language
C Language
Rust Language
Part: Security Test
Chapter 18: HBFA
Hardware Emulation
Security Unit Test
Fuzzing (AFL)
Static analysis
Chapter 19: chipsec
Configuration Check
SMI Fuzzing
Variable fuzzing
Whitelisting/Blacklisting
Part 5: Other
Chapter 20: Conclusion
Part 6: Appendices
Secure coding checklist
Secure review checklist
API summary
Part 7: References