Comparing Clark-Wilson and UEFI Secure Boot
The following table illustrates how the UEFI Secure Boot Chain maps to Clark-Wilson certification and enforcement rules.
Table 1-8: Comparison between Clark-Wilson and Secure Boot Chain
Rule | Clark-Wilson | Secure Boot Chain |
---|---|---|
C1 | The system will have an IVP for validating the integrity of any CDI. | Not applied today. No one validates the CDI. The integrity may be verified by using a signature check. If TCG trusted boot is enabled, PCR validation can also be done. |
C2 | The application of a TP to any CDI must maintain the integrity of that CDI | Not applied. No User in UEFI. UEFI does not provide isolation. Ideally, the TP should not change CDI not managed by TP. But the reality is hard to enforce. SMM might be OK. ? |
C3 | A CDI can only be changed by a certified TP. Separation of duties / least privilege. | Not applied. No User in UEFI. Similar to C2. Only SMM has isolation. Data in SMM can only be changed in SMM. But SMM only used for UEFI Secure Boot authenticated variable trust anchors, and Intel® BIOS Guard update. |
C4 | TP actions are logged. | TPM Event Log |
C5 | TP actions on UDIs result in valid CDIs. | YES. Input Verification – secure boot chain |
E1 | Only certified TPs may act on CDIs. | The verification TP is inside of verified firmware. |
E2 | Subjects may access CDIs only through TPs for which they are authorized. | Not applied. No User in UEFI. All code in same privilege, except SMM. |
E3 | Subjects attempting to execute a TP must first be authenticated. | SMM |
E4 | Only administrators can specify TP authorizations. | NO. CPU – hardware owner. |