Intel® Boot Guard

UEFI Secure Boot assumes the OEM platform firmware is a Trusted Computing Base (TCB) and trusts it implicitly. A better implementation relies on a smaller TCB to verify the OEM platform firmware. A solution can be implemented using Intel® Boot Guard. This feature verifies the entire OEM platform firmware image using two components:

  • Authenticated Code Module (ACM) Initial Boot Block (IBB) Verification

  • Microcode ACM Verification.

Figure 2-4 shows the components involved in Intel® Boot Guard. Table 2-4 shows the key usage in Intel® Boot Guard.

Figure 2-4: Intel® Boot Guard diagram (credit: “CYBER-RESILIENCY IN CHIPSET AND BIOS” by Dell EMC)

Table 2-4: Key Usage in Intel® Boot Guard

Key Verifies Storage Verified By
ACM Key ACM CPU Microcode
Key Hash Key Manifest PCH ACM
BP Key Boot Policy Manifest Key Manifest (Flash) ACM
IBB Hash IBB Boot Policy Manifest (Flash) ACM

Please note that Intel Boot Guard is not the only solution available for OEM platform firmware verification. This document uses it as an example to illustrate the concept.

Table 2-5 shows how to reduce TCB from OEM platform firmware to ACM.

ACM IBB Verification

Table 2-5: ACM IBB Verification

Item Entity Provider Location
TP ACM IBB Verification Intel Originally on flash, loaded into Authenticated Code RAM (AC-RAM)
CDI ACM Code Intel Originally on flash, loaded into AC-RAM
Boot Policy Manifest (Policy) OEM Originally on flash, loaded into cache
Key Manifest (Policy) OEM Originally on flash, loaded into cache
Key Hash (Policy) OEM Write once PCH register, programmed in manufacture fuse.
UDI Firmware Initial Boot Block, aka IBB OEM Originally on flash, loaded into cache

Intel introduced the Intel® Boot Guard Authenticated Code Module (ACM), which is a module signed by Intel. The ACMs modules assume responsibility to verify OEM platform firmware before the host CPU transfers control to OEM firmware. Because verifying the entire image is time-consuming, the ACM only verifies the initial boot block (IBB) code. The IBB is then responsible for verifying the OEM boot block (OBB).

Signing

The UDI here is the firmware IBB, so only the IBB needs to be signed.

Public Key Storage

Intel® Boot Guard defines a set of Manifests to record the signature information.

  1. Boot Policy Manifest – It records the hash of IBB and is signed by the Key Manifest Key.

  2. Key Manifest – It records a set of hashes for the public key pair which signs the Boot Policy Manifest, and it is signed Boot Guard Key.

  3. Key Hash - It records the hash for the public key pair which signs the Key Manifest. It is provisioned into the PCH hardware.

The Key Hash is read-only. It cannot be updated.

The Boot Policy Manifest and Key Manifest can be updated in the firmware.

Verification

During runtime update, the TP – ACM IBB Verification gets the CDI - Key Hash from PCH - and verify the first UDI – the Key Manifest. If the verification passes, the Key Manifest is transformed into a CDI. Then ACM continues to get the key hash from the CDI - Key Manifest - and verify the UDI - Boot Policy Manifest. If the verification passes, the Boot Policy Manifest is transformed into a CDI. Then the ACM gets the final UDI – Firmware IBB code - and verify it according to the CDI – Boot Policy Manifest. If the final verification passes, then the Firmware IBB is transformed into a CDI, and the ACM transfers control to the IBB.

Microcode ACM Verification

The ACM binary is signed by Intel. Now the question becomes who verifies the ACM binary. The answer is the CPU Microcode.

Table 2-6: Microcode ACM Verification

Item Entity Provider Location
TP Microcode ACM Verification Intel CPU
CDI Microcode Intel CPU
ACM Key hash Intel CPU
UDI ACM Code Intel Originally on flash, loaded into AC-RAM

Signing

The UDI is the ACM binary. As such, the ACM needs to be signed with the Intel key.

Public Key Storage

The hash of the ACM public key is inside of the CPU. A debug ACM is signed with the debug key. A production ACM is signed with the production key.

The policy can NOT be updated.

Verification

During the ACM launch, the CPU Microcode loads the UDI - ACM to authenticated code execution area. Then the TP – ACM verification performs the verification. If the verification passes, then the UDI is transformed to CDI, the ACM starts executing. If the verification fails, the TXT shutdown is signaled.

The Intel® Boot Guard is one implementation to support boot ROM verification. Some other projects may have similar functions, such as Cerberus.

OBB Verification

Intel® Boot Guard only verifies the initial boot block (IBB) of the whole OEM Firmware. To make sure the whole OEM Firmware is unmodified, the IBB needs to verify the reset OEM boot block (OBB).

Table 2-7: OBB Verification

Item Entity Provider Location
TP OBB Verification OEM Originally on flash, loaded into DRAM
CDI Firmware Initial Boot Block, aka IBB OEM Originally on flash, loaded into DRAM
OBB Hash, OBB public key hash (Policy) OEM Originally on flash, loaded into DRAM
UDI Firmware OEM Boot Block, aka OBB OEM Originally on flash, loaded into DRAM

Signing

The UDI is OBB, which is not verified by IBB. Since both IBB and OBB are provided by OEM, the OEM may define a separate specific format to sign the OBB.

Public Key Storage

The OBB public key hash must be stored into the IBB region to make sure it is validated by ACM. As implementation choice, OEM may store the OBB hash directly to the IBB without using the public key.

Verification

During Firmware boot, the TP is the OBB verification code inside of IBB. If the OBB passes the verification, the OBB is installed by IBB. If the OBB fails the verification, the OBB is skipped.