'UEFI secure boot, how (or will) the PCIE device (firmware) are checked?
Recently I'm searching for info about if PCIe devices are involved in the uefi secure boot, and if so, how it is done.
From the uefi specification, the main boot sequence is roughly shown below: Platform init --> load EFI image (may also load EFI drivers/applications)-->load EFI OS loader --> boot ends
It means that if PCIe devices are involved in the secure boot, it should appear in the EFI driver loading stage, such as the driver's (the device's firmware?) checksum/hash can be calculated and checked.
However, searching for PCIE uefi secure boot gave little information.
So far, I have found two sources. First, a HPE post (https://techlibrary.hpe.com/docs/iss/proliant_uefi/UEFI_TM_030617/s_configure_secure_boot.html) explaining secure boot as
Secure Boot validates the software identity of the following components in the boot process:
UEFI drivers loaded from PCIe cards
UEFI drivers loaded from mass storage devices
Pre-boot UEFI shell applications
OS UEFI boot loaders
Which seems to match my assumption. But my question is, (please correct me if I'm wrong), the PCIe devices boot automatically if power provided, then how can the above HPE way guarantees that no harm is done if the malicious PCIe uefi is booted before checking?
The second one is from NVIDIA A100 card (https://www.nvidia.com/content/dam/en-zz/Solutions/Data-Center/a100/pdf/PB-10577-001_v02.pdf).
Basically, nvidia has a dedicated hardware root-of-trust in the GPU card, so the PCIe secure boot (or even measured boot) is performed separately from the platform (motherboard/cpu/os...) uefi secure boot flow.
My question is,
- Will PCIe (or its uefi firmware) involved in the classic uefi secure boot?
- What's the difference between the PCIe uefi driver and PCIe uefi firmware?
- Which way is the correct/most close to the secure boot concept, HPE's or nvidia's?
Solution 1:[1]
Well, after some googling and talking to professionals, I will try to answer my own question.
Will PCIe (or its uefi firmware) involved in the classic uefi secure boot?
No, pcie devices are not included.
What's the difference between the PCIe uefi driver and PCIe uefi firmware?
They are two different things. PCIE device firmware, are more complex, as they more contain EFI/BIOS + a mini/tiny os. However, pcie uefi driver, to my understanding, is for the host/mobo efi to use the device, imagining that efi is a small os.
Which way is the correct/most close to the secure boot concept, HPE's or NVidia's?
Nvidia's. As you will need a TPM/HSM on the pcie device to measure/check the device efi.
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
Solution | Source |
---|---|
Solution 1 | Quin |