Continued Investments in the UEFI Ecosystem · 2020-07-06
TRANSCRIPT

Microsoft's Continued Investments in the UEFI Ecosystem
UEFI 2020 Virtual Plugfest, July 15, 2020
Presented by Bret Barkelew, Matthew Carlson, & Jeremiah Cox
www.uefi.org

Presenter: Jeremiah Cox
Jeremiah is a Senior Software Engineer in Microsoft's Core UEFI team focused on enabling security features. His career has spanned from cross-platform driver development at National Instruments to over a dozen years of security development in myriad Windows security teams enabling UEFI Secure Boot, TPM 2.0, DRTM, & Secured Core PCs. His recent work includes both the Device and Manufacturing Firmware Configuration Interfaces, which respectively enable secure remote configuration of UEFI by an IT administrator and secure reconfiguration of security settings by an OEM.

Presenter: Bret Barkelew
• Viceroy of UEFI Security
• ROM Farmer and Commit Miner for Microsoft Firmware, Most Valuable Champion in Trials by Codenames Combat

Presenter: Matthew Carlson
Software Engineer II at Microsoft in Core UEFI focusing on open-source efforts.

Agenda
• Introduction
• Open Source Effort
• Code First
• Questions?

Today's Boot Landscape
• Vertically-integrated iBoot, the boot for iOS
• Vertically-integrated U-Boot, the boot for Android, Chromebooks, routers, Kindle, etc.
• PCs (UEFI)

Committed to UEFI
• Successfully enables boot of a wide variety of operating systems, hardware, & virtual platforms
• Componentization supports the existing business realities
• Built by a community familiar with the challenges of scalability and flexibility

Microsoft's Open Source Contributions

Pytools
• Started in Mu
• Library
• Extension
• Stuart
https://github.com/tianocore/edk2-pytool-library
https://github.com/tianocore/edk2-pytool-extensions

Pytools
• Full GitHub process (PRs, issues, milestones, etc.)
• Invocable framework
• Extensible/flexible
• Meant to make life easier
• Helps others contribute to the community
Stuart

EDK2 CI & Unit Tests
• Leverages Pytools-Library and Pytools-Extensions to have a cohesive, turnkey experience
• Plugin model enables easy test contribution or in-house development
• Several plugins already enabled, including: Compile, Host-Based Tests, and DSC Completeness checks

Microsoft's Implementation-First Initiatives

DFCI
Device Firmware Configuration Interface

Device Firmware Configuration Interface
• Secure configuration of UEFI from Microsoft Intune in Azure
• UEFI documentation & code in Project Mu
• Available now

Manufacturer Firmware Configuration Interface (MFCI)
• Securely enable non-retail device behavior
  – E.g. remanufacturing mode
  – Strongly-authenticated, rollback protected
  – Per-device targeting (make, model, SN)

Manufacturer Firmware Configuration Interface (MFCI)
• Microsoft provides
  – Project Mu: example UEFI code & docs
  – Signing service for device manufacturers
• https://github.com/microsoft/mu_plus/tree/release/202002/MfciPkg
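To make the three MFCI properties on the slides concrete, here is an added Python model (not code from MfciPkg or from the presenters) of the checks a device would run before leaving retail behavior: authenticate the policy blob, confirm it targets exactly this make/model/serial, and confirm it carries the nonce this device issued so an older blob cannot be replayed. The OEM key, the JSON blob layout, and the HMAC tag standing in for the real PKCS#7 signature are all assumptions of this example.

```python
import hashlib
import hmac
import json
import secrets


def _canonical(doc: dict) -> bytes:
    # Deterministic encoding so signer and verifier authenticate the same bytes.
    return json.dumps(doc, sort_keys=True, separators=(",", ":")).encode()


def sign_policy(key: bytes, target: dict, nonce: str, policy: int) -> bytes:
    """Signing-service side: bind targeting, device nonce and policy bits together.
    HMAC-SHA256 stands in for the PKCS#7 signature a real signing service produces."""
    body = {"target": target, "nonce": nonce, "policy": policy}
    tag = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return _canonical({"body": body, "tag": tag})


class Device:
    """Firmware side: device identity, current anti-rollback nonce, active policy."""

    def __init__(self, key: bytes, manufacturer: str, product: str, serial: str):
        self._key = key          # verification key provisioned by the OEM (assumed)
        self.identity = {"manufacturer": manufacturer, "product": product, "serial": serial}
        self.nonce = secrets.token_hex(8)  # fresh challenge, rotated after every apply
        self.policy = 0                    # 0 == retail behaviour, nothing enabled

    def apply_policy(self, blob: bytes) -> str:
        """Return "ok" and activate the policy, or a reason string and change nothing."""
        try:
            doc = json.loads(blob)
            body, tag = dict(doc["body"]), str(doc["tag"])
        except (ValueError, KeyError, TypeError):
            return "malformed"
        # 1. Strong authentication: only blobs signed by the OEM key are considered.
        expected = hmac.new(self._key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag.encode(), expected.encode()):
            return "bad signature"
        # 2. Per-device targeting: make, model and serial must all match exactly.
        if body.get("target") != self.identity:
            return "wrong device"
        # 3. Rollback protection: the nonce must be the one this device issued.
        if not hmac.compare_digest(str(body.get("nonce")).encode(), self.nonce.encode()):
            return "stale nonce"
        self.policy = int(body["policy"])
        self.nonce = secrets.token_hex(8)  # rotate so the same blob cannot be replayed
        return "ok"
```

A blob that passes once fails on the second attempt because the device rotates its nonce, which is the property that stops an old remanufacturing policy from being reused later.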

Variable Policy
• It's like VariableLock, but WAY more complicated
• Code-first approach that is currently in review
  – Functionality approved and will land within the next stable iteration of EDK2
• Following the proposed process of: RFC ➡ Code ➡ Spec/Standard

Protected Runtime Mechanism (PRM)
• Joint firmware and OS feature targeted at moving a class of modules from SMM to an OS runtime environment
• Initial POC developed by Intel and discussed at past UEFI Plugfests
  – https://uefi.org/sites/default/files/resources/8_Sarathy_Intel_case%20study%20smm%20alternatives.pdf
• Current iteration developed by Microsoft and Intel
• Open sourced and available to any collaborators
• Published to EDK2-Staging:
  – Documentation, samples, and technical details available
  – https://github.com/tianocore/edk2-staging/tree/PlatformRuntimeMechanism

Binary Model Deep Dive

Binary Model
• Packaging a driver into a binary form that can be easily included in a platform with verifiable source
• Improves developer productivity
• Improves serviceability

BaseCryptoOnProtocol
• The first attempt at a binary model
• Many, many iterations internally
• Made it into edk2 Feb 7, 2020
• Harder than you might think
• ~100-200 KB DXE savings (compressed)
• 3-5 minutes of build time saved

Where To Store
• NuGet
• Azure DevOps Artifacts
• GitHub Releases
• GitHub Packages
• File Mirror
• Email Archive

Lessons Learned
• Every platform is different, but they can all be supported if planned
• Provable source/versioning is crucial
• Independent serviceability is hard without crypto

Looking Forward
• Improving transparency of binaries
• Improving ease of integration into platforms
• Looking to binaryitize more components

Takeaways
• Committed to development experience improvements
• Investing in open source implementations
• Broadening the open source feature set

Questions?

DFCI Links
• UEFI enablement code & documentation
  – Project Mu: https://microsoft.github.io/mu/dyn/mu_plus/DfciPkg/Docs/Scenarios/DfciScenarios/
• DFCI in Microsoft Intune
  – https://docs.microsoft.com/en-us/intune/configuration/device-firmware-configuration-interface-windows
• DFCI in Windows Autopilot Deployment
  – https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/dfci-management

Thanks for attending the UEFI 2020 Virtual Plugfest
For more information on UEFI Forum and UEFI Specifications, visit http://www.uefi.org