SYS005 T Tony Mangefeste Senior Program Manager Why

SYS-005 T Tony Mangefeste Senior Program Manager

Why UEFI? • UX value prop from Day one: Fast Boot, OEM Certification, smooth • • 3 transitions, etc. Secure Boot e. Drive support for Bit. Locker SOC support WDS Multicast Boot Next support Seamless Boot Network unlock support for Bit. Locker Support for > 2. 2 TB system disks

Windows 8 Boot Flow • Windows 8 installs UEFI OS Loader if UEFI is detected • Most PCs today boot through CSM path • For compatibility the CSM boot path available 4

Optimizing for UEFI • Redesign legacy Option ROMs into UEFI Option ROMs • IHVs – deploy UEFI option ROM support, manufacturing tools and device drivers with UEFI support • ODMs – provide service with updated toolsets, 64 -bit environments, native factory tools with UEFI • OEMs – secure your firmware, optimize for speed • Consumer – look for newer UEFI based platform firmware 5

Norl Wu Senior Engineer

Agenda • • UEFI Firmware Debugging solution Secure Firmware solution Key provisioning & signing server UEFI Manufacturing processes

AMI has the remedy for these debugging problems …

13

UEFI defined Capsule format: NIST SP 800 -147 compliant Capsule (“Capsule-in-Memory”) • • • Capsule is put in memory by an application in the OS Mailbox event is set to inform BIOS of pending update System reboots, verifies the image and update is preformed securely by the BIOS Recovery (“Capsule-on-Disk”) • • • Capsule is stored on a predefined disk Mailbox event is set to inform BIOS of pending update System reboots, loads the image from disk, verifies the image and update is preformed securely by the BIOS

Flash App queries FW API FW verifies Capsule Image Abort flash process if new image fails verification checks Flash App sends preferred Flash update method to FW API FW Sets mailbox event Flash App Issues Reboot

Power. On/Reset Launch PEI Locate New Flash Image Verify New Flash Image DONE! Reset With New Image Launch DXE From Trusted New Image Flash New Image Abort flash process if image fails authentication

• Factory Reset – BIOS Initiated • Reverts Firmware to Initial Default State • • PK KEK – MS KEKpub + OEM KEK(optional) “db” – at least 1 certificate: MS CA “dbx” – empty • The scenario above also applies to Catastrophic firmware reset

• BIOS Firmware will hold the KEK and UEFI signatures for authenticated FW images • UEFI signatures originate from a Certificate Authority (CA) • Who acts as a CA for Windows 8 boot manager image and all other UEFI images? • Who signs other OS’ (e. g. Linux) boot loaders?

Move Away from DOS-based testing: Full testing without installing an OS!

Manufacturing Line • • Run AMIDiag from a PXE server (network boot) or USB drive (local storage) Set up batch script for burn-in cycle (24 -48 hours) or integration test (3060 min) Automate batch scripts using the UEFI shell Log “all errors” to create a full testing report Field Diagnostics • • Embed AMIDiag into the BIOS ROM, or run from a system service partition Run using local VGA display or console redirection (for embedded/server systems) Users select pre-defined batch scripts or specific system tests from the menu Log “errors only” to quickly identify system faults

• Adds the diagnostic as a UEFI firmware volume • Aptio 4. x e. Module available for easy integration • Removal of shell dependency for AMIDiag for UEFI • Execution of diagnostic from central repository • Can be used for manufacturing environments or in- house quality assurance testing

AMIDiag for UEFI is designed to run in the “UEFI Boot Services” environment – the same environment used by the EFI Shell

Closing Remarks

Blank board Provisioned Field serviced