Unverified commit b16aee12, authored by Ilias Apalodimas, committed by GitHub

Merge pull request #5 from jmarinho/master

reword FW authorization -- NIST 800-193
parents 9c7b1b60 39625a76
......@@ -111,20 +111,13 @@ The FW image authenticity should be implemented by authenticating the different
The FW update authorization should be implemented by verifying that the capsule or its components were assembled
by the platform owner.
Capsule authorization
^^^^^^^^^^^^^^^^^^^^^
The OS can expose the UpdateCapsule interface to any non-priveliged system user.
The FW updates initiator or the FW update package creator should
be an authorized user [NIST_800_193]_.
The capsule or the FW images contained in the capsule should be signed by a platform owner key.
The UEFI implementation should authenticate the capsule or
the different fw images included in the capsule using the platform owner key.
FW update authorization
^^^^^^^^^^^^^^^^^^^^^^^
The capsule or FW image components are signed by the platform owner in a platform specific way.
The FW update authorization [NIST_800_193]_ can be checked by the OS, using OS specific methods, before calling
UpdateCapsule. Alternatively, the FW update authorization can rely on the FW image authenticity check.
If all FW images in the capsule are authentic then the user is deemed authorized to progress with the FW update procedure.
The platform owner public key is kept in an platform specific NV region.
FW image authentication
^^^^^^^^^^^^^^^^^^^^^^^
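Review bot: In the "FW update authorization" paragraph, the sentence "If all FW images in the capsule are authentic then the user is deemed authorized to progress with the FW update procedure" makes authorization a side effect of image authentication, so any caller who holds a capsule signed by the platform owner is authorized. The "Capsule authorization" text that this rewording appears to replace said the OS can expose UpdateCapsule to any non-privileged user, and the new wording no longer states that. Please say explicitly that in this mode possession of an owner-signed capsule is the only authorization condition. The last sentence, "The platform owner public key is kept in an platform specific NV region", should also state that the region must be protected against unauthorized modification, since both the authenticity check and the authorization fallback depend on that key; "an platform specific" should read "a platform-specific".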
......