Building Secure Firmware: Armoring the Foundation of the Platform (Paperback)

Use this book to build secure firmware.
As operating systems and hypervisors have become successively more hardened, malware has moved further down the stack and into firmware. Firmware represents the boundary between hardware and software, and given its persistence, mutability, and opaqueness to today's antivirus scanning technology, it represents an interesting target for attackers.

As platforms are universally network-connected and can contain multiple devices with firmware, and a global supply chain feeds into platform firmware, assurance is critical for consumers, IT enterprises, and governments. This importance is highlighted by emergent requirements such as NIST SP800-193 for firmware resilience and NIST SP800-155 for firmware measurement.

This book covers the secure implementation of various aspects of firmware, including standards-based firmware--such as support of the Trusted Computing Group (TCG), Desktop Management Task Force (DMTF), and Unified Extensible Firmware Interface (UEFI) specifications--and also provides code samples and use cases. Beyond the standards, alternate firmware implementations such as ARM Trusted Firmware and other device firmware implementations (such as platform roots of trust), are covered.

What You Will Learn

• Get an overview of proactive security development for firmware, including firmware threat modeling
• Understand the details of architecture, including protection, detection, recovery, integrity measurement, and access control
• Be familiar with best practices for secure firmware development, including trusted execution environments, cryptography, and language-based defenses
• Know the techniques used for security validation and maintenance

Who This Book Is For
Given the complexity of modern platform boot requirements and the threat landscape, this book is relevant for readers spanning from IT decision makers to developers building firmware

使用本書來建立安全的韌體。
隨著作業系統和虛擬化技術的不斷加強，惡意軟體已經逐漸向下移動到韌體層面。韌體代表著硬體和軟體之間的邊界，並且由於其持久性、可變性以及對當今防毒掃描技術的不透明性，它成為攻擊者感興趣的目標。

由於平台普遍連接到網絡並且可能包含多個具有韌體的設備，以及全球供應鏈為平台韌體提供支援，對於消費者、IT企業和政府來說，保證是至關重要的。這一重要性在新出現的要求（例如NIST SP800-193的韌體強韌性和NIST SP800-155的韌體測量）中得到了突出。

本書涵蓋了韌體各個方面的安全實施，包括基於標準的韌體，例如支援可信計算組織（TCG）、桌面管理工作組（DMTF）和統一可擴展韌體介面（UEFI）規範，並提供了代碼示例和使用案例。除了標準之外，還涵蓋了其他韌體實現，例如ARM可信韌體和其他設備韌體實現（例如平台信任根）。

你將學到什麼：
- 瞭解韌體的主動安全開發概述，包括韌體威脅建模
- 瞭解韌體架構的細節，包括保護、檢測、恢復、完整性測量和訪問控制
- 熟悉安全韌體開發的最佳實踐，包括可信執行環境、加密和基於語言的防禦
- 了解用於安全驗證和維護的技術

適合閱讀本書的讀者範圍從IT決策者到韌體開發人員，考慮到現代平台引導要求的複雜性和威脅環境。

Jiewen Yao is a principal engineer in the Intel Architecture, Graphics, and Software Group. He has been engaged as a firmware developer for over 15 years. He is a member of the UEFI Security sub team, and the TCG PC Client sub working group. He has presented at industry events such as the Intel Developer Forum, UEFI Plugfest, and RSA conference. He worked with co-author Vincent Zimmer to publish 30 "A Tour Beyond BIOS" technical papers for tianocore.org and firmware.intel.com. He holds 40 US patents.

Vincent Zimmer is a senior principal engineer in the Intel Architecture, Graphics, and Software Group. He has been engaged as a firmware developer for over 25 years and leads the UEFI Security sub team. He has presented at industry events such as the Open Source Firmware Conference, Linux Fest Northwest, Intel Developer Forum, UEFI Plugfest, Open Compute Project Summit, BlackHat Las Vegas, BSides Seattle, Toorcon, and Cansecwest. In addition to collaborating with Jiewen Yao on many white papers, he has co-authored several books on firmware, papers, and over 400 issued US patents.

Jiewen Yao 是 Intel 架構、圖形和軟體群組的首席工程師。他從事固件開發工作已超過15年。他是 UEFI 安全子小組和 TCG PC 客戶端子工作小組的成員。他曾在 Intel Developer Forum、UEFI Plugfest 和 RSA conference 等行業活動上發表演講。他與合著者 Vincent Zimmer 合作，在 tianocore.org 和 firmware.intel.com 上發表了30篇「超越BIOS之旅」的技術論文。他擁有40項美國專利。

Vincent Zimmer 是 Intel 架構、圖形和軟體群組的高級首席工程師。他從事固件開發工作已超過25年，並領導 UEFI 安全子小組。他曾在 Open Source Firmware Conference、Linux Fest Northwest、Intel Developer Forum、UEFI Plugfest、Open Compute Project Summit、BlackHat Las Vegas、BSides Seattle、Toorcon 和 Cansecwest 等行業活動上發表演講。除了與 Jiewen Yao 合作撰寫許多白皮書外，他還合著了幾本關於固件的書籍、論文和超過400項美國專利。