Background

Firmware is a special type of software, mainly used for the control and communication of the underlying hardware. The scope of firmware is too broad, different areas of firmware involved in security issues vary greatly. This article only discusses the firmware running on general computer, such as servers, notebooks and desktops.

The current problem

UEFI is still the mainstream firmware solution at the moment. There are several problems in UEFI ecosystem:

The long supply chain makes the bug fix cycle longer. More importantly, the delays or refusals to fix known vulnerabilities increase the risk to the user's production environment.

"Next-Gen" firmware

In the winter of 1999, Ron Minnich, a researcher at Los Alamos National Laboratory, launched a project called LinuxBIOS, which was designed to replace proprietary firmware with free software, with the philosophical idea of having as less code as possible at the stage of hardware initialization and load a Linux based payload to take care of the rest when the hardware initialization was complete. LinuxBIOS was later renamed as coreboot. Today's coreboot supports a wide range of payloads other than Linux, and this architecture is an important foundation for the industry in the 2020s as it revisits firmware issues and explores “next-generation” firmware, perhaps due to both inevitability and probability.

The industry has begun to explore various firmware security options since 2010s. One of Verified Boot solution from UEFI also known as “Secure Boot” that builds a chain of trust to validate signatures, which has been wide spread in the marketing. Another option is MeasuredBoot but it's not well-known as “Secure Boot”. Because only limited number of chipset support TXT (if the user intend to use DRTM) and other features under TCG specification is hard to implement in UEFI. In 2016, Trammell Hudson, a researcher at hedge fund Two Sigma, drew on LinuxBIOS's philosophy of developing a Linux based payload called heads, which has several security features, including measured boot and loading it with coreboot. This solves the problem that UEFI eco-system has struggled to solve for several years at a low cost, and the industry continues to build on the 1999 version of the “Next Generation Firmware” architecture. In 2017, Google and the heads community jointly developed a payload called NERF, which uses a mode of retaining PEI and minimizing DXE to be OEM-compatible with UEFI firmware, but it didn't work on some machine models due to relocation issues. Another feature of NERF is that the userland is based on Go Runtime, and interestingly, NERF's attempt to take linux-based payload schemes to a more standardized stage: LinuxBoot.

As you can see from the figure above. LinuxBoot, the “next-generation firmware” architecture, is still not beyond the 1999 LinuxBIOS's philosophical idea, but its goal is to support more hardware initialization firmware solutions.

VaultBoot: The heart of Gondor

VaultBoot is a firmware payload highly focused on firmware security, trusted computing, and advanced threat protection. VaultBoot can bring the greatest benefits if it work with coreboot, which co-op on the provisioning stage of CBnT and other tons of ACMs.

VaultBoot is also compatible with OEM's UEFI firmware. HardenedVault is a long-term contributor in heads community. So the public version of VaultBoot is based on heads, but VaultBoot is also compatible with LinuxBoot and offers both C and Go runtime environments.

The key features of VaultBoot:

Conclusion

Firmware runs at a higher level than RING 0, where the operating system is located. If the user's threat model includes the attacker persistence, firmware security cannot be ignored. Both offsensive and defensive sides in this area are receiving increasing industry attention. The National Institute of Standards and Technology (NIST) issued 4 special publications about firmware security:

On May 26, 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) unveiled the VBOS (Vulnerablity below the OS program at the RSA 2021 conference, which aims to protect the security of both operating systems and lower-level components, even though the confrontations at firmware level have never stopped in past 15 years. The VBOS program drag the covert warfare out on the table now. Although there are no systematic firmware security compliance guidelines in EU like those in the United States. But European Commission has funded a large number of open source chip and firmware security projects via Horizon 2020 which was launched in 2014. The German Federal Office for Information Security (BSI) has repeatedly publicly mentioned support and follow-up work for open source firmware. In 2019, BSI certified the network security products of genua GmbH, a German security vendor (no. BSI-DSZ-CC-1085-2019), to support open firmware system.

In the global trend of advanced threat protection, firmware is one of the core in overall defense. VaultBoot has developed a several of securit features based on the current attack surfaces. HardenedVault currently offers security firmware solution for KabyLake/CoffeeLake server platform for x86 and the support of arm64 should be come out in FY2022.