SYSTEM AND METHOD FOR VERIFYING CHANGES TO UEFI AUTHENTICATED VARIABLES

摘要

A mechanism for certifying that an operating system-based application has authorization to change a UEFI authenticated variable held in the system firmware is discussed. Embodiments of the present invention receive with the system firmware a request from an operating system-based application to change a UEFI authenticated variable. The request includes an authentication descriptor header with a timestamp and pre-determined GUID. The request also includes a hash calculated using a password known to the firmware. The system firmware certifies that the caller has authorization to change an authenticated variable by first verifying the information in the header and then creating a new hash using the password. The new hash is compared to the received hash and must match in order for the system firmware to allow the alteration of the UEFI authenticated variable. In one embodiment, the password is the system firmware password.

主权项

1. A computing device-implemented method for trusting an operating system application attempting to change a UEFI authenticated variable comprising:
receiving with system firmware a request from an operating system application to alter a UEFI authenticated variable; examining the request, the examining verifying that a portion of an authentication header is set to a pre-determined GUID and that the request contains a timestamp value later than a current timestamp value associated with the UEFI authenticated variable for which alteration is requested; calculating with the firmware a new hash based on a password; comparing the new hash to a hash contained in the request that was created using the same password; and allowing alteration of the UEFI authenticated variable in event of a match between the new hash and the hash contained in the request.