![]() At a minimum, this will occur automatically on reboot, but pre-validation is recommended for reliability and user experience reasons. When signed, the signature of the updated firmware must be possible to validate by the systems' firmware loader during boot. The following diagram indicates the signer for the various components discussed in the rest of this article. ![]() If the firmware update isn't protected by other means, the capsule must be signed in order to protect the firmware update itself and to ensure authenticity of the update package before being installation. For connected standby systems, #1 is also required for all system firmware. On a secure boot-enabled system, all UEFI firmware must be signed, which implies that #1 is required when the update concerns UEFI drivers or applications. ![]() Of these tasks, only #3 is always required. Signing the firmware update package provided to the operating system this package will contain the capsule. Signing the capsule carrying the updated firmware. When signing UEFI firmware updates intended for consumption by Windows devices with UEFI secure boot active, the signing process entails some combination of the following tasks: Firmware update signing process and requirements for UEFI secure boot The IHV/OEM is responsible for ensuring the integrity and security of the firmware through signature verification, encryption or other means. The signature on the UEFI firmware or device firmware update is validated by the platform firmware, and is not checked by Windows. Windows does not provide the security catalog to the firmware. The signature on the driver package, delivered via security catalog, is used by Windows to verify the integrity of firmware.bin before handing it to the UEFI. ![]() Signing of the driver package is different from signing the UEFI firmware or device firmware itself.
0 Comments
Leave a Reply.AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |