A UEFI System with SPDM to Protect Against Unauthorized Device Connections

TL;DR

This paper proposes a UEFI system utilizing SPDM to authenticate peripherals, enhancing security against malicious devices, with an open-source proof-of-concept demonstrating acceptable performance overhead.

Contribution

It introduces a novel UEFI security mechanism using SPDM for device authentication and provides an open-source emulation to evaluate its effectiveness.

Findings

Device connection restrictions effectively prevent malicious peripherals.

The security enhancements cause a 13% increase in instructions and 8% in CPU cycles during boot.

The overhead is acceptable for high-security applications.

Abstract

Attackers willing to compromise computing systems can use malicious peripherals as an attack vector, threatening users that cannot verify the hardware's authenticity. To address this problem, our work uses the Security Protocol and Data Model to propose a UEFI system capable of authenticating PCIe and USB devices trying to connect with it. We also develop an open source proof-of-concept using emulation to evaluate and illustrate our proposal, which is capable of restricting the devices' connections to only those allowed, thus protecting the system against malicious peripherals. Then, using kernel virtualization features to evaluate the emulation, we collect the number of instructions and CPU cycles during boot. Our experiments reveal that, during firmware execution, the number of instructions and the number of CPU cycles increased respectively 13% and 8% on average. This processing overhead is acceptable in view of enhanced security. Institutions requiring high security levels can leverage our proof-of-concept to tailor their own system based on their own requirements.