Abstract: Approaches for locally attesting an operational condition of a computer system during powering on the computer system. Prior to an operating system being loaded, an attestation client, executing on a computer system, analyzes a set of resources of the computer system to create measurement data. The attestation client provides the measurement data to an attestation server executing in a secure enclave on the computer system. The attestation server processes the measurement data and provides the processed measurement data to a remediation server. Upon the computer system being determined to be operationally healthy, the remediation server provides an unlock key to a locked persistent storage to permit the computer system to read the operating system stored on the persistent storage. Thereafter, a BIOS on the computer system may read the operating system and permit the same to be loaded on the computer system.

Abstract: Approaches for securing a host machine against security attacks conducted using Direct Memory Access (DMA). Platform firmware does not enable bus mastering during PCI bus enumeration. When the platform firmware determines that an expansion card has been plugged into an expansion card slot of the host machine, the platform firmware determines whether the expansion card slot has been approved by a user of the host machine for permitting Direct Memory Access (DMA) with the host machine. Unless the expansion card slot has been determined to be approved by the user for permitting Direct Memory Access (DMA) with the host machine, the platform firmware does not allow drivers that might enable DMA to connect to the device and does not grant permission to the expansion card slot and any upstream bridges to conduct Direct Memory Access (DMA) with the host machine.

Abstract: Approaches for locally attesting an operational condition of a computer system during powering on the computer system. Prior to an operating system being loaded, an attestation client, executing on a computer system, analyzes a set of resources of the computer system to create measurement data. The attestation client provides the measurement data to an attestation server executing in a secure enclave on the computer system. The attestation server processes the measurement data and provides the processed measurement data to a remediation server. Upon the computer system being determined to be operationally healthy, the remediation server provides an unlock key to a locked persistent storage to permit the computer system to read the operating system stored on the persistent storage. Thereafter, a BIOS on the computer system may read the operating system and permit the same to be loaded on the computer system.

Abstract: Approaches for securing a host machine against security attacks conducted using Direct Memory Access (DMA). Platform firmware does not enable bus mastering during PCI bus enumeration. When the platform firmware determines that an expansion card has been plugged into an expansion card slot of the host machine, the platform firmware determines whether the expansion card slot has been approved by a user of the host machine for permitting Direct Memory Access (DMA) with the host machine. Unless the expansion card slot has been determined to be approved by the user for permitting Direct Memory Access (DMA) with the host machine, the platform firmware does not allow drivers that might enable DMA to connect to the device and does not grant permission to the expansion card slot and any upstream bridges to conduct Direct Memory Access (DMA) with the host machine.

Abstract: Approaches for customizing a unified extensible firmware interface (UEFI) compatible firmware component to support multiple hardware components. The UEFI compatible firmware component may be implemented by linking one or more executive drivers created in an executive module of the firmware component. The executive drivers, instead of platform drivers, are executed by UEFI dispatchers. The platform module, rather than being a collection of drivers, functions as a platform library that links to the executive drivers. One or more programs for providing one or more library functions to the one or more executive drivers are also linked into the firmware component. Call outs to board library functions provided by a board module are implemented in the executive drivers, instead of drivers of the platform module. The board library functions replace the one or more library functions provided to the executive drivers and reflect a change in a customer reference board (CRB).

Abstract: A method and apparatus for providing support for customization of a build configuration of a Unified Extensible Firmware Interface (UEFI) compatible component. The method includes modifying the build configuration of the UEFI compatible component to reflect modifications to a first file. A configuration parameter is received. The configuration parameter is used to create a configuration parameter symbol pointing to the first file. The first file is replaced with a second file, which includes modifications to the first file. The modifications support a functionality desired by a user.

Abstract: Approaches for customizing a unified extensible firmware interface (UEFI) compatible firmware component to support multiple hardware components. The UEFI compatible firmware component may be implemented by linking one or more executive drivers created in an executive module of the firmware component. The executive drivers, instead of platform drivers, are executed by UEFI dispatchers. The platform module, rather than being a collection of drivers, functions as a platform library that links to the executive drivers. One or more programs for providing one or more library functions to the one or more executive drivers are also linked into the firmware component. Call outs to board library functions provided by a board module are implemented in the executive drivers, instead of drivers of the platform module. The board library functions replace the one or more library functions provided to the executive drivers and reflect a change in a customer reference board (CRB).

Abstract: A method and apparatus for providing support for customization of a build configuration of a Unified Extensible Firmware Interface (UEFI) compatible component. The method includes modifying the build configuration of the UEFI compatible component to reflect modifications to a first file. A configuration parameter is received. The configuration parameter is used to create a configuration parameter symbol pointing to the first file. The first file is replaced with a second file, which includes modifications to the first file. The modifications support a functionality desired by a user.