Abstract: A mechanism for controlling the execution of Option ROM code on a Unified Extensible Firmware Interface (UEFI)-compliant computing device is discussed. A security policy enforced by the firmware may be configured by the computing platform designer/IT administrator to take different actions for different types of detected expansion cards or other devices due to the security characteristics of Option ROM drivers associated with the expansion card or device. The security policy may specify whether authorized signed UEFI Option ROM drivers, unauthorized but signed UEFI Option ROM drivers, unsigned UEFI Option ROM drivers and legacy Option ROM drivers are allowed to execute on the UEFI-compliant computing device.

Abstract: A firmware-based mechanism for protecting against physical attacks on ROM areas holding Authenticated Variables. A first hash of contents of at least one Authenticated Variable is created by a computing device's UEFI-compliant firmware and stored in a non-volatile storage location. Subsequently a second hash of contents of the at least one Authenticated Variable is created by the firmware and compared by the firmware to the stored hash to identify unauthorized modifications of the at least one Authenticated Variable occurring after the creation of the first hash.

Abstract: Firmware in a computing device is used to administer and alter a Secure Boot process for the computing device while continuing to provide protection from unauthorized third-party code.

Abstract: A mechanism for allowing firmware in a UEFI-compliant device to implement the UEFI specification driver signing and Authenticated Variable elements while at the same time protecting the system security database holding the library of approved keys and lists of allowed and forbidden programs from unauthorized modifications is discussed.

Abstract: Firmware in a computing device is used to administer and alter a Secure Boot process for the computing device while continuing to provide protection from unauthorized third-party code.

Abstract: Firmware in a UEFI-compliant computing device is used to administer and alter a Secure Boot process for the computing device while continuing to provide protection from unauthorized third-party code.

Abstract: A firmware-based mechanism for protecting against physical attacks on ROM areas holding Authenticated Variables. A first hash of contents of at least one Authenticated Variable is created by a computing device's UEFI-compliant firmware and stored in a non-volatile storage location. Subsequently a second hash of contents of the at least one Authenticated Variable is created by the firmware and compared by the firmware to the stored hash to identify unauthorized modifications of the at least one Authenticated Variable occurring after the creation of the first hash.

Abstract: A mechanism for allowing firmware in a UEFI-compliant device to implement the UEFI specification driver signing and Authenticated Variable elements while at the same time protecting the system security database holding the library of approved keys and lists of allowed and forbidden programs from unauthorized modifications is discussed.