Securing the EDK II Image Loader
This work is significant for system manufacturers and users, as it aims to enhance the security of the foundational firmware loading process, which is critical for system integrity.
The paper addresses security vulnerabilities in the TianoCore EDK II UEFI Image Loader, which is widely used across x86, ARM, and RISC-V platforms. It proposes a formally verified Image Loader that supports both PE and TE images, offering fine-grained hardening and seamless integration with EDK II.
The Unified Extensible Firmware Interface (UEFI) is a standardised interface between the firmware and the operating system. It has been used in all x86-based platforms over the past ten years and continues to spread to other architectures such as ARM and RISC-V. UEFI incorporates a modular design based on images, each containing a driver or an application in the Common Object File Format (COFF), either as a Portable Executable (PE) or as a Terse Executable (TE). The de-facto standard generic implementation of the UEFI services, including the image loading functionality, is TianoCore EDK II. Its track record of security issues shows numerous design and implementation flaws, some of which are yet to be addressed. In this paper we outline both the requirements for a secure UEFI Image Loader and the issues of the existing implementation. As an alternative we propose a formally verified Image Loader supporting both PE and TE images with fine-grained hardening, enabling a seamless integration with EDK II and subsequently with other firmware implementations.
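As an added illustration, not code from the paper or from EDK II, the following C routine shows the kind of header validation a hardened TE loader must perform before trusting any field: every size and offset derived from the header is checked against the buffer that actually holds the image, and each subtraction is guarded so a crafted header cannot make it wrap. The TE header layout assumed here (40 bytes, "VZ" signature, StrippedSize at offset 6, AddressOfEntryPoint at offset 8) follows the UEFI Platform Initialization specification; the sample image bytes are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#define TE_SIGNATURE        0x5A56u  /* "VZ" read as a little-endian u16 */
#define TE_HEADER_SIZE      40u      /* sizeof(EFI_TE_IMAGE_HEADER) */
#define SECTION_HEADER_SIZE 40u      /* sizeof(EFI_IMAGE_SECTION_HEADER) */

typedef enum { TE_OK, TE_TOO_SHORT, TE_BAD_SIGNATURE, TE_BAD_SECTIONS,
               TE_BAD_STRIPPED, TE_BAD_ENTRY } te_status;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Check every TE header field the loader will rely on against the buffer
 * actually holding the image, before any of them is used for addressing. */
te_status te_validate(const uint8_t *img, size_t len) {
    if (len < TE_HEADER_SIZE) return TE_TOO_SHORT;
    if (rd16(img) != TE_SIGNATURE) return TE_BAD_SIGNATURE;
    uint8_t  nsec     = img[4];
    uint16_t stripped = rd16(img + 6);
    uint32_t entry    = rd32(img + 8);
    /* Section headers follow the TE header directly; the whole table must lie
     * inside the buffer. nsec is 8-bit, so the multiplication cannot overflow. */
    size_t table_end = TE_HEADER_SIZE + (size_t)nsec * SECTION_HEADER_SIZE;
    if (nsec == 0 || table_end > len) return TE_BAD_SECTIONS;
    /* TE keeps the RVAs of the original PE image; a file offset is
     * RVA - StrippedSize + TE_HEADER_SIZE. Both subtractions are checked
     * explicitly so a malformed header cannot make them wrap. */
    if (stripped < TE_HEADER_SIZE) return TE_BAD_STRIPPED;
    uint32_t adjust = stripped - TE_HEADER_SIZE;
    if (entry < adjust) return TE_BAD_ENTRY;
    size_t entry_off = entry - adjust;
    if (entry_off < table_end || entry_off >= len) return TE_BAD_ENTRY;
    return TE_OK;
}

/* Constructed sample (not a real binary): TE header for a one-section x64 EFI
 * application whose stripped PE headers were 0x100 bytes, followed by one
 * zeroed section header and 64 bytes of body. Unlisted bytes are zero. */
static const uint8_t kSample[144] = {
    'V','Z', 0x64,0x86, 1, 0x0A,   /* Signature, Machine x64, 1 section, EFI app */
    0x00,0x01,                     /* StrippedSize = 0x100 */
    0x38,0x01,0,0,                 /* AddressOfEntryPoint = 0x138 -> file offset 96 */
};
/* Same image with StrippedSize = 0x20, smaller than the TE header itself. */
static const uint8_t kBadStripped[144] = { 'V','Z', 0x64,0x86, 1, 0x0A, 0x20,0x00, 0x38,0x01,0,0 };
/* Start of a PE/COFF image (DOS "MZ" stub), which is not a TE header. */
static const uint8_t kPeStub[40] = { 'M','Z' };
```

Truncating the same sample buffer to 79 or 96 bytes shows the section-table and entry-point checks rejecting an image whose header is internally consistent but does not match the data actually present.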