Course Description
As the industry moves toward increasingly heterogeneous devices, and the explosion of advanced, desktop-like operating systems has put Windows on everything from a car (Windows Automotive Edition) to a console (Xbox One), a tablet (Surface RT) and a phone (Nokia Lumia), device driver and kernel developers have yearned for an advanced, portable, next-generation pre-OS environment to handle all their bootstrapping needs. Long gone are the days of the 1980 BIOS, patched by a ROM on the network card to make it look like the machine was booting from a floppy disk. UEFI, a turn-of-the-century standard, now powers all Apple platforms as well as most Windows ones, and its adoption on Linux is growing quickly.
In this course, one can expect to learn the internals of the Unified Extensible Firmware Interface inside and out, from the high-level concepts and an overview of its functionality down to the low-level development of actual UEFI applications, drivers, and services. The seminar will go over the history of UEFI’s development, from its original “Intel Boot Initiative” days to today’s Secure Boot facilities (and controversies), discuss the core UEFI data structures that form the basis of the environment, describe the internal boot phases of the UEFI runtime, and go in detail over the main UEFI protocols and their semantics. The course will also cover how UEFI leverages several Microsoft technologies, such as Authenticode and the Portable Executable (PE) format. Finishing off the lecture section will be a deep dive into how Windows 8 and later take advantage of UEFI to boot from GPT disks, implement Secure Boot, and speed up the boot experience. Windows user-mode and kernel-mode APIs that interact with UEFI, as well as internal kernel data structures and capabilities in the UEFI HAL, will also be shown off.

Often forgotten, ACPI is the second key piece of the UEFI technology story (in fact, the two standards committees have recently merged). Although UEFI’s runtime portion was originally designed for use after the OS has booted, OS vendors strongly discourage it (it is even unsupported on Secure Boot systems), leaving ACPI, with its scripting and markup language, to fill the need for runtime code execution. Attendees will learn about this standard, how to program against it, and how to leverage it in their Windows offense and defense needs.
Alongside the lecture period, attendees will get their hands dirty with bare-to-the-metal UEFI development using Visual Studio, and will learn how to set up the UEFI SDK (EDK) to work alongside Microsoft’s development tools. Participants will get the chance to build their own UEFI applications, drivers, and runtime services, and to debug and test their work in the OVMF environment under QEMU, without requiring actual UEFI hardware. The course will also show how to develop and build Secure Boot-compatible binaries. Throughout the development part of the course, attendees will learn how to use the VisualUefi system, developed by Winsider Seminars & Solutions Inc., which allows full integration with Visual Studio 2015 and avoids the complex EDK-II build system and its “.inf” files. Attendees will also use Intel and Microsoft’s ACPI Scripting Language Compiler (ASL) to compile ACPI Markup Language (AML) files that integrate with their UEFI code. Finally, attendees will discover the Windows-specific Boot Application Runtime Environment, how to build compatible applications, and how to leverage the environment from both a UEFI and a PCAT perspective. Attendees will then write both offensive and defensive UEFI code that hooks and/or protects the Windows Boot Loader.
This course has a total of 26 lab tutorials/exercises, and heavy programming is expected in the 5-day version.
UEFI Course Outline
- Introduction to UEFI
- UEFI Architecture
- UEFI Protocols & Services
- Windows and UEFI
- Windows Boot Application Environment
- Windows Boot Loader Internals
- EDK and Visual Studio Development
- Windows & ACPI/UEFI Interfacing
In-Depth Topics
UEFI Protocols
UEFI Device Handles, UEFI Text and Graphics, UEFI Local and Remote I/O, UEFI USB & PCI, UEFI File System, Custom Protocols
UEFI Services
UEFI Boot Services & Runtime Services, UEFI System Table, ACPI & UEFI, Custom Services
UEFI Architecture
Measured Boot & Secure Boot, UEFI Stages & Layers (SEC, PEI, DXE), GPT Partitioning, Types of UEFI Binaries
Windows & UEFI
Calling UEFI Services, Accessing UEFI Variables, Windows Boot Library and UEFI, BCD and UEFI, HAL and UEFI
Windows Boot Environment
PCAT and UEFI Portability, Core Data Structures, Entrypoint and Callbacks, Building a Windows Boot Application
Windows Boot Loader
Boot Stages, Boot Loader Functionality, Security Services (BitLocker and more), Boot Structures, Handoff to Kernel
UEFI/ACPI Development
Obtaining and Installing the EDK, Setting up Visual Studio with the EDK, EDK Hello World, Interfacing with EDK Libraries, Obtaining and Installing OVMF, VisualUefi, ASL->AML, ACPITABL.DAT
Offensive UEFI/ACPI
Hooking UEFI Services and Protocols, Windows Boot Environment Hooks, Persistence with UEFI, Persistence with ACPI
Defensive UEFI/ACPI
Checking for Boot Loader Integrity, Detecting UEFI Hooks and Bootkits, Detecting Malicious ACPI Tables and Code