2. Tony Mangefeste Senior Program Manager SYS-005T

3. Why UEFI? UX value prop from Day one: Fast Boot, OEM Certification, smooth transitions, etc. Secure Boot eDrive support for BitLocker SOC support WDS Multicast Boot Next support Seamless Boot Network unlock support for BitLocker Support for > 2.2 TB system disks 3

4. Windows 8 Boot Flow Windows 8 installs UEFI OS Loader if UEFI is detected Most PCs today boot through CSM path For compatibility the CSM boot path available 4

5. Optimizing for UEFI Redesign legacy Option ROMs into UEFI Option ROMs IHVs – deploy UEFI option ROM support, manufacturing tools and device drivers with UEFI support ODMs – provide service with updated toolsets, 64-bit environments, native factory tools with UEFI OEMs – secure your firmware, optimize for speed Consumer – look for newer UEFI based platform firmware 5

7. Norl Wu Senior Engineer

8. Agenda UEFI Firmware Debugging solution Secure Firmware solution Key provisioning & signing server UEFI Manufacturing processes

10. AMI has the remedy for these debugging problems …

13. 13

19. UEFI defined Capsule format: NIST SP 800-147 compliant Capsule (“Capsule-in-Memory”) Capsule is put in memory by an application in the OS Mailbox event is set to inform BIOS of pending update System reboots, verifies the image and update is preformed securely by the BIOS Recovery (“Capsule-on-Disk”) Capsule is stored on a predefined disk Mailbox event is set to inform BIOS of pending update System reboots, loads the image from disk, verifies the image and update is preformed securely by the BIOS

20. Flash App IssuesReboot FW verifies Capsule Image Flash App queries FW API Flash App sends preferred Flash update method to FW API Abort flash process if new image fails verification checks FW Sets mailbox event

21. PowerOn/Reset Launch PEI Locate New Flash Image Verify New Flash Image Abort flash process if image fails authentication Flash New Image Reset With New Image DONE! Launch DXE From Trusted New Image

24. Factory Reset – BIOS Initiated Reverts Firmware to Initial Default State PK KEK – MS KEKpub + OEM KEK(optional) “db” – at least 1 certificate: MS CA “dbx” – empty The scenario above also applies to Catastrophic firmware reset

30. BIOS Firmware will hold the KEK and UEFI signatures for authenticated FW images UEFI signatures originate from a Certificate Authority (CA) Who acts as a CA for Windows 8 boot manager image and all other UEFI images? Who signs other OS’ (e.g. Linux) boot loaders?

31. Full testing without installing an OS! Full testing without installing an OS!

32. Run AMIDiag from a PXE server (network boot) or USB drive (local storage) Set up batch script for burn-in cycle (24-48 hours) or integration test (30- 60 min) Automate batch scripts using the UEFI shell Log “all errors” to create a full testing report Run AMIDiag from a PXE server (network boot) or USB drive (local storage) Set up batch script for burn-in cycle (24-48 hours) or integration test (30- 60 min) Automate batch scripts using the UEFI shell Log “all errors” to create a full testing report Embed AMIDiag into the BIOS ROM, or run from a system service partition Run using local VGA display or console redirection (for embedded/server systems) Users select pre-defined batch scripts or specific system tests from the menu Log “errors only” to quickly identify system faults Embed AMIDiag into the BIOS ROM, or run from a system service partition Run using local VGA display or console redirection (for embedded/server systems) Users select pre-defined batch scripts or specific system tests from the menu Log “errors only” to quickly identify system faults Manufacturing Line Field Diagnostics

34. AMIDiag for UEFI is designed to run in the “UEFI Boot Services” environment – the same environment used by the EFI Shell AMIDiag for UEFI is designed to run in the “UEFI Boot Services” environment – the same environment used by the EFI Shell

35. Closing Remarks

36. Blank board Provisioned Field serviced