Creating an Embedded Product with Support for UEFI Secure Boot

Embedded system designers want to control what software runs on their system. This enhances of a system, and makes it much more difficult for to run during the boot of a system. However, to ship a system with the feature enabled, fundamental changes need to be made to the way the system is designed, manufactured, deployed, and maintained. Many companies have used signing services for operating system drivers, but supporting the secure boot infrastructure on a product line is a much more difficult proposition.

This paper discusses aspects of this problem and reviews resources that can help solve it. The focus is on , but the principles are applicable to any computer system. Remember that releasing a system with secure boot peaks hacker interest and makes the system a target, so every effort must be made to minimize security holes from design phase to field deployment.