Safeguarding UEFI Ecosystem - Firmware Supply Chain is Hardcoded

Explore the complexities of supply chain security in the UEFI ecosystem through this 41-minute Black Hat conference talk. Delve into the challenges posed by multiple parties involved in firmware code development, including Intel/AMD's reference code and core frameworks from AMI, Phoenix, and Insyde. Understand why hardware platform vendors contribute less than 10% to the UEFI system firmware code base and the implications of this reality. Examine how vulnerabilities can be discovered not only in platform vendor codebases but also within reference code, potentially impacting the entire ecosystem. Learn about the varying patch cycles across vendors, the extended periods vulnerabilities can remain unpatched, and the difficulties in verifying fixes due to inconsistent patching methods. Gain insights from experts Alexander Tereshkin, Alexander Matrosov, and Adam Zabrocki on safeguarding the UEFI ecosystem and addressing the hardcoded challenges in firmware supply chain security.

Safeguarding UEFI Ecosystem: Firmware Supply Chain is Hard(coded)