The UEFI ecosystem is very complicated in terms of supply chain security where we have multiple parties involved in the firmware code development like Intel/AMD with its reference code, or AMI, Phoenix and Insyde with its core frameworks for system firmware development. The hardware platform vendor contributes less than 10% to the UEFI system firmware code base from all the code shipped to the customers. The reality is vulnerabilities can be discovered not just in the platform vendor codebase, but inside the reference code. This impact can be worse reflecting on the whole ecosystem. The patch cycles are different across vendors and these vulnerabilities can stay unpatched to endpoints for 6-9 months. Moreover, they can be patched differently between vendors making fix verification difficult and expensive...
By: Alexander Tereshkin, Alexander Matrosov & Adam Zabrocki
Full Abstract & Presentation Materials:
[ Ссылка ]
