In existing systems, third party instructions, or code, i.e., pre-operating system software (pre-OS), are typically shipped on a read only memory (ROM) residing on the motherboard. For instance, the pre-OS ROM may comprise a basic input output system (BIOS) or unified extensible firmware interface (UEFI) implementation. This third party code typically runs at the same privilege level as code loaded from an option-ROM or from the OS loader. However, the pre-boot, pre-operating system environment has now become a target for malware, as demonstrated by presentations at a recent Black Hat conference. One such presentation is entitled “Hacking the Extensible Firmware Interface,” by John Heasman, which may be found on the public Internet at URL www*ngssoftware*com/research/papers/BH-VEGAS-07-Heasman.pdf. It should be noted that periods have been replaced with asterisks in URLs in this document to avoid inadvertent hyperlinks. The migration of malware from the operating system (OS) or user level down to pre-OS code, and to the extant firmware standards which expect to run in “Ring-0”, is plaguing the computing industry.
In the last several years, with the advent of rootkits, viruses have begun to move into kernel mode, i.e., Ring-0 level programming. In the most recent events, viruses are employing hardware virtualization to move malware into Ring “-1”, including art such as Joanna Rutkowska's Blue Pill proof-of-concept virtualization malware. More information about this malware may be found on the public Internet at URL invisiblethings*org/papers/joanna%20rutkowska%20-%20subverting%20vista%20kernel.ppt. These types of viruses are particularly worrisome because they execute beneath the operating system's own defenses. As operating systems become better at warding off viruses, miscreant programmers increasingly target pre-OS code instead. Some existing systems load a virtual machine monitor (VMM) prior to loading the option-ROMs, so as to protect the motherboard implementation from third party extensions. However, as systems protect the platform at earlier times in the boot phase, more sophisticated malware is developed to attack the platform at still earlier phases. It therefore becomes important to protect the platform at earlier and earlier phases of the boot process.