Blog moved to https://blog.apdu.fr/

Wednesday, May 27, 2015

UEFI Smart Card Reader Protocol

Release 2.5 (April 2015) of the Unified Extensible Firmware Interface (UEFI) Specification contains two new protocols:
  • Smart Card Reader Protocol
  • Smart Card Edge Protocol

The specification is available at http://www.uefi.org/sites/default/files/resources/UEFI%202_5.pdf on the UEFI web site.

Smart Card Reader Protocol

The Smart Card Reader Protocol is described in chapter 35.6.1 page 2241 (yes, the specification is one huge document of 14 MB and 2588 pages).

The functions provided are:
typedef struct _EFI_SMART_CARD_READER_PROTOCOL {
 EFI_SMART_CARD_READER_CONNECT    SCardConnect;
 EFI_SMART_CARD_READER_DISCONNECT SCardDisconnect;
 EFI_SMART_CARD_READER_STATUS     SCardStatus;
 EFI_SMART_CARD_READER_TRANSMIT   SCardTransmit;
 EFI_SMART_CARD_READER_CONTROL    SCardControl;
 EFI_SMART_CARD_READER_GET_ATTRIB SCardGetAttrib;
} EFI_SMART_CARD_READER_PROTOCOL;

You may be surprised that there is no function to list the available readers. This is because UEFI has its own way to enumerate resources: each smart card reader gets its own EFI_SMART_CARD_READER_PROTOCOL instance, and the program just has to iterate over all the protocol instances identified by EFI_SMART_CARD_READER_PROTOCOL_GUID.

Usage

The Smart Card Reader Protocol is meant to be used from a UEFI application, that is, before the operating system (Windows, GNU/Linux, Mac OS X, etc.) is started.
It can be used to access a smart card and retrieve a secret key from it after a PIN has been verified. The secret key could then be used to decipher the hard disk.
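The following is an added example, not code from the post or from the author's implementation: a host-side model of the flow a UEFI application goes through with the Smart Card Reader Protocol. It walks every protocol instance instead of asking for a reader list, as explained above, connects to the first reader that holds a card, sends one APDU and checks the status word. The member names are the ones from the post; the member signatures (modelled on the PC/SC calls they are named after), the EFI error codes, the two mock readers and the card's replies are assumed or constructed so that the code runs on an ordinary C toolchain rather than inside firmware.

```c
/* Added example (not from the original post): a host-side model of how a
 * UEFI application uses EFI_SMART_CARD_READER_PROTOCOL. The member names are
 * from the post; the member signatures (modelled on the PC/SC calls they are
 * named after), the error codes, the mock readers and the card replies are
 * all assumed or constructed so that the flow can run on a normal C toolchain. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

typedef uint8_t  UINT8;
typedef uint32_t UINT32;
typedef size_t   UINTN;
typedef int      EFI_STATUS;
#define EFI_SUCCESS          0
#define EFI_NOT_READY        1   /* assumed: no card in this reader */
#define EFI_BUFFER_TOO_SMALL 2   /* assumed: RAPDU buffer cannot hold the reply */

typedef struct _EFI_SMART_CARD_READER_PROTOCOL EFI_SMART_CARD_READER_PROTOCOL;
/* Assumed prototypes; only the three members this flow needs are modelled. */
typedef EFI_STATUS (*EFI_SMART_CARD_READER_CONNECT)(EFI_SMART_CARD_READER_PROTOCOL *This,
        UINT32 AccessMode, UINT32 CardAction, UINT32 PreferredProtocols, UINT32 *ActiveProtocol);
typedef EFI_STATUS (*EFI_SMART_CARD_READER_DISCONNECT)(EFI_SMART_CARD_READER_PROTOCOL *This, UINT32 CardAction);
typedef EFI_STATUS (*EFI_SMART_CARD_READER_TRANSMIT)(EFI_SMART_CARD_READER_PROTOCOL *This,
        const UINT8 *CAPDU, UINTN CAPDULength, UINT8 *RAPDU, UINTN *RAPDULength);

struct _EFI_SMART_CARD_READER_PROTOCOL {
    EFI_SMART_CARD_READER_CONNECT    SCardConnect;
    EFI_SMART_CARD_READER_DISCONNECT SCardDisconnect;
    EFI_SMART_CARD_READER_TRANSMIT   SCardTransmit;
    int card_present;   /* mock reader state, not part of the real protocol */
};

static EFI_STATUS mock_connect(EFI_SMART_CARD_READER_PROTOCOL *This, UINT32 AccessMode,
                               UINT32 CardAction, UINT32 PreferredProtocols, UINT32 *ActiveProtocol) {
    (void)AccessMode; (void)CardAction; (void)PreferredProtocols;
    if (!This->card_present) return EFI_NOT_READY;
    *ActiveProtocol = 1;   /* constructed: pretend T=1 was negotiated */
    return EFI_SUCCESS;
}

static EFI_STATUS mock_disconnect(EFI_SMART_CARD_READER_PROTOCOL *This, UINT32 CardAction) {
    (void)This; (void)CardAction;
    return EFI_SUCCESS;
}

/* Constructed card: answers SELECT (CLA 00, INS A4) with SW 90 00 and any other
 * command with 6D 00 (instruction not supported). */
static EFI_STATUS mock_transmit(EFI_SMART_CARD_READER_PROTOCOL *This, const UINT8 *CAPDU,
                                UINTN CAPDULength, UINT8 *RAPDU, UINTN *RAPDULength) {
    if (!This->card_present) return EFI_NOT_READY;
    if (*RAPDULength < 2) { *RAPDULength = 2; return EFI_BUFFER_TOO_SMALL; }
    int is_select = CAPDULength >= 4 && CAPDU[0] == 0x00 && CAPDU[1] == 0xA4;
    RAPDU[0] = is_select ? 0x90 : 0x6D;
    RAPDU[1] = 0x00;
    *RAPDULength = 2;
    return EFI_SUCCESS;
}

/* Constructed "firmware" view: the protocol instances a UEFI application would
 * obtain by locating every handle that carries EFI_SMART_CARD_READER_PROTOCOL_GUID
 * (gBS->LocateHandleBuffer) and opening the protocol on each handle.
 * One reader is empty, one holds a card. */
static EFI_SMART_CARD_READER_PROTOCOL g_readers[2] = {
    { mock_connect, mock_disconnect, mock_transmit, 0 },
    { mock_connect, mock_disconnect, mock_transmit, 1 },
};

/* Walk every protocol instance (UEFI's substitute for a "list readers" call),
 * connect to the first one that holds a card, send a SELECT by AID and return
 * the status word SW1SW2, or -1 if no card answered. */
static int select_applet_on_first_card(EFI_SMART_CARD_READER_PROTOCOL *readers, UINTN count) {
    /* SELECT by AID with a constructed, meaningless 5-byte AID */
    static const UINT8 select_apdu[] = { 0x00, 0xA4, 0x04, 0x00, 0x05, 0xA0, 0x00, 0x00, 0x00, 0x01 };
    for (UINTN i = 0; i < count; i++) {
        EFI_SMART_CARD_READER_PROTOCOL *r = &readers[i];
        UINT32 active = 0;
        if (r->SCardConnect(r, 0, 0, 0, &active) != EFI_SUCCESS)
            continue;   /* no card in this reader, try the next instance */
        UINT8 rapdu[258];   /* up to 256 data bytes plus SW1 SW2 */
        UINTN rlen = sizeof rapdu;
        EFI_STATUS st = r->SCardTransmit(r, select_apdu, sizeof select_apdu, rapdu, &rlen);
        r->SCardDisconnect(r, 0);
        if (st != EFI_SUCCESS || rlen < 2)
            return -1;   /* never read SW1 SW2 out of a short or failed reply */
        return (rapdu[rlen - 2] << 8) | rapdu[rlen - 1];
    }
    return -1;
}

int main(void) {
    int sw = select_applet_on_first_card(g_readers, 2);
    printf("SELECT status word: %04X\n", (unsigned)sw);
    return sw == 0x9000 ? 0 : 1;
}
```

The two checks that matter in a pre-boot environment are visible in `select_applet_on_first_card`: a failed `SCardConnect` means "no card here, move on" rather than an error, and the status word is only read after the reply length has been checked, since a short reply from a misbehaving reader must not turn into a read past the end of the buffer.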

Smart Card Edge Protocol

The Smart Card Edge Protocol is described in chapter 35.6.2 page 2253.

The functions provided are:
typedef struct _EFI_SMART_CARD_EDGE_PROTOCOL {
 EFI_SMART_CARD_EDGE_GET_CONTEXT        GetContext;
 EFI_SMART_CARD_EDGE_CONNECT            Connect;
 EFI_SMART_CARD_EDGE_DISCONNECT         Disconnect;
 EFI_SMART_CARD_EDGE_GET_CSN            GetCsn;
 EFI_SMART_CARD_EDGE_GET_READER_NAME    GetReaderName;
 EFI_SMART_CARD_EDGE_VERIFY_PIN         VerifyPin;
 EFI_SMART_CARD_EDGE_GET_PIN_REMAINING  GetPinRemaining;
 EFI_SMART_CARD_EDGE_GET_DATA           GetData;
 EFI_SMART_CARD_EDGE_GET_CREDENTIAL     GetCredential;
 EFI_SMART_CARD_EDGE_SIGN_DATA          SignData;
 EFI_SMART_CARD_EDGE_DECRYPT_DATA       DecryptData;
 EFI_SMART_CARD_EDGE_BUILD_DH_AGREEMENT BuildDHAgreement;
} EFI_SMART_CARD_EDGE_PROTOCOL;

Usage

This API makes it easy to use a PKI card. It is the same idea as a PKCS#11 library or a Windows MiniDriver: abstract the specifics of each smart card so that a UEFI application can use different PKI smart cards without card-specific source code.
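As an added example (not code from the post, the specification or the author's implementation), here is a host-side model of the three Smart Card Edge Protocol calls a pre-boot application needs to get a signature from a PKI card: GetPinRemaining, VerifyPin and SignData. The member names are from the post; their signatures, the EFI error codes, the mock card's retry counter and its "signature" are assumed or constructed. The point it adds to the text is the failure mode a pre-boot application has to plan for: a wrong PIN costs a retry and the firmware has no way to unblock a card, so the application reads the retry counter before presenting a PIN.

```c
/* Added example (not from the original post): a host-side model of the
 * EFI_SMART_CARD_EDGE_PROTOCOL calls a pre-boot application makes to sign with
 * a PKI card. Member names are from the post; the member signatures, error
 * codes, retry-counter behaviour and the "signature" are assumed/constructed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

typedef uint8_t  UINT8;
typedef uint32_t UINT32;
typedef size_t   UINTN;
typedef int      EFI_STATUS;
#define EFI_SUCCESS          0
#define EFI_ACCESS_DENIED    1   /* assumed: PIN blocked or not verified */
#define EFI_BUFFER_TOO_SMALL 2   /* assumed: signature buffer too small */

typedef struct _EFI_SMART_CARD_EDGE_PROTOCOL EFI_SMART_CARD_EDGE_PROTOCOL;
/* Assumed prototypes; only the three members this flow needs are modelled. */
typedef EFI_STATUS (*EFI_SMART_CARD_EDGE_GET_PIN_REMAINING)(EFI_SMART_CARD_EDGE_PROTOCOL *This, UINT32 *Remaining);
typedef EFI_STATUS (*EFI_SMART_CARD_EDGE_VERIFY_PIN)(EFI_SMART_CARD_EDGE_PROTOCOL *This,
        const UINT8 *Pin, UINTN PinLength, int *PinOk);
typedef EFI_STATUS (*EFI_SMART_CARD_EDGE_SIGN_DATA)(EFI_SMART_CARD_EDGE_PROTOCOL *This,
        const UINT8 *Data, UINTN DataLength, UINT8 *Sig, UINTN *SigLength);

struct _EFI_SMART_CARD_EDGE_PROTOCOL {
    EFI_SMART_CARD_EDGE_GET_PIN_REMAINING GetPinRemaining;
    EFI_SMART_CARD_EDGE_VERIFY_PIN        VerifyPin;
    EFI_SMART_CARD_EDGE_SIGN_DATA         SignData;
    UINT32 retries_left;   /* mock card state: PIN is blocked when this hits 0 */
    int    pin_verified;   /* mock card state: private key usable only when set */
};

static const UINT8 MOCK_PIN[] = { '1', '2', '3', '4' };   /* constructed card PIN */

static EFI_STATUS mock_get_pin_remaining(EFI_SMART_CARD_EDGE_PROTOCOL *This, UINT32 *Remaining) {
    *Remaining = This->retries_left;
    return EFI_SUCCESS;
}

/* A wrong PIN costs one try and drops the verified state; a right one restores the counter. */
static EFI_STATUS mock_verify_pin(EFI_SMART_CARD_EDGE_PROTOCOL *This, const UINT8 *Pin, UINTN PinLength, int *PinOk) {
    *PinOk = 0;
    This->pin_verified = 0;
    if (This->retries_left == 0) return EFI_ACCESS_DENIED;   /* PIN blocked */
    if (PinLength == sizeof MOCK_PIN && memcmp(Pin, MOCK_PIN, PinLength) == 0) {
        This->retries_left = 3;
        This->pin_verified = 1;
        *PinOk = 1;
    } else {
        This->retries_left--;
    }
    return EFI_SUCCESS;
}

/* Constructed "signature" (data XOR 0x5A) standing in for the card's RSA/ECDSA. */
static EFI_STATUS mock_sign_data(EFI_SMART_CARD_EDGE_PROTOCOL *This, const UINT8 *Data, UINTN DataLength, UINT8 *Sig, UINTN *SigLength) {
    if (!This->pin_verified) return EFI_ACCESS_DENIED;
    if (*SigLength < DataLength) { *SigLength = DataLength; return EFI_BUFFER_TOO_SMALL; }
    for (UINTN i = 0; i < DataLength; i++) Sig[i] = Data[i] ^ 0x5A;
    *SigLength = DataLength;
    return EFI_SUCCESS;
}

/* Application side: read the retry counter first and refuse to present a PIN
 * when a single try is left, since a pre-boot app has no way to unblock the
 * card; then verify the PIN and ask the card to sign. Returns 0 or -1. */
static int sign_with_card(EFI_SMART_CARD_EDGE_PROTOCOL *card, const UINT8 *pin, UINTN pin_len,
                          const UINT8 *data, UINTN data_len, UINT8 *sig, UINTN *sig_len) {
    UINT32 remaining = 0;
    int pin_ok = 0;
    if (card->GetPinRemaining(card, &remaining) != EFI_SUCCESS || remaining <= 1)
        return -1;
    if (card->VerifyPin(card, pin, pin_len, &pin_ok) != EFI_SUCCESS || !pin_ok)
        return -1;
    if (card->SignData(card, data, data_len, sig, sig_len) != EFI_SUCCESS)
        return -1;
    return 0;
}

/* Constructed card instance with a fresh retry counter. */
static EFI_SMART_CARD_EDGE_PROTOCOL g_card = { mock_get_pin_remaining, mock_verify_pin, mock_sign_data, 3, 0 };

/* Sign a fixed constructed message with a NUL-terminated PIN; 0 on success, -1 otherwise. */
static int try_sign(EFI_SMART_CARD_EDGE_PROTOCOL *card, const char *pin) {
    static const UINT8 msg[] = { 'b', 'o', 'o', 't' };
    UINT8 sig[sizeof msg];
    UINTN sig_len = sizeof sig;
    return sign_with_card(card, (const UINT8 *)pin, strlen(pin), msg, sizeof msg, sig, &sig_len);
}

int main(void) {
    int r = try_sign(&g_card, "1234");
    printf("correct PIN: %d, retries left %u\n", r, (unsigned)g_card.retries_left);
    r = try_sign(&g_card, "0000");
    printf("wrong PIN:   %d, retries left %u\n", r, (unsigned)g_card.retries_left);
    return 0;
}
```

The threshold in `sign_with_card` (`remaining <= 1`) is a design choice for the pre-boot case: leaving the last attempt to an environment that can run the card's unblock procedure is safer than spending it on a keyboard with no feedback channel. The mock also shows why the private-key operation is gated on the verified state rather than on the application's memory of having verified: the card, not the caller, is the authority on whether SignData is allowed.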

Can I use it now?

The specification is now public. You can implement it yourself and play with it. Or you can wait for someone else to implement it and provide it in the UEFI of your next computer.

I already implemented the Smart Card Reader Protocol. I will propose it for inclusion in TianoCore.

Conclusion

Stay tuned. Do not expect to have it included in the UEFI of your next computer for some time.

But if you are a developer you can play with it now.