UEFI Smart Card Reader Protocol

The release 2.5, April 2015 of the Unified Extensible Firmware Interface Specification (UEFI) contains 2 new protocols:
  • Smart Card Reader Protocol
  • Smart Card Edge Protocol

The specification is available in at http://www.uefi.org/sites/default/files/resources/UEFI%202_5.pdf from the UEFI web site.

Smart Card Reader Protocol

The Smart Card Reader Protocol is described in chapter 35.6.1 page 2241 (yes, the specification is one huge document of 14 MB and 2588 pages).

The functions provided are:
typedef struct _EFI_SMART_CARD_READER_PROTOCOL {
EFI_SMART_CARD_READER_CONNECT SCardConnect;
EFI_SMART_CARD_READER_DISCONNECT SCardDisconnect;
EFI_SMART_CARD_READER_STATUS SCardStatus;
EFI_SMART_CARD_READER_TRANSMIT SCardTransmit;
EFI_SMART_CARD_READER_CONTROL SCardControl;
EFI_SMART_CARD_READER_GET_ATTRIB SCardGetAttrib;
} EFI_SMART_CARD_READER_PROTOCOL;

You may be surprised that there is no function to list the available readers. This is because UEFI has its own way to enumerate resources. Each smart card reader will have its own EFI_SMART_CARD_READER_PROTOCOL structure. The program just have to iterate over all the protocols identified as EFI_SMART_CARD_READER_PROTOCOL_GUID.

Usage

The planned usage of the Smart Card Reader Protocol is to be used from an UEFI application so before the operating system (Windows, GNU/Linux, Mac OS X, etc.) is started.
This can be used to access a smart card and get a secret key from the smart card after a PIN has been verified. The secret key could be used to decipher the hard disk.

Smart Card Edge Protocol

The Smart Card Edge Protocol is described in chapter 35.6.2 page 2253.

The functions provided are:
typedef struct _EFI_SMART_CARD_EDGE_PROTOCOL {
EFI_SMART_CARD_EDGE_GET_CONTEXT GetContext;
EFI_SMART_CARD_EDGE_CONNECT Connect;
EFI_SMART_CARD_EDGE_DISCONNECT Disconnect;
EFI_SMART_CARD_EDGE_GET_CSN GetCsn;
EFI_SMART_CARD_EDGE_GET_READER_NAME GetReaderName;
EFI_SMART_CARD_EDGE_VERIFY_PIN VerifyPin;
EFI_SMART_CARD_EDGE_GET_PIN_REMAINING GetPinRemaining;
EFI_SMART_CARD_EDGE_GET_DATA GetData;
EFI_SMART_CARD_EDGE_GET_CREDENTIAL GetCredential;
EFI_SMART_CARD_EDGE_SIGN_DATA SignData;
EFI_SMART_CARD_EDGE_DECRYPT_DATA DecryptData;
EFI_SMART_CARD_EDGE_BUILD_DH_AGREEMENT BuildDHAgreement;
} EFI_SMART_CARD_EDGE_PROTOCOL;

Usage

This API allows to easily use a PKI card. It is the same idea as a PKCS#11 or MiniDriver library: abstract the smart card specificities and make an UEFI application able to use different PKI smart cards without writing specific source code.

Can I use it now?

The specification is now public. You can implement it yourself and play with it. Or you can wait for someone else to implement it and provide it in the UEFI of your next computer.

I already implemented the Smart Card Reader Protocol. I will proposed it for inclusion to TianoCore.

Conclusion

Stay tuned. Do not expect to have it included in the UEFI of your next computer before some time.

But if you are a developer you can play with it now.
Previous
Next Post »