Modern computing platforms rely on the Unified Extensible Firmware Interface (UEFI) to initialize hardware and coordinate the transition to the operating system. Because this execution environment operates with high privileges and persists across reboots, it has increasingly become a target for advanced threats, including bootkits documented in real systems. Existing protections, including Secure Boot and static signature verification, are insufficient against adversaries who exploit runtime behavior or manipulate firmware components after signature checks have completed. In contrast to operating system (OS) environments, where mature tools provide dynamic inspection and incident response, the pre-OS stage lacks practical mechanisms for real-time visibility and threat detection. We present Peacock, a modular framework that introduces integrity-assured monitoring and remote verification for the UEFI boot process. Peacock consists of three components: (i) a UEFI-based agent that records Boot and Runtime Service activity with cryptographic protection against tampering; (ii) a cross-platform OS Agent that extracts the recorded measurements and produces a verifiable attestation bundle using hardware-backed guarantees from the platform's trusted module; and (iii) a Peacock Server that verifies attestation results and exports structured telemetry for enterprise detection. Our evaluation shows that Peacock reliably detects multiple real-world UEFI bootkits, including Glupteba, BlackLotus, LoJax, and MosaicRegressor. Taken together, these results indicate that Peacock provides practical visibility and verification capabilities within the firmware layer, addressing threats that bypass traditional OS-level security mechanisms.

翻译：现代计算平台依赖统一可扩展固件接口（UEFI）来初始化硬件并协调向操作系统的过渡。由于该执行环境以高权限运行且能跨越重启持续存在，它日益成为高级威胁的目标，包括真实系统中记录的引导工具包。现有保护措施（包括安全启动和静态签名验证）不足以抵御利用运行时行为或在签名检查完成后操纵固件组件的攻击者。与具备成熟动态检测和事件响应工具的操作系统（OS）环境不同，操作系统前阶段缺乏实时可视化和威胁检测的实用机制。我们提出孔雀（Peacock）——一个为UEFI引导过程引入完整性保障监控与远程验证的模块化框架。该框架包含三个组件：（i）基于UEFI的代理，以密码学防篡改保护方式记录引导与运行时服务活动；（ii）跨平台操作系统代理，通过平台可信模块提供的硬件支持保证提取记录数据并生成可验证的证明包；（iii）孔雀服务器，用于验证证明结果并导出结构化遥测数据以供企业检测。评估表明，孔雀能可靠检测多种真实世界UEFI引导工具包，包括Glupteba、BlackLotus、LoJax和MosaicRegressor。综合来看，这些结果表明孔雀在固件层提供了实用的可视化与验证能力，可应对绕过传统操作系统级安全机制的威胁。