This work addresses the critical lack of runtime observability in existing UEFI firmware, which hampers effective defense against sophisticated bootkit attacks that bypass mechanisms like Secure Boot. To bridge this gap, the authors propose a modular framework that introduces, for the first time, verifiable and tamper-resistant dynamic monitoring during the UEFI runtime phase. By integrating a hardware root of trust via TPM, an encrypted logging agent, and a cross-platform OS collaboration mechanism, the framework enables integrity protection and remote attestation of firmware behavior. This approach effectively closes the detection blind spot between firmware and the operating system. Empirical evaluation in real-world environments demonstrates its practicality and efficacy by successfully identifying multiple UEFI bootkits, including Glupteba, BlackLotus, LoJax, and MosaicRegressor.

Modern computing platforms rely on the Unified Extensible Firmware Interface (UEFI) to initialize hardware and coordinate the transition to the operating system. Because this execution environment operates with high privileges and persists across reboots, it has increasingly become a target for advanced threats, including bootkits documented in real systems. Existing protections, including Secure Boot and static signature verification, are insufficient against adversaries who exploit runtime behavior or manipulate firmware components after signature checks have completed. In contrast to operating system (OS) environments, where mature tools provide dynamic inspection and incident response, the pre-OS stage lacks practical mechanisms for real-time visibility and threat detection. We present Peacock, a modular framework that introduces integrity-assured monitoring and remote verification for the UEFI boot process. Peacock consists of three components: (i) a UEFI-based agent that records Boot and Runtime Service activity with cryptographic protection against tampering; (ii) a cross-platform OS Agent that extracts the recorded measurements and produces a verifiable attestation bundle using hardware-backed guarantees from the platform's trusted module; and (iii) a Peacock Server that verifies attestation results and exports structured telemetry for enterprise detection. Our evaluation shows that Peacock reliably detects multiple real-world UEFI bootkits, including Glupteba, BlackLotus, LoJax, and MosaicRegressor. Taken together, these results indicate that Peacock provides practical visibility and verification capabilities within the firmware layer, addressing threats that bypass traditional OS-level security mechanisms.