BIOS and UEFI Security

BIOS/UEFI Security

Pre-Operating System Environment - area of the computer that can be attacked during bootup phase

Supervisor/Administrator/Setup Password - protects access to the BIOS/UEFI config program and prevents unauthorized access

User/System Password - used to lock access to entire computer

Storage/Hard Drive Password - locks access to hard drive connected to the system and requires end user’s password

Secure Boot - enabled in the UEFI interface and settings; not supported by BIOS

  • ensures OS is trusted and not compromised by rootkits
  • to work, must be enabled in UEFI and be supported by OS

UEFI can be configured to block USB ports or restrict mass storage devices

TPM & HSM

TPM (Trusted Platform Module) - specification for hardware based storage of digital certificates, keys, password hashes and other user and platform identification information

  • each TPM microprocessor is hard-coded with a unique and unchangeable key
  • is a Hardware RoT
  • ensures secured boot-up
  • provides encryption for storage devices

HSM (Hardware Security Module) - appliance for generating and storing cryptographic keys that are less susceptible to tampering and insider threats

  • digital key

Hardware RoT (Root of Trust) - cryptographic module embedded in a computer system that endorses trusted execution and attests to boot settings and metrics

  • foundation of all secure operations of a computing system
  • contains keys used for cryptographic functions
  • enables secure boot process
  • used to scan boot metrics in OS files