BIOS and UEFI Security
BIOS/UEFI Security
Pre-Operating System Environment - area of the computer that can be attacked during bootup phase
Supervisor/Administrator/Setup Password - protects access to the BIOS/UEFI config program and prevents unauthorized access
User/System Password - used to lock access to entire computer
Storage/Hard Drive Password - locks access to hard drive connected to the system and requires end user’s password
Secure Boot - enabled in the UEFI interface and settings; not supported by BIOS
- ensures OS is trusted and not compromised by rootkits
- to work, must be enabled in UEFI and be supported by OS
UEFI can be configured to block USB ports or restrict mass storage devices
TPM & HSM
TPM (Trusted Platform Module) - specification for hardware based storage of digital certificates, keys, password hashes and other user and platform identification information
- each TPM microprocessor is hard-coded with a unique and unchangeable key
- is a Hardware RoT
- ensures secured boot-up
- provides encryption for storage devices
HSM (Hardware Security Module) - appliance for generating and storing cryptographic keys that are less susceptible to tampering and insider threats
- digital key
Hardware RoT (Root of Trust) - cryptographic module embedded in a computer system that endorses trusted execution and attests to boot settings and metrics
- foundation of all secure operations of a computing system
- contains keys used for cryptographic functions
- enables secure boot process
- used to scan boot metrics in OS files