Special Publication 800-147 BIOS Protection Guidelines Recommendations of the National Institute of Standards and Technology David Cooper William Polk Andrew Regenscheid Murugiah Souppaya
NIST Special Publication 800-147 BIOS Protection Guidelines Recommendations of the National Institute of Standards and Technology David Cooper William Polk Andrew Regenscheid Murugiah Souppaya C O M P U T E R S E C U R I T Y Computer Security Division Information Technology Laboratory National Institute of Standards and Technology Gaithersburg, MD 20899-8930 April 2011 U.S. Department of Commerce Gary Locke, Secretary National Institute of Standards and Technology Dr. Patrick D.
BIOS PROTECTION GUIDELINES Reports on Computer Systems Technology The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the nation’s measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analysis to advance the development and productive use of information technology.
BIOS PROTECTION GUIDELINES Acknowledgments The authors, David Cooper, William Polk, Andrew Regenscheid, and Murugiah Souppaya of the National Institute of Standards and Technology (NIST) wish to thank their colleagues who reviewed drafts of this document and contributed to its technical content. The authors gratefully acknowledge and appreciate the contributions from individuals and organizations that submitted comments on the public draft of this publication.
BIOS PROTECTION GUIDELINES Table of Contents Executive Summary ....................................................................................................................1 1. Introduction.......................................................................................................................1-1 1.1 1.2 1.3 1.4 2. Background.......................................................................................................................2-1 2.1 2.2 2.3 2.4 2.5 3. Authority ..
BIOS PROTECTION GUIDELINES Executive Summary Modern computers rely on fundamental system firmware, commonly known as the system Basic Input/Output System (BIOS), to facilitate the hardware initialization process and transition control to the operating system. The BIOS is typically developed by both original equipment manufacturers (OEMs) and independent BIOS vendors, and is distributed to end-users by motherboard or computer manufacturers.
BIOS PROTECTION GUIDELINES 1. Introduction 1.1 Authority The National Institute of Standards and Technology (NIST) developed this document in furtherance of its statutory responsibilities under the Federal Information Security Management Act (FISMA) of 2002, Public Law 107-347.
BIOS PROTECTION GUIDELINES 1.3 Audience The intended audience for this document includes BIOS and platform vendors, and information system security professionals who are responsible for managing the endpoint platforms’ security, secure boot processes, and hardware security modules. The material may also be of use when developing enterprisewide procurement strategies and deployment.
BIOS PROTECTION GUIDELINES 2. Background Modern computers such as desktop and laptop computers contain program code that facilitates the hardware initialization process. The code is stored in non-volatile memory and is commonly referred to as boot firmware. The primary firmware used to initialize the system is called the Basic Input/Output System (BIOS) or the system BIOS.
BIOS PROTECTION GUIDELINES 1. Execute Core Root of Trust: The system BIOS may include a small core block of firmware that executes first and is capable of verifying the integrity of other firmware components. This has traditionally been called the BIOS Boot Block. For trusted computing applications, it may also contain the Core Root of Trust for Measurement (CRTM). 2.
BIOS PROTECTION GUIDELINES Figure 1: Conventional BIOS Boot Process1 Next, the system BIOS searches for other peripherals and microcontrollers, and executes any Option ROMs on these components necessary to initialize them. Option ROMs execute very early in the boot process and can add a variety of features to the boot process. For example, the Option ROM on a network adapter could load the Preboot Execution Environment (PXE), which allows a computer to boot over the network.
BIOS PROTECTION GUIDELINES 2.2.2 UEFI Boot Process At a high level, the UEFI boot process, shown in Figure 2, follows a similar flow to the conventional BIOS boot process. One difference is that UEFI code runs in 32- or 64-bit protected mode on the CPU, not in 16-bit real mode as is often the case with conventional BIOS. Most UEFI-based platforms start with a small core block of code that has the primary responsibility of authenticating subsequent code executed on the computer system.
BIOS PROTECTION GUIDELINES process, or provide additional features. During this phase the UEFI BIOS may execute conventional option ROMs, which have a similar purpose. The PEI and DXE phases of the UEFI boot process lay the foundation to load an operating system. The final tasks necessary to load an operating system are performed in the Boot Device Selection (BDS) phase. This phase initializes console devices for simple input/output operations on the system.
BIOS PROTECTION GUIDELINES and operating system. The BIOS is stored on non-volatile memory that persists between power cycles. Malware written into a BIOS could be used to re-infect machines even after new operating systems have been installed or hard drives replaced. Because the system BIOS runs early in the boot process with very high privileges on the machine, malware running at the BIOS level may be very difficult to detect.
BIOS PROTECTION GUIDELINES • One of the most difficult threats to prevent is a user-initiated installation of a malicious system BIOS. User-initiated BIOS update utilities are often the primary method for updating the system BIOS. The guidelines included in this document will not prevent users from installing unapproved BIOS images if they have physical access to the computer system.
BIOS PROTECTION GUIDELINES 3. Threat Mitigation BIOS is a critical component of a secure system. As the first code executed during the boot process, the system BIOS is implicitly trusted by hardware and software components in a system. The previous section described the system BIOS’s role in the boot process, the system BIOS’s appeal to attackers, and the potential threats resulting in the unauthorized modification of the BIOS.
BIOS PROTECTION GUIDELINES update image and ensure that it matches a hash which appears in the key store before using the provided public key to verify the signature on the BIOS update image.
BIOS PROTECTION GUIDELINES 3.1.4 Non-Bypassability The authenticated BIOS update mechanism shall be the exclusive mechanism for modifying the system BIOS absent physical intervention through the secure local update mechanism. The design of the system and accompanying system components and firmware shall ensure that there are no mechanisms that allow the system processor or any other system component to bypass the authenticated update mechanism, except for the secure local update mechanism.
BIOS PROTECTION GUIDELINES In addition, a common configuration baseline for each platform must be created to conform to the organization’s policy. The baseline should ensure that the integrity protection and non-bypassability features are enabled (if they are configurable), and organization policies for password policy and device boot order are enforced. Finally, the BIOS image information and associated baseline of settings for each platform should be documented in the configuration management plan.
BIOS PROTECTION GUIDELINES the configuration of the BIOS against the organization’s defined policy after BIOS rollback or reinstallation. Disposition Phase: Before the computer system is disposed and leaves the organization, the organization should remove or destroy any sensitive data from the system BIOS.
BIOS PROTECTION GUIDELINES Appendix A—Summary of Guidelines for System BIOS Implementations This appendix contains a summary of the secure BIOS update guidelines for system BIOS implementations found in Section 3.1. These guidelines are intended for platform vendors designing, implementing, or selecting a system BIOS implementation. Readers should consult the relevant sections in the main body of this document for additional informative text that further describes the intent and context of the guidelines.
BIOS PROTECTION GUIDELINES 4. Integrity Protection 4-A The RTU and the BIOS (excluding configuration data used by the BIOS that is stored in nonvolatile memory) shall be protected from unintended or malicious modification using a mechanism that cannot be overridden outside of an authenticated BIOS update. 4-B The protection mechanism shall be protected from unauthorized modification.
BIOS PROTECTION GUIDELINES Appendix B—Glossary Selected terms used in the publication are defined below. Basic Input/Output System (BIOS): In this publication, refers collectively to boot firmware based on the conventional BIOS, Extensible Firmware Interface (EFI), and the Unified Extensible Firmware Interface (UEFI). Conventional BIOS: Legacy boot firmware used in many x86-compatible computer systems. Also known as the legacy BIOS.
BIOS PROTECTION GUIDELINES Appendix C—Acronyms and Abbreviations This appendix contains a list of selected acronyms and abbreviations used in the guide.
BIOS PROTECTION GUIDELINES Appendix D—References The list below provides references for this publication. [Duarte08] G. Duarte. “How Computers Boot Up.” 5 June 2008. http://www.duartes.org/gustavo/blog/post/how-computers-boot-up [EFI] EFI 1.10 Specification. Intel. 1 November 2003. http://www.intel.com/technology/efi/ [EmSp08] Shawn Embleton, Sherri Sparks, and Cliff C. Zou.
BIOS PROTECTION GUIDELINES [SP800-128] Draft NIST SP 800-128, Guide for Security Configuration Management of Information Systems. March 2010. [SP800-131A] NIST SP 800-131A, Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths. January 2011. [Sym02] W95.CIH Technical Details. Symantec. 25 April 2002. http://www.symantec.com/security_response/writeup.