BIOS Protection Guidelines - Recommendations of the National Institute of Standards and Technology
BIOS PROTECTION GUIDELINES
1. Execute Core Root of Trust: The system BIOS may include a small core block of firmware that executes first and is capable of verifying the integrity of other firmware components. This has traditionally been called the BIOS Boot Block. For trusted computing applications, it may also contain the Core Root of Trust for Measurement (CRTM).
2. Initialize and Test Low-Level Hardware: Very early in the boot process the system BIOS initializes and tests key pieces of hardware on the computer system, including the motherboard, chipset, memory and CPU.
3. Load and Execute Additional Firmware Modules: The system BIOS executes additional pieces of firmware that either extend the capabilities of the system BIOS or initialize other hardware components necessary for booting the system. These additional modules may be stored within the same flash memory as the system BIOS or they may be stored in the hardware devices they initialize (e.g., video card, local area network card).
4. Select Boot Device: After system hardware has been configured, the system BIOS searches for a boot device (e.g., hard drive, optical drive, USB drive) and executes the boot loader stored on that device.
5. Load Operating System: While the system BIOS is still in control of the computer, the boot loader begins to load and initialize the operating system kernel. Once the kernel is functional, primary control of the computer system transfers from the system BIOS to the operating system.
In addition, the system BIOS loads system management interrupt (SMI) handlers (also known as System Management Mode (SMM) code) and initializes Advanced Configuration and Power Interface (ACPI) tables and code. These provide important system management functions for the running computer system, such as power and thermal management.
This section describes the boot process in conventional BIOS-based systems and the boot process in UEFI-based systems. While conventional BIOS is used in many desktop and laptop computers deployed today, the industry has begun transitioning to UEFI BIOS.
2.2.1 Conventional BIOS Boot Process
Figure 1 shows a typical boot process for x86-compatible systems running a conventional BIOS. The conventional BIOS often executes in 16-bit real mode, although some more recent implementations execute in protected mode. Some conventional BIOS-based firmware has a small block of BIOS firmware, known as the BIOS boot block, that is logically separate from the rest of the BIOS. On these computer systems, the boot block is the first firmware executed during the boot process. The boot block is responsible for checking the integrity of the remaining BIOS code, and may provide mechanisms for recovery if the main system BIOS firmware is corrupted. On most trusted computing architectures, the BIOS boot block serves as the computer system's CRTM because this firmware is implicitly trusted to bootstrap the process of building a measurement chain for subsequent attestation of other firmware and software that is executed on the machine [TCG05].
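As an added illustration (not from the NIST document), the following Python models the measurement chain that the CRTM bootstraps: the boot block hashes each later component into a TPM-style register before handing it control, and a verifier replays the event log against a known-good value. The firmware images, component names and the use of SHA-256 are constructed assumptions, not values from this publication.

```python
import hashlib

# Constructed stand-ins for the flash and option-ROM contents measured during boot.
FIRMWARE = {
    "post": b"POST: initialize chipset, CPU, memory",
    "video_rom": b"option ROM: video card",
    "nic_rom": b"option ROM: local area network card",
    "boot_loader": b"boot loader read from the selected boot device",
}
# Order in which the boot block hands off control (steps 2 to 5 above).
BOOT_ORDER = ["post", "video_rom", "nic_rom", "boot_loader"]

def measure(image: bytes) -> bytes:
    """Digest of one component. SHA-256 is assumed here for illustration."""
    return hashlib.sha256(image).digest()

def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM-style extend: PCR_new = H(PCR_old || digest).
    One-way and order-dependent, so a register cannot be set to a chosen value."""
    return hashlib.sha256(pcr + digest).digest()

def boot_measure(firmware: dict, order: list):
    """Model the CRTM measuring each component before executing it.
    Returns the final register value and the event log of (name, digest)."""
    pcr = bytes(32)  # registers start at zero at power-on
    log = []
    for name in order:
        digest = measure(firmware[name])
        log.append((name, digest))
        pcr = extend(pcr, digest)  # measure first, then transfer control
    return pcr, log

def verify_log(log: list, reported_pcr: bytes) -> bool:
    """Attestation-side check: replaying the log must reproduce the reported value."""
    pcr = bytes(32)
    for _, digest in log:
        pcr = extend(pcr, digest)
    return pcr == reported_pcr

def expected_pcr(golden_firmware: dict, order: list) -> bytes:
    """Known-good value the verifier computes from reference firmware images."""
    return boot_measure(golden_firmware, order)[0]
```

Because every later measurement is chained onto the earlier ones, a modified option ROM or boot loader changes the final value, and a log that has been edited after the fact no longer replays to the reported register.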
The boot block executes the part of the conventional BIOS that initializes most hardware components, the Power-On Self-Test (POST) code. During POST, key low-level hardware on the computer system is initialized, including the chipset, CPU, and memory. The system BIOS initializes the video card, which may load and execute its own BIOS to initialize graphics processors and memory.