BIOS Protection Guidelines - Recommendations of the National Institute of Standards and Technology
3. Threat Mitigation
BIOS is a critical component of a secure system. As the first code executed during the boot process, the
system BIOS is implicitly trusted by hardware and software components in a system. The previous
section described the system BIOS’s role in the boot process, the system BIOS’s appeal to attackers, and
the potential threats resulting in the unauthorized modification of the BIOS. This section presents
security guidelines for BIOS implementations and recommended practices for managing BIOSs in an
enterprise environment. Section 3.1 provides guidelines for a secure BIOS update process. It is intended
for platform vendors designing, implementing, or selecting a system BIOS implementation. While
products may not be immediately available, organizations can use these guidelines as input to their
procurement processes and begin developing plans to make use of these security features when they are
available. Organizations can use the recommended BIOS management practices in Section 3.2 when
developing these plans. The recommendations are intended to prevent unauthorized modification of the
BIOS.
3.1 Security Guidelines for System BIOS Implementations
This subsection provides guidelines intended to maintain the integrity of the BIOS after it has been
provisioned by securing the mechanisms used for updating the BIOS. In particular, this subsection
defines guidelines for system BIOS implementations for a secure BIOS update mechanism. A secure
BIOS update mechanism includes:
1. a process for verifying the authenticity and integrity of BIOS updates; and
2. a mechanism for ensuring that the BIOS is protected from modification outside of the secure
update process.
Authentication verifies that a BIOS update image was generated by an authentic source and is unaltered.
All updates to the system BIOS shall either go through an authenticated BIOS update mechanism as
described in Section 3.1.1 or use an optional secure local update mechanism compliant with the
guidelines in Section 3.1.2.
These guidelines for a secure BIOS update mechanism do not mitigate all risks associated with the system
BIOS. Some threats of unauthorized modification of the system BIOS remain. For example, these
guidelines do not prevent individuals with physical access to systems from modifying the system BIOS.
Nor do they guarantee the absence of vulnerabilities in the system BIOS implementations. The guidelines
on the system BIOS should be used in conjunction with organizations’ existing security policies and
procedures.
3.1.1 BIOS Update Authentication
The authenticated BIOS update mechanism employs digital signatures to ensure the authenticity of the
BIOS update image. To update the BIOS using the authenticated BIOS update mechanism, there shall be
a Root of Trust for Update (RTU) that contains a signature verification algorithm and a key store that
includes the public key needed to verify the signature on the BIOS update image. The key store and the
signature verification algorithm shall be stored in a protected fashion on the computer system and shall be
modifiable only using an authenticated update mechanism or a secure local update mechanism as outlined
in Section 3.1.2.
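An added example, not part of the NIST text: a minimal Python model of the RTU check, covering the case the next paragraph describes, where the key store holds only a hash of the public key and the key itself arrives with the BIOS update image. RSA PKCS#1 v1.5 with SHA-256, the key encoding, the demo key and the sample image are assumptions made for illustration; this section of the guideline does not prescribe them.

```python
import hashlib

# Constructed demo key (assumption): two Mersenne primes, offline example only, not a secure key.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
K = (N.bit_length() + 7) // 8  # modulus length in bytes
# ASN.1 DigestInfo prefix for SHA-256 (RFC 8017, section 9.2)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def emsa_pkcs1_v15(message: bytes, k: int) -> bytes:
    """Expected encoded block: 00 01 FF..FF 00 DigestInfo(SHA-256(message))."""
    t = SHA256_PREFIX + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def encode_key(n: int, e: int) -> bytes:
    """Hypothetical public-key encoding: 4-byte exponent, then modulus."""
    return e.to_bytes(4, "big") + n.to_bytes((n.bit_length() + 7) // 8, "big")


def sign_for_demo(image: bytes) -> bytes:
    """Vendor side, shown only to build the sample; never runs on the platform."""
    d = pow(E, -1, (P - 1) * (Q - 1))
    m = int.from_bytes(emsa_pkcs1_v15(image, K), "big")
    return pow(m, d, N).to_bytes(K, "big")


def rtu_verify(key_store_hash: bytes, image: bytes, pubkey: bytes, sig: bytes) -> bool:
    """RTU check: authenticate the supplied key, then the image signature."""
    # 1. The key shipped with the update must hash to the value in the key store.
    if hashlib.sha256(pubkey).digest() != key_store_hash:
        return False
    e, n = int.from_bytes(pubkey[:4], "big"), int.from_bytes(pubkey[4:], "big")
    k = len(pubkey) - 4
    s = int.from_bytes(sig, "big")
    if len(sig) != k or s >= n:
        return False
    # 2. Recompute the full encoded block and compare it whole, instead of
    #    parsing the padding out of the recovered signature block.
    em = pow(s, e, n).to_bytes(k, "big")
    return em == emsa_pkcs1_v15(image, k)


PUBKEY = encode_key(N, E)
KEY_STORE_HASH = hashlib.sha256(PUBKEY).digest()  # provisioned in protected storage
IMAGE = b"constructed BIOS update image v2"      # constructed sample
SIG = sign_for_demo(IMAGE)
```

The key store never needs the full key in this variant, but the hash comparison must come before any use of the supplied key, as in step 1.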
The key store in the RTU shall include a public key used to verify the signature on a BIOS update image
or include a hash [FIPS 180-3] of the public key if a copy of the public key is provided with the BIOS
update image. In the latter case, the update mechanism shall hash the public key provided with the BIOS