BIOS Protection Guidelines - Recommendations of the National Institute of Standards and Technology
BIOS PROTECTION GUIDELINES
3.1.4 Non-Bypassability
The authenticated BIOS update mechanism shall be the exclusive mechanism for modifying the system
BIOS absent physical intervention through the secure local update mechanism. The design of the system
and accompanying system components and firmware shall ensure that there are no mechanisms that allow
the system processor or any other system component to bypass the authenticated update mechanism,
except for the secure local update mechanism. Any such mechanisms capable of bypassing the
authenticated update mechanism could create a vulnerability allowing malicious software to modify the
system BIOS or overwrite the system flash with a BIOS image from an illegitimate source.
A modern platform includes design features that give system components direct access to the system
BIOS for performance improvements, such as shadowing the BIOS in RAM or for system management
mode operations. System components may have read access to BIOS flash memory, but they shall not be
able to directly modify the system BIOS except through the authenticated update mechanism or by an
authorized mechanism requiring physical intervention. For example, bus mastering that bypasses the
main processor (e.g., Direct Memory Access to the system flash) shall not be capable of directly
modifying the firmware. Also, microcontrollers on the system shall not be capable of directly modifying
the firmware, unless the hardware and firmware components of the microcontroller are protected with
equivalent mechanisms at the RTU. These non-bypassability guidelines do not apply to configuration
data used by the system BIOS that is stored in non-volatile memory.
3.2 Recommended Practices for BIOS Management
This section introduces considerations for managing system BIOS in an enterprise operational
environment leveraging the existing policy, process, and operations practices. It focuses on key activities
revolving around provisioning, deploying, managing, and decommissioning the system BIOS as part of
its overall platform life cycle. Activities performed in a recovery phase are also specified to handle
exceptional conditions.
Provisioning Phase: It is crucial that the organization institute a mechanism for identifying,
inventorying, and tracking the different computer systems across the enterprise throughout their life
cycle. Identifying and monitoring the BIOS image characteristics such as manufacturer name, version, or
time stamp allows the organization to perform update, rollback, and recovery. The organization should
maintain a “golden master image” for each approved system BIOS, including superseded versions, in
secure offline storage.
If the platform has a configurable Root of Trust for Update (RTU), the organization needs to maintain a
copy of the key store and signature verification algorithm. If the RTU is integrated into the system BIOS
then this guideline is satisfied by maintaining the golden BIOS image. If the RTU is not integrated into
the system BIOS, the security afforded the RTU should be at least as strong as that for the golden BIOS
image.
Most organizations will rely upon the manufacturer as the source for the authenticated BIOS. In this case,
the organization does not maintain any private keys, and the RTU contains only public keys provided by
the manufacturer. Where the organization prefers to participate actively in the BIOS authentication
process by countersigning some or all approved system BIOS updates, the RTU may contain one or more
public keys associated with the organization. In this case, the organization must securely maintain the
corresponding private key so that the next BIOS update can be signed. Private keys should be maintained
under multi-party control to protect against insider attacks. For organizational keys, the corresponding
public keys must also be maintained securely (to ensure authentication of origin).
3-3