Manualshelf

BIOS Protection Guidelines - Recommendations of the National Institute of Standards and Technology

ManualsBrandsIntel ManualsOtherIntel Desktop Board DG41MJ
17181920212223242526
BIOS PROTECTION GUIDELINES
4. Integrity Protection!
4-A The RTU and the BIOS (excluding configuration data used by the BIOS that is stored in non-
volatile memory) shall be protected from unintended or malicious modification using a
mechanism that cannot be overridden outside of an authenticated BIOS update.
4-B The protection mechanism shall be protected from unauthorized modification.
4-C The authenticated BIOS update mechanism shall be protected from unintended or malicious
modification by a mechanism that is at least as strong as that protecting the RTU and the
system BIOS.
4-D The protection mechanism shall protect relevant regions of the system flash memory
containing the system BIOS prior to executing firmware or software that can be modified
without using an authenticated update mechanism or a secure local update mechanism.
4-E Protections should be enforced by hardware mechanisms that are not alterable except by an
authorized mechanism.
!
5. Non-Bypassability
These non-bypassability guidelines do not apply to configuration data used by the system BIOS that
is stored in non-volatile memory.
!
5-A The authenticated BIOS update mechanism shall be the exclusive mechanism for modifying
the system BIOS absent physical intervention through the secure local update mechanism.
!
5-B The design of the system and accompanying system components and firmware shall ensure that
there are no mechanisms that allow the system processor or any other system component to
bypass the authenticated update mechanism, except for the secure local update mechanism.
!
5-C While system components may have read access to BIOS flash memory, they shall not be able
to directly modify the system BIOS except through the authenticated update mechanism or by
an authorized mechanism requiring physical intervention.
!
5-C.i Bus mastering that bypasses the main processor (e.g., Direct Memory Access to the
system flash) shall not be capable of directly modifying the firmware.
!
Microcontrollers on the system shall not be capable of directly modifying the firmware, unless the
hardware and firmware components of the microcontroller are protected with equivalent mechanisms
at the RTU.
A-2