BIOS Protection Guidelines - Recommendations of the National Institute of Standards and Technology

2. Background
Modern computers such as desktop and laptop computers contain program code that facilitates the
hardware initialization process. The code is stored in non-volatile memory and is commonly referred to as
boot firmware. The primary firmware used to initialize the system is called the Basic Input/Output
System (BIOS) or the system BIOS. This section provides background information on the system BIOS
and its role in the boot process using the conventional BIOS and Unified Extensible Firmware Interface
(UEFI) BIOS as examples. It identifies the primary methods used for updating the system BIOS, and
security issues and threats to the system BIOS.
2.1 System BIOS
The system BIOS is the first piece of software executed on the main central processing unit (CPU) when a
computer is powered on. While the system BIOS was originally responsible for providing operating
systems access to hardware, its primary role on modern machines is to initialize and test hardware
components and load the operating system. In addition, the BIOS loads and initializes important system
management functions, such as power and thermal management. The system BIOS may also load CPU
microcode patches during the boot process.
There are several different types of BIOS firmware. Some computers use a 16-bit conventional BIOS,
while many newer systems use boot firmware based on the UEFI specifications [UEFI]. In this document
we refer to all types of boot firmware as BIOS firmware, the system BIOS, or simply BIOS. When
necessary, we differentiate conventional BIOS firmware from UEFI firmware by calling them the
conventional BIOS and UEFI BIOS, respectively.
System BIOS is typically developed by both original equipment manufacturers (OEMs) and independent
BIOS vendors, and is distributed to end users with computer hardware. Manufacturers frequently update
system firmware to fix bugs, patch vulnerabilities, and support new hardware. The system BIOS is
typically stored on electrically erasable programmable read-only memory (EEPROM) or other forms of
flash memory, and is modifiable by end users. Typically, system BIOS firmware is updated using a
utility or tool that has special knowledge of the non-volatile storage components in which the BIOS is
stored.
A given computer system can have BIOS in several different locations. In addition to the motherboard,
BIOS can be found on hard drive controllers, video cards, network cards and other add-in cards. This
additional firmware generally takes the form of Option ROMs (containing conventional BIOS and/or
UEFI drivers). These are loaded and executed by the system firmware during the boot process. Other
system devices, such as hard drives and optical drives, may have their own microcontrollers and other
types of firmware.
As noted in Section 1.2, the guidelines in this document apply to BIOS firmware stored in the system flash.
This includes Option ROMs and UEFI drivers that are stored with the system BIOS firmware and are
updated by the same mechanism. It does not apply to Option ROMs, UEFI drivers, and firmware stored
elsewhere in a computer system.
2.2 Role of System BIOS in the Boot Process
The primary function of the system BIOS is to initialize important hardware components and to load the
operating system. This process is known as booting. The boot process of the system BIOS typically
executes in the following stages: