BIOS Protection Guidelines - Recommendations of the National Institute of Standards and Technology

process, or provide additional features. During this phase the UEFI BIOS may execute conventional option ROMs, which have a similar purpose.

The PEI and DXE phases of the UEFI boot process lay the foundation to load an operating system. The final tasks necessary to load an operating system are performed in the Boot Device Selection (BDS) phase. This phase initializes console devices for simple input/output operations on the system. These console devices include local text or graphical interfaces, as well as remote interfaces, such as Telnet or remote displays over HTTP. The BDS phase also loads any additional drivers necessary to manage console or boot devices. Finally, the firmware loads the boot loader from the first MBR or GUID Partition Table (GPT) formatted boot device, and loads the operating system.

During the boot process the UEFI BIOS loads SMI handlers and initializes ACPI tables and code.

The Run Time phase of the UEFI boot process begins when the operating system is ready to take control from the UEFI BIOS. UEFI runtime services are available to the operating system during this phase.
2.3 Updating the System BIOS

A system and its supporting management software and firmware may provide several authorized mechanisms for legitimately updating the system BIOS. These include:

1. User-Initiated Updates: System and motherboard manufacturers typically supply end users with utilities capable of updating the system BIOS. Historically, end users booted from external media to perform these updates, but today most manufacturers provide utilities that can update the system BIOS from the user’s normal operating system. Depending on the security mechanisms implemented on the system, these utilities might directly update the system BIOS or they may schedule an update for the next system reboot.

2. Managed Updates: A given computer system may have hardware and software-based agents that allow a system administrator to remotely update the system BIOS without direct involvement from the user.

3. Rollback: System BIOS implementations that authenticate updates before applying them may also check version numbers during the update process. In these cases, the system BIOS may have a special update process for rolling back the installed firmware to an earlier version. For instance, the rollback process might require the physical presence of the user. This mechanism guards against attackers flashing old firmware with known vulnerabilities.

4. Manual Recovery: To recover from a corrupt or malfunctioning system BIOS, many computer systems provide mechanisms to allow a user with physical presence during the boot process to replace the current system BIOS with a known good version and configuration.

5. Automatic Recovery: Some computer systems are able to detect when the system BIOS has been corrupted and recover from a backup firmware image stored in a separate storage location from the primary system BIOS (e.g., a second flash memory chip, a hidden partition on a hard drive).
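As an added illustration of the anti-rollback gate described in item 3 (example code, not from the NIST document), the following shows the acceptance order an update mechanism would apply: authenticate the image first, accept a same-or-newer version, and allow an older version only through the physical-presence rollback path. The HMAC key, the 4-byte integer version field and the dataclass layout are constructed assumptions; a real BIOS update is verified with the manufacturer's asymmetric signature.

```python
"""Update-acceptance policy for a BIOS image: authenticate, then enforce anti-rollback."""
import hashlib
import hmac
from dataclasses import dataclass

# Constructed stand-in key. Assumption: the real mechanism verifies an
# asymmetric signature from the manufacturer; HMAC is used only so this
# example runs offline with the standard library.
VENDOR_KEY = b"constructed-vendor-signing-key"
VERSION_LEN = 4  # version serialised as a 4-byte big-endian integer (assumption)


@dataclass
class UpdateImage:
    version: int
    payload: bytes
    tag: bytes  # authentication tag computed over version || payload


def _message(version: int, payload: bytes) -> bytes:
    # Binding the version into the authenticated data stops an old signed
    # image from being re-labelled with a newer version number.
    return version.to_bytes(VERSION_LEN, "big") + payload


def sign_image(version: int, payload: bytes, key: bytes = VENDOR_KEY) -> UpdateImage:
    tag = hmac.new(key, _message(version, payload), hashlib.sha256).digest()
    return UpdateImage(version, payload, tag)


def authenticate(image: UpdateImage, key: bytes = VENDOR_KEY) -> bool:
    expected = hmac.new(key, _message(image.version, image.payload), hashlib.sha256).digest()
    return hmac.compare_digest(expected, image.tag)


def update_decision(image: UpdateImage, installed_version: int, physical_presence: bool = False):
    """Return (accept, reason). Authentication always comes before the version check."""
    if not authenticate(image):
        return False, "rejected: authentication failed"
    if image.version >= installed_version:
        return True, "accepted: same or newer version"
    # Older version: only the special rollback path, gated on physical presence.
    if physical_presence:
        return True, "accepted: rollback with physical presence"
    return False, "rejected: rollback without physical presence"


if __name__ == "__main__":
    installed = 12  # constructed currently-installed version
    print(update_decision(sign_image(11, b"constructed-old-image"), installed))
```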
2.4 Importance of BIOS Integrity

As the first code that is executed by the main CPU, the system BIOS is a critical security component of a computer system. While the system BIOS, possibly with the use of a Trusted Platform Module (TPM), can verify the integrity of firmware and software executed later in the boot process, typically all or part of the system BIOS is implicitly trusted.

The system BIOS is a potentially attractive target for attack. Malicious code running at the BIOS level could have a great deal of control over a computer system. It could be used to compromise any components that are loaded later in the boot process, including the SMM code, boot loader, hypervisor,