NSA publishes guidance on UEFI Secure Boot customization

Pierluigi Paganini September 16, 2020

The US National Security Agency (NSA) published guidance on the Unified Extensible Firmware Interface (UEFI) Secure Boot customization.

The United States National Security Agency (NSA) has published guidance on how the Unified Extensible Firmware Interface (UEFI) Secure Boot feature can be customized by organizations.

The Unified Extensible Firmware Interface (UEFI) is a specification that defines a software interface between an operating system and platform firmware. UEFI replaces the legacy Basic Input/Output System (BIOS) firmware interface originally present in all IBM PC-compatible personal computers, with most UEFI firmware implementations providing support for legacy BIOS services. UEFI can support remote diagnostics and repair of computers, even with no operating system installed.

Over the years, experts have observed several attacks employing rootkits specifically developed to target firmware in order to achieve persistence and bypass security solutions.

The Secure Boot mechanism allows the execution of only software that is trusted by the Original Equipment Manufacturer (OEM). 

“Secure Boot can be customized to meet the needs of different environments. Customization enables administrators to realize the benefits of boot malware defenses, insider threat mitigations, and data-at-rest protections,” states the NSA technical report. “Administrators should opt to customize Secure Boot rather than disable it for compatibility reasons.”

The NSA report revealed that several organizations disable Secure Boot because of incompatibility issues, but the agency strongly recommends customizing it to meet the needs of the organization instead.

“Customization enables administrators to realize the benefits of boot malware defenses, insider threat mitigations, and data-at-rest protections. Administrators should opt to customize Secure Boot rather than disable it for compatibility reasons,” continues the report. “Customization may – depending on implementation – require infrastructures to sign their own boot binaries and drivers.”

The NSA pointed out that Secure Boot can be configured to audit firmware modules, expansion devices, and bootable OS images (sometimes referred to as Thorough Mode). The report states that a Trusted Platform Module (TPM) may be used to validate the integrity of UEFI Secure Boot.

The NSA’s report includes details on how administrators can customize Secure Boot, including information on advanced customization options that can be applied by organizations to meet their needs.
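Because the report notes that organizations often disable Secure Boot for compatibility reasons, a fleet audit needs to tell a host where it is enforcing apart from one where it was switched off. The following is an added example, not code from the NSA report or this article: it classifies a Linux host from the UEFI `SecureBoot` and `SetupMode` variables, assuming efivarfs is mounted at `/sys/firmware/efi/efivars`; the function names and result labels are hypothetical.

```python
"""Classify a Linux host's UEFI Secure Boot state from efivarfs (added example)."""
import struct
from pathlib import Path

# EFI_GLOBAL_VARIABLE GUID from the UEFI specification.
EFI_GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS = Path("/sys/firmware/efi/efivars")  # assumed efivarfs mount point


def parse_flag(blob):
    """efivarfs files are a 4-byte little-endian attribute word followed by
    the variable data; SecureBoot and SetupMode carry a single 0/1 byte."""
    if blob is None:
        return None
    if len(blob) != 5:
        raise ValueError("expected 4 attribute bytes + 1 data byte")
    _attrs, value = struct.unpack("<IB", blob)
    if value not in (0, 1):
        raise ValueError("unexpected flag value %d" % value)
    return bool(value)


def classify(secure_boot_blob, setup_mode_blob):
    """Map the two raw variables to a finding an audit can act on."""
    try:
        secure_boot = parse_flag(secure_boot_blob)
        setup_mode = parse_flag(setup_mode_blob)
    except ValueError:
        return "malformed"
    if secure_boot is None:
        return "no-uefi-variables"  # legacy BIOS/CSM boot or efivarfs not mounted
    if secure_boot and setup_mode:
        return "inconsistent"       # enforcement needs an enrolled Platform Key
    if secure_boot:
        return "enforcing"
    if setup_mode:
        return "setup-mode"         # no Platform Key enrolled, nothing enforced
    return "disabled"               # keys enrolled but enforcement switched off


def read_host_state(root=EFIVARS):
    """Read both variables from efivarfs; a missing file becomes None."""
    def read(name):
        path = Path(root) / ("%s-%s" % (name, EFI_GLOBAL_GUID))
        return path.read_bytes() if path.is_file() else None
    return classify(read("SecureBoot"), read("SetupMode"))


if __name__ == "__main__":
    print(read_host_state())
```

A result of `disabled` or `setup-mode` marks a host to bring back under a customized key set rather than leave unprotected.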


Pierluigi Paganini

(SecurityAffairs – hacking, UEFI)
