To successfully defend the BIOS from malicious rootkit installation or other mal

Question

To successfully defend the BIOS from malicious rootkit installation or other malware that writes itself inside BIOS I wonder if these ideas are possible or even done yet:

- Can you program the BIOS itself in a way that it only accepts data to be written to the BIOS that has been signed with the BIOS-Manufacture's PGP-Key? Basically the same way like normal userland programs get their updates installed.

- Is it possible to encrypt the whole BIOS data to prevent attackers from just 'upgrading' your BIOS with their malicious code?

In both ways it would be sufficient to protect the BIOS only from write-to-BIOS access. While reading from BIOS doesnt require authorization.

Edit: Is there any way to implement this on your own? Like you secure your HHD with Bitlocker or verify a peer with public key cryptography.

Explanation / Answer

Intel has implemented a feature called BIOS guard that protects the BIOS from malicious updates in a manner very similar to the first bullet you mentioned. This feature is available starting from Haswell but I am not aware of which computer manufacturers are taking advantage of it yet.

taken from Intel specs for Haswell (4th gen core): Platform Flash Armoring Technology is an augmentation of existing chipset-based BIOS flash protection capabilities targeted to address the increasing malware threat to BIOS flash storage. It protects the BIOS flash from modification without platform manufacturer authorization, helps defend the platform against low-level DOS (denial of service) attacks, and restores BIOS to a known good state after an attack

Related Questions

Navigate

• Browse (All)
• Browse T
• Subjects

Integrity-first tutoring: explanations and feedback only — we do not complete graded work. Learn more.