1. UEFI/BIOS
    1. Basic Input/Output System (BIOS)
      1. A lightweight OS located on the hardware (firmware) that loads the full OS.
      2. BIOS is the first thing to load when the computer powers on.
    2. Unified Extensible Firmware Interface (UEFI)
      1. Because of the lack of security controls available for BIOS, computer manufacturers have replaced BIOS with UEFI, which provides a more flexible framework for booting an OS, with more capabilities than were offered by BIOS.
      2. UEFI Features:
        1. Secure Boot
          1. Ensures that the OS being loaded by UEFI is from a trusted manufacturer, and has not been modified by an attacker.
          2. Secure Boot Operation:
            1. Secure Boot works by giving UEFI access to a public key belonging to the OS vendor.
            2. UEFI reads the first piece of the OS (called the boot loader) from disk.
            3. UEFI computes a hash of the boot loader it read from disk.
            4. UEFI "decrypts" (verifies) the boot loader's digital signature with the vendor's public key, recovering the hash value the vendor signed.
            5. UEFI compares the hash it computed from the boot loader with the hash value recovered from the digital signature.
            6. If the two hash values match, the boot loader is authentic and the boot process continues in a secure manner.
            7. If they don't match, the user sees an error message.
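The Secure Boot operation above, as an added worked example (not code from the page or from any UEFI implementation): a constructed RSA vendor key signs a constructed boot loader image, and the firmware-side function hashes the image, recovers the signed hash with the vendor's public key, and compares the two. The raw-exponentiation helper illustrates the "decrypt and compare" step only; rsa.VerifyPKCS1v15 is the check to rely on.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"math/big"
)

// signBootLoader is the vendor side: hash the image, sign the hash with the
// vendor's private key (done once, at build time; the key here is constructed).
func signBootLoader(priv *rsa.PrivateKey, image []byte) ([]byte, error) {
	digest := sha256.Sum256(image)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// recoveredHashMatches mirrors the "decrypt the signature, compare hashes"
// step literally: apply the public key (s^e mod n) and look for the computed
// hash at the end of the recovered PKCS#1 v1.5 block. Illustration only: it
// does not check the padding bytes, which a real verifier must do.
func recoveredHashMatches(pub *rsa.PublicKey, digest, signature []byte) bool {
	s := new(big.Int).SetBytes(signature)
	m := new(big.Int).Exp(s, big.NewInt(int64(pub.E)), pub.N)
	return bytes.HasSuffix(m.Bytes(), digest)
}

// verifyBootLoader is the firmware side: the image read from disk is accepted
// only if its signature verifies under the vendor's public key.
func verifyBootLoader(pub *rsa.PublicKey, image, signature []byte) error {
	digest := sha256.Sum256(image) // hash of the boot loader as read from disk
	if !recoveredHashMatches(pub, digest[:], signature) {
		return fmt.Errorf("hash mismatch: boot loader is not authentic")
	}
	// The full check, padding included, that production code relies on.
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], signature); err != nil {
		return fmt.Errorf("signature invalid: refusing to boot")
	}
	return nil // authentic: boot continues
}

func main() {
	vendorKey, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed vendor key
	image := []byte("constructed boot loader image v1")
	sig, _ := signBootLoader(vendorKey, image)
	fmt.Println("genuine image:", verifyBootLoader(&vendorKey.PublicKey, image, sig))
	tampered := append(append([]byte{}, image...), "+unauthorized patch"...)
	fmt.Println("tampered image:", verifyBootLoader(&vendorKey.PublicKey, tampered, sig))
}
```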
        2. Remote Attestation
          1. With remote attestation in place, after a system completes the Secure Boot process, it sends a report to a remote server.
          2. This report confirms (attests) or denies that the two compared hash values matched.
        3. Hardware Root of Trust
          1. The Root of Trust stores the keys used to validate the UEFI firmware and hardware, and verifies that the UEFI is intact and unaltered before the boot process begins.
          2. Hardware Security Module (HSM)
            1. Hardware used to perform encryption and decryption operations and safely store encryption keys.
          3. Trusted Platform Module (TPM)
            1. A unique type of HSM integrated into the motherboard of a computer, used to generate and store authentication keys and to perform encryption and decryption operations.
            2. TPMs allow the use of full disk encryption (FDE) with minimal impact on overall system performance.
            3. TPMs prevent unauthorized access to encryption keys. Because the chip is built into the computer, it can only be accessed from the device on which the keys were generated. Even if the chip is somehow removed, it will not recognize other hardware as legitimate.
    3. Supply Chain
      1. The security goal of these devices is to combine elements from different parts of the supply chain:
        1. Hardware
        2. OS
        3. Software
      2. Their security is ensured by combining:
        1. UEFI
        2. Secure Boot
        3. TPM
        4. Hardware Root of Trust
  2. FDE/SED
    1. Full Disk Encryption (FDE)
      1. Encryption is applied to an entire disk.
      2. Authentication is required to decrypt the contents of the disk.
      3. Encryption may be hardware-based or software-based.
      4. Self-Encrypting Drive (SED)
        1. A type of hardware-based FDE.
        2. Software-based encryption is computationally expensive, so the preferred method of full-disk encryption is hardware-based FDE.
  3. EMI/EMP
    1. Electromagnetic Interference (EMI)
      1. EMI is a greater concern for systems that operate in the military/defense sector.
      2. EMI can disrupt normal device operation or cause components to fail.
      3. EMI may be given off intentionally or result from other nearby electromagnetic devices.
      4. Copper shielding may be used to minimize EMI.
    2. Electromagnetic Pulse (EMP)
      1. An extreme case of EMI.
      2. EMPs are associated with military attacks:
        1. EMPs are generated by nuclear weapons.
        2. EMPs may be created intentionally by an adversary seeking to disrupt electronic systems.