There are different types of BIOS out there, though in computing we mostly encounter either the conventional 16-bit BIOS or BIOS firmware based on the UEFI specifications. Despite their differences, both are often referred to simply as BIOS, though the distinction matters when it comes to security settings like Secure Boot, or mitigating vulnerabilities like BootHole.
There have been a few well-known BIOS vulnerabilities in recent years, including the BootHole vulnerability, which could allow for the injection of insecure code into the bootloader. Normally, with a Secure Boot system, there are two databases, Allow (db) and Disallow (dbx), with access secured by platform encryption keys.
The db and dbx databases are used to verify the signatures of executables called during the startup process, checked against central databases like the Microsoft 3rd party UEFI CA.
Because of the many components involved in the Secure Boot process, vulnerabilities can be found in the software, such as an attacker replacing the bootloader with a vulnerable version of the bootloader that is still signed by the CA. To keep systems secure, admins have to keep on top of the dbx database and ensure the latest secure versions are distributed to physical systems (this doesn’t really apply to VMs, though it would apply to the hardware they run on).
There were also vulnerabilities discovered last year in Intel processors, where input validation could be bypassed, or vulnerabilities in the flow control processes exploited. It can be challenging to mitigate these sorts of vulnerabilities right away since manufacturers don’t push out updates to BIOS as often as operating systems and applications.
NIST has a document (https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-147.pdf) covering the protection of the BIOS, which points out the following threats to the BIOS:
Supply-chain attack
User-initiated BIOS updates
Network-based system compromise
The document focuses on how those threats could lead to rolling a system BIOS back to a version with security vulnerabilities, possibly without the user even noticing.
NIST’s first recommendation for authenticated BIOS security is “the authenticated BIOS update mechanism employs digital signatures to ensure the authenticity of the BIOS update image. To update the BIOS using the authenticated BIOS update mechanism, there shall be a Root of Trust for Update (RTU) that contains a signature verification algorithm and a key store that includes the public key needed to verify the signature on the BIOS update image. The key store and the signature verification algorithm shall be stored in a protected fashion on the computer system and shall be modifiable only using an authenticated update mechanism or a secure local update mechanism.” Using a process that mirrors public key encryption can give organizations greater control over BIOS updates. NIST also provides recommendations for securing local updates to the BIOS and ensuring system integrity during and after the update process.
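A minimal sketch of the authenticated update flow quoted above, added here as an illustration and not taken from NIST or any vendor: the RTU holds only the public key, verifies an RSA signature (PKCS#1 v1.5 over SHA-256) on the update image, and then refuses an authentically signed but older image, which is the rollback case. The demo key built from two Mersenne primes, the 4-byte version header and all function and class names are assumptions made for the example.

```python
import hashlib
import hmac

# Constructed demo RSA key from two Mersenne primes: insecure, stdlib-only stand-in.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # vendor signing key; never present on the client
K = (N.bit_length() + 7) // 8      # modulus length in bytes
SHA256_INFO = bytes.fromhex("3031300d060960864801650304020105000420")

def _emsa(image: bytes) -> bytes:
    """EMSA-PKCS1-v1_5 encoding of SHA-256(image), K bytes long."""
    t = SHA256_INFO + hashlib.sha256(image).digest()
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t

def vendor_sign(image: bytes) -> bytes:
    """Vendor side (hypothetical): sign the update image with the private key."""
    return pow(int.from_bytes(_emsa(image), "big"), D, N).to_bytes(K, "big")

def make_image(version: int, payload: bytes) -> bytes:
    """Constructed format: 4-byte big-endian version, then the firmware payload."""
    return version.to_bytes(4, "big") + payload

class RootOfTrustForUpdate:
    """Key store (public key only), signature check, and installed version."""

    def __init__(self, n: int, e: int, installed_version: int):
        self.n, self.e, self.installed = n, e, installed_version

    def apply(self, image: bytes, signature: bytes) -> str:
        s = int.from_bytes(signature, "big")
        if len(signature) != K or s >= self.n:
            return "reject: malformed signature"
        # Recover the encoded digest with the public key and compare it to
        # the encoding recomputed from the image that was actually received.
        recovered = pow(s, self.e, self.n).to_bytes(K, "big")
        if not hmac.compare_digest(recovered, _emsa(image)):
            return "reject: bad signature"
        # Authentic is not enough: an older signed image is a rollback.
        version = int.from_bytes(image[:4], "big")
        if version < self.installed:
            return "reject: rollback"
        self.installed = version
        return "accept"
```

The version field sits inside the signed data, so it cannot be altered without invalidating the signature.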
Additionally, outside of using things like UEFI and Secure Boot, there are security products like Dell enterprise security suite and Intel Boot Guard, though many are geared towards the enterprise, not the individual home user.