BIOS/UEFI Flashcards
BIOS (Basic Input Output System):
A program stored in ROM that initializes hardware and manages data flow between the operating system (OS) and hardware.
Performs the Power-On Self-Test (POST) to check hardware functionality.
Stored settings are saved in CMOS (Complementary Metal Oxide Semiconductor).
Can be updated via a process called flashing.
UEFI (Unified Extensible Firmware Interface):
Modern replacement for traditional BIOS with enhanced features.
Supports graphical interfaces and mouse input.
Advantages over BIOS:
- 64-bit support.
-Larger storage support (up to 9.4 zettabytes).
- Faster boot times.
- Supports GPT (GUID Partition Table) for larger drives.
- Better diagnostic tools and functionality.
POST (Power-On Self-Test):
A diagnostic sequence verifying essential hardware like RAM, disk drives, and input/output devices.
Errors can halt the boot process and may produce beep codes indicating the issue.
Boot Process and Order:
BIOS/UEFI reads the configured boot order to locate an OS.
Boot devices include:
Hard disk drives (HDDs) and solid-state drives (SSDs).
Optical drives (CD/DVD/Blu-ray).
USB drives.
Network adapters (via PXE).
Flashing:
Process to update BIOS/UEFI firmware for security patches and feature enhancements.
BIOS and UEFI Security Features:
Passwords for BIOS/UEFI:
Secure Boot:
USB Port Restrictions:
Comparison of BIOS and UEFI:
Passwords for BIOS/UEFI:
Supervisor/Administrator/Setup Password: Protects access to BIOS/UEFI configuration settings. Common in corporate environments.
User/System Password: Locks access to the entire computer during boot. Typically used for personal computers.
Storage/Hard Drive Password: Secures access to specific drives. Less common due to TPM and HSM integration.
Secure Boot:
- Supported only by UEFI, not BIOS.
- Verifies the integrity of UEFI executables, OS loader, and boot-critical drivers during the boot process.
- Prevents loading of malicious code, such as rootkits.
Comparison of BIOS and UEFI:
BIOS: Legacy firmware, uses MBR for boot information.
UEFI: Modern firmware with advanced security features, supports GPT for larger drives.
Hardware Root of Trust (ROT):
- Foundation for secure computing operations.
- Embedded cryptographic module ensures boot settings and metrics are trusted.
- Includes keys for cryptographic functions to support a secure boot process.
Trusted Platform Module (TPM):
A hardware root of trust integrated into a system’s firmware.
Functions:
Ensures bootloader and OS kernel are not tampered with.
Stores encryption keys, digital certificates, password hashes.
Includes cryptographic capabilities:
- Random number generator.
- RSA key generator.
- SHA-1 hash generator.
- Encryption and decryption engine.
Used for full disk encryption (e.g., BitLocker).
Components:
- Endorsement Key (EK): Unique, hard-coded key.
- Storage Root Key (SRK): Secures stored data.
- Platform Configuration Registers (PCRs):Records system state.
- Attestation Identity Keys (AIKs): Used for trusted reporting.
Manageable via UEFI settings or OS tools (e.g., tpm.msc in Windows).
Hardware Security Module (HSM):
Appliance for securely generating and storing cryptographic keys.
Reduces risk of tampering and insider threats.
Form factors:
- Internal cards.
- Rack-mounted systems.
- IoT devices.
- USB-like devices with embedded keys.
Applications:
- Encryption/decryption of data.
- Secure access to storage devices.
Comparison of TPM and HSM:
TPM
- Purpose: Secure boot, disk encryption
- Integration: Embedded in firmware
- Form Factor: Chip on motherboard
- Key Management: Endorsement Key, SRK, A
HSM
- Purpose: Key generation and storage
- Integration: External or internal appliance
- Form Factor: Rack-mounted, USB-like, etc.
- Key Management: Encrypted storage keys
BIOS/UEFI Cooling Configuration:
The process of controlling and customizing fan behavior through the BIOS/UEFI interface.
BIOS Configuration
- Language Selection:
- System Summary:
- Setup Modes:
- Devices Configuration:
- Advanced Settings:
- Power Settings:
- Security Settings:
- Boot Options:
- Save or Reset Settings:
Language Selection:
Option to select the BIOS language (e.g., English, French).
System Summary:
Displays system details:
CPU type, speed, and cores.
Installed memory size and bus speed.
Enabled/disabled devices (e.g., SATA drives, optical drives).
Setup Modes:
Text Mode: Minimal visual interface.
Graphic Mode: For systems that support graphical BIOS.
Devices Configuration:
Manage audio, video, network, USB, SATA, and Thunderbolt settings.
USB-specific configurations:
Disable all USB ports for maximum security.
Disable USB mass storage devices while allowing peripherals like keyboards and mice.
Advanced Settings:
ACPI Settings:
Configure hibernation and sleep modes.
Adjust power button behavior (e.g., suspend to RAM).
CPU Configuration:
Enable/disable specific CPU cores.
Configure hyper-threading to improve performance.
Memory Configuration:
Support for ECC (Error-Correcting Code) memory.
Configure memory types (UDIMM vs. RDIMM).
Adjust memory channel modes (single, dual, triple, quad).
Power Settings:
Adjust fan speeds:
Quiet Mode: Lower fan speed, higher temperatures.
Cool Mode: Higher fan speed, lower temperatures.
Balanced Mode: Moderate fan speed and temperature control.
Security Settings:
Administrator Password: Restricts access to BIOS settings.
Power-On Password: Prevents unauthorized system boot.
Hard Disk Password: Secures specific drives.
Boot Options:
Configure boot mode (Legacy or UEFI).
Adjust boot device priority (e.g., USB drives, SATA devices, network boot).
Disable boot options to secure the system.
Save or Reset Settings:
- Use F10 to save changes and reboot.
- Use F9 to reset to factory defaults.
