Configure BIOS/UEFI Flashcards

1
Q

BIOS and UEFI

A

Firmware is specialized program code stored in flash memory.

PC or system firmware provides low-level code to allow PC components installed on a particular motherboard to be initialized so that they can load the main operating system software.

The system firmware for a PC was a type called the Basic Input/Output System (BIOS). Newer motherboards may use a different kind of firmware called Unified Extensible Firmware Interface (UEFI). UEFI provides support for 64-bit CPU operation at boot, a full GUI and mouse operation at boot, networking functionality at boot, and better boot security.

The key combination used will vary from system to system; typical examples are Esc, Del, F1, F2, F10, or F12.
You can Shift-click the Restart button from the Windows logon screen to access UEFI boot options.

2
Q

Boot and Device Options

A

One of the most important parameters in system setup is the boot options sequence or boot device priority. This defines the order in which the system firmware searches devices for a boot manager.

Typical choices include:
— Fixed disk (HDD or SSD)
— Optical drive (CD/DVD/Blu-ray)
— USB
— Network/PXE (Preboot Execution Environment) is a network-based technology that allows computers to boot from a network server instead of their local hard drives.

3
Q

USB Permissions

A

As well as boot device configuration, there will be options for enabling/disabling and configuring controllers and adapters provided on the motherboard. This provides a way of enforcing USB permissions. On many systems, allowing the connection of USB devices is a security risk.

4
Q

Fan Considerations

A

Most cooling fans can be controlled via system settings, typically under a menu such as Cooling, Power, or Advanced.
The setup program will also report the current temperature of the probes located near each fan connector.

5
Q

Boot Password

A

A boot password requires the user to authenticate before the operating system is loaded. There are usually at least two passwords, though some systems may allow for more:

— Supervisor/Administrator/Setup—Protect access to the system setup program.

— User/System—Lock access to the whole computer. This is a very secure way of protecting an entire PC as nothing can be done until the firmware has initialized the system.

6
Q

Secure Boot

A

Secure boot is a UEFI feature designed to prevent a computer from being hijacked by malware. Under secure boot, the computer firmware is configured with cryptographic keys that can identify trusted code.

The system firmware checks the operating system boot loader using the stored keys to ensure that it has been digitally signed by the OS vendor. This prevents a boot loader that has been modified by malware or an OS installed without authorization from being used.

Keys from vendors such as Microsoft (Windows and Windows Server) and Linux distributions (Fedora, openSUSE, and Ubuntu) will be pre-loaded.

7
Q

Encryption

A

Encryption makes data secure by scrambling it in such a way that it can only subsequently be read if the user has the correct decryption key.

Many cryptographic processes also make use of hashing. A secure hash is a unique code that could only have been generated from the input. Hashes can be used to compare two copies of data to verify that they are the same. Unlike encryption, the original data cannot be recovered from the hash code.

8
Q

Trusted Platform Module

A

Trusted platform module (TPM) is a specification for hardware-based storage of digital certificates, cryptographic keys, and hashed passwords. The TPM establishes a root of trust.

Each TPM microprocessor is hard coded with a unique, unchangeable key, referred to as the endorsement key. During the boot process, the TPM compares hashes of key system state data (system firmware, boot loader, and OS kernel) to ensure they have not been tampered with.

The TPM chip has a secure storage area that a disk encryption program such as Windows BitLocker can write its keys to.

9
Q

Hardware Security Module

A

It is also possible to use a removable USB thumb drive to store keys. This is useful if the computer does not support TPM, as a recovery mechanism in case the TPM is damaged, or if a disk needs to be moved to another computer.

A secure USB key or thumb drive used to store cryptographic material can be referred to as a hardware security module (HSM).

Secure means that the user must authenticate with a password, personal identification number (PIN), or fingerprint before being able to access the keys stored on the module.
