The United States National Security Agency (NSA) this week published guidance on how the Unified Extensible Firmware Interface (UEFI) Secure Boot feature can be customized to fit an organization’s needs.
A replacement for the legacy Basic Input Output System (BIOS), UEFI is used across multiple architectures and provides broader customization options, higher performance, improved security, and support for more devices.
Over the past couple of years, the number of attacks targeting the firmware for persistency on victim systems has increased, especially with antivirus software running on the operating system being unable to identify and block threats at the firmware level.
This is where Secure Boot comes into play, delivering a validation mechanism to mitigate early-boot vulnerabilities and the risk of firmware exploitation.
According to the NSA, however, incompatibility issues often result in Secure Boot being disabled, which the agency advises against. Furthermore, it strongly encourages customizing Secure Boot to meet the needs of the organization.
“Customization enables administrators to realize the benefits of boot malware defenses, insider threat mitigations, and data-at-rest protections. Administrators should opt to customize Secure Boot rather than disable it for compatibility reasons. Customization may – depending on implementation – require infrastructures to sign their own boot binaries and drivers,” the NSA says.
In a technical report published on Tuesday and titled “UEFI Secure Boot Customization,” the agency recommends that system admins and infrastructure owners migrate their machines to UEFI native mode, that they enable Secure Boot on all endpoints and also customize it, and that all firmware is properly secured and regularly updated.
Secure Boot, the NSA also notes, should be configured “to audit firmware modules, expansion devices, and bootable OS images (sometimes referred to as Thorough Mode),” and that a Trusted Platform Module (TPM) should be employed to ensure the integrity of both firmware and the Secure Boot configuration.
The NSA’s report includes technical information on what UEFI and Secure Boot are all about, while also delivering a broad range of details on how administrators can customize Secure Boot, including information on available advanced customization options that can be applied to meet several use cases.
Related: Microsoft Defender ATP Gets UEFI Scanner
Related: AMD Preparing Patches for UEFI SMM Vulnerability
Related: Companies Respond to ‘BootHole’ Vulnerability

More from Ionut Arghire
- Android’s June 2023 Security Update Patches Exploited Arm GPU Vulnerability
- US, Israel Provide Guidance on Securing Remote Access Software
- Blumira Raises $15 Million for SMB-Tailored XDR Platform
- KeePass Update Patches Vulnerability Exposing Master Password
- Google Workspace Gets Passkey Authentication
- Cybersecurity Startup Elba Raises €2.5 Million for Employee-Focused Product
- Apple Unveils Upcoming Privacy and Security Features
- Dozens of Malicious Extensions Found in Chrome Web Store
Latest News
- Barracuda Urges Customers to Replace Hacked Email Security Appliances
- Android’s June 2023 Security Update Patches Exploited Arm GPU Vulnerability
- BBC, British Airways, Novia Scotia Among First Big-Name Victims in Global Supply-Chain Hack
- Sysdig Introduces CNAPP With Realtime CDR
- Stay Focused on What’s Important
- VMware Plugs Critical Flaws in Network Monitoring Product
- Google Patches Third Chrome Zero-Day of 2023
- Hackers Issue ‘Ultimatum’ Over Payroll Data Breach
