Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Endpoint Security

NSA Publishes Guidance on UEFI Secure Boot Customization

The United States National Security Agency (NSA) this week published guidance on how the Unified Extensible Firmware Interface (UEFI) Secure Boot feature can be customized to fit an organization’s needs.

The United States National Security Agency (NSA) this week published guidance on how the Unified Extensible Firmware Interface (UEFI) Secure Boot feature can be customized to fit an organization’s needs.

A replacement for the legacy Basic Input Output System (BIOS), UEFI is used across multiple architectures and provides broader customization options, higher performance, improved security, and support for more devices.

Over the past couple of years, the number of attacks targeting the firmware for persistency on victim systems has increased, especially with antivirus software running on the operating system being unable to identify and block threats at the firmware level.

This is where Secure Boot comes into play, delivering a validation mechanism to mitigate early-boot vulnerabilities and the risk of firmware exploitation.

According to the NSA, however, incompatibility issues often result in Secure Boot being disabled, which the agency advises against. Furthermore, it strongly encourages customizing Secure Boot to meet the needs of the organization.

“Customization enables administrators to realize the benefits of boot malware defenses, insider threat mitigations, and data-at-rest protections. Administrators should opt to customize Secure Boot rather than disable it for compatibility reasons. Customization may – depending on implementation – require infrastructures to sign their own boot binaries and drivers,” the NSA says.

In a technical report published on Tuesday and titled “UEFI Secure Boot Customization,” the agency recommends that system admins and infrastructure owners migrate their machines to UEFI native mode, that they enable Secure Boot on all endpoints and also customize it, and that all firmware is properly secured and regularly updated.

Secure Boot, the NSA also notes, should be configured “to audit firmware modules, expansion devices, and bootable OS images (sometimes referred to as Thorough Mode),” and that a Trusted Platform Module (TPM) should be employed to ensure the integrity of both firmware and the Secure Boot configuration.

The NSA’s report includes technical information on what UEFI and Secure Boot are all about, while also delivering a broad range of details on how administrators can customize Secure Boot, including information on available advanced customization options that can be applied to meet several use cases.

Related: Microsoft Defender ATP Gets UEFI Scanner

Related: AMD Preparing Patches for UEFI SMM Vulnerability

Related: Companies Respond to ‘BootHole’ Vulnerability

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

Management & Strategy

Microsoft making a multiyear, multibillion dollar investment in the artificial intelligence startup OpenAI, maker of ChatGPT and other tools.

Risk Management

A threat-based approach to security often focuses on a checklist to meet industry requirements but overlooked the key component of security: reducing risk.

Management & Strategy

Tens of cybersecurity companies have announced cutting staff over the past year, in some cases significant portions of their global workforce.

Risk Management

CISA has published a report detailing the cybersecurity risks to the K-12 education system and recommendations on how to secure it.

Funding/M&A

Twenty-one cybersecurity-related M&A deals were announced in December 2022.