NSA Publishes Guidance on UEFI Secure Boot Customization

The United States National Security Agency (NSA) this week published guidance on how the Unified Extensible Firmware Interface (UEFI) Secure Boot feature can be customized to fit an organization’s needs.

A replacement for the legacy Basic Input Output System (BIOS), UEFI is used across multiple architectures and provides broader customization options, higher performance, improved security, and support for more devices.

Over the past couple of years, the number of attacks targeting the firmware for persistency on victim systems has increased, especially with antivirus software running on the operating system being unable to identify and block threats at the firmware level.

This is where Secure Boot comes into play, delivering a validation mechanism to mitigate early-boot vulnerabilities and the risk of firmware exploitation.

According to the NSA, however, incompatibility issues often result in Secure Boot being disabled, which the agency advises against. Furthermore, it strongly encourages customizing Secure Boot to meet the needs of the organization.

“Customization enables administrators to realize the benefits of boot malware defenses, insider threat mitigations, and data-at-rest protections. Administrators should opt to customize Secure Boot rather than disable it for compatibility reasons. Customization may – depending on implementation – require infrastructures to sign their own boot binaries and drivers,” the NSA says.

In a technical report published on Tuesday and titled “UEFI Secure Boot Customization,” the agency recommends that system admins and infrastructure owners migrate their machines to UEFI native mode, that they enable Secure Boot on all endpoints and also customize it, and that all firmware is properly secured and regularly updated.

Secure Boot, the NSA also notes, should be configured “to audit firmware modules, expansion devices, and bootable OS images (sometimes referred to as Thorough Mode),” and that a Trusted Platform Module (TPM) should be employed to ensure the integrity of both firmware and the Secure Boot configuration.

The NSA’s report includes technical information on what UEFI and Secure Boot are all about, while also delivering a broad range of details on how administrators can customize Secure Boot, including information on available advanced customization options that can be applied to meet several use cases.

Related: Microsoft Defender ATP Gets UEFI Scanner

Related: AMD Preparing Patches for UEFI SMM Vulnerability

Related: Companies Respond to ‘BootHole’ Vulnerability