Firmware security
Want to keep your solution secure?
Eltan has been the expert in firmware and security for PC and communication technology since 1998.
Check out some of the protection mechanisms we can offer for your product below!
We’ll help you find the perfect security solution for your needs!
Full boot protection
Chain of Trust + Root of Trust
A Chain of Trust is established by validating each component of hardware and software.
The Hardware Root of Trust (HRoT) is derived from secure hardware components like the TPM.
The Software Root of Trust (SRoT) is derived from cryptography measuring and validating software components.
Flash memory protection
Intel® Boot Guard, AMD Platform Secure Boot
Verifies the initial boot block read from flash to kick off the Chain of Trust into the BIOS. Propagates the Chain of Trust from the trusted firmware to the BIOS read from flash.
RPMC / eRPMC (replay protected monotonic counter) support
Uses an HMAC key to protect against flash swapping. The authenticated increment and read-counter operations are used to detect external access to the flash device.
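The following is an added illustration (not Eltan's code and not the JEDEC RPMC command set) of why an HMAC-keyed monotonic counter detects a swapped flash chip and a counter that moved outside the firmware's control. The device holds a non-readable HMAC key and a counter that only moves forward by one per authenticated increment; the host (the firmware) keeps its own record of the last value it wrote. The key, the message layouts and the class names are constructed for this example.

```python
import hashlib
import hmac
import os


def _mac(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over the concatenated parts (simplified stand-in for the RPMC MAC)."""
    m = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        m.update(p)
    return m.digest()


class RpmcFlash:
    """Constructed model of a flash device with one replay-protected counter.
    The HMAC key is provisioned once and never readable; the counter can only
    advance by one per correctly authenticated increment."""

    def __init__(self, hmac_key: bytes):
        self._key = hmac_key
        self._counter = 0

    def increment(self, new_value: int, tag: bytes) -> bool:
        expected = _mac(self._key, b"INC", new_value.to_bytes(4, "big"))
        if not hmac.compare_digest(expected, tag):
            return False  # request not signed with the device's key: rejected
        if new_value != self._counter + 1:
            return False  # replayed or skipped value: rejected
        self._counter = new_value
        return True

    def read(self, nonce: bytes):
        """Return the counter and a MAC binding it to the caller's fresh nonce."""
        tag = _mac(self._key, b"READ", nonce, self._counter.to_bytes(4, "big"))
        return self._counter, tag


class Host:
    """The firmware side: shares the key and records the counter value it last
    wrote (assumed to live in the protected firmware state)."""

    def __init__(self, hmac_key: bytes):
        self._key = hmac_key
        self.expected = 0

    def bump(self, flash: RpmcFlash) -> bool:
        """Advance the counter, e.g. on every firmware update or boot."""
        new = self.expected + 1
        tag = _mac(self._key, b"INC", new.to_bytes(4, "big"))
        if flash.increment(new, tag):
            self.expected = new
            return True
        return False

    def check(self, flash: RpmcFlash) -> str:
        """At boot: prove the flash is the one we provisioned (it knows the key)
        and that the counter matches the state recorded by this firmware."""
        nonce = os.urandom(16)
        value, tag = flash.read(nonce)
        good = _mac(self._key, b"READ", nonce, value.to_bytes(4, "big"))
        if not hmac.compare_digest(good, tag):
            return "swapped"  # device cannot produce a valid MAC: not our chip
        if value != self.expected:
            return "counter-mismatch"  # counter moved relative to our recorded state
        return "ok"


if __name__ == "__main__":
    key = bytes(range(32))  # constructed provisioning key
    flash, host = RpmcFlash(key), Host(key)
    print(host.check(flash))          # ok
    host.bump(flash)
    print(host.check(RpmcFlash(b"\x00" * 32)))  # swapped
    print(Host(key).check(flash))     # counter-mismatch (stale firmware state)
```

The "counter-mismatch" path is what catches a flash image that was restored or written from outside the firmware: the device counter no longer agrees with the value the firmware recorded, even though the chip itself is genuine. The "swapped" path catches a cloned or replaced chip, which cannot answer a fresh nonce without the provisioned key.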
Flash encryption
Defend against physical and unauthorized reading of flash to keep internals secure.
BIOS protection
Measured Boot
Measure software components before execution to allow detection of changed software components. The results are stored in a trusted secure device like the TPM.
Verified Boot
Verify software components before execution. If tampering is detected, prevent booting or warn, to minimize the impact on the system and local data. Ensures only trusted code is executed.
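To make the Chain of Trust, Measured Boot and Verified Boot mechanisms above concrete, here is an added example (not Eltan's or Phoenix's code) that walks a constructed set of boot stages: each component is measured into a simulated SHA-256 PCR using the TPM extend rule, then verified against a trusted manifest of digests before it is allowed to "execute". The component images, the manifest and the halt/warn policy names are assumptions made for this example; on a real platform the manifest would be signed and the PCR would live in the TPM.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed stand-ins for the firmware images that would sit in flash.
COMPONENTS = [
    ("initial_boot_block", b"IBB v1.0 constructed sample"),
    ("bios_main", b"BIOS main stage constructed sample"),
    ("payload", b"payload/bootloader constructed sample"),
]

# Trusted manifest consulted by Verified Boot. Assumption: it is protected
# (signed and anchored in the hardware root of trust); here it is simply
# derived from the known-good images above.
GOLDEN = {name: hashlib.sha256(data).hexdigest() for name, data in COMPONENTS}

PCR_LEN = 32  # SHA-256 PCR bank


@dataclass
class BootState:
    pcr: bytes = b"\x00" * PCR_LEN          # PCRs are all-zero at reset
    event_log: list = field(default_factory=list)
    executed: list = field(default_factory=list)
    halted_at: str = ""                     # name of the stage that stopped boot


def measure(state: BootState, name: str, data: bytes) -> bytes:
    """Measured Boot: log the component digest and extend the PCR.
    TPM extend rule: PCR_new = SHA256(PCR_old || SHA256(component))."""
    digest = hashlib.sha256(data).digest()
    state.event_log.append((name, digest.hex()))
    state.pcr = hashlib.sha256(state.pcr + digest).digest()
    return digest


def verify(name: str, data: bytes) -> bool:
    """Verified Boot: compare the component digest with the trusted manifest."""
    return hashlib.sha256(data).hexdigest() == GOLDEN.get(name)


def boot(components, policy: str = "halt") -> BootState:
    """Walk the Chain of Trust: every stage is measured, then verified, then
    executed. policy='halt' stops on tampering; policy='warn' records it and
    continues, relying on the PCR value to expose the change later."""
    state = BootState()
    for name, data in components:
        measure(state, name, data)
        if not verify(name, data):
            if policy == "halt":
                state.halted_at = name
                break
            state.event_log.append((name, "WARN: digest mismatch"))
        state.executed.append(name)
    return state


def expected_pcr(components=COMPONENTS) -> bytes:
    """Replay the extend chain over the known-good images: the reference value
    an attestation check compares the reported PCR against."""
    pcr = b"\x00" * PCR_LEN
    for _, data in components:
        pcr = hashlib.sha256(pcr + hashlib.sha256(data).digest()).digest()
    return pcr


if __name__ == "__main__":
    tampered = list(COMPONENTS)
    tampered[1] = ("bios_main", b"BIOS main stage constructed sample (modified)")
    for label, comps in (("clean", COMPONENTS), ("tampered", tampered)):
        st = boot(comps)
        print(label, "executed:", st.executed, "halted_at:", st.halted_at or "-",
              "pcr matches:", st.pcr == expected_pcr())
```

Two points the walkthrough shows: with the halt policy the tampered stage never executes, so nothing after it runs; with the warn policy everything executes, but the PCR still differs from the reference, so the change remains detectable through the measured values even though boot was not stopped.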
Firmware Redundancy
Allow fallback options and redundancy for the firmware components. Protects against failures during a BIOS upgrade.
UEFI Secure Boot
Only allow cryptographically signed bootloaders to load the operating system. Propagates Chain of Trust from BIOS payload to operating system.
Phoenix SecureCore™
Secure the platform boot from flash to operating system using Phoenix Technologies® features.
RAM protection
Intel® Hardware Shield and Total Memory Encryption
Intel® TME is effective against hardware or physical attacks on system memory, such as a cold boot attack.
Memory clear
Clear BIOS from memory before handing off control to the payload or operating system. Prevents leaking sensitive system information.