Yeah, TPM, for all the possible ill uses has a couple of nice benefits
and that's one. I haven't looked closely at encrypted BIOS in a while.
Restricting bios updates via a bios setting that's not accessible to
the OS is the easiest fix. Want to update your bios? Reboot, go into
bios, disable protection, reboot again. Similar to the old bootsector
protection some BIOS used to have built into them to defend against
The hypervisor rootkits are another bit of fun for the recent intel and
amd chipsets that do hw virtualization. The trick there is basically
just make sure you either disable virt or enable it and install your own
hypervisor right away since only one can exist at a time.
Jordan Wiens, CISSP
UF Network Security Engineer
> It's too bad I am not in Gainesville anymore. It seems like there are
> some good activities going on. Anyway, since we have such renowned
> security expert(s) ;-) on the list I would like to pose a question.
> There has been much talk of lower level rootkits like the Blue Pill that
> subvert the kernel using virtualization and ones that hide in the
> motherboard BIOS or peripheral BIOS. How can one be sure that nothing
> sneaks in the boot phase before control is handed to the OS? I have
> read about secure booting that uses a mostly encrypted, custom BIOS to
> compare hashes of the peripheral firmware and HDD boot sectors (e.g.,
> http://www.cs.umd.edu/~waa/pubs/oakland97.pdf). I am thinking a TPM
> would also be a viable solution?
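The quoted question asks how a secure-boot scheme can check that firmware and boot sectors have not been altered before the OS takes over, and whether a TPM fits. The following is an added illustration, not code from either poster, of the measured-boot idea a TPM supports: each boot component is hashed and folded into a Platform Configuration Register with the extend operation (PCR_new = H(PCR_old || digest)), and a verifier later compares the final PCR, or replays the measurement log, against a known-good value. The component names and image bytes are constructed samples, and SHA-256 with a 32-byte register is an assumption for illustration (TPM 1.2 used SHA-1 with 20-byte PCRs; TPM 2.0 also offers SHA-256 banks).

```python
import hashlib

PCR_INIT = b"\x00" * 32  # PCRs start at zero after reset

# Constructed sample "images" standing in for the components measured during boot.
GOLDEN_COMPONENTS = [
    ("bios", b"BIOS image v1.0 (constructed sample)"),
    ("option_rom_nic", b"NIC option ROM (constructed sample)"),
    ("mbr", b"MBR boot sector (constructed sample)"),
    ("bootloader", b"bootloader stage 2 (constructed sample)"),
]


def measure(image: bytes) -> bytes:
    """Hash one component before control passes to it."""
    return hashlib.sha256(image).digest()


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM-style extend: the register can only be folded forward, never set."""
    return hashlib.sha256(pcr + digest).digest()


def measured_boot(components):
    """Measure each component in boot order; return the final PCR and the event log."""
    pcr = PCR_INIT
    log = []
    for name, image in components:
        digest = measure(image)
        log.append((name, digest.hex()))
        pcr = extend(pcr, digest)
    return pcr, log


def verify_log(log, reported_pcr: bytes) -> bool:
    """Replay an event log and check it reproduces the PCR the platform reports.

    A log that has been edited after the fact will not replay to the same value,
    because the PCR itself lives in the TPM and is not writable by the OS."""
    pcr = PCR_INIT
    for _, digest_hex in log:
        pcr = extend(pcr, bytes.fromhex(digest_hex))
    return pcr == reported_pcr


def attest(components, golden):
    """Compare a boot against a golden (pcr, log) pair.

    Returns (True, None) on a match, otherwise (False, name) naming the first
    component whose measurement diverged, which is the practical diagnostic
    a verifier wants: a changed boot sector shows up as the "mbr" entry."""
    golden_pcr, golden_log = golden
    pcr, log = measured_boot(components)
    if pcr == golden_pcr:
        return True, None
    for (name, digest), (_, golden_digest) in zip(log, golden_log):
        if digest != golden_digest:
            return False, name
    return False, "component count differs"


def tampered_components():
    """Constructed scenario: same firmware, but the boot sector was rewritten."""
    return [
        (name, b"MBR boot sector (modified)" if name == "mbr" else image)
        for name, image in GOLDEN_COMPONENTS
    ]


if __name__ == "__main__":
    golden = measured_boot(GOLDEN_COMPONENTS)
    print("clean boot:   ", attest(GOLDEN_COMPONENTS, golden))
    print("tampered boot:", attest(tampered_components(), golden))
    print("log replays:  ", verify_log(golden[1], golden[0]))
```

Two properties of the extend operation carry the security argument: the register depends on the order of measurements as well as their content, so reordering components also changes the PCR, and nothing running after boot can rewind it. The scheme still rests on the first code that takes a measurement being trustworthy, which is why the reply's point about locking BIOS updates behind a setting the OS cannot reach matters: if the root of trust itself can be rewritten, it can simply report golden values.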