BIOS is the Basic Input/Output System.
This is the software used to start the computer; it is also sometimes referred to as the firmware. Once the firmware starts it runs a Power-On Self-Test (POST), which is a set of tests to check that the following are present and working:
- CPU
- Memory
- Video
- Input
It will then look for a boot loader.
Legacy BIOS
This is a standard form that has existed for over 25 years. It is text only and cannot be updated or modified.
UEFI BIOS
Unified Extensible Firmware Interface, based on Intel's EFI, is a modern, standardized BIOS that allows for updates and changes.
This means that many manufacturers can create their own BIOS.
It also allows for the installation of new drivers.
BIOS Settings
The BIOS configuration is usually accessed by pressing one of Del, F1, F2, Ctrl-S or Ctrl-Alt-S during startup.
On Windows we can access the BIOS using Hyper-V (Win 8, 10, 11).
Fast startup (Windows only)
With fast startup, shutting down puts the system into hibernation rather than performing a full shutdown. As a result, there is no boot-sequence access to the BIOS. To access it, hold down Shift when clicking Restart.
Alternatively, go to Settings / Update & Security / Recovery / Advanced Startup / Restart now, or use System Configuration (msconfig). The boot options screen can also be reached by interrupting normal boot three times.
Boot options
The BIOS can disable some hardware options, set what to boot first, etc.
USB Permissions
In a highly secure environment, we might want to use the BIOS to disable USB access.
Fans
BIOS configs can also manage different fans and their speeds. To be able to do this, however, the fans must be connected to the fan control pins on the motherboard.
Secure Boot
Because UEFI BIOS is extensible and upgradeable, we have to manage the security of the BIOS itself. One way to do this is via Secure Boot.
This uses digital signatures to allow only known-good software to run and blocks software that does not carry an appropriate signature. It is supported by both Windows and Linux.
For this to work the BIOS must already hold the manufacturer's public key.
It uses that key to verify the bootloader's signature before handing over control.
Note that not all OSes support Secure Boot.
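A quick way to confirm on a Windows host what the notes describe (firmware type, whether Secure Boot is enforcing, and whether a TPM is present); this is an added example, not part of the original notes, and assumes an elevated PowerShell session since the Secure Boot and TPM cmdlets require administrator rights:

```powershell
# Added example: report firmware mode, Secure Boot state and TPM presence on a Windows host.
# Run from an elevated PowerShell prompt.

# Windows sets $env:firmware_type to "UEFI" or "Legacy" (Windows 8 and later).
$firmwareType = $env:firmware_type
$bios = Get-CimInstance -ClassName Win32_BIOS
Write-Host "BIOS vendor/version : $($bios.Manufacturer) $($bios.SMBIOSBIOSVersion)"
Write-Host "Firmware type       : $firmwareType"

# Confirm-SecureBootUEFI returns $true or $false; on a legacy-BIOS machine it throws,
# so that case is caught and reported instead of aborting the script.
try {
    $secureBoot = Confirm-SecureBootUEFI
    Write-Host "Secure Boot enabled : $secureBoot"
} catch {
    Write-Host "Secure Boot enabled : not applicable (legacy BIOS or unsupported platform)"
}

# Get-Tpm reports whether a TPM is present and initialised for use by the OS.
try {
    $tpm = Get-Tpm
    Write-Host "TPM present         : $($tpm.TpmPresent)"
    Write-Host "TPM ready           : $($tpm.TpmReady)"
} catch {
    Write-Host "TPM status          : unavailable (TPM cmdlets missing or access denied)"
}
```

A host reporting "UEFI" with Secure Boot $true and TPM present/ready has the pieces the notes describe in place; "Legacy" means the Secure Boot section does not apply at all.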
Additionally, we can set up password authentication to manage who can start the operating system. This is the User Password. A Supervisor password can be set to disable changes to the BIOS itself.
Clearing a boot password
The CMOS (complementary metal-oxide semiconductor) was an older type of memory used to store BIOS settings (usually backed up by a battery).
These days the settings are stored in flash memory on the motherboard. To reset them, we short two pins on the motherboard using a jumper. The jumper is labelled CLRTC (Clear Real Time Clock); bridging those two pins clears the stored configuration.
On modern systems the CMOS battery is used mainly to maintain the date and time and has nothing to do with BIOS configuration.
TPM
A TPM is a cryptographic module with its own processor. It has persistent memory and can be used to maintain keys, etc.
It is password protected.
Hardware Security Module
These HSMs work like TPMs but are designed for server racks and the like rather than individual devices. They can be used as a key backup. Lightweight versions also exist, such as smart cards, USB tokens, flash memory, etc.
They can also function as cryptographic accelerators to offload work from the server CPU.