Recommendations: The NSA recommends UEFI and Secure Boot

The USA's international intelligence service, the National Security Agency (NSA), is very concerned about the security of its own government's computers: in a recent report, it advocates using the Secure Boot protection function and gives tips on setting it up and operating it. Private users also benefit from this.

Secure Boot is part of the Unified Extensible Firmware Interface (UEFI), which forms the direct interface between the hardware and the operating system. Secure Boot runs before Windows starts and checks, for example, whether the boot loader is correctly signed. If an attacker has tampered with it, Secure Boot detects this. The mechanism can then refuse to start the system and thus prevent worse from happening.

If an attacker makes modifications at the UEFI level, this can have disastrous effects. For example, the computer could start a version of Windows prepared with malware (rootkit) without the victim noticing. In many cases, virus scanners are powerless because the code (bootkit) has already wreaked havoc before Windows, and thus the scanner, has started. A computer attacked in this way is considered thoroughly compromised.

To contain such attacks, the NSA has now published a 39-page report with tips on using Secure Boot. In addition to how it works, the authors explain how to configure Secure Boot optimally and give admins tips on activating the function despite possible incompatibilities with hardware or software. The authors also go into depth and explain, among other things, how to generate keys and certificates with OpenSSL for use in the Secure Boot context.

As a basic requirement, BIOS systems must be migrated to UEFI; otherwise Secure Boot is not even available. Once that is done, it should be ensured that the function is active on all computers in a company, otherwise loopholes remain. In addition, admins should protect UEFI access with secure passwords and regularly update the firmware. More tips can be found in the report.
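
One way to check the requirement above on Linux hosts, as an added example that is not taken from the NSA report or the original article: it reads the SecureBoot and SetupMode UEFI variables through efivarfs and classifies the machine. The state names and the helper make_fake_sysfs are hypothetical, and the variable files it writes are constructed sample data.

```python
import struct
import tempfile
from pathlib import Path

# GUID of the UEFI global variable namespace (EFI_GLOBAL_VARIABLE in the UEFI spec).
EFI_GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"


def read_efi_flag(efivars: Path, name: str):
    """Return a one-byte UEFI variable as an int, or None if it cannot be read."""
    try:
        raw = (efivars / f"{name}-{EFI_GLOBAL_GUID}").read_bytes()
    except OSError:
        return None
    # efivarfs layout: 4-byte little-endian attribute mask, then the variable data.
    if len(raw) != 5:
        return None
    _attrs, value = struct.unpack("<IB", raw)
    return value


def secure_boot_state(sysfs_root="/sys"):
    """Classify a Linux host: legacy-bios, unknown, setup-mode, disabled or enabled."""
    efi = Path(sysfs_root) / "firmware" / "efi"
    if not efi.is_dir():
        return "legacy-bios"  # booted without UEFI, so Secure Boot is unavailable
    secure_boot = read_efi_flag(efi / "efivars", "SecureBoot")
    setup_mode = read_efi_flag(efi / "efivars", "SetupMode")
    if secure_boot is None:
        return "unknown"  # efivarfs not mounted or variable missing
    if setup_mode == 1:
        return "setup-mode"  # no Platform Key enrolled, Secure Boot not enforced
    return "enabled" if secure_boot == 1 else "disabled"


def make_fake_sysfs(secure_boot=None, setup_mode=None, uefi=True):
    """Hypothetical helper: build a constructed sysfs tree so the check runs offline."""
    root = Path(tempfile.mkdtemp())
    if uefi:
        efivars = root / "firmware" / "efi" / "efivars"
        efivars.mkdir(parents=True)
        for name, value in (("SecureBoot", secure_boot), ("SetupMode", setup_mode)):
            if value is not None:
                # Attribute mask 0x6 = BOOTSERVICE_ACCESS | RUNTIME_ACCESS
                (efivars / f"{name}-{EFI_GLOBAL_GUID}").write_bytes(struct.pack("<IB", 6, value))
    return str(root)


if __name__ == "__main__":
    print(secure_boot_state())  # state of the machine this runs on
```

Collected from every machine, any result other than "enabled" marks a host that still needs migration or configuration.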

At the beginning of July 2020, the NSA had already given tips on how to work more securely from home.

