NORCROSS, GEORGIA – AMI, a global leader in BIOS and UEFI firmware, BMC and server management firmware solutions, backplane control chips and much more, is pleased to announce support for storing BIOS passwords in TPM NVRAM via a new Aptio® V UEFI Firmware eModule.
System security is typically considered in terms of layers of security. Most end-users have a password or PIN to gain access into their operating system. This is considered the most basic form of system protection. However, this type of protection does not stop a malicious user from booting the system using another operating system loaded onto an external storage device such as a USB drive.
BIOS passwords offer a stronger layer of system protection; a BIOS password combined with a proper Boot Order setting offers superior protection because it raises the barrier against a malicious user booting the system from external storage devices. This does not, however, stop a bad actor from physically opening the system and resetting the BIOS to its default settings. If the BIOS password is disabled by default, then the system can be infiltrated.
As more individuals begin to experiment with defeating BIOS passwords, the traditional method of storing the BIOS password weakens. BIOS passwords are not stored in plain text; they are hashed and stored in system NVRAM. This method is easy for system manufacturers to implement and offers a good level of security because passwords are not saved in the clear. Yet anyone can read system NVRAM – and an attacker can easily employ a Dictionary Attack, which is simply attempting to guess the password until a match is found.
AMI raises the bar higher with a drastically different approach not traditionally seen when it comes to BIOS password integrity. AMI has invested two years in developing and testing the storage of the BIOS password in the NVRAM of the TPM. The TPM has an inherent characteristic that counters attempts to gain access to its NVRAM, so that a malicious user cannot search NVRAM for the BIOS password hash. Repeated attempts to read TPM NVRAM with the wrong password trigger a dictionary attack defense mechanism that intentionally and steadily slows down an attack.
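The dictionary attack defense described above can be sketched as a small model, showing how few wrong guesses are evaluated compared with a hash that can be read and tested freely. This is an added example, not AMI's or the TpmPassword eModule's code: `TpmNvModel`, `checked_guesses`, the sample values and the lockout parameters (5 failures allowed, one failure forgiven per 600 seconds) are assumptions.

```python
import hashlib
import hmac

class TpmNvModel:
    """Simplified, hypothetical model of a TPM NV area guarded by an auth
    value and a dictionary-attack (DA) lockout counter."""

    def __init__(self, secret, auth, max_tries=5, recovery_time=600):
        self._secret = secret                      # data kept in TPM NVRAM
        self._auth = hashlib.sha256(auth).digest()
        self.max_tries = max_tries                 # assumed failure limit
        self.recovery_time = recovery_time         # assumed seconds per forgiven failure
        self.failed_tries = 0
        self._last_heal = 0

    def _heal(self, now):
        # One recorded failure is forgiven for each recovery_time elapsed.
        healed = (now - self._last_heal) // self.recovery_time
        if healed:
            self.failed_tries = max(0, self.failed_tries - healed)
            self._last_heal += healed * self.recovery_time

    def nv_read(self, auth, now):
        self._heal(now)
        if self.failed_tries >= self.max_tries:
            return "LOCKOUT", None                 # guess is not even evaluated
        if hmac.compare_digest(hashlib.sha256(auth).digest(), self._auth):
            return "OK", self._secret
        self.failed_tries += 1
        return "AUTH_FAIL", None

def checked_guesses(tpm, window_s):
    """Count wrong guesses the model evaluates when one arrives every second."""
    checked = 0
    for t in range(window_s):
        status, _ = tpm.nv_read(b"wrong-guess-%d" % t, now=t)
        if status != "LOCKOUT":
            checked += 1
    return checked

if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    tpm = TpmNvModel(b"bios-password-record", b"correct horse")
    print(tpm.nv_read(b"correct horse", now=0)[0])
    print(checked_guesses(tpm, 3600), "of 3600 guesses evaluated in one hour")
    print(tpm.nv_read(b"correct horse", now=3599)[0])
```

In this model the legitimate password is also refused while the counter sits at its limit, which is the availability cost of rate-limiting guesses.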
As an added benefit of storing BIOS passwords in the TPM NVRAM, BIOS passwords are preserved even after a BIOS firmware flash and hardware reset are performed. A USB recovery key can be created during password creation and used to recover the system if the password is lost or forgotten.
AMI will begin offering this method of storing BIOS passwords immediately with the introduction of a new BIOS eModule called TpmPassword. Please contact your AMI sales representative for more information on the prerequisites and how to license it for Intel®, AMD and Arm®-based platforms.