AMI Announces Support for Storage of BIOS Passwords in TPM NVRAM with New Aptio V UEFI Firmware eModule

Jun 3, 2019 | AMI in the News

NORCROSS, GEORGIA: AMI, a global leader in BIOS and UEFI firmware, BMC and server management firmware solutions, backplane control chips and much more, is pleased to announce support for storing BIOS passwords in the TPM NVRAM via a new Aptio® V UEFI Firmware eModule.

System security is typically considered in terms of layers of security. Most end-users have a password or PIN to gain access into their operating system. This is considered the most basic form of system protection. However, this type of protection does not stop a malicious user from booting the system using another operating system loaded onto an external storage device such as a USB drive.

BIOS passwords offer a stronger layer of system protection. A BIOS password combined with a proper Boot Order setting offers superior protection because it raises the barrier against a malicious user booting the system from external storage devices. This does not, however, stop a bad actor from physically opening the system and resetting the BIOS to its default settings. If the BIOS password is disabled by default, then the system can be infiltrated.

As more individuals begin to experiment with defeating BIOS passwords, the traditional method of storing the BIOS password weakens. BIOS passwords are not stored in plain text; they are hashed and stored in system NVRAM. This method is easy for system manufacturers to implement and offers a good level of security because passwords are not saved in the clear. Yet anyone can read system NVRAM, and an attacker can easily employ a dictionary attack, which is simply attempting to guess the password until a match is found.

AMI raises the bar higher with a drastically different approach not traditionally seen when it comes to BIOS password integrity. AMI has invested two years in developing and testing the storage of the BIOS password in the NVRAM of the TPM. The TPM has an inherent characteristic that counters attempts to gain access to its NVRAM, so that a malicious user cannot search NVRAM for the BIOS password hash. Continuous reading of TPM NVRAM with the wrong password will trigger a dictionary attack defense mechanism that will intentionally and steadily slow down an attack.
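The difference between the two storage methods described above can be put in numbers with a small model, added here as an illustration (it is not AMI's code and not part of the original announcement). It compares guessing against a hash read from system NVRAM with guessing through a failure counter in the style of TPM 2.0 dictionary-attack protection. The class and function names, the counter limits, the guess rate and the list size are all constructed assumptions.

```python
# Added illustration: a simplified model of TPM 2.0-style dictionary-attack (DA)
# protection. All parameter values are constructed, not AMI's settings.
from dataclasses import dataclass

@dataclass
class DaProtectedSecret:
    max_tries: int        # failures tolerated before lockout (assumed)
    recovery_time: int    # seconds for the counter to drop by one (assumed)
    failed_tries: int = 0
    last_update: int = 0  # time (s) the counter last changed

    def _heal(self, now: int) -> None:
        # One failure is forgiven per full recovery_time interval elapsed.
        healed = (now - self.last_update) // self.recovery_time
        if healed > 0:
            self.failed_tries = max(0, self.failed_tries - healed)
            self.last_update += healed * self.recovery_time

    def try_auth(self, now: int, correct: bool) -> str:
        self._heal(now)
        if self.failed_tries >= self.max_tries:
            return "lockout"   # refused before the guess is even evaluated
        if correct:
            return "ok"
        self.failed_tries += 1
        self.last_update = now
        return "fail"

def throttled_seconds(guesses: int, max_tries: int, recovery_time: int) -> int:
    """Seconds needed for `guesses` wrong attempts, made as fast as allowed."""
    secret = DaProtectedSecret(max_tries, recovery_time)
    now = 0
    for _ in range(guesses):
        while secret.try_auth(now, correct=False) == "lockout":
            now = secret.last_update + recovery_time  # wait for one decrement
    return now

def offline_seconds(guesses: int, hashes_per_second: int) -> float:
    """Seconds to test the same guesses against a hash copied out of NVRAM."""
    return guesses / hashes_per_second

if __name__ == "__main__":
    n = 100_000  # constructed candidate-list size
    print("offline  :", offline_seconds(n, 1_000_000), "s")
    print("throttled:", throttled_seconds(n, 10, 600) / 86_400, "days")
```

The model also shows the availability cost of this defense: while the counter is at its limit, the correct password is refused as well.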

As an added benefit of storing BIOS passwords in the TPM NVRAM, BIOS passwords are preserved even after a BIOS firmware flash and hardware reset are performed. A USB recovery key can be created during password creation and used to recover the system if the password is lost or forgotten.

AMI will begin offering this method of storing BIOS passwords immediately with the introduction of a new BIOS eModule called TpmPassword. Please contact your AMI sales representative for more information on the prerequisites and how to license it for Intel®, AMD and Arm®-based platforms.

All trademarks and registered trademarks are the property of their respective owners.

About AMI

AMI is Firmware Reimagined for modern computing. As a global leader in Dynamic Firmware for security, orchestration and manageability solutions, AMI enables the world’s compute platforms from on-premises to the cloud to the edge. AMI’s industry-leading foundational technology and unwavering customer support have generated lasting partnerships and spurred innovation for some of the most prominent brands in the high-tech industry. AMI is also a critical provider to the Open Compute ecosystem and is a member of numerous industry associations and standards groups, such as the Unified EFI Forum (UEFI), PICMG, National Institute of Standards and Technology (NIST), National Cybersecurity Excellence Partnership (NCEP), and the Trusted Computing Group (TCG).
