Background
As the edge computing market continues to grow and evolve, there is an even greater need for high-performance processors with IoT-centric features, while at the same time, wireless devices also make managing security across multiple platforms more complicated. External threats are growing in complexity and precision, including firmware attacks, ransomware, identity theft, cyber espionage, and DDoS attacks.
Hardware-based security features would be able to solve some of these legacy security issues by providing a foundational layer of protection that can help detect and prevent cyber threats at the hardware and firmware layers. Delivering performance and security while meeting power and space constraints is key to taking full advantage of network edge usage models for benefits such as low latency and reduced costs for backhaul bandwidth.
Intel® BIOS Guard
Intel® BIOS Guard helps to ensure that malware stays out of the BIOS by blocking all software-based attempts to modify protected BIOS flash without the platform manufacturer’s authorization, in addition to helping defend the platform against low-level DOS (denial of service) attacks, and restores BIOS to a known good state after an attack. It provides a strong update mechanism for the Initial Boot Block (IBB) as well as the rest of BIOS, which Intel® Boot Guard then verifies.
Intel® Boot Guard
Intel® Boot Guard is a hardware-assisted authentication and protection to mitigate unauthorized BIOS boot block modifications. Intel® Boot Guard attempts to protect the system before Secure Boot starts, but authenticating the initial BIOS code and extending the hardware root of trust. The purpose of the Intel® Boot Guard process is to reduce the chance of malware exploiting the hardware or software components on the platform.
Intel® Boot Guard establishes a strong, hardware-based Static Root of Trust for Verification and measurement. Intel® Trusted Platform Module 2.0 (Intel® TPM) is a part of this measured boot. When performing a measured boot, Intel® Boot Guard can first execute measurement from the TPM locality, providing the attester with an un-spoofable measurement policy, helping to detect corruption of the BIOS image in a Flash update or during transfer.
Intel® Platform Trust Technology (Intel® PTT)
Intel® Platform Protection Technology is a platform functionality for credential storage and key management solution to meet Windows OS hardware requirements. PTT with BIOS Guard offers hardware-assisted authentication and protection against BIOS recovery attacks, and Boot Guard uses authenticated code module-based secure boot to verify that the BIOS is known and trusted. PTT is optimized for low power consumption and supports Trusted Computing Group 2.0 standard and FIPS 140-2 certifications.
Intel® Trusted Execution Technology (Intel® TXT)
Intel® Trusted Execution Technology provides hardware-based mechanisms to help protect against software-based attacks and protects the confidentiality and integrity of stored data.
Intel® TXT measures key components executed during the launch of system software called the Measured Launch Environment (MLE), and allows the OS to check the consistency in behaviors and launch time configurations against a verified benchmark sequence. The system can then quickly assess whether any attempts have been made to alter or tamper with the launch time environment.
Intel® TXT supports TPM 2.0 and Intel® PTT to enable attestation of the authenticity of the operating system.
Summary
Malicious attacks and threats on IT infrastructure continue to grow in volume, complexity, and sophistication. Malware can manipulate unsecured firmware and gain access to the operating system and critical data. Now more than ever, organizations and businesses need more protection to help secure critical data and preserve systems infrastructure.
Hardware-based security features below the operating system can help protect all layers in the computing stack and improve the security of the systems and devices. Using these hardware-assist technologies, with a minimum access policy, helps to harden the platform and reduce risk.
Lanner SASE appliances are protected with firmware/BIOS-based security features, offering integrated crypto acceleration, BIOS authentication, and IPMI remote management to enable WAN efficiency without compromising on security.
Related Whitepaper:
Lanner Network Appliances with Intel Xeon