Lock Logical Access

Logical access to sensitive system functions and storage should be restricted as far as possible. Hardware functionality that locks write access to relevant memory regions, such as SMRAM, should be used, and access via debug and peripheral interfaces such as SPI, I2C, or JTAG should be restricted.
Unnecessary boot options should be disabled and the boot order restricted.

Platform functionality (e.g. CSM, SMM_BWP, BLE, BIOSWE, SPI Memory Protection, DENY_EXECUTE_ON_SECURITY_VIOLATION/QUERY_USER_ON_SECURITY_VIOLATION) must be configured so that it does not allow unauthorized access. Vendor documentation for the hardware in use (such as the Intel handbooks) must be consulted to determine the available access restriction options.

The CHIPSEC tool provides functionality to test/verify various platform security mechanisms.
For hardware developers, the use of memory protection units should be evaluated.
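The flash and SMRAM lock bits named above (BIOSWE, BLE, SMM_BWP, the SPI protected ranges and the SMRAM D_LCK bit) are what a tool like CHIPSEC reads back to verify the platform. The following is an added example, not CHIPSEC's code and not part of the original text: it decodes constructed register values and applies the same kind of pass/fail reasoning. The bit positions (BIOS_CNTL bits 0/1/5, PRx bit 31 and the 13-bit base/limit fields, SMRAMC bits 3-6) are assumed from the Intel 6-series-and-later PCH and host-bridge layouts; the function names, the BIOS region bounds and all register values are constructed for the example. On real hardware the values would come from reading the registers (for example with CHIPSEC), and the vendor datasheet decides the layout.

```python
"""Decode Intel PCH write-protection registers and judge the lock state.

Added example (not CHIPSEC's own code). All register values below are
constructed; the bit layouts are assumptions taken from Intel PCH/host-bridge
documentation and must be checked against the datasheet of the hardware in use.
"""

# Assumed BIOS_CNTL (BC) register bits
BIOSWE = 1 << 0   # BIOS Write Enable: 1 = BIOS region of SPI flash is writable
BLE = 1 << 1      # BIOS Lock Enable: attempts to set BIOSWE raise an SMI
SMM_BWP = 1 << 5  # SMM BIOS Write Protect: writes accepted only while in SMM

# Assumed SMRAMC (host bridge) register bits
G_SMRAME = 1 << 3  # SMRAM enabled
D_LCK = 1 << 4     # lock: SMRAMC becomes read-only, D_OPEN forced to 0
D_OPEN = 1 << 6    # SMRAM open to non-SMM code (must not be set in production)


def decode_bios_cntl(value):
    """Return the three security-relevant BIOS_CNTL flags as booleans."""
    return {
        "BIOSWE": bool(value & BIOSWE),
        "BLE": bool(value & BLE),
        "SMM_BWP": bool(value & SMM_BWP),
    }


def decode_pr(value):
    """Assumed SPI PRx layout: bit 31 WPE, bits 28:16 limit, bits 12:0 base.

    Base and limit are 4 KiB page numbers; the limit page is inclusive."""
    wpe = bool((value >> 31) & 1)
    base = (value & 0x1FFF) << 12
    limit = (((value >> 16) & 0x1FFF) << 12) | 0xFFF
    return wpe, base, limit


def ranges_cover(pr_values, region_base, region_limit):
    """True if the write-protect-enabled PRx ranges cover the whole region."""
    spans = sorted((b, l) for wpe, b, l in map(decode_pr, pr_values) if wpe)
    cursor = region_base  # first byte not yet shown to be protected
    for base, limit in spans:
        if base > cursor:
            break  # gap in coverage before this range
        cursor = max(cursor, limit + 1)
        if cursor > region_limit:
            return True
    return cursor > region_limit


def bios_region_protected(bios_cntl, pr_values, region_base, region_limit):
    """Flash BIOS region counts as protected if writes are confined to SMM
    (BLE and SMM_BWP set, BIOSWE clear) or if PRx ranges cover it entirely.
    BLE alone only raises an SMI and is not sufficient."""
    f = decode_bios_cntl(bios_cntl)
    smm_only = f["BLE"] and f["SMM_BWP"] and not f["BIOSWE"]
    return smm_only or ranges_cover(pr_values, region_base, region_limit)


def smram_locked(smramc):
    """SMRAM is locked when D_LCK is set and D_OPEN is clear."""
    return bool(smramc & D_LCK) and not (smramc & D_OPEN)


def assess(bios_cntl, pr_values, region_base, region_limit, smramc):
    """Return (check name, passed) pairs for one platform configuration."""
    f = decode_bios_cntl(bios_cntl)
    return [
        ("BIOS_CNTL.BLE set", f["BLE"]),
        ("BIOS_CNTL.SMM_BWP set", f["SMM_BWP"]),
        ("BIOS_CNTL.BIOSWE clear", not f["BIOSWE"]),
        ("BIOS region write-protected (SMM-only or PRx)",
         bios_region_protected(bios_cntl, pr_values, region_base, region_limit)),
        ("SMRAMC locked (D_LCK set, D_OPEN clear)", smram_locked(smramc)),
    ]


if __name__ == "__main__":
    # Constructed values: BIOS region 0x400000-0x7FFFFF (pages 0x400-0x7FF)
    BIOS_BASE, BIOS_LIMIT = 0x400000, 0x7FFFFF
    weak = dict(bios_cntl=0x02, pr_values=[0x07FF0400], smramc=G_SMRAME | D_OPEN)
    hard = dict(bios_cntl=BLE | SMM_BWP, pr_values=[0x87FF0400],
                smramc=G_SMRAME | D_LCK)
    for label, regs in (("weak", weak), ("hardened", hard)):
        print(label)
        for name, ok in assess(regs["bios_cntl"], regs["pr_values"],
                               BIOS_BASE, BIOS_LIMIT, regs["smramc"]):
            print(f"  [{'PASS' if ok else 'FAIL'}] {name}")
```

The "weak" set has BLE set but not SMM_BWP, a PR0 whose WPE bit is clear, and SMRAM left open, so every check fails; the "hardened" set passes all of them. The SMRAM check is the one the first paragraph's SMRAM lock requirement is about; the others correspond to the BIOSWE/BLE/SMM_BWP and SPI Memory Protection items.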