You also get the same effect when you boot off of a USB key or a mounted ISO or VHD or any other way that your BIOS found and loaded (unmodified) boot code from media you control independently of the existing OS. The key piece of trust is the BIOS loading the code unmodified. After that, it is too late to change the signed code that checks its own signature.
Depending on the system, the BIOS may be stored in a way that is modifiable from software, or it may not. Ironically, high-end systems with enterprise features like upgradeable firmware and inelegant platform management are more susceptible to this kind of attack.
As far as I am aware, no malware bothers about attempting this, as it both requires intimate knowledge of the BIOS update mechanism and the underlying HW platform, and limits the scope of the attack to a specific line of HW - something that might be fine if you want to attack centrifuges used for dubious purposes in an unstable dictatorship, but a limiting factor for general purpose malware.
Sent from Surface Pro
From: Maxim S. Shatskih
Sent: Monday, October 20, 2014 5:53 PM
To: Windows System Software Devs Interest List
And I suppose the formatter and the entire software path that executes it
(BIOS, media loader etc) needs to reside on an unalterable certified medium
too. How often does that happen?
Windows setup CD is enough, it cannot be altered and everything is digitally signed on it.
–
Maxim S. Shatskih
Microsoft MVP on File System And Storage
xxxxx@storagecraft.com
http://www.storagecraft.com
NTDEV is sponsored by OSR
Visit the list at: http://www.osronline.com/showlists.cfm?list=ntdev