
Re: None

Monday, 06/03/2019 10:12:36 PM


Post# of 249143
American Megatrends Announces Support for Storage of BIOS Passwords in TPM NVRAM with New Aptio V UEFI Firmware eModule

https://ami.com/en/news/press-releases/american-megatrends-announces-support-for-storage-of-bios-passwords-in-tpm-nvram-with-new-aptio-v-uefi-firmware-emodule/

NORCROSS, GEORGIA: - American Megatrends International LLC (AMI), a global leader in BIOS and UEFI firmware, BMC and server management firmware solutions, backplane control chips and much more, is pleased to announce support for BIOS passwords to be stored in the TPM NVRAM via new Aptio® V UEFI Firmware eModule.

System security is typically considered in terms of layers of security. Most end-users have a password or PIN to gain access into their operating system. This is considered the most basic form of system protection. However, this type of protection does not stop a malicious user from booting the system using another operating system loaded onto an external storage device such as a USB drive.

BIOS passwords offer a stronger layer of system protection; having a BIOS password along with a proper Boot Order setting offers superior protection as it can raise the barrier against a malicious user from booting the system from external storage devices. This does not, however, stop a bad actor from physically opening the system and resetting the BIOS to its default settings. If the BIOS password is disabled by default, then the system can be infiltrated.

As more individuals begin to experiment with defeating BIOS passwords, the traditional method of storing the BIOS password weakens. BIOS passwords are not stored in plain text; they are hashed and stored in system NVRAM. This method is easy for system manufacturers to implement and offers a good level of security because passwords are not saved in the clear. Yet anyone can read system NVRAM - and an attacker can easily employ a Dictionary Attack, which is simply attempting to guess the password until a match is found.

AMI raises the bar higher with a drastically different approach not traditionally seen when it comes to BIOS password integrity. AMI has invested two years in developing and testing the storage of the BIOS password in the NVRAM of the TPM. The TPM has an inherent characteristic that counters attempts to gain access to its NVRAM, so that a malicious user cannot search NVRAM for the BIOS password hash. Continuous reading of TPM NVRAM with the wrong password will trigger a dictionary attack defense mechanism that will intentionally and steadily slow down an attack.

As an added benefit of storing BIOS passwords in the TPM NVRAM, BIOS passwords are preserved even after a BIOS firmware flash and hardware reset is performed. A USB recovery key can be created during password creation that can be used to recover the system if the password is lost or forgotten.

AMI will begin offering this method of storing BIOS passwords immediately with the introduction of a new BIOS eModule called TpmPassword. Please contact your AMI sales representative for more information on the prerequisites and how to license it for Intel®, AMD and Arm®-based platforms.

All trademarks and registered trademarks are the property of their respective owners.
==================================================================
American Megatrends has found a great use and layer of security in the TPM!! These TPMs would need to be turned on and preferably managed by the premier TPM solutions company, Wave Systems. Wave is unique in that it can manage all of the different TPMs that are on the market. This could be one of the sparks that lights the TPM turn on fire!! Wave has worked with American Megatrends in the past...
=================================================================
https://www.wavesys.com/products/embassy%C2%AE-remote-administration-server-tpm-management

Excerpts:

Trusted Platform Module (TPM) + Wave’s ERAS for TPM Management = hardware-secured, fully-managed authentication

Wave’s ERAS for TPM Management gives IT remote, centralized management of all TPMs on enterprise computers and tablets.
==================================================================
Could Wave already have been establishing a chain of trust (i.e., BIOS password in the TPM) with its BIOS integrity under Wave Endpoint Monitor?? If not, American Megatrends has covered it now.
==================================================================
https://www.wavesys.com/products/wave-endpoint-monitor

Excerpts:


Be proactive on compliance

No new regulations here—yet. But government agencies recognize malware as a growing threat. In 2011, NIST published guidelines for basic input/output system (BIOS) integrity measurement, the BIOS being what initializes a computer when it boots up. When this critical system is malware’s target, the consequences are big. The guidelines describe what’s needed to establish a chain of trust for the BIOS: Has it been tampered with? NIST actually looked to Wave for feedback on this document (see the acknowledgments). We know what’s needed, because Wave Endpoint Monitor is already doing it.

Key Features:

Easy security compliance
• Comports with NIST guidelines for BIOS integrity
=================================================================
https://www.wavesys.com/



