News Focus

rwk

12/13/11 9:51 AM

#219061 RE: dig space #219057

dig,

there are a lot of SHALLs. Point 3 below in particular can be done via WEM. It may be possible to do it in a different manner, but probably not as elegantly or efficiently as through ERA and WEM.

3.2.1.2 Security Guidelines for RoT Attributes
1. Endpoint vendors SHALL provide the attributes defined in Section 3.2.1.1.
2. Endpoint vendors SHALL provide reference measurements of executable BIOS boot code at the lowest level of granularity for which they provide update and maintenance and that can be used to verify measurements returned from the RTR.
3. Endpoint vendors SHALL provide a mechanism for measuring and reporting a baseline of measurements for BIOS configuration data.
4. Endpoint vendors SHOULD deploy BIOS measurement and reporting mechanisms that do not preclude extension to option ROMs external to the system BIOS.
5. Endpoint vendors SHOULD provide attributes in a standardized format.
6. Endpoint vendors MAY provide an indication of compliance with [NIST-SP800-147].
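Points 2 and 3 above describe what a verifier needs from the vendor: reference measurements for boot code and a baseline for configuration data. The following is an added illustration, not code from this thread or from NIST: it replays a constructed BIOS measurement log, checks it against the PCR values an RTR would report, and checks each boot-code digest against a vendor reference list and the configuration PCR against a recorded baseline. Assumed here: SHA-256 extend semantics, boot code measured into PCR 0 and configuration data into PCR 1; all digests and component names are constructed samples.

```python
import hashlib
from dataclasses import dataclass

# Assumed for this example: SHA-256 extend semantics (pcr = H(pcr || digest)), boot code
# measured into PCR 0, BIOS configuration data into PCR 1. All digests are constructed.
PCR_BOOT_CODE = 0
PCR_BIOS_CONFIG = 1

@dataclass(frozen=True)
class Event:
    pcr: int
    component: str  # what was measured, e.g. "PEI core" or "setup variables"
    digest: bytes   # SHA-256 of the measured object, as recorded in the log

def extend(pcr_value: bytes, digest: bytes) -> bytes:
    """One PCR extend step; because the old value is hashed in, order is preserved."""
    return hashlib.sha256(pcr_value + digest).digest()

def replay(events, pcr_count=2):
    """Recompute the PCR values a measurement log should produce, from all-zero PCRs."""
    pcrs = [bytes(32)] * pcr_count
    for ev in events:
        pcrs[ev.pcr] = extend(pcrs[ev.pcr], ev.digest)
    return pcrs

def verify(events, quoted_pcrs, boot_code_refs, config_baseline):
    """Check that the log replays to the PCRs the RTR reported, that every boot-code digest
    equals the vendor reference (point 2), and that the config PCR equals the baseline (point 3)."""
    expected = replay(events)
    log_ok = expected == list(quoted_pcrs)
    unknown = [ev.component for ev in events if ev.pcr == PCR_BOOT_CODE
               and boot_code_refs.get(ev.component) != ev.digest]
    config_ok = expected[PCR_BIOS_CONFIG] == config_baseline
    return {"log_matches_quote": log_ok, "unknown_boot_code": unknown,
            "config_matches_baseline": config_ok,
            "ok": log_ok and not unknown and config_ok}

def sample_refs():
    """Constructed stand-in for vendor reference measurements, keyed by component."""
    return {n: hashlib.sha256(n.encode()).digest() for n in ("SEC", "PEI core", "DXE core")}

def sample_log(tampered=False, secure_boot=b"SecureBoot=1"):
    """Constructed boot log; tampered=True swaps in a modified PEI core digest."""
    refs = sample_refs()
    pei = hashlib.sha256(b"PEI core (modified)").digest() if tampered else refs["PEI core"]
    return [Event(PCR_BOOT_CODE, "SEC", refs["SEC"]),
            Event(PCR_BOOT_CODE, "PEI core", pei),
            Event(PCR_BOOT_CODE, "DXE core", refs["DXE core"]),
            Event(PCR_BIOS_CONFIG, "setup variables", hashlib.sha256(secure_boot).digest())]
```

A log that replays consistently to its own quote but contains a digest absent from the vendor's reference list is still rejected, which is why point 2 asks for the reference measurements rather than just a reporting mechanism.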

New Wave

12/13/11 11:12 AM

#219075 RE: dig space #219057

dig, Points 4 through 6 of Section 3.2, with their use of should and may, are likely intended to provide wiggle room, not for the rate of adoption, but more for flexibility in satisfying compliance. Points 1 through 3, as you and rwk noted, provide no wiggle room for the important task of implementing a system for BIOS integrity measurements.

4. Endpoint vendors SHOULD deploy BIOS measurement and reporting mechanisms that do not preclude extension to option ROMs external to the system BIOS.
5. Endpoint vendors SHOULD provide attributes in a standardized format.
6. Endpoint vendors MAY provide an indication of compliance with [NIST-SP800-147].