7. Preboot Security Requirements
Signed Preboot Applications
When a preboot application is launched, it has as much control of system
resources as the BIOS. Because these applications reside on the public hard
drive partition, which is easily accessible and thus easily hacked, the BIOS
must launch only HP-signed preboot applications.
Additional F10 Policies for Preboot Environment
BIOS F10 provides several policies to control the availability of the Boot from EFI File
option in the Boot Manager when F9 is pressed (for details, see How EFI Launches
EFI Applications).
System Configuration -> Device Configurations
UEFI Boot Mode Enable/Disable Default: Disable
This policy controls whether the BIOS allows booting to an EFI file. For security,
it's recommended that it be disabled.
When UEFI Boot Mode is disabled, the “Boot from EFI File” option will not show
up in the Boot Manager when F9 is pressed. In such a case, the only way to
launch HP EFI applications is to use the hotkey.
Customized Logo Enable/Disable Default: Disable
The EFI BIOS provides a feature that lets the user customize the logo
displayed during boot. The logo is a bitmap file that a customer can
add/change on the HP_TOOLS partition.
Because the BIOS can’t check the signature of customized logo bitmap files,
such a file may be used as an attack tool against the BIOS POST process. An
option is therefore needed to disable this capability in highly
security-sensitive environments.
HP QuickLook Enable/Disable Default: Enable
The EFI BIOS provides the following policy to control the availability of the
QuickLook application option.
HP QuickWeb Enable/Disable Default: Enable