Clear
Reset to factory default settings, or overwrite all addressable areas with non-sensitive data using default R/W commands, a single pass of zeros minimum.

Purge
Method and technique is media/device-dependent.

• Overwrite data with 3 pseudorandom passes
• Degauss magnetic disks, cassettes, and tapes
• Remove electrical power to DRAM for manufacturer-designated time period
• Initiate manufacturer-described purge for EPROM (EA, EE)
• Execute BLOCK ERASE on Solid State devices
• ATA devices feature the overwrite commands EXT, CRYPTO SCRAMBLE EXT, and SECURE ERASE UNIT
• SCSI devices feature the command SCSI SANITIZE that actions either OVERWRITE or CRYPTOGRAPHIC ERASE
• NVME devices feature the command FORMAT and USER DATA ERASE
• Under TCG Opal and Enterprise Standards, ensure Media Encryption Keys (MEK) are changed

Optical media such as CD, DVD, BD; memory cards such as SD, MMC, CF, MS; embedded flash; and most USB devices cannot be purged so must be destroyed.

Destroy
Media/Device failure warrants the disintegration, pulverisation, or incineration of the media or device.

BIOS updates should be authenticated, validated, and verified through a Root of Trust mechanism that is digitally signed with at least 112-bit encryption.

Safeguards against downgrading must exist, and recovery procedures executed to the same secure standard as update procedures.

Image integrity must persist across installation, update, and execution.

Secure Local Update describes the allowed process by which an operator physically installs or updates a BIOS image.

No means of installing or executing unauthenticated BIOS images must exist in the system architecture, except via Secure Local Update.

The Endpoint Vendor, or manufacturer must

• Ensure that appropriate hardware and mechanisms allow Root of Trust that persists across BIOS integrity measurement, reporting, and storage from boot-time
• Provide reference measurements for verification and comparison
• Measure BIOS configuration and executable components
• Use approved standard cryptographic techniques
• Exclude measurement of sensitive data
• Log BIOS function code and data to separate registers
• Provide measurements via a standard API to the OS
• Ensure integrity reports are provable, with a reference and version

The Endpoint Vendor, or manufacturer should

• Provide secure BIOS update mechanisms to SP 800-147B
• Provide associated attributes in a standardised format
• Make BIOS configuration data available and interpretable
• Provide appropriate hardware for post-boot measurements
• Log BIOS functions to a privacy register

The Endpoint Vendor, or manufacturer may

• Provide a mechanism for submitting integrity reports to a Measurement Assessment Authority (MAA) regarding BIOS port access, configuration or software changes, generated errors, or network connection to an MAA
• Provide measurement reporting via configurable event triggers

Resilience is achieved with three key principles, grounded in Roots of Trust.

Protection
Authenticated, validated, and verified processes ensure firmware and critical data maintain integrity.

Detection
Unauthorised modification or corruption of firmware and critical data is monitored.

Recovery
Automatic or manual restoration of firmware and critical data can be performed in a secure procedure.

Most platforms comprise critical, firmware-mutable hardware that execute code before the host processor, thus important to consider and make secure for complete integrity.

Devices include :

• Embedded Controller / Super IO - serial and parallel ports, keyboard and mouse input, environment sensors, power management, general purpose pins, Legacy PnP / ACPI, PWM, IR, and MIDI


• Serial Peripheral Interface (SPI)


• Trusted Platform Module (TPM)
• Management Engine (ME)
• Baseboard Management Controller (BMC)


• Application Processing Unit (APU)
• Graphic Processing Unit (GPU)
• Complex Programmable Logic Device (CPLD)
• Field Programmable Gate Array (FPGA)


• Network Interface Card (NIC)


• Mass Storage Host Controller (HC)
• Mass Storage Devices (HDD/SSD)
• Flash Storage Devices (eMMC/UFS)


• Power Supply Unit (PSU)

Three versions exist: 140-1, 140-2, 140-3, and four levels of security are defined :

1. • Components must be production-grade
   • Software implementation is permitted
   • Module execution is permitted on an unevaluated OS
   
   
2. • Physical tampering must be evidenced by seals or locks
   • Authentication is role-based
   • Module execution is permitted on an OS that satisfies a Common Criteria Approved Protection Profile
   • Module execution is evaluated to Common Criteria Assurance Level 2


3. • Physical tampering must be resisted by design structure and should be responded with self-wiping mechanisms
   • Authentication is identity-based
   • Plaintext Critical Security Parameter (CSP) I/O must be physically or logically separate from other data paths
   • Encrypted CSPs may be transferred through normal data paths
   • Module execution is permitted on an OS that also satisfies a Trusted Path
   • Module execution is evaluated to Common Criteria Assurance Level 3


4. • Physical tampering must be resisted by design structure and must be responded with self-wiping mechanisms
   • Exceeding normal operating ranges must be accounted for, such as changes in voltage and temperature
   • Module execution is evaluated to Common Criteria Assurance Level 4

Defines :

• Digital Signature Algorithm (DSA)
• RSA Digital Signature Algorithm
• Elliptic Curve Digital Signature Algorithm (ECDSA)

Details :

• Generating, verifying, and validating digital signatures
• Key-Pair Generation
• Recommended elliptic curves

The scale and relevance of the TPM standard is too great to be written in brief.

The scale and relevance of the Opal standard is too great to be written in brief.