5

I'm attempting to ensure maximum security for my PC. I'm running Windows 10 Pro on a business-class HP notebook.

Unless I'm mistaken, I understand that both a BIOS password and the BitLocker pre-boot PIN can help to prevent DMA attacks. I'm also guessing that these features are distinct

Is either option--using a BIOS password or a BitLocker pre-boot PIN--preferable over the other? Should I be using both? Are there unique (dis)advantages associated with either option?

Thanks.

Daniel
  • 151
  • 1
  • 6
  • Well, one obvious disadvantage of a firmware password without encrypted storage is an attacker with physical access could just steal or clone your storage while the machine is off; no need for DMA. BitLocker causes Windows to restrict DMA specifically because, *without* BitLocker (or similar), an attacker with physical access is assumed to have everything they want already, and BitLocker is supposed to be a mitigation for that. – CBHacking Jul 13 '19 at 00:58

1 Answers1

2

Unless I'm mistaken, I understand that both a BIOS password and the BitLocker pre-boot PIN can help to prevent DMA attacks. I'm also guessing that these features are distinct

The BIOS password does not have any effect on DMA attacks. The BitLocker pre-boot PIN can assist in mitigating a specific type of DMA attack called "early DMA", which is carried out before the IOMMU is initialized and ready to restrict memory access from devices. See here for more detailed information.

Is either option--using a BIOS password or a BitLocker pre-boot PIN--preferable over the other? Should I be using both? Are there unique (dis)advantages associated with either option?

They have totally different purposes. A BIOS password is a very basic protective measure that is only useful against an attacker with limited physical access (specifically, access only to standard input devices like the keyboard and mouse). It is meant to protect from a casual attacker who wishes to boot the system or change firmware settings. An attacker can easily bypass a BIOS password if they have full access to the physical motherboard and firmware chip. Furthermore, a BIOS password does not prevent someone from removing the hard drive and putting it in another computer to read the entire contents.

It's important to note that not all BIOSes behave the same way. Most BIOSes will store the password in plaintext in non-volatile memory and will refuse to boot or allow configuration changes unless it is entered again by the user. This is, obviously, not particularly secure. However, some might use it to augment a feature called SED (Self-Encrypting Drive), where the storage devices themselves perform hardware encryption using the password that is entered. Some other systems will use a rather obscure ATA security feature that offloads the password storage and verification to the storage drive itself, causing the drive to refuse reads until the password is entered. These are all often referred to as "BIOS password".

Glorfindel
  • 2,263
  • 6
  • 19
  • 30
forest
  • 65,613
  • 20
  • 208
  • 262