When you start your computer, the BIOS loads. And if you'd like to gain access to the BIOS configuration, then you'll have to press the key associated with the BIOS setup during that startup process. Often this is the Delete key or one of the function keys, but occasionally it's a combination of keys that gets you access to the BIOS configuration.
If you're in Windows and using some virtualization software like Hyper-V, you can gain access to a BIOS inside Hyper-V instead of changing the BIOS of your actual computer. You can do the same thing with VMware's Workstation Player in Windows. But if you're using VirtualBox, there's no access to the BIOS in that virtualization software, so you may have to look around for some other options.
For example, online you might want to search for UEFI BIOS simulator, and you'll find a number of options out there for offline BIOS simulation. One problem you might run into if you're running Windows 8, Windows 10, or Windows 11 is when you start your computer, there's no option to press a key to start the BIOS. Instead, Windows simply starts immediately. That's because in these versions of Windows, there's a feature called Fast Startup that's turned on by default. And when you power down your system, you're actually putting your system into a hibernated state where Windows is not completely shut down.
So when you start your system up, it's not starting from the beginning of a boot process. Instead, it's simply waking up from where it left off. There are a number of different ways to bypass this Fast Startup process.
One is that you could hold down the Shift key when clicking Restart in the Windows desktop. Or you can get to this capability from Settings, Update and Security, Recovery, Advanced Startup, and then Restart Now. There's also a system configuration setting for restarting your system, and you'll find that under msconfig. But if you don't have access to the desktop or you're not able to use any of these other options, you can simply interrupt the normal boot process three times.
After that third interruption, Windows realizes that you would really like to start this system from the very beginning. It disables the fast startup process and allows you access to the normal boot process. It's very possible to make changes to your BIOS that could cause your system to have boot failures or not start at all.
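The Fast Startup behaviour described above can be checked and switched off from an elevated PowerShell session, which is handy when you are preparing a machine for BIOS changes. This script is an added example and is not part of the original video; the registry value (HiberbootEnabled), the powercfg hibernate switch and the shutdown /fw flag are standard Windows features, and no other names are assumed.

```powershell
# Added example (not from the original video). Reports the Fast Startup switch that
# Windows 8/10/11 keep in the registry, optionally turns it off, and reboots straight
# into the UEFI firmware setup. Run in an elevated PowerShell session.

$fastStartupKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Power'

function Get-FastStartupState {
    # HiberbootEnabled = 1 means a "shutdown" really hibernates the kernel session,
    # which is why the next power-on skips the normal boot (and the BIOS key prompt).
    $value = (Get-ItemProperty -Path $fastStartupKey -Name HiberbootEnabled `
                -ErrorAction SilentlyContinue).HiberbootEnabled
    [pscustomobject]@{
        FastStartupEnabled = ($value -eq 1)
        # Fast Startup needs the hibernation file; no hiberfil.sys means it cannot work.
        HibernationEnabled = (Test-Path "$env:SystemDrive\hiberfil.sys")
        # With Fast Startup on, this time survives a "shutdown": it only resets on a
        # real cold boot or a restart, which is a simple way to tell the two apart.
        LastBootTime       = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
    }
}

function Disable-FastStartup {
    # Setting the value to 0 makes every shutdown a real, cold shutdown from then on.
    Set-ItemProperty -Path $fastStartupKey -Name HiberbootEnabled -Value 0 -Type DWord
    # Removing the hibernation file takes Fast Startup away as well.
    powercfg.exe /hibernate off
}

function Restart-ToFirmware {
    # Same effect as Settings > Recovery > Advanced startup > UEFI Firmware Settings:
    # /fw asks the firmware to open its setup screen on the next boot.
    shutdown.exe /r /fw /t 0
}

Get-FastStartupState
```

A quick sanity check after running this: if you "shut down" a machine and LastBootTime still shows a date from before that shutdown, the system hibernated rather than booting from scratch, which is exactly the case where the BIOS key never gets a chance to work.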
That's why it's very important, before you make any changes to the BIOS, that you have a backup of all of those BIOS settings. Some BIOS implementations allow you to download a copy of the configuration, but you could also make notes of what you're changing so you know exactly what to change it back to if there are any problems. And of course, you probably have your phone with you, so you can always take a picture of the screen to make sure you know what the settings are.
There are a lot of settings inside of the BIOS, and it's very easy to make a change that could cause the system to have a problem. So you want to be sure if you're making any modifications to the BIOS that you know exactly what those changes will do. And if you end up making a change and there's a problem, you've got a backup and you have pictures of what it was originally.
So you can always go back to your BIOS configuration, change the configuration back to the original settings, and restart your system. When we power on our system, the BIOS is in control. It has a lot of different configuration settings that determine what the BIOS should do next.
Inside of the BIOS, there are some settings that can disable some of the hardware of your computer. So if you'd like to prevent your operating system from having access to any of your system's hardware, you can disable that hardware in the BIOS, and it will be invisible to the operating system. You can also configure where the BIOS should go to boot your system.
You could tell the BIOS to look for a bootable USB drive. If it doesn't find a bootable USB drive, then go to the SSD. If the SSD is not available, then try booting from the hard drive. You can determine which boot devices are available to your system and in which order these boot devices should be checked.
Here are some of these boot options from a Lenovo UEFI BIOS. This is the startup option. And you can see there is an option for a primary boot sequence.
And it will be used when the system is powered up normally. If we click on the primary boot sequence, it brings us to a number of options. And you can see exactly which order the storage drives use. It starts with the SATA 2 drive.
It then moves to the M.2 drive and then the SATA 1 drive. There are other options in here as well, such as the network, USB, CD-ROM, and others. You can enable or disable any of these boot up options or modify the order in which they're used.
I mentioned earlier that you can use this BIOS configuration to enable or disable certain hardware that's on your system. A good example of this is the configuration you have for USB connections. This can be especially important in highly secure environments, because the USB interface allows you to connect external storage drives, flash drives, and other storage devices. If somebody wanted to take data out of your facility, they could do it very easily through that USB interface. Imagine having top secret information stored in very large databases and being able to transfer all of that information in a matter of seconds and simply walk out the door.
That USB interface could also be a way for someone to gain access to your systems. In 2008, the United States Department of Defense had to disable all of the USB interfaces on their systems and disallow the use of any type of flash media. That's because someone connected a USB drive that was infected with the SillyFDC worm to their Department of Defense computer. From there, the worm was able to gain access and move between systems that were within the Department of Defense network. This resulted in a ban of USB-connected storage devices, and the IT team had to disable all of the USB interfaces on the Department of Defense computers.
To disable these USB interfaces in the BIOS, you would find the Devices section of your BIOS. And in this BIOS, you can disable USB access completely, or you can modify exactly which USB interface you would like to enable or disable. Our computing systems create a lot of heat, and there are usually fans inside of our computers that help keep everything cool.
You can usually control what those fans are doing through a number of different BIOS configurations. There may be many fans inside of your system. You might have a fan dedicated for cooling the CPU, and other fans that help cool everything else in the chassis.
Many motherboards have an integrated fan controller that's able to look at the temperature inside of your system and either increase or decrease how much airflow may be going through your computer. So as you use your system more, this fan controller can help compensate by pulling more cool air through your computer. To be able to use this controller, you need to connect directly to the fan connections on the motherboard.
Those are usually well marked, and you can plug directly in with your existing fans. In the BIOS, you may have an option for configuring this particular setting. In this Lenovo, it's under the Power option, under Intelligent Cooling.
And you can decide whether you would like better performance or whether you would like a quieter system and the best overall experience. We spend a lot of time managing malware and making sure that we have antivirus software running in our operating system. But we also have to think about protecting the BIOS before your system boots, to make sure that it does not become corrupted with any type of malware.
One way that we can monitor for this is through Secure Boot. This is part of the UEFI specification, so every system running a UEFI BIOS has the ability to run Secure Boot. This uses digital signatures to verify that the boot process it's going through has not been modified by a third party.
This can keep malware from making any changes to your system. And if changes are identified, it can stop the boot process and limit the scope of that malware.
This is supported with most operating systems. So if you're running Windows or Linux or other operating systems, there's probably an option there to use that operating system with Secure Boot. To be able to use Secure Boot, your operating system has to have a digital signature associated with it that is checked during the startup process. This means that the public key for the manufacturer of that operating system already has to be available in the BIOS itself. The BIOS also has fail-safes built in to prevent anyone from making changes to this important information.
Secure Boot verifies the digital signature associated with the bootloader against the public key that's already embedded within the BIOS. If that verifies, the system has not been modified and it can continue with the boot process. If you're using an operating system that doesn't support Secure Boot, then you may need to modify that in the BIOS itself. And you can see in this Lenovo BIOS, there is a Secure Boot option under the Security tab, and you have the ability to enable or disable Secure Boot.
Your BIOS can also limit who might be able to start your computer and who might be able to make changes to the BIOS. If you add a user password to your BIOS, then the system will not start unless you provide the correct password to gain access to the system.
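To make the Secure Boot discussion above concrete, here is a PowerShell script that shows the pieces on a Windows machine: whether Secure Boot is on, which signing certificates and allow-listed hashes the firmware trusts (the contents of the UEFI db variable), and the signature on the Windows boot manager. This is an added example, not the video's own material; it uses only the built-in SecureBoot module cmdlets and .NET classes, the EFI_SIGNATURE_LIST layout from the UEFI specification, and the EFI_CERT_X509_GUID value defined there. It needs an elevated session on a system that booted in UEFI mode.

```powershell
# Added example (not from the original video). Reports the Secure Boot state, the
# signers the firmware trusts, and the Authenticode signature on the boot manager.
# Requires an elevated PowerShell session on a UEFI-booted Windows 8 or later system.

function Get-SecureBootTrustedSigners {
    # The db variable is a sequence of EFI_SIGNATURE_LIST structures (UEFI spec):
    #   SignatureType GUID (16) | ListSize (4) | HeaderSize (4) | SignatureSize (4)
    #   | header bytes | entries, each a 16-byte owner GUID followed by the signature.
    $raw = (Get-SecureBootUEFI -Name db).Bytes
    $x509Type = [Guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID
    $offset = 0
    while ($offset -lt $raw.Length) {
        $sigType    = [Guid]::new([byte[]]($raw[$offset..($offset + 15)]))
        $listSize   = [int][BitConverter]::ToUInt32($raw, $offset + 16)
        $headerSize = [int][BitConverter]::ToUInt32($raw, $offset + 20)
        $sigSize    = [int][BitConverter]::ToUInt32($raw, $offset + 24)
        $entry      = $offset + 28 + $headerSize
        $listEnd    = $offset + $listSize
        while ($entry -lt $listEnd) {
            $data = [byte[]]($raw[($entry + 16)..($entry + $sigSize - 1)])
            if ($sigType -eq $x509Type) {
                # A DER-encoded certificate: anything signed by it (or its chain) may boot.
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($data)
                [pscustomobject]@{ Type = 'X509'; Subject = $cert.Subject; NotAfter = $cert.NotAfter }
            } else {
                # Any other list type (for example EFI_CERT_SHA256) is an allow-listed hash.
                $hex = ($data | ForEach-Object { $_.ToString('x2') }) -join ''
                [pscustomobject]@{ Type = 'Hash'; Subject = $hex; NotAfter = $null }
            }
            $entry += $sigSize
        }
        $offset = $listEnd
    }
}

function Get-SecureBootReport {
    try   { $enabled = Confirm-SecureBootUEFI }
    catch { $enabled = 'not available (legacy BIOS boot or no UEFI firmware)' }

    # The firmware verifies the boot manager in the EFI system partition, which is
    # installed from this file in the Windows directory; check its signature here.
    $bootMgr = Join-Path $env:SystemRoot 'Boot\EFI\bootmgfw.efi'
    $sig = Get-AuthenticodeSignature -FilePath $bootMgr

    [pscustomobject]@{
        SecureBootEnabled = $enabled
        BootManager       = $bootMgr
        SignatureStatus   = $sig.Status          # Valid means the chain checks out
        SignedBy          = $sig.SignerCertificate.Subject
    }
}

Get-SecureBootReport
Get-SecureBootTrustedSigners | Format-Table -AutoSize
```

On a typical PC the signer list shows the Microsoft Windows Production PCA and the Microsoft UEFI CA certificates, which is the "public key already embedded in the BIOS" the video refers to: the boot manager's signature chains to one of them, and a bootloader signed by anyone else is rejected unless its certificate or hash is added to db.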
This would prevent any unauthorized users from starting your operating system. You can also set a supervisor password in your BIOS. That would restrict anyone from changing any of the BIOS settings. This would be especially important if you were disabling certain types of hardware or requiring additional passwords during the startup process.
You want to be sure that no one else can modify those changes, so you might set a supervisor password to gain access to the BIOS config. This password is built into the BIOS. It's not part of your operating system. So if you forget any of these passwords, you'll need to reset the BIOS to regain access to your system. This password information is stored in your BIOS configuration along with all of your other configuration settings.
And this is usually on flash memory that is on the motherboard itself. You may see some legacy references to this as the CMOS of your system, or the complementary metal oxide semiconductor. And indeed, that was a type of memory that we used to use that was associated with your BIOS. But these days, all of your BIOS configurations are stored in flash memory that's connected to the motherboard. Because the configuration is in flash memory, and you can't get into the system to edit it, you have to clear that configuration completely by resetting the BIOS config.
This is commonly done with a jumper. You would short two pins on the motherboard, power up your system, and that would clear any of those configuration settings in your BIOS. Let's see how we might do this on a motherboard.
This is an ASUS motherboard. And if we look down at the bottom of the motherboard, we have the BIOS. And we have a jumper that's labeled CLRTC. This stands for clear real-time clock.
Here are two pins on the motherboard. You can see they're not touching each other. So currently, those two pins are not jumpered or not shorted.
We would use a jumper to push down onto those pins, which would then connect the two pins together. Here's a better picture showing the connection between those two pins. We would push that jumper onto the two pins so that we've created a short between both of those pins. We would then power on our system, and that would reset the BIOS configuration. You may also notice that there is a battery on the motherboard.
This is one of these flat batteries. This one's labeled CR2032. It's a 3-volt lithium-ion battery. On most modern motherboards, this battery is simply there to maintain the date and time configuration when your system is not connected to a power source. If the battery goes bad, you'll notice that the date and time on your system will reset back to the original settings when you start your computer.
On older systems that did not save the BIOS configuration into flash memory, you could reset the BIOS by removing and then reinserting this battery onto the motherboard. These days, this is only keeping the date and time, and removing and reinserting the battery will not have any change to your BIOS configuration. Here's a view of the battery on the motherboard.
It's very easy to find, and it's very simple to replace if the battery happens to become discharged. Your motherboard might also support additional hardware in the form of a trusted platform module or a TPM. This TPM is designed to provide cryptographic functions.
This is especially important if you're using full disk encryption on your system because you'll need a cryptographic key to be able to decrypt all of the data stored on that storage device. You can see that this TPM does have a processor on it that's used for cryptographic functions. So if you need to create cryptographic keys or perform other cryptographic functions, it's commonly done through the TPM that's on your motherboard.
This also has persistent memory on it so that certain keys can be burned into the TPM and never be changed as long as the TPM is connected to your computer. This allows us to verify keys that might be on our system already, or we can use this to digitally sign data, send it to a third party, and verify that that information originated on that TPM.
You might think that you'd be able to hack into the TPM and gain access to this data, but this is a secure environment, and it's already designed to prevent attacks such as a brute force from gaining access to that data. And back in the BIOS configuration, you can make changes to the TPM configuration. For example, you can enable or disable all of the TPM features that are running on your motherboard. In many organizations, you may find there are many cryptographic keys that need to be managed.
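The TPM properties discussed above (the burned-in endorsement key, the built-in protection against brute-force guessing, and its use for full disk encryption) can all be inspected from Windows. The following script is an added example and is not from the original video; it uses only the cmdlets and property names of the TrustedPlatformModule and BitLocker modules that ship with Windows 10 and 11, and it should be run from an elevated PowerShell session.

```powershell
# Added example (not from the original video). Summarises the TPM state that Windows
# exposes and whether BitLocker is actually tying disk encryption to that TPM.
# Run in an elevated PowerShell session on Windows 10 or 11.

function Get-TpmSummary {
    $tpm = Get-Tpm
    $ek  = Get-TpmEndorsementKeyInfo -ErrorAction SilentlyContinue
    # The endorsement key is burned in at manufacture and cannot be changed.
    $ekPresent = if ($ek) { $ek.IsPresent } else { $null }
    [pscustomobject]@{
        Present         = $tpm.TpmPresent
        Ready           = $tpm.TpmReady
        # The anti-hammering counters are the brute-force protection mentioned above:
        # after too many bad authorizations the TPM refuses further attempts for a while.
        LockedOut       = $tpm.LockedOut
        LockoutCount    = $tpm.LockoutCount
        LockoutMax      = $tpm.LockoutMax
        EndorsementKey  = $ekPresent
        ManufacturerVer = $tpm.ManufacturerVersion
    }
}

function Get-DiskEncryptionTpmUse {
    # For each BitLocker volume, list the key protectors. A Tpm* protector means the
    # volume key is released only on this motherboard with an unmodified boot path,
    # which is the link between the TPM and full disk encryption the video describes.
    Get-BitLockerVolume | ForEach-Object {
        $types = $_.KeyProtector | ForEach-Object { $_.KeyProtectorType }
        [pscustomobject]@{
            Volume           = $_.MountPoint
            ProtectionStatus = $_.ProtectionStatus
            Protectors       = ($types -join ', ')
            UsesTpm          = [bool]($types | Where-Object { $_ -like 'Tpm*' })
        }
    }
}

Get-TpmSummary
Get-DiskEncryptionTpmUse | Format-Table -AutoSize
```

Two things worth checking in the output: LockedOut should be False on a healthy system (a True value with a climbing LockoutCount means something has been hammering the TPM with bad authorizations), and the operating system volume should show a Tpm or TpmPin protector, since a volume protected only by a password or recovery key gains nothing from the TPM at all.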
To be able to provide this management, you might want to use a hardware security module, or an HSM. This is very often a standalone device or purpose-built appliance that's able to provide this cryptographic function. This HSM could also be an adapter card that you install into a server that provides this HSM functionality. This HSM might be used as a key backup for all of the servers you might have in your environment. All of those keys are stored securely on this HSM, and no one has direct access to those keys. You might also find lightweight HSMs that are in the form of a smart card or a USB drive.
Those are commonly used to store personal keys that you would be able to take with you. And another nice feature of an HSM, especially one that is a purpose-built appliance, is the ability to have cryptographic accelerators built into the hardware of this system. This means that you could offload some of the cryptographic functions used by your servers onto the HSM, which would increase the overall throughput of your applications.