The National Security Agency has released a Cybersecurity Information Sheet titled “Guidance for Managing UEFI Secure Boot” to assist organizations in configuring and validating UEFI Secure Boot settings on computing devices. The guidance outlines how Secure Boot enforces cryptographic policies during the boot process to limit execution to trusted binaries, emphasizes the importance of appropriate configuration for preventing bootkits and other persistent threats, and provides system owners with instructions for querying and comparing Secure Boot settings against expected norms. It also highlights common issues such as confusion about interactions with other security technologies, insufficient acceptance testing on new devices, and the need for ongoing validation as industry signing certificates transition to newer versions.

The document reinforces Secure Boot’s role as part of a broader endpoint security posture and the necessity of regular verification and configuration management to maintain its effectiveness. Misconfigured Secure Boot can elevate risk to enterprise environments, and the guidance positions configuration checks as a key element of supply chain risk management. Administrators are encouraged to verify enforcement of Secure Boot policies, understand certificate and hash stores used to validate boot binaries, and take corrective action when deviations from expected configurations are detected to mitigate exposure to firmware-level attacks.

‍

Source: https://industrialcyber.co/system-design-architecture/nsa-issues-guidance-to-help-organizations-manage-uefi-secure-boot-configuration/