NSA Publishes Guidance on UEFI Secure Boot Customization (Security News, September 2020)
According to the NSA, incompatibility issues often result in Secure Boot being disabled, which the agency advises against.
"Customization enables administrators to realize the benefits of boot malware defenses, insider threat mitigations, and data-at-rest protections. Administrators should opt to customize Secure Boot rather than disable it for compatibility reasons. Customization may - depending on implementation - require infrastructures to sign their own boot binaries and drivers," the NSA says.
In a technical report published on Tuesday and titled "UEFI Secure Boot Customization," the agency recommends that system administrators and infrastructure owners migrate their machines to UEFI native mode, enable Secure Boot on all endpoints and customize it, and keep all firmware properly secured and regularly updated.
The NSA also notes that Secure Boot should be configured "to audit firmware modules, expansion devices, and bootable OS images," and that a Trusted Platform Module should be employed to ensure the integrity of both the firmware and the Secure Boot configuration.
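A defender following these recommendations first needs to verify what state a fleet's endpoints are actually in: whether Secure Boot is enforcing (SecureBoot == 1 with a Platform Key enrolled, i.e. SetupMode == 0) and which signing authorities the db currently trusts, since a customized deployment should show the organisation's own owner GUID there. The script below is an added example written for this page; it is not code from the NSA report or from the article. It assumes a Linux host exposing efivarfs, where each variable file is a 4-byte little-endian attribute word followed by the variable data, and it parses the standard EFI_SIGNATURE_LIST layout used by db/dbx/KEK. The owner GUID, certificate bytes and hashes in the sample data are constructed placeholders, not values from any real system.

```python
"""Inspect UEFI Secure Boot state and signature databases (added example).

efivarfs layout: 4 bytes of attributes (little-endian uint32), then data.
"""
import struct
import uuid
from pathlib import Path

EFI_GLOBAL_VARIABLE = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFI_IMAGE_SECURITY_DATABASE = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"
EFIVARS = Path("/sys/firmware/efi/efivars")

# Signature-type GUIDs defined by the UEFI specification.
SIGNATURE_TYPES = {
    "a5c059a1-94e4-4aa7-87b5-ab155c2bf072": "X509",
    "c1c41626-504c-4092-aca9-41f936934328": "SHA256",
}


def split_efivar(raw: bytes):
    """Return (attributes, data) from a raw efivarfs file body."""
    if len(raw) < 4:
        raise ValueError("efivar too short")
    (attrs,) = struct.unpack("<I", raw[:4])
    return attrs, raw[4:]


def parse_signature_lists(data: bytes):
    """Yield (type_name, owner_guid, payload) for each entry in a blob of
    concatenated EFI_SIGNATURE_LIST structures (db, dbx, KEK)."""
    off = 0
    while off < len(data):
        if len(data) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = str(uuid.UUID(bytes_le=data[off:off + 16]))
        list_size, hdr_size, sig_size = struct.unpack("<III", data[off + 16:off + 28])
        if list_size < 28 or off + list_size > len(data) or sig_size < 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST")
        pos = off + 28 + hdr_size          # skip the optional SignatureHeader
        end = off + list_size
        while pos + sig_size <= end:       # each entry: 16-byte owner GUID + payload
            owner = str(uuid.UUID(bytes_le=data[pos:pos + 16]))
            yield SIGNATURE_TYPES.get(sig_type, sig_type), owner, data[pos + 16:pos + sig_size]
            pos += sig_size
        off = end


def secure_boot_status(secureboot_raw: bytes, setupmode_raw: bytes):
    """Secure Boot only enforces when SecureBoot == 1 and SetupMode == 0
    (a Platform Key is enrolled, so the key hierarchy is locked)."""
    _, sb = split_efivar(secureboot_raw)
    _, sm = split_efivar(setupmode_raw)
    enabled = bool(sb) and sb[0] == 1
    setup = bool(sm) and sm[0] == 1
    return {"secure_boot": enabled, "setup_mode": setup, "enforcing": enabled and not setup}


def read_live_status():
    """Read the real variables; returns None on a host without efivarfs."""
    sb = EFIVARS / f"SecureBoot-{EFI_GLOBAL_VARIABLE}"
    sm = EFIVARS / f"SetupMode-{EFI_GLOBAL_VARIABLE}"
    if not (sb.is_file() and sm.is_file()):
        return None
    return secure_boot_status(sb.read_bytes(), sm.read_bytes())


def build_signature_list(sig_type_guid, owner_guid, payloads):
    """Build one EFI_SIGNATURE_LIST; used here only to construct sample data.
    All payloads in a list share one size, as the format requires."""
    sig_size = 16 + len(payloads[0])
    body = b"".join(uuid.UUID(owner_guid).bytes_le + p for p in payloads)
    header = uuid.UUID(sig_type_guid).bytes_le + struct.pack("<III", 28 + len(body), 0, sig_size)
    return header + body


# Constructed sample data (not captured from a real machine).
SAMPLE_SECUREBOOT = b"\x06\x00\x00\x00\x01"   # attrs BS|RT, SecureBoot = 1
SAMPLE_SETUPMODE = b"\x06\x00\x00\x00\x00"    # attrs BS|RT, SetupMode = 0
SITE_OWNER = "11111111-2222-3333-4444-555555555555"   # hypothetical owner GUID
SAMPLE_DB = (
    build_signature_list("a5c059a1-94e4-4aa7-87b5-ab155c2bf072", SITE_OWNER, [b"DER-cert-bytes"])
    + build_signature_list("c1c41626-504c-4092-aca9-41f936934328", SITE_OWNER,
                           [b"\xab" * 32, b"\xcd" * 32])
)

if __name__ == "__main__":
    print("sample:", secure_boot_status(SAMPLE_SECUREBOOT, SAMPLE_SETUPMODE))
    for kind, owner, _ in parse_signature_lists(SAMPLE_DB):
        print(f"db entry: {kind} owned by {owner}")
    print("live:", read_live_status())
```

On a real host, pass the contents of `db-d719b2cb-3d3a-4596-a3bc-dad00e67656f` (after `split_efivar`) to `parse_signature_lists` and compare the owner GUIDs and certificate payloads against the set the organisation intended to enroll; an unexpected X509 entry, or `setup_mode` reported as True, is the kind of drift that an audit of customized Secure Boot should flag.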
The NSA's report includes technical information on what UEFI and Secure Boot are all about, while also delivering a broad range of details on how administrators can customize Secure Boot, including information on available advanced customization options that can be applied to meet several use cases.