How the Reference Integrity Manifest (RIM) delivers secure firmware

Date Published: June 24, 2025

Hacking attempts are no longer aimed only at software and hardware: attacks on firmware are on the rise too. As we rely ever more heavily on devices and equipment, the foundational components embedded in those devices have become an attractive target for adversaries seeking a foothold in sensitive systems.

That reliance has also expanded supply chains, linking companies and organisations to one another in many ways. A single vulnerable element in the chain puts every entity connected to it at risk, so it is essential that everyone can trust that their device firmware has not been compromised or tampered with at any point.

A growing threat landscape
In the last decade we have seen several major firmware attacks. One is LoJax, discovered in 2018, in which attackers wrote a malicious module into a system's Unified Extensible Firmware Interface (UEFI) flash. UEFI rootkits of this kind had long been a concern because they are hard to detect and remove once installed, and they give attackers near-total control of an affected PC, including access to corporate networks and the sensitive data they hold. LoJax modified the system firmware to load a malicious agent during the boot process, giving full control of the device before the operating system had even started: a nightmare scenario for the enterprises affected.

LoJax underscored the need for stronger firmware integrity checks, but persistent vulnerabilities in UEFI have led to further attacks. In December 2023, for example, LogoFAIL was disclosed: a set of critical flaws in the UEFI image parsers that display custom boot logos. By supplying a crafted logo image through that mechanism, an attacker can execute malicious code during boot, gaining control of the system, bypassing traditional security measures such as Secure Boot and remaining undetected by operating-system-level defences.

Both incidents, alongside a wide array of other attacks, highlight the need for security measures that can attest to the integrity of a device's firmware and so protect every entity in the supply chain. This is where the Reference Integrity Manifest (RIM) comes into play.

What is the Reference Integrity Manifest?
The RIM is a structured, digitally signed data file that describes the trusted state of a device's firmware, configuration or software components. Delivered within the firmware, on storage or from a server, depending on the platform and its requirements, the RIM defines a 'known-good' state of firmware and software components and gives system verifiers the means to assess whether a device has been tampered with.

Essentially, the RIM operates as a blueprint: it records the expected state of a system as a set of 'assertions', typically the measurements (cryptographic digests) of each component the manufacturer shipped. A verifier collects evidence from the running device and compares it against those assertions. If the evidence matches, the system is in the correct, trusted state; any discrepancy indicates some form of modification or compromise.

It also serves as a tool for hardware detection and documentation. By capturing structured, signed data about a device's hardware configuration, the RIM enables organizations to validate not only that firmware is untampered but also that the underlying hardware matches expected specifications. For instance, if a memory module is swapped out, the RIM can help detect that change.

This capability supports asset management, compliance and threat detection by providing accurate, verifiable records of a device's physical components throughout its lifecycle, maintaining security across the supply chain. But as attacks grow in complexity, the RIM must evolve to keep pace.

Enhancing the RIM through new specifications
This is why the Trusted Computing Group (TCG) continues to evolve the RIM through new specifications, two of which were recently launched to further protect firmware against emerging threats.

One such specification is the RIM Information Model (IM), which gives manufacturers a structure for organising the statements a verifier needs, and for providing known, trusted assertions about the device. This lets the Attestation Verifier better assess whether the device's firmware has been modified or compromised.

It also enables a Root of Trust (RoT), such as the Trusted Platform Module (TPM), to attest to the integrity of a device in a cryptographically verifiable way. A verifier, either within the operating system or in remote IT infrastructure, can then assess this attestation against the assertions in the RIM. The RIM IM also has built-in integrity protection, so a Verifier can confirm that the manifest was produced by a trusted source before relying on it.
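The appraisal flow described above (a signed manifest of reference digests, evidence from a TPM-backed root of trust, and a verifier that checks the manifest's integrity before comparing the two) is easy to see in miniature. The following is an added example written for this page, not TCG's own RIM format or tooling: the manifest is a plain JSON structure, the manufacturer's digital signature is replaced by an HMAC stand-in so that it runs offline, the firmware images, component names and the `example.com/...` tag identifier are constructed, and PCR0 is modelled as a bare chain of SHA-256 extends over the component digests (a real PCR0 also accumulates other event types).

```python
"""Added illustration of RIM-style appraisal: a signed manifest of reference
digests, a simulated TPM PCR0 quote plus event log as evidence, and a verifier
that compares the two. Format and data are constructed; not TCG's encoding."""
import hashlib
import hmac
import json

# Hypothetical manufacturer signing key. A real RIM carries a public-key
# signature (e.g. over a SWID/CoSWID tag); HMAC is a stand-in so this runs offline.
MANUFACTURER_KEY = b"demo-manufacturer-signing-key"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(payload: dict) -> bytes:
    # Canonical encoding so signer and verifier hash identical bytes.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(payload: dict, key: bytes) -> dict:
    """Attach the manifest's integrity tag (stand-in for the manufacturer signature)."""
    tag = hmac.new(key, _canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}


def verify_manifest(signed: dict, key: bytes) -> dict:
    """Reject a RIM whose tag does not verify. Without this step an attacker who
    can edit the reference values could make a compromised image 'match'."""
    expected = hmac.new(key, _canonical(signed["payload"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signed["tag"]):
        raise ValueError("RIM integrity check failed")
    return signed["payload"]


def expected_pcr(digests_hex, pcr_size: int = 32) -> str:
    """Replay TPM extend: PCR_new = SHA-256(PCR_old || digest), from an all-zero PCR.
    Simplified: a real PCR0 also accumulates other event types (CRTM version etc.)."""
    pcr = b"\x00" * pcr_size
    for digest_hex in digests_hex:
        pcr = hashlib.sha256(pcr + bytes.fromhex(digest_hex)).digest()
    return pcr.hex()


def appraise(signed_rim: dict, evidence: dict, key: bytes) -> list:
    """Compare device evidence (event log + quoted PCR0) against the RIM assertions.
    Returns a list of findings; an empty list means the device is in the known-good state."""
    rim = verify_manifest(signed_rim, key)  # 1. establish trust in the reference first
    findings = []
    reference = {c["name"]: c["sha256"] for c in rim["components"]}
    # 2. Fast check: the quote should equal the PCR the reference digests produce.
    if expected_pcr(c["sha256"] for c in rim["components"]) != evidence["pcr0"]:
        findings.append("quoted PCR0 differs from RIM reference value")
    # 3. Per-component diagnosis from the event log.
    measured = {e["name"]: e["sha256"] for e in evidence["event_log"]}
    for name, digest in measured.items():
        if name not in reference:
            findings.append(f"unexpected component measured: {name}")
        elif reference[name] != digest:
            findings.append(f"digest mismatch for {name}")
    for name in reference:
        if name not in measured:
            findings.append(f"reference component not measured: {name}")
    # 4. The log is unsigned; make sure it reproduces the TPM-signed quote.
    if expected_pcr(e["sha256"] for e in evidence["event_log"]) != evidence["pcr0"]:
        findings.append("event log does not reproduce quoted PCR0")
    return findings


# Constructed sample firmware images (not real measurements).
GOOD_FIRMWARE = {
    "SEC_CORE": b"sec core image v1.0",
    "PEI_CORE": b"pei core image v1.0",
    "DXE_CORE": b"dxe core image v1.0",
}
RIM = sign_manifest({
    "tag_id": "example.com/platform-x/firmware-1.0",  # hypothetical identifier
    "components": [{"name": n, "sha256": sha256_hex(img)} for n, img in GOOD_FIRMWARE.items()],
}, MANUFACTURER_KEY)


def make_evidence(images: dict) -> dict:
    """Simulate a boot: measure each image into the log and into PCR0."""
    log = [{"name": n, "sha256": sha256_hex(img)} for n, img in images.items()]
    return {"event_log": log, "pcr0": expected_pcr(e["sha256"] for e in log)}


def demo():
    clean = appraise(RIM, make_evidence(GOOD_FIRMWARE), MANUFACTURER_KEY)
    implanted = dict(GOOD_FIRMWARE, DXE_CORE=b"dxe core image v1.0 + implant")
    bad = appraise(RIM, make_evidence(implanted), MANUFACTURER_KEY)
    # Edit the RIM itself to "approve" the implant: the integrity tag no longer verifies.
    forged = json.loads(json.dumps(RIM))
    forged["payload"]["components"][2]["sha256"] = sha256_hex(implanted["DXE_CORE"])
    try:
        appraise(forged, make_evidence(implanted), MANUFACTURER_KEY)
        forged_rejected = False
    except ValueError:
        forged_rejected = True
    return clean, bad, forged_rejected


if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns no findings for the clean boot, two findings for the implanted DXE core (the PCR0 mismatch, then the component that caused it), and confirms that a RIM edited to bless the implant is rejected before its reference values are ever consulted. That ordering is the point of the manifest's built-in integrity protection: reference values are only as trustworthy as the signature over them.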

Additionally, the PC Client RIM specification has been published with a special focus on platforms that follow the PC Client Platform (PCP) firmware profile. It sets out the requirements for how RIMs and reference values are provided to customers, defining RIM file formats and storage locations within PC Client platforms so that RIMs from the manufacturers of every firmware-bearing device in the PC Client supply chain can be included.

Building a cybersecure ecosystem
Depending on the network, compromised firmware can pose a direct and significant threat to both commercial and national security. The new RIM specifications are therefore timely: they maintain the technology's role in firmware security as the reference against which anomalies are flagged, allowing enterprises to accurately assess the devices within their networks.

Through this set of key security capabilities, TCG is delivering more comprehensive detection of changes to firmware. While complete device security can never be guaranteed, pairing the RIM with other TCG technologies gives operators and organizations across supply chains the means to shut the door on malicious actors and keep their data secure.
