Which technology ensures that only signed software runs during the boot process?

A.  TPM

B.  UEFI

C.  BIOS

D.  HSM

Answer:  B

Explanation:

A. TPM (Trusted Platform Module)
A TPM is a specialized chip on a local endpoint that stores cryptographic keys, passwords, and digital certificates.

The Role: It provides Measured Boot. It takes "hashes" of the boot components and stores them in Platform Configuration Registers (PCRs).

The Distinction: The TPM is like a scale; it measures the software to see if it has changed (Attestation), but it doesn't necessarily stop it from running. UEFI uses the information provided by the TPM, but UEFI is the interface that actually enforces the "Secure Boot" policy.

B. UEFI (Unified Extensible Firmware Interface)
UEFI is the modern replacement for the legacy BIOS. It acts as the software layer between the operating system and the platform firmware.

Why it's the Answer: UEFI includes a feature called Secure Boot. During the boot process, UEFI checks the digital signature of the OS bootloader, kernel, and drivers against a database of trusted certificates stored in the firmware.

The Enforcement: If the signature is missing or has been altered (meaning the software is "unsigned" or malicious), UEFI will refuse to load the component, effectively protecting the system from boot-level malware.

C. BIOS (Basic Input/Output System)
BIOS is the legacy firmware used to initialize hardware during the booting process.

The Weakness: BIOS is old and lacks modern security features. It does not support digital signature verification.

The Security Risk: Because BIOS doesn't check for signatures, an attacker could replace the bootloader with a malicious version, and the BIOS would run it without question. This is why the industry has moved to UEFI.

D. HSM (Hardware Security Module)
An HSM is a high-performance physical device used to manage, process, and store cryptographic keys.

The Scale: While a TPM is a small chip for a single laptop, an HSM is often a rack-mounted device or a PCIe card used by Servers or Certificate Authorities to handle thousands of "heavy" cryptographic operations per second.

The Scope: HSMs are used for protecting the "root keys" of an entire organization; they are not involved in the local boot process of a workstation.

Key Takeaway for the CISSP Exam
The Boot Security Hierarchy:

• UEFI Secure Boot: Ensures only Signed code runs (Enforcement).
• Measured Boot (TPM): Records the Hashes of what ran (Audit/Verification).
• Chain of Trust: Each step of the boot process verifies the next step before handing over control.