Running On-demand Measurements

Running On-demand Measurements

This feature introduces the ability to perform on-demand measurements on the device, run the measurement (verify firmware integrity) of each component, and display the latest logs on the Cloud UI. It also enables a two-step attestation of measurements process by collecting OS data and introduces the concept of OS incidents, such as antivirus updates, BIOS mode switches, and BIOS version updates.

Running On-Demand Measurements from the Cloud

When you click the Run Measurement button in the TSFA Cloud UI, the following steps take place:
  1. Log Retrieval Visibility:
    1. The Cloud application shows the time and status of the most recent log retrieval, providing quick context on the last data collection. Once the measurements are successfully requested, the Report Status displays the corresponding value. 
  2. Measurement Execution:
    1. The Cloud communicates with the Agent, requesting an on-demand measurement for the selected device.
    2. The Agent prompts the Embedded Controller (EC) to run the measurement process.
  3. Data Collection:
    1. The Agent gathers the results of the measurement.
    2. It collects the Trusted Platform Module (TPM) Platform Configuration Registers (PCRs).
    3. The Agent collects the OS-level information to detect any system changes.
  4. Cloud Processing:
    1. The Agent sends the measurements, TPM PCRs, OS data, and the latest BIOS log stored, to the cloud.
    2. The cloud backend compares the newly received data against known, trusted data.
  5. Suspicious Activity Detection:
    1. If discrepancies are found, the system generates an alert or incident for further investigation.
  6. Results Display:
    1. The Cloud UI displays the measurement summary in the device tray.
    2. If changes on the OS level are detected, they are shown in the Incident list or Device Lookup for easy review.
Notes
You can trigger measurements for multiple devices directly from the Cloud interface. Simply go to the Devices page, select the desired devices using the checkboxes, and click the Run Measurement button. If any of the selected devices are in a Pending state, are Unsupported, or already have a measurement request in progress, those devices will be automatically skipped.

Additional Improvements

  1. Clear Event Markers:
    1. Events are now clearly marked with their source, such as BIOS, OS, or EC, making it easier to identify the origin of changes.
  2. Quick Status Updates:
    1. The interface prominently shows the time and status of the last log retrieval, allowing you to assess the recency of your data.
  3. OS Monitoring
    1. The OS events will be generated not only during the data collection and processing for on-demand measurements, but also on a regular basis. The event will be generated in the Cloud as soon as a TSFA agent detects the changes in Windows security. 


Limitations

  1. The measurements can be run only on devices with Active status. Check the Device Status before requesting the measurements.
  2. Make sure the selected devices are online before triggering measurements. If a device is offline when a measurement request is sent, the measurement will automatically be retrieved once the device comes back online.

Running On-Demand Measurements from TSFA Desktop

You can initiate On-demand measurements directly from the ThinkShield Firmware Assurance (TSFA) desktop application.
Click the Run Measurements button to initiate the process of requesting measurements from the embedded controller. The results will appear shortly as an entry in the main table.
Notes
When triggered directly from the desktop, on-demand measurements are not reported to TSFA Cloud. These results remain available locally.


BIOS vs EC Measurements

Both the EC and BIOS perform integrity and security health checks (measurements) for various system components.
BIOS: Automatically performs integrity checks during the boot process, ensuring that all critical firmware components are verified for security and authenticity without requiring user intervention. The result of the BIOS measurement is logged as Subcomponent Code Measurment event that can be found among the events on Device Lookup.
EC: Integrity measurements must be manually initiated by the user through the Cloud or Agent interface. The Run Measurements button enables users to request the EC to verify the integrity of three key components: the BIOS, EC firmware, and Flash Descriptor. The result is logged as On-demand Measurements and can be found among the events in Device Lookup. If any component is detected as corrupted, it will also appear under Incidents.

EC-Measured Components

  1. FD (Flash Descriptor): The Flash Descriptor defines access permissions and controls for various regions of the firmware. It serves as a critical security feature that prevents unauthorized modifications to specific areas of the BIOS.
  2. EC (Embedded Controller): The Embedded Controller firmware manages low-level hardware functions, such as keyboard input, thermal and power management, and sometimes fan control. It operates independently from the CPU and the operating system, remaining functional even in low-power or "off" states.
  3. BIOS (Basic Input/Output System): The BIOS serves as the system’s primary firmware interface between the hardware and the operating system. It initializes hardware components, provides configuration options, and transfers control to the operating system during the boot process.

BIOS-Measured Components

  1. BIOS (Basic Input/Output System)
  2. EC (Embedded Controller)
  3. FD (Flash Descriptor)
  4. Backup
    1. Ensures the integrity of the backup BIOS firmware used for recovery in case of corruption. This measure helps maintain system stability and facilitates the restoration of firmware integrity when needed.
  5. CSME (Converged Security and Management Engine)
    1. Verifies the integrity of the firmware responsible for platform security and remote management functions. CSME handles critical security operations, safeguarding the system against unauthorized access and firmware tampering.
  6. Desc (Descriptor Region)
    1. Ensures the integrity of access permissions and firmware settings within the descriptor region. This measure verifies that sensitive configuration data remains intact and protected from unauthorized modification.
  7. IBB (Initial Boot Block)
    1. Verifies the integrity of the first block of code executed during boot. The IBB ensures the security of the initial boot stages, preventing potential compromises before the operating system loads.

2-layer attestation for EC measurements

When the EC performs the measurement, the TSFA agent collects OS information from the device and generates an incident or event if any changes are detected. This process ensures firmware attestation at both the below-OS and above-OS levels. However, for BIOS-initiated measurements (Subcomponent Code Measurements), OS information is not collected.

Incidents and their Source

Every incident or event displayed on the Incidents page includes the source of information that detected the change. These incidents or events can originate from the BIOS, OS, or EC. BIOS events are generated and logged as a result of the below-OS attestation that BIOS is conducting with the help of EC during the boot.

On the above-OS level, TSFA agent can capture six distinct events:
  1. TPM PCR Change 
  2. BIOS Mode Change
  3. BIOS Version Change
  4. Secure Boot Status Change
  5. Drive Encryption Status Change
  6. Disk Drive Firmware Version Change
With this release, OS events are introduced not only as a result of on-demand measurements but also as a part of routine security monitoring – the changes on the OS level will be reported to Cloud application whenever there is a change on the user's device.

For EC events, TSFA generates only one type of event: on-demand measurements. These events are recorded in the event list to support retrospective analysis, they can be found on the Device Lookup or Incidents page.

The source of an event can be viewed by clicking on the Incident tray.



    • Related Articles

    • About Events and Incidents

      This document provides a structured overview of key security-related incidents logged by ThinkShield Firmware Assurance. Events are categorized based on their nature, severity, and potential impact. Each event includes a brief description, its ...

    • Viewing Incidents Report

      To access this report, navigate to the Incidents section. Here, you'll find a comprehensive list of all recorded incidents, including any issues or errors identified based on criteria set by the IT Admin. Incidents are a specific type of event that ...

    • Strengthening Data Protection Against Advanced Threats

      While the first three layers of data protection provided by Data Defense are robust, they are primarily software-based, which a skilled adversary might attempt to bypass or exploit. For instance, if a threat actor gains administrative control of the ...

    • Using Device Lookup

      The Device Lookup page serves as a comprehensive information source, consolidating all data related to an individual device within the TSFA system. Designed to provide detailed insights, it facilitates the management and troubleshooting of devices. ...

    • Solution Overview

      As defenders focus on traditional software threats, adversaries have shifted to targeting firmware in servers, laptops, and networking equipment—areas where security teams lack visibility and control. By exploiting vulnerabilities, compromising the ...