Secure Manageability
Last updated November 12th, 2024
The Samsung Galaxy Book with the Knox security platform supports a wide range of remote and local management functionality that can be used by IT administrators to configure their fleet. These include the ability to import and export BIOS configurations, and integration with Microsoft Intune for mass configuration.
Password-less BIOS Management
This feature is supported in the Samsung Galaxy Book5 and later models with the Knox security platform.
The traditional usage of BIOS passwords for remote and local management results in several security risks for an organization. Passwords have inherent security weaknesses such as being vulnerable to phishing, keyloggers, and brute-forcing. These risks are amplified if an organization uses the same BIOS password across its fleet.
Storing and managing per-device BIOS passwords securely is also a challenge. Remote BIOS management tools require the administrator to send the BIOS password over the network to the managed machine for authentication, where it is exposed to network sniffing or to malware on a compromised target machine.
To address these security risks, Samsung Galaxy Book with the Knox security platform supports BIOS authentication using password-less public key cryptography, in addition to traditional password-based BIOS authentication.
In this public key cryptography scheme, the IT administrator first generates a key pair: a private key and a public key. The IT administrator then enrolls the public key with the BIOS of a managed device, as shown in Figure 8(a), and later authenticates themselves to the BIOS of the managed device by performing cryptographic operations using the corresponding private key. Unlike with a traditional password, the private key is not directly exposed, but only used to perform cryptographic operations.
Samsung Galaxy Book with the Knox security platform supports the following workflows for enhanced security using public key authentication:
Log in to the BIOS menu
This feature enables IT administrators who are physically present at the managed device to log into the BIOS menu using a one-time PIN (OTP) instead of a password.
As shown in Figure 8(b), the BIOS menu login screen generates a challenge QR code by encrypting an OTP with the previously enrolled IT administrator public key. The IT administrator uses an app on a mobile device to scan the BIOS challenge QR code. The app decrypts the OTP using the IT administrator's corresponding private key and displays the decrypted OTP. The IT administrator then types in the displayed OTP, which the BIOS verifies before allowing login to the BIOS menu.
Remote BIOS configuration through Microsoft Intune
This feature allows IT admins to remotely push BIOS configuration to managed devices through Microsoft Intune using password-less authentication.
As shown in Figure 8(c), the IT administrator creates a digital signature over the BIOS configuration using their private key, and uploads the signed BIOS configuration to Microsoft Intune. Microsoft Intune then pushes the configuration down to the managed devices. The BIOS on each managed device verifies the digital signature on the configuration using the previously enrolled IT administrator public key and applies the configuration only if the signature is valid.
Figure 8: Public key BIOS Management Flows
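The two flows above, modelled end to end as an added example (this is not Samsung's code and says nothing about the product's real key types, PIN format or configuration encoding): the BIOS side holds only the enrolled public key, issues the Figure 8(b) OTP challenge with RSA-OAEP, and verifies the Figure 8(c) configuration signature with RSA-PSS; the six-digit PIN and the single RSA key pair used for both operations are assumptions made for illustration.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// bios holds the BIOS-side state: the enrolled administrator public key and the live config.
type bios struct {
	adminPub *rsa.PublicKey
	config   string
}

// issueChallenge models Figure 8(b): the BIOS draws a one-time PIN and returns it encrypted
// to the enrolled public key (the QR payload), keeping the plain PIN only to check the login.
func (b *bios) issueChallenge() (challenge []byte, expected string, err error) {
	var raw [4]byte
	if _, err = rand.Read(raw[:]); err != nil {
		return nil, "", err
	}
	n := uint32(raw[0])<<24 | uint32(raw[1])<<16 | uint32(raw[2])<<8 | uint32(raw[3])
	expected = fmt.Sprintf("%06d", n%1000000) // six-digit PIN format is a constructed assumption
	challenge, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, b.adminPub, []byte(expected), nil)
	return challenge, expected, err
}

// adminDecryptOTP models the mobile app: the private key is used, never revealed.
func adminDecryptOTP(priv *rsa.PrivateKey, challenge []byte) (string, error) {
	pt, err := rsa.DecryptOAEP(sha256.New(), nil, priv, challenge, nil)
	return string(pt), err
}

// adminSignConfig models Figure 8(c): sign the configuration before uploading it to Intune.
func adminSignConfig(priv *rsa.PrivateKey, cfg string) ([]byte, error) {
	h := sha256.Sum256([]byte(cfg))
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, h[:], nil)
}

// applySignedConfig is the BIOS check: a configuration whose signature does not verify
// under the enrolled key (tampered in transit, or forged by malware) is never applied.
func (b *bios) applySignedConfig(cfg string, sig []byte) error {
	h := sha256.Sum256([]byte(cfg))
	if err := rsa.VerifyPSS(b.adminPub, crypto.SHA256, h[:], sig, nil); err != nil {
		return fmt.Errorf("configuration rejected: %w", err)
	}
	b.config = cfg
	return nil
}
```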
Enhanced Security
Public key-based password-less authentication significantly enhances the security of BIOS management operations as follows:
- Limited Risk of Private Key Exposure: Unlike passwords, private keys can be stored and used through standard, commonly available mechanisms that never expose them to software, such as Trusted Platform Modules (TPMs) on PCs and hardware-backed keystores on mobile devices.
- Secure against OS or Network Compromise: Malware on the OS or network cannot forge a valid digital signature for a maliciously generated or modified configuration. Since the BIOS checks the digital signature on the configuration before applying it, there is a strong guarantee that the BIOS configuration applied is exactly the configuration the IT administrator intended.