Should BIOS firmware be down-gradable to previous versions?

Hi,

There are various discussions around whether the BIOS should be down-gradable.
Use cases:

  1. Large company managing 1000s of Servers and Laptops.
    They would need to be able to remotely upgrade all the servers and laptops if they needed to. So, maybe a physical BIOS write protect switch on the laptop/server is not desirable.
    What if some bug appears in the new BIOS and they wish to downgrade to one that was mostly OK before.
    Some people have mentioned that being able to downgrade might be used by an attacker to downgrade it to a BIOS that has a security issue they can exploit.
    Some people have mentioned that with any software deployment, one always needs that “rollback” option.
    There are lots of security and ease of management trade-offs to consider here.
  2. Individual with a laptop.
    This person might wish to ensure that BIOS updates only happen when they are physically next to the laptop. In which case having a physical write protect switch is ideal.
    If they were trying out a BETA BIOS, it seems reasonable that they should be able to “rollback”, because it's BETA.

Summary:
There are multiple different use cases here.
I think the only way to meet them all is to have the user/large company decide whether the BIOS update is “rollback” capable or not. So, remove that decision from FW and leave it in the hands of the users to decide.
There are various easy ways to implement this approach.

What do people think?

3 Likes

Good question, and I highly doubt that there is a one size fits all correct answer.

For me personally, on the spectrum between convenience and security, I am mostly on the side of “the inconvenience of being locked out of my device is worse than the benefits that tight security can bring”. But I also live in a place where people leave their keys on their (old) truck, just in case their neighbor needs to borrow it, so I’ll wear that bias on my sleeve.

Corporate IT and people who live in high-theft-rate areas are probably on the complete opposite end of the spectrum, and for good reason.

The best balance in my perspective would be that downgrade is allowed as an option, but requires a Machine Owner Key or BIOS Admin password.

1 Like

Just thinking of two major IT issues in the last six months. I would not remove the ability to downgrade the BIOS. It would remove the product for corporate consideration. I’m thinking back to how we deal with it. If you have a process to set them, you should require that password to upgrade or downgrade. If you don’t have it set, you should be able to set them with a script with the ability to flash and manage going forward.

The fail-safe should be a way to clear the BIOS with a process. Either pulling the battery with a clear button… If I have the device all bets are off, as I can connect to the device and the laptop is written off. If the laptop is important, the drive is encrypted with corporate standards and want to be able to manage the device. Protection of the data is via encryption.

Hope this helps… If something needs follow-up please let me know as I’ve marked the thread for notifications.

Andrew