Running On-demand Measurements

Running On-demand Measurements

This feature introduces the ability to perform on-demand measurements on the device, run the measurement (verify firmware integrity) of each component, and display the latest logs on the Cloud UI. It also enables a two-step attestation of measurements process by collecting OS data and introduces the concept of OS incidents, such as antivirus updates, BIOS mode switches, and BIOS version updates.

Running On-Demand Measurements from the Cloud

When you click the Run Measurement button in the TSFA Cloud UI, the following steps take place:

Log Retrieval Visibility:

  1. The Cloud application shows the time and status of the most recent log retrieval, providing quick context on the last data collection. Once the measurements are successfully requested, the Report Status displays the corresponding value. 

Measurement Execution:

  1. The Cloud communicates with the Agent, requesting an on-demand measurement for the selected device.
  2. The Agent prompts the Embedded Controller (EC) to run the measurement process.

Data Collection:

  1. The Agent gathers the results of the measurement.
  2. It collects the Trusted Platform Module (TPM) Platform Configuration Registers (PCRs).
  3. The Agent collects the OS-level information to detect any system changes.

Cloud Processing:

  1. The Agent sends the measurements, TPM PCRs, OS data, and the latest BIOS log stored, to the cloud.
  2. The cloud backend compares the newly received data against known, trusted data.

Suspicious Activity Detection:

  1. If discrepancies are found, the system generates an alert or incident for further investigation.

Results Display:

  1. The Cloud UI displays the measurement summary in the device tray.
  2. If changes on the OS level are detected, they are shown in the Incident list or Device Lookup for easy review.
To run measurements for multiple devices from the Cloud page:
  1. Open the Devices page.
  2. Select one or more devices.
  3. Click Run Measurement.
Devices in a Pending state, unsupported devices, or devices with a measurement already in progress will be automatically skipped.

Additional Improvements

Clear Event Markers:

  1. Events are now clearly marked with their source, such as BIOS, OS, or EC, making it easier to identify the origin of changes.

Quick Status Updates:

  1. The interface prominently shows the time and status of the last log retrieval, allowing you to assess the recency of your data.

OS Monitoring

  1. The OS events will be generated not only during the data collection and processing for on-demand measurements, but also on a regular basis. The event will be generated in the Cloud as soon as a TSFA agent detects the changes in Windows security. 

Limitations

  1. The measurements can be run only on devices with Active status. Check the Device Status before requesting the measurements.
  2. Make sure the selected devices are online before triggering measurements. If a device is offline when a measurement request is sent, the measurement will automatically be retrieved once the device comes back online.

BIOS vs EC Measurements

Both the EC and BIOS perform integrity and security health checks (measurements) for various system components.

BIOS: Automatically performs integrity checks during the boot process, ensuring that all critical firmware components are verified for security and authenticity without requiring user intervention. The results of BIOS measurements are logged as Subcomponent Code Measurement events, which can be found in Device Lookup.

EC: Integrity measurements must be manually initiated by the user through the Cloud or Agent interface. The Run Measurements button allows users to request that the EC verify the integrity of three key components: the BIOS, EC firmware, and Flash Descriptor. The results are logged as On-demand Measurements and can be found in Device Lookup. If any component is detected as corrupted, it will also appear under Incidents.

EC-Measured Components

FD (Flash Descriptor):
The Flash Descriptor defines access permissions and controls for different firmware regions. It acts as a critical security layer by preventing unauthorized modifications to specific areas of the BIOS.

EC (Embedded Controller):
The Embedded Controller firmware manages low-level hardware functions such as keyboard input, thermal and power management, and sometimes fan control. It operates independently of the CPU and the operating system, remaining active even in low-power or “off” states.

BIOS (Basic Input/Output System):
The BIOS is the system’s primary firmware interface between hardware and the operating system. It initializes hardware components, provides configuration options, and transfers control to the operating system during startup.

BIOS-Measured Components

  1. BIOS (Basic Input/Output System): The system’s primary firmware interface between hardware and the operating system.
  2. EC (Embedded Controller): Firmware responsible for managing low-level hardware functions.
  3. FD (Flash Descriptor): Defines access permissions and controls for firmware regions.
  4. Backup: Ensures the integrity of the backup BIOS firmware used for recovery in case of corruption. This measurement helps maintain system stability and facilitates the restoration of firmware integrity when needed.
  5. CSME (Converged Security and Management Engine): Verifies the integrity of the firmware responsible for platform security and remote management functions. CSME handles critical security operations, safeguarding the system against unauthorized access and firmware tampering.
  6. Descriptor Region (Desc): Ensures the integrity of access permissions and firmware settings within the descriptor region. This measurement verifies that sensitive configuration data remains intact and protected from unauthorized modification.
  7. IBB (Initial Boot Block): Verifies the integrity of the first block of code executed during boot. The IBB ensures the security of the initial boot stages, preventing potential compromises before the operating system loads.

2-Layer Attestation for EC measurements

When the EC performs a measurement, the TSFA agent collects OS-level information from the device and generates an incident or event if any changes are detected. This process enables firmware attestation at both the below-OS and above-OS levels.
However, for BIOS-initiated measurements (Subcomponent Code Measurements), OS-level information is not collected.

Incidents and their Source

Every incident or event displayed on the Incidents page includes the source that detected the change. These incidents or events can originate from the BIOS, OS, or EC. 

BIOS events: Generated and logged as a result of below-OS attestation performed by the BIOS with the assistance of the EC during the boot process.

At the above-OS level, the TSFA agent can capture six distinct events:
1. TPM PCR Change 
2. BIOS Mode Change
3. BIOS Version Change
4. Secure Boot Status Change
5. Drive Encryption Status Change
6. Disk Drive Firmware Version Change

With this release, OS events are introduced not only as a result of on-demand measurements but also as part of routine security monitoring. Changes at the OS level are reported to the Cloud application whenever they occur on the user’s device.

EC events: TSFA generates only one type of event—On-demand Measurements. These events are recorded in the event list to support retrospective analysis and can be found in Device Lookup or on the Incidents page.

The source of an event can be viewed by clicking on the Incident tray.

    • Related Articles

    • TSFA Security Event Log Reference

      This document provides a structured overview of key security-related incidents logged by ThinkShield Firmware Assurance. Events are categorized based on their nature, severity, and potential impact. Each event includes a brief description, its ...

    • TSFA Incident Overview

      The TSFA Incident Overview provides a centralized view of all TSFA Security incidents detected across your fleet. It enables administrators to monitor and export events efficiently from a single, organized workspace. Prevalence Incidents Tab To ...

    • Remote BIOS Access and Configuration

      This feature enables Org and MSP Admins to remotely change the BIOS password and manage BIOS settings through Device Management. To access a device’s BIOS settings: Go to the Devices menu in the left panel. Select a device to open the device tray. ...

    • Setting Up Prevalence Event Thresholds

      Org Admins can configure Prevalence Event Thresholds to control how prevalent issues are identified. Values must be between 0.01% and 99.99%, with up to two decimal places. If no decimal is provided, the value is treated as a whole number. Trailing ...

    • Remote ThinkBIOS Management

      This feature enables remote changes to BIOS passwords. To access it, go to Policy Management > ThinkBIOS Management. This feature is available only for licensed ThinkPad, ThinkCenter or ThinkStation devices. You can manage passwords by Devices or ...