🔧 BIOS & Firmware Audit Checklist

Layer 1-2 verification: Secure Boot, firmware integrity, and trusted build validation

Audit Date
__/__/____
Machine Serial
___________
Auditor ID
___________
Witness ID
___________

Pre-Audit Instructions

  1. Verify machine is powered off and unplugged before beginning hardware inspection
  2. Document all existing seal numbers before breaking any seals
  3. Two-person team required: one auditor, one witness
  4. Photograph any anomalies before proceeding
  5. Reference EAC Trusted Build documentation for expected hash values

1. BIOS/UEFI Verification

6 items
  • Secure Boot Status
    Verify Secure Boot is ENABLED in BIOS settings
    Pending
  • BIOS Version
    Record BIOS version and compare to certified version
    Pending
  • BIOS Date
    Record BIOS build date
    Pending
  • Boot Order Locked
    Confirm boot order cannot be modified without admin access
    Pending
  • Setup Password Active
    Verify BIOS setup requires password to access
    Pending
  • External Boot Disabled
    USB/CD boot options are disabled
    Pending

2. Firmware Hash Validation

4 items
  • Firmware Version
    EVS version as certified by EAC VSTL
    Pending
  • On-Device Validation
    Run firmware validation directly on unit
    Pending
  • VSTL Certificate Reference
    Record VSTL test report number
    Pending
  • No Unauthorized Modifications
    Firmware matches Trusted Build exactly
    Pending

3. Expected Firmware Hashes (SHA-256)

Reference
Component Expected Hash (from VSTL) Observed Hash Match
Main Firmware [Obtain from EAC/VSTL documentation]
Boot Loader [Obtain from EAC/VSTL documentation]
OS Image [Obtain from EAC/VSTL documentation]
Application [Obtain from EAC/VSTL documentation]

Note: Obtain official hash values from EAC certification documents or PA Department of State. Hash values in VSTL test report TR-01-01-ESS-2018-02.01.

4. Operating System Validation

4 items
  • OS Version Match
    Operating system matches certified configuration
    Pending
  • Application Allowlist Active
    Only approved applications can execute
    Pending
  • No Unauthorized Applications
    Verify no software outside certified list
    Pending
  • Security Patches Applied
    Any ES&S-approved security updates installed
    Pending