Exam CS0-002 topic 1 question 65 discussion

I think B for me the official Comptia cysa guide states Trusted execution—To initialize security functions, the CPU's security extensions invoke a TPM and secure boot attestation to ensure that a trusted operating system is running. while eFUSE eFUSE is an Intel-designed mechanism to allow a software instruction to blow a transistor in the hardware chip. One use of this is to prevent firmware downgrades, implemented on some games consoles and smartphones. Each time the firmware is upgraded, the updater blows an eFUSE. When there is a firmware update, the updater checks that the number of blown eFUSEs is not less than the firmware version number. Another use of eFUSE is one-time programming (OTP), which is used to seal cryptographic keys and other security information during the firmware development process. OTPs can also use a newer technology called antifuse.

The CySA+ exam outline calls out “trusted firmware updates,” but trusted firmware itself is more commonly described as part of trusted execution environments (TEEs). Trusted firmware is signed by a chip vendor or other trusted party, and then used to access keys to help control access to hardware. TEEs like those used by ARM processors leverage these technologies to protect the hardware by preventing unsigned code from using privileged features.

A System-on-Chip (SoC) implements secure boot or verified boot. It might support a security version number, which prevents downgrading the current firmware to a vulnerable version. Once downgraded to a previous version, an adversary can launch exploits on the SoC and thus compromise the security of the SoC https://cwe.mitre.org/data/definitions/1328.html

Definitely B

Amazon has blown eFuses on Fire TV devices in the past as a way to seemingly prevent newer devices from taking advantage of older software exploits that allowed the device to be rooted or allowed the bootloader to be unlocked. https://www.aftvnews.com/amazon-blows-efuse-on-fire-tv-stick-to-prevent-downgrading-to-old-interface/

Agree with comments on B.

Answer is B - eFuse. This is an excerpt from the CySA Study Guide 2nd Edition, page 457 "Firmware Security Other defensive technologies can also help to secure systems. IBM's eFuse technology has a number of uses that can help with tuning performance or responding to system degradation, but it also has some interesting security applications. For example, an eFuse can be set at the chip level to monitor firmware levels. This is implemented in the Nintendo Switch, which uses eFuse checking to validate whether the firmware that is being installed is older than the currently installed firmware, preventing downgrading of firmware. When newer firmware is installed, eFuses are “burned,” indicating the new firmware level that is installed".

I remember first hearing about eFuse on a lecture about the Xbox 360 security.

Intel Trusted Execution Technology (TXT) uses a TPM and cryptographic techniques to measure software and platform components to prevent malfunctioning or compromised components from running. It protects against software-based attacks that would modify the system configuration. So it would prevent firmware downgrades.

eFUSE is an Intel-designed mechanism to allow a software instruction to blow a transistor in the hardware chip. One use of this is to prevent firmware downgrades, implemented on some games consoles and smartphones. Each time the firmware is upgraded, the updater blows an eFUSE. When there is a firmware update, the updater checks that the number of blown eFUSEs is not less than the firmware version number. Official Comptia Cysa+ Material

I think the answer is B According to McGraw Hill's Comptia CySA+ All in One study guide page(s) 242 - 243: Another security application of eFuses is to store data. For example you could use them to keep track of the latest version of "FIRMWARE" you have loaded on a device. This could ensure that nobody could revert the firmware to an earlier (presumably less secure) version. If you have enough eFuses in the chip you could store cryptographic keys on it, which could be used to verify the integrity of a "FIRMWARE" upgrade by checking its digital signature before installing it.

100% eFuse

"Other defensive technologies can also help to secure systems. IBM's eFuse technology has a number of uses that can help with tuning performance or responding to system degradation, but it also has some interesting security applications. For example, an eFuse can be set at the chip level to monitor firmware levels. This is implemented in the Nintendo Switch, which uses eFuse checking to validate whether the firmware that is being installed is older than the currently installed firmware, preventing downgrading of firmware. When newer firmware is installed, eFuses are “burned,” indicating the new firmware level that is installed." Comptia study guide book

An eFuse allows for the dynamic real-time reprogramming of computer chips. Utilizing a set of eFuses, a chip manufacturer can allow for the circuits on a chip to change while it is in operation. https://learning.oreilly.com/library/view/comptia-cybersecurity-analyst/9780136747000/ch10.xhtml#ch10lev1sec5

The Secure Enclave is a dedicated secure subsystem integrated into Apple systems on chip (SoCs). The Secure Enclave is isolated from the main processor to provide an extra layer of security and is designed to keep sensitive user data secure even when the Application Processor kernel becomes compromised.

B is the only hardware manufacturer implementation i believe.

eFuses are perhaps more commonly used as a one-time programmable ROM. This ranges from writing unique information onto CPUs, or in the case of game consoles and other restricted hardware, preventing downgrades by permanently recording a newer version. https://en.wikipedia.org/wiki/EFuse#:~:text=eFuses%20are%20perhaps%20more%20commonly,permanently%20recording%20a%20newer%20version.