NIST 800-53 REV 5 • SYSTEM AND COMMUNICATIONS PROTECTION

SC-34(3) Hardware-based Protection

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Practitioner Notes

Use hardware-based mechanisms to enforce protection of non-modifiable executables — not just software policies that could be bypassed.

Example 1: Use TPM-based measured boot to create a hardware-anchored chain of trust. Each boot component is measured into the TPM before execution. If any component has been modified, the TPM measurements change and the system can refuse to boot or alert the administrator.
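The measurement chain in Example 1 can be modeled in a few lines. The following is an added illustration, not part of the control text or any vendor tooling: it simulates a single SHA-256 PCR, replays a boot chain through the TPM extend operation, and reports the first stage that deviates from a known-good log. The component names and image bytes are constructed sample data, and `measure`, `replay` and `verify` are hypothetical helper names; a real platform spreads measurements across several PCRs and evaluates them through sealing or remote attestation.

```python
import hashlib
import hmac

def measure(image: bytes) -> bytes:
    """Digest of a boot component, taken before it is executed."""
    return hashlib.sha256(image).digest()

def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM extend operation: PCR_new = SHA-256(PCR_old || digest)."""
    return hashlib.sha256(pcr + digest).digest()

def replay(chain) -> bytes:
    """Fold every measurement, in boot order, into a PCR that starts at zero."""
    pcr = bytes(32)
    for _name, image in chain:
        pcr = extend(pcr, measure(image))
    return pcr

def verify(chain, golden_pcr: bytes, golden_log):
    """Return (ok, culprit): culprit is the first stage deviating from the known-good log."""
    if hmac.compare_digest(replay(chain), golden_pcr):
        return True, None
    for i, (name, image) in enumerate(chain):
        if i >= len(golden_log) or golden_log[i] != (name, measure(image)):
            return False, name
    return False, "<missing stage>"  # chain is a strict prefix of the golden log

# Constructed sample data: stand-ins for real firmware, bootloader and kernel images.
GOOD_CHAIN = [
    ("firmware", b"constructed firmware image v1"),
    ("bootloader", b"constructed bootloader image v1"),
    ("kernel", b"constructed kernel image v1"),
]
GOLDEN_LOG = [(name, measure(image)) for name, image in GOOD_CHAIN]
GOLDEN_PCR = replay(GOOD_CHAIN)

# Same chain with the bootloader altered (constructed).
TAMPERED_CHAIN = [GOOD_CHAIN[0],
                  ("bootloader", b"constructed bootloader image v1 + patch"),
                  GOOD_CHAIN[2]]

if __name__ == "__main__":
    for label, chain in (("good", GOOD_CHAIN), ("tampered", TAMPERED_CHAIN)):
        ok, culprit = verify(chain, GOLDEN_PCR, GOLDEN_LOG)
        print(f"{label}: pcr={replay(chain).hex()[:16]}... ok={ok} culprit={culprit}")
```

Because each extend hashes the previous PCR value, a change in any stage, or a change in the order of stages, alters the final value, and software cannot reset the register to an earlier state without a platform reset.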

Example 2: Deploy systems with hardware write-protect jumpers on BIOS/UEFI flash chips. The firmware cannot be modified by software (even by malware with root access) unless someone physically changes the jumper — requiring physical access to the machine.