There's no way around that. Hash the MBR with SHA-512 or RIPEMD-160 and store the known good hashes on a CD-R. There is no way to drop malware on that MBR, as any attack on the MBR would alter the hash. There are also no collisions with either of those hash algorithms (not even SHA-256 or 128). The downside here is that you have to check it every boot, which can be a PITA. I have to do this in my work environment (even though we have other checks such as TPMs and EFI Trusted Boot in place).

BIOS/EFI can be (and have been) infected with malware. Is it likely? No. Not in the wild at least. I have seen tons of malware with these capabilities; the issue is that ~75-80% of the time they fail. Why? Because even if the brand of BIOS is the same, more often than not there are differences in software/hardware that prevent the malware from infecting that other computer. About a year ago I did some research into BIOS malware and found, surprisingly, that even the sophisticated attacks were hit and miss. One example that comes to mind is two Acer laptops I tested on with the exact same install (Win 7) and the exact same hardware. One had an updated BIOS and the other didn't. The updated one was not infected (the write to the BIOS failed and no changes occurred) while the other one was. So unless you are targeted by someone with a lot (and I mean a LOT) of time and money, you don't need to worry about BIOS attacks as much. Keep all malware out of the system and maintain physical control and you are fine.

My rule of thumb is: if the device is MIA and "magically" reappears, wipe the HDD and sell the hardware just to be safe. Even if it was just stolen and the police retrieve it for you. Wipe the HDD and sell it (or downgrade it to non-sensitive data).
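The per-boot MBR hash check the answer describes, as an added example (not code from the answer's author). It reads the first 512-byte sector, hashes it with SHA-512, and compares it against a stored known-good digest. It goes slightly beyond the answer in one way: it also keeps a separate digest of bytes 0..439 (the bootstrap code), because the disk signature (bytes 440..443) and the partition table (bytes 446..509) change legitimately when you repartition, and a bootkit rewrites the code region, not the table. The device path, baseline file format and the sample MBR bytes are assumptions constructed for the example.

```python
"""Hash the MBR (first 512 bytes of a disk) and compare it with a known-good
baseline. Example code for the answer above, not the author's own script."""
import hashlib
import hmac
import sys

MBR_SIZE = 512
BOOT_CODE_END = 440        # bytes 0..439: bootstrap code (what a bootkit overwrites)
PART_TABLE_START = 446     # bytes 446..509: four 16-byte partition entries
BOOT_SIG = b"\x55\xAA"     # bytes 510..511: boot sector signature


def read_mbr(path):
    """Read the first sector of a block device (e.g. /dev/sda) or a disk image."""
    with open(path, "rb") as f:
        data = f.read(MBR_SIZE)
    if len(data) != MBR_SIZE:
        raise ValueError(f"{path}: short read, got {len(data)} bytes")
    return data


def is_valid_mbr(mbr):
    """A sector without the 0x55AA signature is not a bootable MBR at all."""
    return len(mbr) == MBR_SIZE and mbr[510:512] == BOOT_SIG


def sector_digest(mbr):
    """SHA-512 of the whole sector: the value the answer stores on CD-R."""
    return hashlib.sha512(mbr).hexdigest()


def boot_code_digest(mbr):
    """SHA-512 of the bootstrap code only, so repartitioning does not alarm."""
    return hashlib.sha512(mbr[:BOOT_CODE_END]).hexdigest()


def check_mbr(mbr, known_sector_hex, known_boot_code_hex):
    """Classify the current sector against the stored baseline digests.

    Returns "ok", "table-only-change" (code intact, partition table or disk
    signature changed), "boot-code-changed" (treat as a compromise), or
    "invalid" (missing boot signature)."""
    if not is_valid_mbr(mbr):
        return "invalid"
    if hmac.compare_digest(sector_digest(mbr), known_sector_hex):
        return "ok"
    if hmac.compare_digest(boot_code_digest(mbr), known_boot_code_hex):
        return "table-only-change"
    return "boot-code-changed"


def write_baseline(mbr, out):
    """Baseline file format (assumed for this example): two 'name hex' lines."""
    out.write(f"sector {sector_digest(mbr)}\n")
    out.write(f"bootcode {boot_code_digest(mbr)}\n")


def load_baseline(lines):
    """Parse the two-line baseline back into (sector_hex, bootcode_hex)."""
    values = dict(line.split() for line in lines if line.strip())
    return values["sector"], values["bootcode"]


def build_sample_mbr():
    """Constructed 512-byte MBR used for offline testing; not from a real disk."""
    code = b"\xfa\x31\xc0\x8e\xd8\x8e\xd0\xbc\x00\x7c"   # a few x86 setup bytes
    code = code.ljust(BOOT_CODE_END, b"\x00")
    disk_sig = b"\x12\x34\x56\x78"                       # bytes 440..443
    reserved = b"\x00\x00"                               # bytes 444..445
    entry = bytes([0x80, 0x01, 0x01, 0x00, 0x83, 0xFE, 0xFF, 0xFF,
                   0x00, 0x08, 0x00, 0x00, 0x00, 0x20, 0x03, 0x00])
    table = entry + b"\x00" * 48                          # one active Linux partition
    return code + disk_sig + reserved + table + BOOT_SIG


SAMPLE_MBR = build_sample_mbr()


if __name__ == "__main__":
    # Usage: mbr_check.py baseline /dev/sda > mbr.sha512   (run once, burn to CD-R)
    #        mbr_check.py check /dev/sda /media/cdrom/mbr.sha512   (every boot)
    mode, device = sys.argv[1], sys.argv[2]
    current = read_mbr(device)
    if mode == "baseline":
        write_baseline(current, sys.stdout)
    else:
        with open(sys.argv[3]) as f:
            known_sector, known_code = load_baseline(f)
        verdict = check_mbr(current, known_sector, known_code)
        print(verdict)
        sys.exit(0 if verdict == "ok" else 1)
```

Reading `/dev/sda` directly needs root, and the baseline must live on read-only media (the CD-R in the answer) so the thing being checked cannot also rewrite its own reference value. Anything other than "ok" after a repartition you did not do yourself deserves a look at bytes 0..439 with a disassembler before trusting the machine.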