Technical white paper UEFI Secure Boot on HP business notebooks, desktops, and workstations

Secure Boot overview

Secure Boot is a feature that ensures only authenticated code can start on a platform. The firmware is responsible for preventing launch of an untrusted OS by verifying the publisher of the OS loader against a policy, and it is designed to mitigate rootkit attacks that tamper with the boot path.

Figure 4. UEFI Secure Boot flow. [Figure: Native UEFI -> verified OS loader -> OS start (e.g. Win8). Firmware enforces policy and only starts signed OS loaders it trusts; the OS loader enforces signature verification of later OS components.]

Figure 5. Windows 8 Secure Boot flow. [Figure: boot stages labelled UEFI, Windows 8 OS loader, Kernel, installation, Anti-malware software, 3rd party drivers, start.]

All bootable data requires authentication before the BIOS hands off control to that entity.

The UEFI BIOS checks the signature of the OS loader before loading it. If the signature is not valid, the UEFI BIOS stops the platform boot rather than transferring control to the loader.

Firmware policies

Firmware support of Windows 8 differs between notebooks and desktops/workstations. The following sections describe the differences in policy settings configurable by the user.

Firmware policies for notebooks

There are two firmware policies critical for the support of Windows 8 on notebooks: Secure Boot and Boot Mode.

The Secure Boot policy has the following options:
- Disable
- Enable

When Secure Boot is set to "Enable," the BIOS verifies the boot loader signature before loading the OS.

The Boot Mode policy (for notebooks only) has the following options:
- Legacy
- UEFI Hybrid with compatibility support module (CSM)
- UEFI Native without CSM

When Boot Mode is set to "Legacy," or the UEFI Hybrid Support setting is "Enable," the CSM is loaded and Secure Boot is automatically disabled, regardless of the Secure Boot setting. Only UEFI Native mode without CSM can enforce Secure Boot.

After a complete BIOS re-flash the default configuration is as follows:
- Secure Boot = Disabled
- Boot Mode = Legacy (other modes will be set by Preinstall at the factory according to the OS to be preinstalled)
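The following is an added example, not HP firmware code and not part of this paper, that models the decisions in the Secure Boot flow above and the notebook policy rules in this section: a loaded CSM (Legacy or UEFI Hybrid) switches Secure Boot off regardless of the Secure Boot option; otherwise the firmware checks the OS loader's signature before handing off, and a verified loader then checks later components (Figure 5). The signer lists are modelled on the UEFI db (allowed) and dbx (revoked) variables, with dbx consulted first. Signatures are simulated with a keyed FNV-1a hash, and every signer ID, key and image byte string is a constructed placeholder; real firmware verifies Authenticode signatures against the certificates and hashes held in db/dbx.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy model of the Secure Boot decisions described in the paper (added
 * example, not HP firmware code). A "signature" is simulated as
 * FNV-1a(image) XOR a per-signer key; real firmware verifies Authenticode
 * signatures against the X.509 certificates and hashes in UEFI db/dbx. */

enum boot_mode { MODE_LEGACY, MODE_UEFI_HYBRID_CSM, MODE_UEFI_NATIVE };
struct policy { bool secure_boot_setting; enum boot_mode boot_mode; };  /* the two BIOS options */
struct signer { uint32_t id; uint32_t key; };                           /* hypothetical key material */
struct image  { const uint8_t *data; size_t len; bool has_signature; uint32_t signer_id; uint32_t signature; };
struct trust_store {
    const uint32_t *db;  size_t db_len;    /* allowed signer ids (db)  */
    const uint32_t *dbx; size_t dbx_len;   /* revoked signer ids (dbx) */
    const struct signer *signers; size_t signers_len;
};
enum verdict { ALLOW_UNVERIFIED, ALLOW_VERIFIED, REFUSE_UNSIGNED, REFUSE_REVOKED,
               REFUSE_UNKNOWN_SIGNER, REFUSE_BAD_SIGNATURE };

static uint32_t fnv1a(const uint8_t *d, size_t n)
{
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) { h ^= d[i]; h *= 16777619u; }
    return h;
}
static bool in_list(const uint32_t *l, size_t n, uint32_t v)
{
    for (size_t i = 0; i < n; i++) if (l[i] == v) return true;
    return false;
}
static const struct signer *find_signer(const struct trust_store *ts, uint32_t id)
{
    for (size_t i = 0; i < ts->signers_len; i++) if (ts->signers[i].id == id) return &ts->signers[i];
    return NULL;
}

/* Legacy and UEFI Hybrid both load the CSM, which turns Secure Boot off
 * whatever the Secure Boot option says. */
bool csm_loaded(const struct policy *p) { return p->boot_mode != MODE_UEFI_NATIVE; }
bool secure_boot_effective(const struct policy *p) { return p->secure_boot_setting && !csm_loaded(p); }

/* Signature check: dbx (revocations) is consulted before db (allowed list). */
enum verdict verify_image(const struct trust_store *ts, const struct image *img)
{
    if (!img->has_signature) return REFUSE_UNSIGNED;
    if (in_list(ts->dbx, ts->dbx_len, img->signer_id)) return REFUSE_REVOKED;
    if (!in_list(ts->db, ts->db_len, img->signer_id)) return REFUSE_UNKNOWN_SIGNER;
    const struct signer *s = find_signer(ts, img->signer_id);
    if (!s) return REFUSE_UNKNOWN_SIGNER;
    return (fnv1a(img->data, img->len) ^ s->key) == img->signature ? ALLOW_VERIFIED : REFUSE_BAD_SIGNATURE;
}

/* Firmware decision for the OS loader: policy first, signature second. */
enum verdict firmware_decide(const struct policy *p, const struct trust_store *ts, const struct image *loader)
{
    return secure_boot_effective(p) ? verify_image(ts, loader) : ALLOW_UNVERIFIED;
}

/* Chain as in Figure 5: firmware checks chain[0] (the loader); after a verified
 * start every later component must verify too (same store here, a simplification).
 * Returns how many components started; 0 means the firmware halted the boot. */
size_t boot_chain(const struct policy *p, const struct trust_store *ts, const struct image *chain, size_t n)
{
    if (n == 0) return 0;
    enum verdict v = firmware_decide(p, ts, &chain[0]);
    if (v != ALLOW_VERIFIED && v != ALLOW_UNVERIFIED) return 0;
    size_t started = 1;
    for (size_t i = 1; i < n && (v == ALLOW_UNVERIFIED || verify_image(ts, &chain[i]) == ALLOW_VERIFIED); i++)
        started++;
    return started;
}

/* Constructed sample data: no real keys, images or HP identifiers. */
static const struct signer SAMPLE_SIGNERS[] = { {1, 0xA5A5A5A5u}, {2, 0x5A5A5A5Au}, {3, 0x0BADF00Du} };
static const uint32_t SAMPLE_DB[]  = { 1, 2 };   /* enrolled signers       */
static const uint32_t SAMPLE_DBX[] = { 2 };      /* signer 2 revoked later */
static const struct trust_store SAMPLE_STORE = { SAMPLE_DB, 2, SAMPLE_DBX, 1, SAMPLE_SIGNERS, 3 };
static const uint8_t LOADER_BYTES[]   = "loader (constructed)";
static const uint8_t TAMPERED_BYTES[] = "loader (tampered)";
static const uint8_t KERNEL_BYTES[]   = "kernel (constructed)";
static const uint8_t DRIVER_BYTES[]   = "driver (constructed)";

struct image make_image(const uint8_t *d, size_t n, uint32_t signer_id, bool sign_it)
{
    struct image img = { d, n, sign_it, signer_id, 0 };
    const struct signer *s = find_signer(&SAMPLE_STORE, signer_id);
    if (sign_it && s) img.signature = fnv1a(d, n) ^ s->key;
    return img;
}

/* Decide on the sample loader under a policy; `tamper` swaps the bytes after signing. */
enum verdict decide(bool sb, enum boot_mode mode, uint32_t signer_id, bool sign_it, bool tamper)
{
    struct policy p = { sb, mode };
    struct image loader = make_image(LOADER_BYTES, sizeof LOADER_BYTES, signer_id, sign_it);
    if (tamper) { loader.data = TAMPERED_BYTES; loader.len = sizeof TAMPERED_BYTES; }
    return firmware_decide(&p, &SAMPLE_STORE, &loader);
}

/* Loader and kernel signed by enrolled signer 1, third-party driver by unknown signer 3. */
size_t demo_chain(bool sb, enum boot_mode mode)
{
    struct policy p = { sb, mode };
    struct image chain[3] = { make_image(LOADER_BYTES, sizeof LOADER_BYTES, 1, true),
                              make_image(KERNEL_BYTES, sizeof KERNEL_BYTES, 1, true),
                              make_image(DRIVER_BYTES, sizeof DRIVER_BYTES, 3, true) };
    return boot_chain(&p, &SAMPLE_STORE, chain, 3);
}

int main(void)
{
    printf("UEFI Native + Secure Boot, enrolled signer: verdict %d\n", decide(true, MODE_UEFI_NATIVE, 1, true, false));
    printf("UEFI Hybrid (CSM) + Secure Boot, unknown signer: verdict %d\n", decide(true, MODE_UEFI_HYBRID_CSM, 3, true, false));
    printf("Components started, Native + Secure Boot: %zu of 3\n", demo_chain(true, MODE_UEFI_NATIVE));
    return 0;
}
```

The point the model makes visible is that the Secure Boot option alone says nothing about what the firmware enforces: with the CSM loaded the same unknown-signer loader that is refused in UEFI Native mode starts without any check, which is why the factory default of Legacy plus Secure Boot disabled must be changed together when Secure Boot is wanted.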
