Applies to: Windows | Windows 8.1 | Security, Privacy, and Accounts | Security and Privacy
Discussion
UEFI Secure Boot in Windows 8.1
PREFACE:
This article is not an original contribution of my own. Most parts are extracts from various posts on the
internet. On my part, I have created some bridges to connect these islands of information.
BIOS Vs UEFI
One of the largest underlying changes to Windows 8 is the long-overdue shift from BIOS (Basic Input
Output System) to UEFI (Unified Extensible Firmware Interface).
Platform firmware provides the first set of instructions that run when the computer is switched on. After
the platform firmware finishes detecting hardware and initializes the system, it passes control to the boot
loader in an operating system. Platform firmware is embedded in non-volatile storage like
programmable read-only memory (PROM) or flash memory that's directly attached to a motherboard.
Firmware also resides in hardware devices like video cards and storage controllers as a device driver
contained in dedicated memory chips.
BIOS and UEFI are examples of platform firmware. PCs use one or the other or both.
BIOS firmware was developed using assembly language for the earliest PCs in the 1970s. Although BIOS
is still the most prevalent firmware type, it is limited because it supports only 16-bit processor mode and
1 megabyte (MB) of addressable memory space.
A BIOS is the very first program that is executed once the system is switched on. After all the hardware
has been initialized and the POST (Power On Self Test) operation has completed, the processor will be
ready to start executing. But, since the system memory is empty, the processor doesn't really have
anything to execute, or even know where to look for it. The processor is therefore pre-programmed to
always look at a particular location in the system, the BIOS ROM, for the small bit of start-up code to
begin the boot process. This is typically located at FFFF0h in the mapped memory location. Since there are
only 16 bytes of memory available at this location, it actually contains a "Jump" instruction telling the
processor where to go to find the real start-up program. The Jump instruction is an interrupt-based
search routine for the boot sector from the boot sequence defined in BIOS. Once the first boot sector is
Sushovon Sinha started on November 12, 2013
Page 1 of 8 UEFI Secure Boot in Windows 8.1 - Microsoft Community
7/19/2014 http://answers.microsoft.com/en-us/windows/forum/windows8_1-security/uefi-secure-boot...
found from one of the boot devices, the BIOS will verify the containing boot info and load it into
memory. If it is a hard disk, it looks for a master boot record (MBR) at cylinder 0, head 0, sector 1, the first
sector on the disk. MBR contains three pieces of information: the master partition table, the disk
signature, and the master boot code.
Once the MBR is loaded into memory, the processor executes the master boot code to start the boot
process. At this point the BIOS interrupt moves control of the computer from the BIOS to the actual
operating system.
The master boot code locates the active boot partition from the master partition table and loads into
memory the bootloader program (NTLDR) located in the boot sector of the OS partition (Windows XP)
or the boot manager program located in a separate boot partition (Windows 7, 8). The boot manager
then chainloads or bootstraps the kernel, drivers and finally the complete OS program.
Operating system software acts as an interface between hardware and higher-level software. The
Windows operating system coordinates background activity and manages shared hardware and software
resources among multiple applications.
After device drivers are loaded, Windows no longer interacts directly with platform firmware for hardware
access. The system then relies primarily on high-performance device drivers instead of firmware services.
Although most interaction with the firmware occurs during the boot process, Windows can also interact
with platform firmware at run time as during a BIOS upgrade through the OS.
UEFI was originally EFI, which was developed by Intel as a modern alternative to the PC BIOS. Now it's
supported by an industry consortium. UEFI in essence, is a light-weight operating system, written
primarily in C language, that the computer loads at boot time. Because it's an operating system, UEFI has
full access to your hardware, and it can be programmed to do just about anything (thus the Extensible
part of its acronym). UEFI interfaces can be mouse-driven, and can perform complex tasks such as surfing
the web or backing up your hard drives. It has its own built-in boot menu. It operates in 32-bit and 64-bit
modes.
UEFI requires hard disks in GPT partition structure, instead of the master boot record (MBR)
partition structure that is used in BIOS.
When you install Windows by using the Windows product DVD, Windows Setup detects whether the
computer was booted in UEFI mode or BIOS-compatibility mode, and it configures Windows based on
this selection.
If Windows 8 is already installed using the standard BIOS, it can't be converted to UEFI OS. A new
OS installation will be required. You will need to enable Secure Boot first, then install Windows 8
in UEFI mode.
Unlike the BIOS, the UEFI can exist on a hard disc, just like any other program, or in non-volatile memory
on the motherboard or even on a network share.
The only thing the UEFI can't do is perform the POST and initialise the CPU, memory, and other hardware.
PCs that have the UEFI but no BIOS have separate programs for POST and Hardware Initialisation that run
automatically when the PC is powered on.
At this point, it's important to note that systems can run either the BIOS or the UEFI or both. When
they're both used, the BIOS goes first to run POST (Power On Self Test) and then the UEFI takes over.
As we all know, the BIOS initialization process from POST to Boot loader handoff seems to take a
long time. The UEFI, on the other hand, can run quickly.
In contrast to BIOS, UEFI defines a set of boot and runtime services that have standard syntax and
semantics for interfaces and data structures. This renders all UEFI systems to be independent of the
platform hardware, making it possible to test and develop standard drivers and applications irrespective
of the implementation. This greatly improves interoperability, reduces the complexity of supporting new
hardware, and helps computer manufacturers update and maintain firmware more rapidly.
UEFI has a licensed core, which allows vendors to implement proprietary drivers, support legacy
operating systems, and provide other extensions. During PC boot, the UEFI boot services control the
system. After the operating system takes over only the runtime services are available.
The UEFI has implemented a Security System during boot, called "Secure Boot" which essentially comes
to securing a boot loader with a digital signature that the platform firmware recognizes as a trusted key.
In most PCs today, the pre-operating system environment is vulnerable to malware attacks during boot,
by redirecting the boot loader handoff to possible malicious loaders. These loaders would remain
undetected to operating system security measures and antimalware software.
In Windows XP, the function of the BIOS is to transfer control of the platform firmware to the bootloader
named Master Boot Record (MBR), which is a small program located in the first sector of the computer
hard disc that tells the computer how the hard drive is partitioned, and how to load the operating system.
The MBR is susceptible to boot sector viruses that can corrupt or remove the MBR, which can leave the
hard drive unusable and prevent the computer from booting up.
Starting with Windows 7, the concept of Secure Boot evolved by confining the Boot Manager in the first
partition of the Hard Disc called "System Reserved" - a 100 MB primary active partition
automatically created by the system at the time of Windows 7 installation. The boot loader files in this system
partition are fully concealed, thus eliminating the chances of corruption by malware.
Windows 8 further extends the secure boot implementation of Windows 7, using trusted keys in Boot
Manager to ensure that only properly signed and authenticated components are allowed to execute. UEFI
secure boot works like this: as the boot process executes, each piece of code verifies that the signature
on the next piece of code is valid and if so, passes execution on to it.
As the bootloader loads the Windows Kernel to memory, malware in the kernel can execute for the
system to malfunction. To prevent this, Windows 8 has prioritised the loading sequence of its Anti
Malware program called Windows Defender so that it loads first and before the Windows Kernel. This
process is called Early Launch Anti-Malware (ELAM). The ELAM driver is the first to start in the Windows
Kernel, and evaluates the kernel drivers as Good, Bad or Unknown. The default initialisation policy is to
allow kernel drivers classified as Good or Unknown to initialise. This initialisation policy is managed by the
System Administrator and can be modified to allow only the Good kernel driver to initialise.
By being launched first before any third-party software, ELAM is able to detect malware in the boot
process and prevent it from initializing. Regardless of whether you are using Windows Defender or a
different anti-malware product, Windows 8 has tweaked its load process so that security software runs
first.
Thus Secure Boot prevents rootkits from interfering with the Boot Configuration Data in Boot Manager, and
ELAM ensures that the windows kernel will initialise drivers that are returned good by the Antimalware
program.
UEFI is a community effort by many companies in the personal-computer industry to upgrade the pre-OS
environment. The UEFI Forum is a collection of chipset, hardware, system, firmware, and operating system
vendors. The forum is responsible for developing, managing and promoting UEFI specifications. Microsoft
is a board member of this forum, and the forum is open to any individual or company to join free of cost.
Microsoft is using the Windows Certification program to ensure that systems shipping with Windows 8
have secure boot enabled by default, that platform firmware not allow programmatic control of secure
boot (to prevent malware from disabling security policies in firmware), and that OEMs prevent
unauthorized attempts at updating platform firmware that could compromise system integrity.
According to the UEFI specification, securing a platform means establishing a chain of trust starting with
the platform manufacturer and extending to the operating system vendors (OSV) like Microsoft and even
to Independent Software Vendors (ISV). This chain of trust is instantiated via public key cryptography. The
platform vendor puts a so-called Platform Key (PK) into NVRAM (Non Volatile RAM). This PK represents
the root of trust, i.e. the basis for the trust environment on a UEFI platform. The trust relationship with an
OSV is established by signing their UEFI OS with a key which the PK recognises as valid. Platform security
is enforced by requiring that no code will be executed by the platform firmware unless the UEFI OS has
been signed by a trusted key.
The PK thus provides the anchor point from which the authenticated boot process is built. This is held by
the platform manufacturer, but there is no reason that it could not be held by an enterprise that wishes
to have full control of Secure Boot in their particular organization. Naturally there can be only one PK on
a platform.
In addition to the PK, the UEFI specification mandates two trust anchor databases:
The Key Enrollment Key (KEK) database. Also known as Key Exchange Key.
The Allowed Signature (db) database.
The KEK database contains those trust anchors that are allowed to modify the Allowed Signature (db)
database and Forbidden database (dbx). The KEK however cannot make any change to the PK. The
Allowed Signature (or White List) database in turn contains those trust anchors that are used when
verifying the signature on UEFI images. This database lists the signers or image hashes of UEFI
applications, OS loaders, UEFI drivers, etc. that can be loaded on the platform. The Forbidden (dbx)
database is also known as the Revoked Signature or Black List database. This database identifies keys that
have been revoked and hashes of images that are no longer trusted and may not be loaded. PK and KEKs
can be used to modify db and dbx.
The trust keys are in the form of digital certificates and/or hashes.
A digital certificate consists of a key pair, private and public. The private key is confidential and is used
to sign/encrypt (lock) a piece of software. The public key is provisioned openly to decrypt (unlock) the
signed software. A digital certificate therefore confirms the identity of a software source.
A hash is a complex function that basically reduces a software document or program to a condensed
series of bits. An encrypted software containing its hash is an additional security measure to assure the
sanctity of the software.
The authenticity validation of the UEFI OS is controlled by the platform manufacturer or the owner of the
PC. This is achieved by encrypting the UEFI OS with a digital certificate during installation, whose Public
Key is assigned to the Platform Key PK to decrypt the same at runtime. The sanctity validation of device
drivers and software components executing within the UEFI OS is controlled by the OS Vendor, by
defining the hash of these components in the signature database db.
As far as the current version (2.3.1) of the UEFI Specification is concerned, the chain of trust terminates
when the platform firmware (UEFI) hands control over to an operating system.
Essentially it means that the Platform Key (PK) initiates the authenticity validation of the platform
firmware (UEFI OS) by decrypting it, thereby making it possible to execute. Next the UEFI OS goes to
validate the sanctity of the Hardware drivers and the OS bootloader by generating their hash and then
comparing it with the one in the Authorised database (db), before allowing them to execute. At the
instance when the bootloader is executed, the OS takes over and the task of malware identification is
passed on to the Windows Defender security system.
There lies a catch however. In a PC with a dual OS requirement, of which one is to be Windows 8 and
another non-Windows, there can exist only a single UEFI OS as the platform firmware. If Windows 8 is to
be the primary OS, then obviously Microsoft UEFI will assume the role of platform firmware. The extent to
which Microsoft UEFI will support the booting of other operating systems from within its own UEFI, is a
policy matter that is in ongoing evolution amongst OS vendors as part of the UEFI committee. One thing is
clear though; PCs manufactured by OEMs under the Windows 8 logo program, will not permit dual OS.
If Dual OS is a pre-requisite for a PC, then the safest choice as of now, is to install the operating systems
in Legacy BIOS mode. With some time to invest, it can be a worthwhile effort to study and investigate the
compatibility of the other operating system in UEFI environment with Microsoft UEFI in particular, at least
after disabling Secure Boot.
UEFI implementation in Windows
Many computers built prior to Windows 8 took advantage of UEFI architecture to standardize firmware
stacks, but were used in BIOS mode to remain compatible with prevailing factory processes, tools, legacy
operating systems, drivers, option ROMs, and some applications. These UEFI computers are called "Class
2" UEFI as defined by Intel. This means that they have the capability to boot into native UEFI mode, but in
practice most computers boot into legacy BIOS mode using a Compatibility Support Module (CSM). The
above figure demonstrates the boot flow path for Class 2 systems.
The gold elements in the diagram indicate legacy BIOS-style startup. The green arrows show native UEFI
mode boot. The blue arrow indicates a system that attempts to boot into UEFI mode to an OS that does
not support it. UEFI configured with CSM enabled reverts the boot process to BIOS mode via the CSM.
This is called progressive boot.
While Windows has had support for the Unified Extensible Firmware Interface (UEFI) prior to Windows 8,
the standard method for booting remained with the BIOS firmware. This changes with Windows 8, with
UEFI being the new standard for Platform Firmware and is mandated as part of Windows 8 certification
requirement for OEM PCs manufactured under Windows 8 Logo program. BIOS firmware continues to be
supported in Windows 8 for maintaining compatibility with older hardware.
However the newer motherboards for retail are designed for dual compatibility with both BIOS and UEFI,
since legacy BIOS may still be the preferred implementation for POST and Hardware Initialisation (as UEFI
cannot perform these functions). Also POST requires hand off to the Platform Firmware which can either
be the BIOS itself or UEFI OS. With UEFI Boot enabled within BIOS, the PC will first attempt to boot via
UEFI OS, failing which it will use the legacy BIOS boot sequence. This new type of BIOS is called UEFI
BIOS.
Remember that, while BIOS is supplied by the Motherboard manufacturer, the UEFI OS is supplied by the
primary operating system vendor which is Microsoft for Windows 8 computer.
The UEFI OS can be installed "only" during Windows 8 installation. If UEFI is not installed, the computer
cannot boot into UEFI mode and cannot have the Secure Boot feature.
To install UEFI OS, first enable UEFI Boot and Secure Boot in BIOS. While enabling Secure Boot, be sure to
choose the command which loads the Secure Boot database with the trust keys (PK, KEK, db, dbx). Next you
need to have your Hard Disks in GPT structure. You can do this during Windows 8 installation, or before
the installation through Windows Disk Management, if your system is already running a previous version
of Windows.
Insert the Windows 8 installation disc and boot the PC. Press the appropriate key to enter the BIOS setup
and verify that the Secure Boot Key Databases are installed. Re-boot and press the appropriate key to
enter the BIOS Boot Selector Menu. Select the option for UEFI OS installation. The exact procedure varies
according to the motherboard manufacturer. You must read the documentation carefully and follow the
steps mentioned for UEFI installation.
With Windows 8, the BIOS with CSM is replaced by UEFI BIOS provided by the motherboard
manufacturer. Enable/Disable switches for "UEFI Boot", "Legacy Boot" and "Secure Boot" in the UEFI BIOS
boot menu settings help a user to choose a configuration that best meets his requirement.
So in an assembled Windows 8 UEFI computer, the UEFI BIOS can be user configured for the following
possible Boot scenarios:
(i)UEFI Boot = Enabled, Secure Boot = Enabled. Legacy Boot will get automatically Disabled if Secure
Boot is enabled.
Here the computer will boot in pure UEFI environment without any Legacy BIOS Support as in
computers built under Windows 8 certification program.
Only Firmware supporting the UEFI standard can be used.
(ii)UEFI Boot = Enabled, Legacy Boot = Enabled. Secure Boot will get automatically Disabled if Legacy
Boot is enabled.
Here the computer will first attempt to boot in UEFI mode, failing which it will use the Legacy BIOS
support for booting UEFI-incompatible OS.
Meant for computers with Dual OS of which one is UEFI incompatible. Secure Boot will not be available.
(iii)UEFI Boot = Disabled, Legacy Boot = Enabled. Secure Boot will automatically get disabled as Secure
Boot is supported only via UEFI Boot.
Here the computer will boot via BIOS without any UEFI support.
Meant for OS without UEFI support. Secure Boot will not be available.
You can enable / disable Secure Boot in an assembled Windows 8 UEFI computer. In a Windows 8 BIOS
computer, simply enabling UEFI Boot (with or without Secure Boot) in BIOS will not render it a UEFI
system. In fact, the computer will not boot unless Legacy BIOS boot is also enabled, in which case the
UEFI and Secure Boot switches essentially remain dummy.
Finally one word of caution! In an assembled Windows 8 UEFI computer, some of the hardware devices
may not work, as the device trust key (hash) may not be acknowledged by the UEFI signature database. In
such a situation, the only alternative to get the PC working is to disable Secure Boot in the UEFI
BIOS. Disabling Secure Boot followed by re-enabling it regenerates the trust keys in the signature
database. This offers a possibility to add the trust key of a newly connected hardware device.
The Future of UEFI: Microsoft is actively pursuing UEFI and Secure Boot as it holds the future of Laptops
and Tablets as a thin client with the Windows operating system being stationed in the cloud (Server).
Windows 8.1 has already taken a step in this direction by facilitating document storage on SkyDrive and
integrating this onto the File explorer.
I hope you had the patience to read through a very detailed write-up.
Regards,
Sushovon Sinha
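The MBR layout the post walks through (master boot code, disk signature, partition table, and the active flag the master boot code follows), as an added example that is not part of the original post. The sample sectors are constructed in the code, not captured from a real disk; the offsets and the 55 AA boot signature are the standard MBR layout. The protective-MBR check at the end ties in to the GPT requirement the post mentions: a GPT disk still carries an MBR, but with a single 0xEE placeholder entry that legacy tools must not touch.

```python
# Added example (not from the forum post): parse a 512-byte MBR sector the way the
# BIOS boot path described above consumes it. Sample sectors are constructed.
import struct

SECTOR = 512
TABLE_OFFSET = 446          # four 16-byte partition entries live here
DISK_SIG_OFFSET = 440       # 4-byte Windows disk signature
ACTIVE_FLAG = 0x80
GPT_PROTECTIVE_TYPE = 0xEE  # placeholder entry type in a GPT disk's protective MBR


def build_mbr(entries, disk_sig=0, boot_code=b""):
    """Construct a sector. entries: list of (active, type, lba_start, sector_count)."""
    sector = bytearray(SECTOR)
    code = boot_code[:DISK_SIG_OFFSET]
    sector[:len(code)] = code
    struct.pack_into("<I", sector, DISK_SIG_OFFSET, disk_sig)
    for i, (active, ptype, lba, count) in enumerate(entries[:4]):
        status = ACTIVE_FLAG if active else 0
        # status, CHS start (3 bytes, unused here), type, CHS end, LBA start, sector count
        struct.pack_into("<B3sB3sII", sector, TABLE_OFFSET + 16 * i,
                         status, b"\0\0\0", ptype, b"\0\0\0", lba, count)
    sector[510:512] = b"\x55\xAA"   # boot signature: byte 510 = 0x55, byte 511 = 0xAA
    return bytes(sector)


def parse_mbr(sector):
    """Return boot_code, disk_sig and the partition entries; raise if the sector lacks
    the 55 AA boot signature, which is what the BIOS checks before jumping into it."""
    if len(sector) != SECTOR or sector[510:512] != b"\x55\xAA":
        raise ValueError("not a valid MBR: boot signature 55 AA missing")
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(
            "<B3sB3sII", sector, TABLE_OFFSET + 16 * i)
        if ptype == 0:
            continue                  # empty slot
        if status not in (0, ACTIVE_FLAG):
            raise ValueError(f"entry {i}: invalid status byte {status:#x}")
        parts.append({"index": i, "active": status == ACTIVE_FLAG, "type": ptype,
                      "lba_start": lba, "sectors": count})
    return {"boot_code": sector[:DISK_SIG_OFFSET],
            "disk_sig": struct.unpack_from("<I", sector, DISK_SIG_OFFSET)[0],
            "partitions": parts}


def active_partition(mbr):
    """The partition the master boot code would chain to; None when nothing is
    bootable, ValueError when more than one entry is flagged (a corrupt table)."""
    active = [p for p in mbr["partitions"] if p["active"]]
    if len(active) > 1:
        raise ValueError("more than one active partition")
    return active[0] if active else None


def is_gpt_protective(mbr):
    """True for the protective MBR a GPT disk carries (one 0xEE entry)."""
    return any(p["type"] == GPT_PROTECTIVE_TYPE for p in mbr["partitions"])


# Constructed samples: a Windows 7-style disk (100 MB active System Reserved partition
# followed by the OS volume) and the protective MBR of a GPT disk.
WIN7_MBR = build_mbr([(True, 0x07, 2048, 204800), (False, 0x07, 206848, 100000000)],
                     disk_sig=0xDEADBEEF, boot_code=b"\xFA\x33\xC0")
GPT_MBR = build_mbr([(False, GPT_PROTECTIVE_TYPE, 1, 0xFFFFFFFF)])

if __name__ == "__main__":
    m = parse_mbr(WIN7_MBR)
    print(f"disk signature {m['disk_sig']:#010x}, active partition: {active_partition(m)}")
    print("GPT protective MBR?", is_gpt_protective(parse_mbr(GPT_MBR)))
```

Feeding the first 512 bytes of a real disk image to parse_mbr works the same way; the 0xEE check is the quick way to tell a GPT disk from a legacy one before trusting the partition table.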
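The db / dbx decision described in the post, as an added example that is not part of the original post. It parses the EFI_SIGNATURE_LIST format that the db and dbx variables actually hold (the layout and the two GUIDs EFI_CERT_SHA256_GUID and EFI_CERT_X509_GUID are from the UEFI specification) and then applies the admission rule: anything matched in dbx is refused before db is consulted, an image may be allowed by hash or by a trusted signer, and a signature from a trusted signer must still verify over the image. Everything else is constructed for illustration: the toy textbook RSA key (two Mersenne primes, no padding, public knowledge, a stand-in for the Authenticode verification real firmware performs), the "certificate" encoding (just n || e rather than DER), the signature-owner GUID and the sample images.

```python
# Added example (not from the forum post): model the db / dbx decision Secure Boot makes
# for an image. EFI_SIGNATURE_LIST layout and GUIDs are per the UEFI spec; the toy RSA
# key, the n||e "certificate", the owner GUID and the sample images are constructed.
import hashlib
import struct
import uuid

EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
LIST_HDR = struct.Struct("<III")   # SignatureListSize, SignatureHeaderSize, SignatureSize


def build_signature_list(sig_type, owner, entries):
    """One EFI_SIGNATURE_LIST holding one EFI_SIGNATURE_DATA per entry (equal sizes)."""
    sig_size = 16 + len(entries[0])                      # SignatureOwner GUID + data
    body = b"".join(owner.bytes_le + e for e in entries)
    return sig_type.bytes_le + LIST_HDR.pack(16 + LIST_HDR.size + len(body), 0, sig_size) + body


def parse_signature_lists(blob):
    """Yield (type, owner, data) for every entry in a db/dbx variable (a chain of lists)."""
    off = 0
    while off < len(blob):
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = LIST_HDR.unpack_from(blob, off + 16)
        pos, end = off + 16 + LIST_HDR.size + hdr_size, off + list_size
        while pos + sig_size <= end:
            yield sig_type, uuid.UUID(bytes_le=blob[pos:pos + 16]), blob[pos + 16:pos + sig_size]
            pos += sig_size
        off = end


# Toy textbook RSA (constructed): modulus from Mersenne primes M127 and M521, so the
# private key is derivable by anyone; it only shows the mechanics of "signer in db".
_P, _Q = (1 << 127) - 1, (1 << 521) - 1
TOY_N, TOY_E = _P * _Q, 65537
_TOY_D = pow(TOY_E, -1, (_P - 1) * (_Q - 1))
TOY_CERT = TOY_N.to_bytes(82, "big") + TOY_E.to_bytes(4, "big")   # stand-in for a DER cert


def toy_sign(image):
    return pow(int.from_bytes(hashlib.sha256(image).digest(), "big"), _TOY_D, TOY_N)


def toy_verify(cert, image, sig):
    n, e = int.from_bytes(cert[:82], "big"), int.from_bytes(cert[82:], "big")
    return pow(sig, e, n) == int.from_bytes(hashlib.sha256(image).digest(), "big")


def secure_boot_verdict(db, dbx, image, signer_cert=None, signature=None):
    """Return (allowed, reason). dbx is checked first, so a revoked hash or signer
    cannot be rescued by a matching db entry."""
    digest = hashlib.sha256(image).digest()
    db_l, dbx_l = list(parse_signature_lists(db)), list(parse_signature_lists(dbx))

    def has(lists, sig_type, value):
        return any(t == sig_type and data == value for t, _, data in lists)

    if has(dbx_l, EFI_CERT_SHA256_GUID, digest):
        return False, "image hash is in dbx"
    if signer_cert and has(dbx_l, EFI_CERT_X509_GUID, signer_cert):
        return False, "signer certificate is in dbx"
    if has(db_l, EFI_CERT_SHA256_GUID, digest):
        return True, "image hash is in db"
    if signer_cert and has(db_l, EFI_CERT_X509_GUID, signer_cert):
        if signature is not None and toy_verify(signer_cert, image, signature):
            return True, "signed by a db signer"
        return False, "signer is trusted but the signature does not verify"
    return False, "no matching trust anchor"


OWNER = uuid.UUID("12345678-1234-5678-1234-56789abcdef0")   # constructed SignatureOwner
GOOD_LOADER = b"constructed good bootloader image"
REVOKED_LOADER = b"constructed loader later found malicious"
OPTION_ROM = b"constructed unsigned option ROM allowed by hash"
DB = (build_signature_list(EFI_CERT_X509_GUID, OWNER, [TOY_CERT]) +
      build_signature_list(EFI_CERT_SHA256_GUID, OWNER, [hashlib.sha256(OPTION_ROM).digest()]))
DBX = build_signature_list(EFI_CERT_SHA256_GUID, OWNER, [hashlib.sha256(REVOKED_LOADER).digest()])


def demo():
    """Run the five cases a practitioner cares about and return their verdicts."""
    sig = toy_sign(GOOD_LOADER)
    return {
        "good": secure_boot_verdict(DB, DBX, GOOD_LOADER, TOY_CERT, sig),
        "tampered": secure_boot_verdict(DB, DBX, GOOD_LOADER + b"!", TOY_CERT, sig),
        "revoked": secure_boot_verdict(DB, DBX, REVOKED_LOADER, TOY_CERT, toy_sign(REVOKED_LOADER)),
        "by_hash": secure_boot_verdict(DB, DBX, OPTION_ROM),
        "unknown": secure_boot_verdict(DB, DBX, b"constructed unknown image"),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:9s} -> {verdict}")
```

On a Windows 8.1 machine booted in UEFI mode, Confirm-SecureBootUEFI in an elevated PowerShell reports whether Secure Boot is on, and (Get-SecureBootUEFI -Name db).Bytes returns the raw variable contents; parse_signature_lists accepts those bytes as-is, which is a quick way to see which signers and hashes the firmware actually trusts.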
All Replies (7)
Muhammad KhawarNadeem replied on December 1, 2013
You. Are. Amazing.
Thank you. This was brilliantly written, and I appreciate the time it must have taken to put this together. :)

JohnTeichman replied on February 15, 2014
Very helpful article, but I am looking for something quite practical. Where do I get the KEK and DB
certificates for Win 8.1? I'm building my own PC using a Gigabyte board with UEFI and Win 8.1. I'm following
the instructions from Intel that point to keys that don't exist on the MS site:
http://uefidk.intel.com/content/tutorial-practical-uefi-secure-boot-part-1-3
Seems I need these if I'm starting from scratch. Where can I get them? Thanks.

Sushovon Sinha replied on February 15, 2014
In reply to JohnTeichman's post on February 15, 2014
Dear John,
When you install Win 8.1 OS, you have the choice to install it under BIOS or UEFI OS environment.
The choice must be set in BIOS > Boot Configuration prior to Win 8.1 installation. The available options
generally are:
Legacy Boot - Enable / Disable
UEFI Boot - Enable / Disable
Secure Boot - Enable / Disable
For UEFI Boot, it is essential that the OS hard drive be in GPT partition structure.
The motherboard documentation will specify the exact steps and commands necessary for Windows 8.1
installation under UEFI OS.
The Secure Boot option is applicable only when you have UEFI Boot installed. It is here that KEK and DB keys
are required.
Intel Desktop Boards embed the default secure boot keys for Microsoft Windows 8. These boards, and
required BIOS versions, have been tested and passed the Windows Hardware Certification Kit (WHCK) for
Microsoft Windows 8.
The secure keys can be loaded into the database by enabling Secure Boot in BIOS and then applying a
command under the Secure Boot Menu typically as "Force / Load Secure Boot Defaults".
I advise that you enable Secure Boot after installation of Win 8.1 in UEFI mode.
If the system is unable to generate the secure keys for any of the hardware drivers, then that hardware will not
function. Manually generating Secure keys requires specialised guidance from the motherboard and OS
vendor. In such a case, the easiest workaround is to disable Secure Boot.
Secure Boot as of now is actually intended for OEM computers manufactured under Windows 8 logo
program.
The following link offers some information on Gigabyte motherboards for Windows 8:
http://www.gigabyte.in/MicroSite/314/windows8.html
The following link outlines the procedure for installing Win 8 UEFI and enabling Secure Boot on Intel
platform:
https://communities.intel.com/community/itpeernetwork/vproexpert/blog/2012/06/26/microsoft-windows-8-
-enabling-secure-boot
Regards,
Sushovon Sinha
JohnTeichman replied on February 17, 2014
In reply to Sushovon Sinha's post on February 15, 2014
Thanks Sushovan! I checked my UEFI bios and don't see the secure boot option. It's a Gigabyte GA-Q87m-d2h
so I'll contact their support. Windows 8.1 is complaining that SecureBoot is not enabled so I must not
have got it. Thanks.

Sushovon Sinha replied on February 18, 2014
In reply to JohnTeichman's post on February 17, 2014
Hello John,
I think the UEFI BIOS is that of Gigabyte and not of Microsoft. The Secure Boot option is a Win 8
proprietary security feature applicable only on Microsoft Windows UEFI OS.
Windows UEFI OS can only be installed at the time of Windows 8 installation.
The other meaning of proprietary is "My way or the highway" when it comes to taking control of the
Platform :)
Regards,
Sushovon Sinha
balakrishna3283 replied on March 17, 2014
In reply to Sushovon Sinha's post on February 15, 2014
Hi,
Can you suggest any IBM servers which are compatible with uEFI 2.3.1

Sushovon Sinha replied on March 17, 2014
In reply to balakrishna3283's post on March 17, 2014
Dear Balakrishna,
This is a question that would be best answered by the IBM server support team. Request you to contact them
to get all the necessary clarifications.
Regards,
Sushovon Sinha