Manualshelf

EFI Preboot Guidelines and Windows 8 UEFI Secure Boot for HP Business Notebooks and Desktops PPS Business Notebook and Desktop - Technical White Paper

ManualsBrandsHP ManualsDesktopsHP Compaq Elite 8300 Small Form Factor PC
12345678910
Technical white paper | UEFI Secure Boot on HP business notebooks, desktops, and workstations
6
ESP partition for HP UEFI and Pre-boot applications for GPT formatted disks
When a native UEFI-aware operating system is installed, the ESP partition is automatically created. One of the elements the
ESP contains is the boot loader image for the operating system. The ESP is an enumerable Fat32 partition and does not
have a drive letter assigned. The ESP must follow the format defined in the “UEFI System Partition Subdirectory Registry,”
please refer to http://www.UEFI.org/specs/esp_registry for details.
Starting with 2012 platforms, a preinstall image of UEFI Windows 8 is available. Several HP components now reside on the
ESP instead of the HP_TOOLS partition. The advantage of residing in ESP partition vs. HP_TOOLS is that components are
available when you are not using the HP preinstall image. However, the default size of the ESP is 100MB so HP’s overall
component size is limited.
Installation software for these UEFI components should first enumerate all Fat32 partitions, and copy the firmware
packages to the ESP. The ESP can be located comparing the partition GUID to the ESP GUID definition, see the UEFI
Specification version 2.3.1 for details. If the installation software cannot find the ESP, This indicates that the ESP is a legacy
MBR system, not the GPT system.
How BIOS launches UEFI applications
When an UEFI application is launched, it has as much control of the system resources as the BIOS does. Because UEFI
applications reside on a publicly accessible drive partition, they are not secure. The BIOS launches only UEFI applications that
are considered BIOS extensions such as HP Advanced Diagnostics and the BIOS Recovery utility.
On desktops and workstations, If Secure Boot is disabled, the user may launch any UEFI application from the Run UEFI
Application option of the BIOS Startup Menu.
Note
To reduce security vulnerability, execute only HP-signed UEFI applications.
For HP-signed UEFI applications
All HP UEFI applications contain two files stored under the same subdirectory as the UEFI application: filename.EFI and
filename.sig.
NonHP-signed UEFI applications
For notebooks
Non-HP-signed UEFI applications can be launched by booting to the UEFI Shell or other UEFI Applications by using the Boot
from UEFI File option. Boot from UEFI File is invoked by pressing the F9 Key to launch Boot Manager. All available boot
options are list under the Boot Option Menu. Selecting Boot from UEFI File presents the File Explorer Screen which lists all
available file system mappings. Each entry allows viewing it’s volume structure. Once the desired UEFI Application is found,
highlight the entry followed by pressing the enter key will launch the application. For security reasons, the function can be
disabled by the BIOS administrator.
For desktops/workstations
Non-HP-signed UEFI applications can be launched from the Run UEFI Application option of the BIOS Startup Menu.