EFI Preboot Guidelines and Windows 8 UEFI Secure Boot for HP Business Notebooks and Desktops PPS Business Notebook and Desktop - Technical White Paper
Technical white paper | UEFI Secure Boot on HP business notebooks, desktops, and workstations 
Secure Boot overview 
Secure Boot is a feature that ensures only authenticated code can start on a platform. The firmware is responsible for 
preventing the launch of an untrusted OS by verifying the publisher of the OS loader based on policy. The feature is 
designed to mitigate rootkit attacks. 
Figure 4. UEFI Secure Boot flow. 
•  Firmware enforces policy and only starts signed OS loaders it trusts. 
•  OS loader enforces signature verification of later OS components. 
Figure 5. Windows 8 Secure Boot flow. 
•  All bootable data requires authentication before the BIOS hands off control to that entity. 
•  The UEFI BIOS checks the signature of the OS loader before loading it. If the signature is not valid, the UEFI BIOS will 
stop the platform boot. 
Firmware policies 
Firmware support of Windows 8 differs between notebooks and desktops/workstations. The following sections describe the 
differences in policy settings configurable by the user. 
Firmware policies for notebooks 
There are two firmware policies critical for the support of Windows 8 on notebooks: Secure Boot and Boot Mode. 
The Secure Boot policy has the following options: 
•  Disable 
•  Enable 
When Secure Boot is set to “Enable,” the BIOS will verify the boot loader signature before loading the OS. 
The Boot Mode policy (for notebooks only) has the following options: 
•  Legacy 
•  UEFI Hybrid with compatibility support module (CSM) 
•  UEFI Native without CSM 
When Boot Mode is set to “Legacy” or the UEFI Hybrid Support setting is “Enable,” the CSM is loaded and Secure Boot is 
automatically disabled.  
After a complete BIOS re-flash the default configuration is as follows: 
•  Secure Boot = Disabled 
•  Boot Mode = Legacy (Other modes will be set by Preinstall at the factory according to the OS to be preinstalled.) 
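Because a BIOS re-flash or a Boot Mode change can leave Secure Boot off without any visible symptom, the effective state is worth confirming from the installed OS. The following is an added example, not part of the HP white paper: it uses the Windows cmdlets `Confirm-SecureBootUEFI` and `Get-SecureBootUEFI`, and the function name `Get-SecureBootState` is hypothetical. It assumes an elevated PowerShell session on Windows 8 or later.

```powershell
# Added example: report the effective Secure Boot state of the running system.
# Get-SecureBootState is a hypothetical helper name, not an HP or Microsoft tool.
function Get-SecureBootState {
    [CmdletBinding()]
    param()

    $result = [ordered]@{
        ComputerName = $env:COMPUTERNAME
        FirmwareBoot = 'Unknown'
        SecureBoot   = 'Unknown'
        SetupMode    = 'Unknown'
        Finding      = ''
    }

    try {
        # Returns $true/$false on a UEFI boot; throws on a legacy BIOS boot.
        $enabled = Confirm-SecureBootUEFI -ErrorAction Stop
        $result.FirmwareBoot = 'UEFI'
        $result.SecureBoot   = if ($enabled) { 'Enabled' } else { 'Disabled' }

        # SetupMode = 1 means no Platform Key is enrolled, so nothing is enforced.
        $setup = Get-SecureBootUEFI -Name SetupMode -ErrorAction Stop
        $result.SetupMode = if ($setup.Bytes[0] -eq 1) { 'Setup' } else { 'User' }

        $result.Finding = if ($enabled) {
            'OK: firmware verifies the OS loader signature before loading it.'
        } else {
            'Secure Boot is off: check the Secure Boot policy and whether the CSM is loaded.'
        }
    }
    catch [System.PlatformNotSupportedException] {
        # The cmdlet is unsupported when the OS was not started through UEFI.
        $result.FirmwareBoot = 'Legacy BIOS'
        $result.SecureBoot   = 'Not available'
        $result.Finding      = 'Not a UEFI boot: Secure Boot cannot be enforced in this Boot Mode.'
    }
    catch [System.UnauthorizedAccessException] {
        $result.Finding = 'Access denied: rerun from an elevated session.'
    }
    catch {
        $result.Finding = "Query failed: $($_.Exception.Message)"
    }

    [pscustomobject]$result
}

Get-SecureBootState | Format-List
```

A `Disabled` result on a UEFI boot does not say which policy caused it: per the rules above, both a Secure Boot setting of “Disable” and a loaded CSM produce the same outcome.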
[Figure 4 diagram labels: Native UEFI; Verified OS loader (e.g. Win8); OS start] 
[Figure 5 diagram labels: UEFI; Windows 8 OS loader; Kernel installation; Anti malware software start; 3rd party drivers] 