EFI Preboot Guidelines and Windows 8 UEFI Secure Boot for HP Business Notebooks and Desktops PPS Business Notebook and Desktop Technical white paper
7 
Secure Boot 
This section outlines the design requirements for an UEFI BIOS to meet the Win8 Logo requirements as well as HP 
preinstall and service needs. Secure Boot is a feature to ensure that only authenticated code can get started on a 
platform. The firmware is responsible for preventing launch of an untrusted OS by verifying the publisher of the OS 
loader based on policy. It is designed to mitigate root kit attacks. 
Figure 1: UEFI Secure Boot Flow 
  The firmware enforces policy, only starting signed OS loaders it trusts 
  OS loader enforces signature verification of later OS components 
Figure 2: Win8 Secure Boot Flow 
  All bootable data requires authentication before the BIOS hands off control to that entity. 
  The UEFI BIOS checks the signature of the OS loader before loading. If the signature is not valid, the UEFI BIOS will 
stop the platform boot. 
Firmware Policies  
There are two firmware policies critical for the support of Win8 Secure Boot. These policies vary between notebooks and 
desktops. 
Secure Boot (notebooks and desktops) 
  Disable 
  Enable 
When Secure Boot is set to “Enable,” BIOS will verify the boot loader signature before loading the OS.  
Boot Mode (notebook only) 
  Legacy 
  UEFI Hybrid with compatibility support module (CSM) 
  UEFI Native without CSM 
When Secure Boot is set to “Enable,” BIOS will verify the boot loader signature before loading the OS. 
When Boot Mode on notebooks is set to “Legacy” or the UEFI Hybrid Support setting is “Enable,” the CSM is loaded and 
Secure Boot is automatically disabled.  
UEFI 
Win8 OS 
Loader 
Kernel 
Installation 
Anti Malware 
Software 
Start 
3rd party 
DRivers 
Native UEFI 
Verified OS 
Loader 
(e.g. Win 8) 
OS Start 










