Manualshelf

EFI Preboot Guidelines and Windows 8 UEFI Secure Boot for HP Business Notebooks and Desktops PPS Business Notebook and Desktop Technical white paper

ManualsBrandsHP ManualsDesktopsHP EliteBook 2570p Notebook PC (ENERGY STAR)
11121314151617181920
11
TPM and Measure Boot
For systems with the Trusted Platform Module (TPM) hardware chip, Win8 will perform a comprehensive chain of
measurements, called measured boot, during the boot process. These measurements can be used to authenticate the
boot process to make sure that the operating system is not compromised by root kits and other malware. Each
component is measured, from firmware up through the boot start drivers. These measurements are stored in the TPM
on the machine. This log is then available remotely so that the boot state of the client can be verified.
Win8 BitLocker PCR Sealing
The Win8 hardware certification requirements require native UEFI boot.
On a native UEFI boot system BitLocker will seal by default to the PCRs[0,2,4,11].
On Connected Standby systems, BitLocker will seal to PCRs[7,11].
NOTE: Conflicting Connected Standby System requirements--The WHQL demands Connected Standby systems are
required to implement measurements of Secure Boot policy information into PCR[7]. The TCG requires Secure Boot
policy information in PCR[6]. To reference the PCR numbers, see the PCR Measurement Table A1 in the Appendix of this
paper.
Physical Presence
There is a new flag in the TCG PPI spec 1.2. It is the NoPPIProvision flag and the recommended default is True by BIOS.
The preinstall team should set this flag to True for Win8 and newer OSes and set it to False for any other OSes.
When NoPPIProvision is True and there is no TPM owner, the BIOS will not prompt for physical presence when the first
Enable/Activate command is received.
When NoPPIProvision is False, the BIOS will prompt for physical presence.
The default for NoPPIProvision Flag
The required default for the NoPPIProvision flag is True for Win8. This default allows Win8 to take ownership of the
TPM without any user confirmation.
Special China requirement with Win8
For China, the legal requirement is that the TPM must be shipped in a disabled state and can only be enabled with the
user's physical presence.
For a physical presence prompt, If the TPM presence is enabled, the BIOS will display the message below. Otherwise, the
physical presence prompt will be the normal (F1, F2) message.
惠普特别提醒:在您在系统中启用TPM功能前,请您务必确认,您将要对TPM的使用遵守相关的当地法律、
规及政策,并已获得所需的一切事先批准及许可(如适用)。若因您未获得相应的操作/使用许可而发生的
规问题,皆由您自行承担全部责任,与惠普无涉。
认启用TPM, “+” 取消, -“.
NoPPIProvision Flag in F10
The default for the NoPPIProvision flag is based on the factory setting.
TPM auto-provisioning
Win8 will automatically take TPM ownership to ease the deployment scenario. On an out of box setup , the OS will
automatically prepare the TPM for use. It does this by making use of the new PPI flag defined in the PPI v1.2 PC client
Specific TPM interface spec. The default scenario for first OS start is TPM is not ready for use and the NoPPIProvision
flag is set to “True” (the user will not be prompted for TPM provisioning). At this point TPM’s state is “Disabled,
Deactivated, and Not Owned.” The OS will then issue the TPM command 10 and after the first boot cycle the TPM will
be “Enabled and Activated.” Finally, after the second OS start, the TPM will be “Owned and Windows will report that the
TPM is ready for use. If users choose not to employ this TPM auto-provisioning option, they can use the Windows Wizard
to manually provision the TPM.