EFI Preboot Guidelines and Windows 8 UEFI Secure Boot for HP Business Notebooks and Desktops PPS Business Notebook and Desktop Technical white paper

Secure Boot

This section outlines the design requirements for an UEFI BIOS to meet the Win8 Logo requirements as well as HP

preinstall and service needs. Secure Boot is a feature to ensure that only authenticated code can get started on a

platform. The firmware is responsible for preventing launch of an untrusted OS by verifying the publisher of the OS

loader based on policy. It is designed to mitigate root kit attacks.

Figure 1: UEFI Secure Boot Flow

 The firmware enforces policy, only starting signed OS loaders it trusts

 OS loader enforces signature verification of later OS components

Figure 2: Win8 Secure Boot Flow

 All bootable data requires authentication before the BIOS hands off control to that entity.

 The UEFI BIOS checks the signature of the OS loader before loading. If the signature is not valid, the UEFI BIOS will

stop the platform boot.

Firmware Policies

There are two firmware policies critical for the support of Win8 Secure Boot. These policies vary between notebooks and

desktops.

Secure Boot (notebooks and desktops)

 Disable

 Enable

When Secure Boot is set to “Enable,” BIOS will verify the boot loader signature before loading the OS.

Boot Mode (notebook only)

 Legacy

 UEFI Hybrid with compatibility support module (CSM)

 UEFI Native without CSM

When Secure Boot is set to “Enable,” BIOS will verify the boot loader signature before loading the OS.

When Boot Mode on notebooks is set to “Legacy” or the UEFI Hybrid Support setting is “Enable,” the CSM is loaded and

Secure Boot is automatically disabled.

UEFI

Win8 OS

Loader

Kernel

Installation

Anti Malware

Software

Start

3rd party

DRivers

Native UEFI

Verified OS

Loader

(e.g. Win 8)

OS Start