EFI Preboot Guidelines and Windows 8 UEFI Secure Boot for HP Business Notebooks and Desktops PPS Business Notebook and Desktop Technical white paper

Invalid signature: BIOS fails to verify the signature of the preboot application.
If there is a backup version of the application in BIOS flash (for example, HP System Diagnostics), BIOS will launch the
backup. Otherwise, BIOS displays an error message.
Preboot Security Requirements
Signed preboot applications
When a preboot application is launched, it has as much control of the system resources as the BIOS. Since these
applications reside on the public hard drive partition, which is easily accessible and thus easily hacked, it’s necessary
for BIOS to launch only HP-signed preboot applications.
Additional F10 Policies for Preboot Environment in notebooks only
BIOS F10 provides several policies to control the availability of the Boot from EFI File option in the Boot Manager when F9
is pressed (for details, see How EFI Launches EFI Applications).
Follow this path to access the policies:
System Configuration > Device Configurations
These are the policies presented to users by the Boot Manager.
UEFI Boot Mode
Disable (for legacy OS)
Hybrid (with CSM) (for Win7 64 UEFI)
Native (without CSM) (for WIN8 64)
This policy controls whether the BIOS allows booting to an EFI file.
When UEFI Boot Mode is disabled, the “Boot from EFI File” option will not show up in the Boot Manager when F9 is
pressed. In such a case, the only way to launch HP EFI applications is to use the hot key.
Customized Logo
Enable/Disable (Default: Disable)
The EFI BIOS lets the user customize the logo displayed during boot. The logo is a
bitmap file that a customer can add or change on the HP_TOOLS partition.
Since BIOS can’t check the signature of customized logo bitmap files, such a file may be used as a tool to attack the BIOS
POST process. Thus an option is needed to disable this capability in highly security-sensitive environments.
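The risk described above comes from firmware parsing a bitmap it cannot authenticate. The following is an added example, not HP's code and not part of the white paper, showing the strict header and bounds checks a parser should apply to such a file before reading any pixel data. The function name, status codes, size limits and the restriction to 24-bit uncompressed BMP files are assumptions of the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed size limits for this example; not taken from the white paper. */
#define LOGO_MAX_W 1024
#define LOGO_MAX_H 768

enum logo_status { LOGO_OK, LOGO_TRUNCATED, LOGO_BAD_MAGIC, LOGO_BAD_SIZE,
                   LOGO_UNSUPPORTED, LOGO_BAD_DIMENSIONS, LOGO_OUT_OF_BOUNDS };

static uint32_t rd32(const uint8_t *p) {   /* little-endian field readers */
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }

/* Check an untrusted 24-bit uncompressed BMP before any pixel is read. */
enum logo_status logo_bmp_check(const uint8_t *buf, size_t len) {
    if (buf == NULL || len < 54) return LOGO_TRUNCATED;   /* 14 + 40 header bytes */
    if (buf[0] != 'B' || buf[1] != 'M') return LOGO_BAD_MAGIC;
    if (rd32(buf + 2) != len) return LOGO_BAD_SIZE;       /* declared vs. actual size */
    /* Accept only BITMAPINFOHEADER, 1 plane, 24 bpp, BI_RGB (no RLE decoder to attack). */
    if (rd32(buf + 14) != 40 || rd16(buf + 26) != 1 ||
        rd16(buf + 28) != 24 || rd32(buf + 30) != 0) return LOGO_UNSUPPORTED;
    /* Widen to 64 bits so negation and multiplication cannot overflow. */
    int64_t w = (int32_t)rd32(buf + 18), h = (int32_t)rd32(buf + 22);
    if (h < 0) h = -h;                                    /* top-down bitmap */
    if (w < 1 || w > LOGO_MAX_W || h < 1 || h > LOGO_MAX_H) return LOGO_BAD_DIMENSIONS;
    uint64_t stride = ((uint64_t)w * 3 + 3) & ~(uint64_t)3;  /* rows padded to 4 bytes */
    uint64_t off = rd32(buf + 10);
    if (off < 54 || off > len || stride * (uint64_t)h > len - off) return LOGO_OUT_OF_BOUNDS;
    return LOGO_OK;
}

int main(void) {
    /* Constructed sample: 2x2 image, 54 header bytes + 2 rows of 8 bytes. */
    uint8_t bmp[70] = {0};
    bmp[0] = 'B'; bmp[1] = 'M'; bmp[2] = 70; bmp[10] = 54; bmp[14] = 40;
    bmp[18] = 2; bmp[22] = 2; bmp[26] = 1; bmp[28] = 24;
    printf("well-formed: %d\n", logo_bmp_check(bmp, sizeof bmp));
    bmp[22] = 200;  /* height claims more rows than the file holds */
    printf("oversized height: %d\n", logo_bmp_check(bmp, sizeof bmp));
    return 0;
}
```

Checks of this kind reduce parser risk but do not replace authentication of the file, which is why the policy to disable the customized logo remains the control for sensitive environments.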