Technical white paper

EFI Preboot Guidelines and Windows 8 UEFI Secure Boot for HP Business Notebooks and Desktops

PPS Business Notebook and Desktop

Table of contents
EFI preboot guidelines
Supported models
HP_TOOLS for HP EFI and preboot applications
EFI and custom imaging
EFI architecture
How BIOS launches EFI applications
Creating or restoring an HP_TOOLS partition on the hard drive
Errors when launching the preboot applications
Preboot Security Requirements
Secure Boot Firmware Pol
EFI preboot guidelines

As computer technology has advanced, the BIOS has expanded to handle new components, larger and more complex chipsets, add-in cards, and other enhancements. This expansion has made the BIOS increasingly intricate. Development of the Extensible Firmware Interface (EFI) is the computer industry’s solution to BIOS limitations. EFI is a set of modular interfaces that replaces the set of traditional BIOS interfaces between the OS and platform firmware.
The HP EFI applications and preboot applications provide extensive preboot functions to the system BIOS residing in the flash ROM. You can find information for GUID Partition Table (GPT) formatted disks on page four of this document.

NOTE: Do not encrypt the HP_TOOLS partition using software encryption programs such as Windows BitLocker or Full Volume Encryption for HP ProtectTools. When the partition is encrypted, the HP preboot applications cannot function.
The HP_TOOLS partition is not assigned a drive letter. Any application that accesses the partition first mounts the partition. HP CASL provides the interface for mount/unmount.

Directories and descriptions

The HP_TOOLS EFI partition file and folder structure are similar to the Windows file and folder structure. The installation of an EFI application proceeds as follows. HP EFI application SoftPaqs unbundle into the C:\swsetup directory.
Starting with 2012 platforms, a preinstall image of UEFI Win8 is available. Several HP components now reside on the ESP instead of the HP_TOOLS partition. The advantage of residing on the ESP rather than the HP_TOOLS partition is that the components are available when you are not using the HP preinstall image. However, the default size of the ESP is 100 MB, so HP’s overall component size is limited.
Invalid signature: BIOS fails to verify the signature of the preboot application. If there is a backup version of the application in BIOS flash (for example, HP System Diagnostics), BIOS will launch the backup. Otherwise, BIOS displays an error message.

Preboot Security Requirements

Signed preboot applications

When a preboot application is launched, it has as much control of the system resources as the BIOS.
Secure Boot

This section outlines the design requirements for a UEFI BIOS to meet the Win8 Logo requirements as well as HP preinstall and service needs. Secure Boot is a feature that ensures only authenticated code can start on a platform. The firmware is responsible for preventing the launch of an untrusted OS by verifying the publisher of the OS loader based on policy. It is designed to mitigate rootkit attacks.

Figure 1: UEFI Secure Boot Flow
Native UEFI Verified OS Loader (e.g.
For Win7 desktops and earlier, the F10 settings combination of Legacy Support “Enabled”, Secure Boot “Disabled”, and Fast Boot “Disabled” results in CSM support. This is the desktop equivalent of the notebook “Legacy” setting (there is an actual “Legacy Support” setting in the desktop BIOS). For Win8 desktops with Secure Boot, the F10 settings combination of Legacy Support “Disabled”, Secure Boot “Enabled”, and Fast Boot “Enabled” results in no CSM support.
Secure Boot Key management

Figure 3: HP Platform Key Management for notebooks
Figure 4: HP Platform Key Management for desktops

Factory-default HP BIOS will have HP PK, MS KEK, MS db, and an empty dbx populated, and the system will be in User Mode. No new PK enrollment is allowed. Here the HP Platform Key is different from the HP firmware-signing key. For the first implementation (starting with 2012), the HP PK is a certificate named “Hewlett-Packard UEFI Secure Boot Platform Key” and is issued by HP IT.
Simply disabling Secure Boot will not change the mode. While still in User Mode, the keys currently enrolled in the system are preserved. The remainder of the section is grayed out. The user then has to select “Clear Secure Boot Keys.” Then the BIOS goes to “Setup UserMode” (Figure 4), and the mode section becomes available.

Figure 5: BIOS Setup User Mode selection for notebooks

Now that the system is in Setup Mode, the user can choose HP Factory keys vs. Customer Keys.
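The difference between a disabled Secure Boot and a cleared key set can be confirmed from a running OS. The following is an added example, not HP code: it decodes the UEFI-defined SecureBoot and SetupMode variables in the layout Linux efivarfs uses (4 attribute bytes, then a 1-byte value), and the sample byte strings are constructed.

```python
import struct
from pathlib import Path

# EFI global variable GUID from the UEFI specification.
EFI_GLOBAL = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS = Path("/sys/firmware/efi/efivars")  # Linux efivarfs mount point


def decode_flag(raw: bytes) -> int:
    """Decode one efivarfs file: 4-byte LE attributes, then a 1-byte value."""
    if len(raw) != 5:
        raise ValueError(f"expected 5 bytes, got {len(raw)}")
    _attrs, value = struct.unpack("<IB", raw)
    if value not in (0, 1):
        raise ValueError(f"unexpected flag value {value}")
    return value


def classify(secure_boot: bytes, setup_mode: bytes) -> str:
    """Map the two firmware flags to the states described in the text."""
    sb, sm = decode_flag(secure_boot), decode_flag(setup_mode)
    if sm == 1 and sb == 1:
        raise ValueError("inconsistent: enforcing without a Platform Key")
    if sm == 1:
        # SetupMode = 1 means no Platform Key is enrolled.
        return "Setup Mode: PK cleared, Secure Boot cannot enforce"
    if sb == 1:
        return "User Mode: keys enrolled, Secure Boot enforcing"
    return "User Mode: keys still enrolled, Secure Boot disabled"


def read_live() -> str:
    """Classify the running machine (Linux with efivarfs mounted)."""
    sb = (EFIVARS / f"SecureBoot-{EFI_GLOBAL}").read_bytes()
    sm = (EFIVARS / f"SetupMode-{EFI_GLOBAL}").read_bytes()
    return classify(sb, sm)


# Constructed samples; 0x06 = BOOTSERVICE_ACCESS | RUNTIME_ACCESS attributes.
ATTRS = struct.pack("<I", 0x06)
FACTORY = (ATTRS + b"\x01", ATTRS + b"\x00")       # (SecureBoot, SetupMode)
SB_OFF_ONLY = (ATTRS + b"\x00", ATTRS + b"\x00")   # disabled, keys kept
KEYS_CLEARED = (ATTRS + b"\x00", ATTRS + b"\x01")  # after clearing the keys

if __name__ == "__main__":
    print(read_live())
```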
TPM and Measure Boot

For systems with the Trusted Platform Module (TPM) hardware chip, Win8 will perform a comprehensive chain of measurements, called measured boot, during the boot process. These measurements can be used to authenticate the boot process to make sure that the operating system is not compromised by rootkits and other malware. Each component is measured, from firmware up through the boot start drivers. These measurements are stored in the TPM on the machine.
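How a verifier uses these measurements, as an added example that is not HP or Microsoft code: it replays a measurement log through the TPM extend operation and reports which PCRs disagree with the values the TPM holds. It assumes a SHA-1 PCR bank as in TPM 1.2; the PCR 0 event types are those named in Table A1, and the log contents and the PCR 4 entry are constructed.

```python
import hashlib

PCR_SIZE = 20  # SHA-1 digest length (assumption: TPM 1.2 style PCR bank)


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM extend: new PCR = SHA1(old PCR || measurement digest)."""
    if len(pcr) != PCR_SIZE or len(digest) != PCR_SIZE:
        raise ValueError("PCR and digest must both be 20 bytes")
    return hashlib.sha1(pcr + digest).digest()


def replay(events):
    """Recompute PCRs from an ordered list of (pcr_index, type, digest)."""
    pcrs = {}
    for index, _event_type, digest in events:
        pcrs[index] = extend(pcrs.get(index, bytes(PCR_SIZE)), digest)
    return pcrs


def mismatched(events, quoted):
    """Return the PCR indexes where the replayed log disagrees with the TPM."""
    replayed = replay(events)
    return sorted(i for i, value in quoted.items()
                  if replayed.get(i, bytes(PCR_SIZE)) != value)


def measure(blob: bytes) -> bytes:
    """Digest of a measured component, as recorded in the event log."""
    return hashlib.sha1(blob).digest()


# Constructed log. PCR 0 event types follow Table A1; the PCR 4 entry follows
# the TCG convention for boot manager code and is not taken from the table.
LOG = [
    (0, "EV_S_CRTM_VERSION", measure(b"constructed S-CRTM version")),
    (0, "EV_POST_CODE", measure(b"constructed platform firmware")),
    (0, "EV_EFI_HANDOFF_TABLES", measure(b"constructed ACPI tables")),
    (4, "EV_EFI_BOOT_SERVICES_APPLICATION", measure(b"constructed OS loader")),
]
QUOTED = replay(LOG)  # stand-in for PCR values read from the TPM
```

Because each extend hashes over the previous PCR value, a changed, dropped or reordered event yields a different final PCR, so a log can only match the TPM if it lists exactly what was measured, in order.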
POST

POST includes these tools and information:
– Drivers and firmware versions of installed software
– Information about disk drives directly attached to the chipset (not to a Smart Array Controller)

POST logo requirements

POST in native resolution

Design your logo:
– Centered horizontally
– 38.
– The legacy Boot Order, as it exists when Legacy Support is enabled
– A UEFI Boot Order list when Legacy Support is disabled

For the UEFI F10 Static Boot Order, the BIOS assigns certain Boot numbers for the fixed devices in the system. For example, Boot0000 can be OS Boot Manager for a hard drive, Boot0001 can be PXE IPV4, and Boot0002 can be for a built-in DVD. Certain HP-supported UEFI apps should also be listed, such as HP UEFI diagnostics.
Windows Vista, Windows 7, and Linux systems don’t support UEFI Secure Boot. For these systems, enable Legacy Support and disable Secure Boot. With Secure Boot disabled and Legacy Support enabled, note that both UEFI and legacy boot sources are available for boot. This configuration allows for the most flexibility in booting from various devices, but at the cost of not having Secure Boot. The BIOS will base the boot sequence on the boot order list.
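To audit which boot sources a machine will actually try, the Boot#### entries and their order can be decoded from the UEFI variables. The following is an added example, not HP code: it parses a BootOrder value and EFI_LOAD_OPTION structures as laid out in the UEFI specification and marks entries whose device path is a BBS (legacy) node. The sample values are constructed, and it is an assumption that the firmware lists legacy sources as BBS entries.

```python
import struct

BBS_DEVICE_PATH = 0x05   # UEFI device-path type for legacy (CSM) boot


def parse_boot_order(data: bytes) -> list:
    """BootOrder is a packed array of little-endian UINT16 option numbers."""
    if len(data) % 2:
        raise ValueError("BootOrder length must be even")
    return list(struct.unpack(f"<{len(data) // 2}H", data))

def parse_load_option(data: bytes) -> dict:
    """Decode an EFI_LOAD_OPTION: attributes, description, first path node."""
    attrs, path_len = struct.unpack_from("<IH", data, 0)
    end = 6
    while data[end:end + 2] != b"\x00\x00":   # UTF-16 NUL ends Description
        if end + 2 > len(data):
            raise ValueError("unterminated description")
        end += 2
    path = data[end + 2:end + 2 + path_len]
    if len(path) != path_len or path_len < 4:
        raise ValueError("truncated device path")
    return {"active": bool(attrs & 1),        # LOAD_OPTION_ACTIVE bit
            "description": data[6:end].decode("utf-16-le"),
            "legacy": path[0] == BBS_DEVICE_PATH}

def audit(boot_order: bytes, options: dict) -> list:
    """List entries in firmware boot order, marking legacy and missing ones."""
    report = []
    for num in parse_boot_order(boot_order):
        kind, desc = "MISSING", ""
        if num in options:
            opt = parse_load_option(options[num])
            kind, desc = ("LEGACY" if opt["legacy"] else "UEFI"), opt["description"]
        report.append((f"Boot{num:04X}", kind, desc))
    return report

def _option(description: str, node: bytes) -> bytes:
    """Build a constructed Boot#### value for the sample data below."""
    path = node + bytes([0x7F, 0xFF, 0x04, 0x00])   # end-of-path node
    return (struct.pack("<IH", 1, len(path))
            + description.encode("utf-16-le") + b"\x00\x00" + path)

_file = "\\EFI\\BOOT\\BOOTX64.EFI\x00".encode("utf-16-le")
SAMPLE_OPTIONS = {  # constructed, not captured from an HP system
    0: _option("OS Boot Manager",
               struct.pack("<BBH", 4, 4, 4 + len(_file)) + _file),
    3: _option("Legacy HDD", struct.pack("<BBHHH", 5, 1, 12, 2, 0) + b"HDD\x00"),
}
SAMPLE_ORDER = struct.pack("<3H", 0, 3, 1)   # Boot0001 has no variable
```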
OA3

Win8 features a new version of the OEM activation mechanism, OEM Activation 3.0 (OA 3.0).

Microsoft Digital Marker Key injection

A standard HP method to inject the Microsoft Digital Marker (MSDM) key into ACPI will be supported by the BIOS for use by the factory and service, using the HP BIOS Configuration interface available in both Windows (Public WMI) and UEFI. The following processes are supported by the implementation.
HP BIOS configuration (REPSET) functionality

The HP BIOS Configuration utility supports the following functions for Windows key insertion:

English
MS Digital Marker “Value”

The Values are:
Unlock – used to unlock the key for writing.
  – Requires reboot with Physical Presence Check
  – Not required in MPM mode or first write after re-flash
Key – Text string representation of Windows key
  – Use all FFh to clear the key in the ACPI MSDM table.
For more details, see Windows Platform Binary Table (WPBT) by Microsoft.
Tab | Option | Default Restored?
 | Require acknowledgment of battery errors | Yes
 | Fast Boot | Yes
 | CD-ROM boot | Yes
 | SD card boot | Yes
 | Floppy boot | Yes
 | PXE Internal NIC boot | Yes
 | USB device boot | Yes
 | Upgrade Bay Hard Drive boot | Yes
 | eSATA boot | Yes
 | Boot Mode | No
 | UEFI Boot Order | Yes
 | Legacy Boot Order | Yes
Device Configurations | USB Legacy support | Yes
 | Parallel port mode | Yes
 | Fan Always on while AC Power | Yes
 | Data Execution Prevention | Yes
 | Max SATA Speed | Yes
 | SATA Device Mode | No
 | Wake on USB | Yes
 | Wake on LAN on DC mode | Yes
 | Notebook Upgrade Bay | Yes
 | Power Monitor Circuit | Yes
 | Audio Device | Yes
 | Microphone | Yes
 | Speakers and Headphones | Yes
 | Wake unit from sleep when lid is opened | Yes
 | Power on unit when lid opened | Yes
 | Boost Converter | Yes
Port Options | Serial Port | Yes
 | Parallel Port | Yes
 | Flash media reader | Yes
 | USB Port | Yes
 | 1394 Port | Yes
 | Express Card Slot | Yes
 | eSATA Port | Yes
AMT Options | USB Key Provisioning Support | Yes
 | Unconfigure AMT on next boot | Y
Appendix

Table A1: PCR measurement

PCR | BNB expected | BNB actual

PCR 0
  S-CRTM’s version identifier using the event type EV_S_CRTM_VERSION
  S-CRTM’s version identifier using the event type EV_S_CRTM_VERSION
  All Host Platform firmware using the event type EV_POST_CODE
  All Host Platform firmware using the event type EV_POST_CODE
  ACPI data using event type EV_EFI_HANDOFF_TABLES
PCR 1
  Not used
PCR 2
  Not used
  Currently measuring FV(??) Non manufacturer controlled options/UEFI drivers
PCR 3
  Not used
PC
For more information

Visit the websites listed below if you need additional information.

Resource description | Web address
UEFI Specification Version 2.3.1 | http://www.uefi.org/specs/download
Windows Compatibility Support Module OptOut Mechanism for Legacy Free OSes v1.1 by Microsoft |
Windows Authenticated Portable Executable Signature Format specification |
HP OA3 service script file by CMIT BIOS team. |