BIOS Protection Guidelines - Recommendations of the National Institute of Standards and Technology
2.2.2  UEFI Boot Process 
At a high level, the UEFI boot process, shown in Figure 2, follows a similar flow to the conventional 
BIOS boot process.  One difference is that UEFI code runs in 32- or 64-bit protected mode on the CPU, 
not in 16-bit real mode as is often the case with conventional BIOS.  Most UEFI-based platforms start 
with a small core block of code that has the primary responsibility of authenticating subsequent code 
executed on the computer system. This is very similar to the role of the boot block in conventional BIOS. 
This part of the boot process is known as the Security (SEC) phase, and it serves as the core root of trust 
in the computer system. 
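The role of the SEC phase as the core root of trust can be illustrated with a small model, added here as an example and not taken from this publication or from any UEFI implementation. It assumes that each stage holds a SHA-256 digest of its successor and refuses to hand off on a mismatch; the stage names PEI and DXE refer to the later phases of the UEFI flow, and the image contents and the `build_flash`, `measure`, `boot`, and `tampered` helpers are constructed for illustration.

```python
import hashlib
import hmac

# Constructed stand-ins for the firmware images held in system flash.
IMAGES = [
    ("SEC", b"authenticate the next stage"),
    ("PEI", b"initialize processor, chipset, motherboard"),
    ("DXE", b"locate and execute drivers"),
]

def measure(stage):
    """Digest over a stage's code and the digest it holds for its successor."""
    data = stage["code"] + stage["expect_next"].encode()
    return hashlib.sha256(data).hexdigest()

def build_flash(images):
    """Provision back to front so each stage embeds its successor's digest."""
    flash, expect = [], ""
    for name, code in reversed(images):
        stage = {"name": name, "code": code, "expect_next": expect}
        expect = measure(stage)
        flash.insert(0, stage)
    return flash

def boot(flash):
    """Return (stages executed, reason the boot halted or None)."""
    executed = [flash[0]["name"]]  # the first stage runs without being checked
    for cur, nxt in zip(flash, flash[1:]):
        if not hmac.compare_digest(cur["expect_next"], measure(nxt)):
            return executed, f"{cur['name']} refused {nxt['name']}"
        executed.append(nxt["name"])
    return executed, None

def tampered(flash, name, code):
    """Copy of the flash contents with one stage's code overwritten."""
    return [dict(s, code=code) if s["name"] == name else dict(s) for s in flash]

if __name__ == "__main__":
    flash = build_flash(IMAGES)
    print("intact      ", boot(flash))
    for name, _ in IMAGES:
        print(f"{name} modified", boot(tampered(flash, name, b"modified")))
```

A modified PEI or DXE image halts the boot at the stage before it, while a modified SEC image is never detected because no earlier code measures it. In this model the integrity of every later check therefore rests on the first stage being protected from unauthorized modification.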
Figure 2: UEFI BIOS Boot Process 
The next phase of the UEFI boot process is the Pre-EFI Initialization (PEI) Phase. The PEI phase is 
intended to initialize key system components, such as the processor, chipset and motherboard.  In some 
cases, the code in the Security Phase and the PEI Phase comprise the core root of trust in a UEFI system. 
The purpose of the PEI Phase is to prepare the system for the Driver Execution Environment (DXE) 
phase.  The DXE phase is where most system initialization is performed.  The firmware executed in this 
phase is responsible for searching for and executing drivers that provide device support during the boot 