Secure Boot

Secure Boot

Secure Boot is an option in UEFI that allows you to make sure that your PC boots using only software that is trusted by the PC manufacturer.

Allow me to explain. A while back we wrote about the limitations of the MBR. A very limited number of primary partitions and most of all the maximum partition-size of 2 TB (for Windows XP and Server 2003 that is also the maximum disk-size).

The development of a next generation method of storing the partitioning information was done mostly (for Windows operating systems) in association with UEFI as a replacement for the BIOS. UEFI supports the GPT standard, which stands for GUID Partitioning Table and is called that because it assigns a GUID (Globally Unique Identifier) to each partition.

For now, this system is so flexible that the limitations in disk size and number of partitions now lie with the Operating System. For example, Windows allows up to 128 partitions on a GPT driver without having to use extended partitions. As a bonus, GPT uses a redundancy check so it can notice a problem and attempt to recover any lost data.

The aforementioned redundancy check and Secure boot are the most prominent security features that came with the GPT/UEFI setup. It should put an end to the revival of boot-kits that became prevalent in recent years.

A boot-kit is malware that loads before the Operating System (OS) so that it can hide itself from the OS and it can survive even if the Operating System is replaced. This does not mean that UEFI can’t be compromised. But it should make it a lot harder to infect, and easier to find and clean.

The Secure Boot option has been regarded by some with distrust because it could be used to give Windows a monopoly on certain systems. If there is no way to disable Secure Boot,  Microsoft could enforce that the systems only runs Windows 8 (or later).

Thankfully, however, physically present users can still disable the Secure Boot option.

Finally, it should be noted that programmatic disabling of Secure Boot either during Boot Services or after exiting EFI Boot Services MUST NOT be possible. Otherwise, malware could still change the settings, and this would make the whole effort pointless.

SBchoices

As mentioned before, Secure Boot stops “unauthorized” Operating Systems from booting.

For example, if you enable Secure Boot on a computer that has Windows 7 as an OS, you will get an error during boot. The error code is usually 0xc0000428 and is sometimes accompanied by a message about an unsigned EFI file in the system32 folder of the Windows 7 partition.

Secure Boot can also stop the system from booting if unauthorized firmware or changed Operating System loaders are found.

booterror

Summing up:

  • Secure Boot is not a Windows function, but an UEFI protocol. It was not even invented by Microsoft.
  • It is however a (major) part of Windows 8 secured boot.
  • Windows 8 uses Secure Boot to secure the pre-Windows environment.
  • Secure Boot is not designed to block other operating systems, but to validate components authenticity by checking a list of keys that identify trusted hardware, firmware, and operating system loader code and a list of keys to identify known malware.
  • Secure Boot does however block the use of some other types of Operating Systems because of this design.
  • Microsoft does not control the settings, that are present in the firmware of a system, to disable or enable Secure Boot. It does however force hardware vendors to enable UEFI with Secure Boot to get the Certified for Windows 8 stickers

Conclusion: Secure Boot is part of the options that UEFI has to offer for the newest Windows versions. It does offer security, but some who prefer other Operating Systems regard this security feature as somewhat controversial.

 

Resources:

Windows and GPT FAQ

A simple note on how to repair bootstructures

A Tale Of One Software Bypass Of Windows 8 Secure Boot

4SYSOPS on Secure Boot

UEFI, SecureBoot, and dual booting Windows 8 and Linux

ABOUT THE AUTHOR

Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.