Old 02-21-2013, 08:13 PM   #1
mechBgon
Super Moderator
Elite Member
Join Date: Oct 1999
Posts: 30,565
Some notes on Secure Boot

Maybe this will be helpful to some of you. I shuffled some parts around, and one of my goals was to get Secure Boot enabled on a system.

"Hmmm, the old mobo was Intel Z68, the new one's Z77."



So I transplanted the old Windows 8 drive to the new mobo, which is a Gigabyte with a beta BIOS that supports Secure Boot if you enable it. Then I started up Windows, it Discovered New Hardware™ and booted. And naturally I had to talk to the excessively-cheerful Microsoft Activation Robot.

Next, I ran the built-in Windows PowerShell as an Administrator and ran the command help secureboot, since I never remember the syntax for the command that verifies SecureBoot is working. Well there it is: Confirm-SecureBootUEFI.

What you want it to say is simply TRUE. In my case, I got a bunch of red text that boiled down to DUDE, YOU'RE DOING IT WRONG.

So I was all, "but the previous boot drive on this mobo was SecureBooting fine, so what's different?" And the answer is that this instance of Win8 was originally installed with a non-UEFI, non-SecureBootable motherboard.

The solution: reinstall Windows 8. I also made sure the boot options were "UEFI only" in case there was a way for it to fall back on a "legacy" option.

Why would you want Secure Boot? Basically, it prevents bootkits (the infamous TDL aka TDSS family, for example), which get between the hardware and the OS and can effectively rootkit the OS from the outside, and then it's Welcome to The Matrix. The BIOS itself will refuse to boot the system from code that's not whitelisted with the appropriate digital signature. There are downsides, like not being able to boot just any OS, so it may not be for everyone. But it's under your control via a BIOS setting, so hey.

If you're interested in using SecureBoot then you may also be interested in knowing that Intel's Ivy Bridge-core processors all have a new security enhancement that's similar to Data Execution Prevention. It prevents the OS kernel from executing stuff in user memory, which thwarts some types of privilege-escalation exploits. Win8 supports this feature (SMEP) and I believe Linux has begun supporting it as well. So if you're considering a new Intel box, you probably want Ivy Bridge or later.

Last edited by mechBgon; 02-21-2013 at 10:27 PM.
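
The check described in the post above, as an added example that is not part of the original post: it wraps Confirm-SecureBootUEFI so that the "red text" case is separated from a plain False, and reads the boot disk's partition style to show whether Windows was installed in legacy mode. The function name Get-SecureBootDiagnosis and the hint wording are assumptions made for this example; run it in an elevated PowerShell on Windows 8 or later.

```powershell
# Added example, not from the original post. Get-SecureBootDiagnosis is a hypothetical name.
function Get-SecureBootDiagnosis {
    # Partition style of the disk Windows booted from (Get-Disk ships in the Storage module).
    $bootDisk = Get-Disk | Where-Object { $_.IsBoot } | Select-Object -First 1
    $style = if ($bootDisk) { [string]$bootDisk.PartitionStyle } else { 'Unknown' }

    try {
        # Returns $true or $false on a UEFI boot; throws when Windows was booted in legacy BIOS mode.
        $enabled = Confirm-SecureBootUEFI -ErrorAction Stop
        if ($enabled) {
            $state = 'Enabled'
            $hint  = 'Secure Boot is active.'
        } else {
            $state = 'Disabled'
            $hint  = 'Booted in UEFI mode, but Secure Boot is switched off in firmware setup.'
        }
    }
    catch [System.PlatformNotSupportedException] {
        # The "red text" case: firmware is not UEFI, or this Windows instance boots in legacy mode.
        $state = 'NotSupported'
        if ($style -eq 'MBR') {
            # Windows only boots in UEFI mode from a GPT disk, so an MBR boot disk means a legacy install.
            $hint = 'Boot disk is MBR: Windows was installed in legacy BIOS mode.'
        } else {
            $hint = 'Not booted in UEFI mode: check that the firmware boot option is UEFI only.'
        }
    }
    catch [System.UnauthorizedAccessException] {
        $state = 'AccessDenied'
        $hint  = 'Run PowerShell as Administrator and try again.'
    }

    # One object per machine, easy to read on screen or export with Export-Csv.
    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        SecureBoot         = $state
        BootDiskPartitions = $style
        Hint               = $hint
    }
}

Get-SecureBootDiagnosis | Format-List
```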
All times are GMT -5.