Old 02-21-2013, 08:13 PM   #1
mechBgon
Super Moderator
Elite Member
 
 
Join Date: Oct 1999
Posts: 30,698
Some notes on Secure Boot

Maybe this will be helpful to some of you. I shuffled some parts around, and one of my goals was to get Secure Boot enabled on a system.

"Hmmm, the old mobo was Intel Z68, the new one's Z77."



So I transplanted the old Windows 8 drive to the new mobo, which is a Gigabyte with a beta BIOS that supports Secure Boot if you enable it. Then I started up Windows, it Discovered New Hardware™ and booted. And naturally I had to talk to the excessively-cheerful Microsoft Activation Robot.

Next, I ran the built-in Windows PowerShell as an Administrator and ran the command help secureboot, since I never remember the syntax for the command that verifies SecureBoot is working. Well there it is: Confirm-SecureBootUEFI.

What you want it to say is simply TRUE. In my case, I got a bunch of red text that boiled down to DUDE, YOU'RE DOING IT WRONG.

So I was all, "But the previous boot drive on this mobo was SecureBooting fine, so what's different?" And the answer is that this instance of Win8 was originally installed with a non-UEFI, non-SecureBootable motherboard.

The solution: reinstall Windows 8. I also made sure the boot options were "UEFI only" in case there was a way for it to fall back on a "legacy" option.

Why would you want Secure Boot? Basically, it prevents bootkits (the infamous TDL aka TDSS family, for example), which get between the hardware and the OS and can effectively rootkit the OS from the outside, and then it's Welcome to The Matrix. The BIOS itself will refuse to boot the system from code that's not whitelisted with the appropriate digital signature. There are downsides, like not being able to boot just any OS, so it may not be for everyone. But it's under your control via a BIOS setting, so hey.

If you're interested in using SecureBoot then you may also be interested in knowing that Intel's Ivy Bridge-core processors all have a new security enhancement that's similar to Data Execution Prevention. It prevents the OS kernel from executing stuff in user memory, which thwarts some types of privilege-escalation exploits. Win8 supports this feature (SMEP) and I believe Linux has begun supporting it as well. So if you're considering a new Intel box, you probably want Ivy Bridge or later.

Last edited by mechBgon; 02-21-2013 at 10:27 PM.
Old 07-11-2013, 05:15 AM   #2
balloonshark
Senior Member
 
Join Date: Jun 2008
Posts: 738

Edit: Firstly, does this mean this is a no-go? http://www.sapphireforum.com/showthr...highlight=UEFI Or could I go ahead and do the install and disable something in hopes that Sapphire releases a UEFI update?

Edit 2: I have posted on TweakTown's ASRock forum for help but the site is down. I have also written to Sapphire to ask if my graphics card is UEFI compatible.

Edit 3: Sapphire replied and said their cards are not UEFI supported. Does this mean I can't install Windows 8 64 bit in UEFI mode to use Secure Boot?

Edit 4: I was able to get a little help here. http://forums.tweaktown.com/asrock/5...cure-boot.html

Is it really worth reinstalling Windows 8 to enable this feature? Would I need to change all of the settings in the pic below to UEFI, turn on secure boot and then reinstall using this method? http://www.eightforums.com/tutorials...ndows-8-a.html



With their method the disk was formatted with GPT. Is this mandatory? What are the drawbacks? Can I still image the drive?

I found the above link from this link.
http://www.eightforums.com/tutorials...able-uefi.html

I think this pic shows that my Windows 8 Pro 64 bit dvd is UEFI capable. (Sorry for the blurry pic.)


UEFI Secure Boot option. How do the keys work?
__________________
i5-4670K, Hyper 212 Evo, ASRock Z87 Extreme6, Sapphire Vapor-X Radeon HD 7970 Ghz Edition 3GB, 120GB Samsung 840 Series SSD, 1TB WD Blue HDD, Team Vulcan DDR3 1600 4x4GB, Corsair CX600 PSU, Asus 24x DVD Burner, Corsair Carbide 500R, Windows 8 Pro 64 bit.

Old Rig: Q6600@3.0, Xigmatek HDT-S1283, MSI P35 Neo2-FR, G.Skill 2x2GB DDR2-1000,
Radeon HD 7750 Double D Black Ed. 900MHz 1GB DDR5, Seagate 250GB, Corsair 400, Antec P182, SyncMaster 2232BW Plus, XP Home SP3.

Last edited by balloonshark; 07-13-2013 at 01:03 AM.
Old 07-13-2013, 11:16 PM   #3
mechBgon
Super Moderator
Elite Member
 
 
Join Date: Oct 1999
Posts: 30,698

Sorry I didn't get around to replying sooner

Quote:
Is it really worth reinstalling Windows 8 to enable this feature?
It was worth it to me. The kind of malware SecureBoot prevents is probably the worst kind in existence. If I can bulletproof my rig against that with a BIOS setting, sign me up!

Assuming someone's hardware is not incompatible, the key aspects appear to be:

1. make sure the BIOS is set up to boot from UEFI before you commence Windows installation.



2. enable Secure Boot. This can be done after the Windows installation.



3. test to confirm SecureBoot is enabled for reals:


(run PowerShell with the Run As Administrator option from a right-click, and run the command confirm-securebootUEFI)


There's the question of whether you should have CSM enabled or not. I happen to have it enabled and my result is the one shown above: SecureBoot is working in Windows.

Last edited by mechBgon; 07-13-2013 at 11:21 PM.
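The three-step check in the post above (boot from UEFI before installing, turn Secure Boot on, confirm with Confirm-SecureBootUEFI) and the "bunch of red text" from the first post can be folded into one diagnostic. What follows is added example code, not something posted in this thread or shipped by Microsoft. It assumes Windows 8 or later (for the SecureBoot module and the $env:firmware_type variable) and an elevated PowerShell; the function name Test-SecureBootReadiness is made up here.

```powershell
#Requires -RunAsAdministrator
# Added example: explain *why* Confirm-SecureBootUEFI is not True instead of just showing red text.
# Assumes Windows 8+ (SecureBoot module, $env:firmware_type) and an elevated PowerShell.

function Test-SecureBootReadiness {
    $r = [ordered]@{}

    # 1. How did this boot? Windows sets $env:firmware_type to 'UEFI' or 'Legacy'.
    #    'Legacy' means the CSM/BIOS path was used, which is the
    #    "Win8 was installed on a non-UEFI board" case from the first post.
    $r.FirmwareType = $env:firmware_type

    # 2. Partition style of the OS disk. A UEFI install of Windows lives on a GPT disk;
    #    an MBR system disk is a legacy install and needs reinstalling.
    $osDisk = Get-Partition -DriveLetter $env:SystemDrive.TrimEnd(':') | Get-Disk
    $r.OsDiskPartitionStyle = $osDisk.PartitionStyle

    # 3. What the boot manager entry points at: \EFI\Microsoft\Boot\bootmgfw.efi on a
    #    UEFI install, \bootmgr on a legacy one.
    $m = bcdedit /enum '{bootmgr}' | Select-String -Pattern '^path\s+(\S+)' | Select-Object -First 1
    $r.BootManagerPath = if ($m) { $m.Matches[0].Groups[1].Value } else { $null }

    # 4. Ask the firmware. On a legacy boot the cmdlet throws
    #    "Cmdlet not supported on this platform" (the red text in the first post).
    try   { $r.SecureBootEnabled = Confirm-SecureBootUEFI -ErrorAction Stop }
    catch { $r.SecureBootEnabled = $null; $r.Error = $_.Exception.Message }

    $r.Verdict = if ($r.FirmwareType -ne 'UEFI') {
        'Booted via CSM/legacy BIOS: Secure Boot cannot apply. Set the firmware to UEFI-only boot, then reinstall Windows onto a GPT disk.'
    } elseif ($r.OsDiskPartitionStyle -ne 'GPT') {
        'UEFI boot, but the OS disk is not GPT: reinstall before Secure Boot will verify the Windows loader.'
    } elseif ($r.SecureBootEnabled -eq $true) {
        'Secure Boot is enforced: the firmware only ran signed boot code on this boot.'
    } else {
        'UEFI boot is fine, but Secure Boot is off: enable it in firmware setup and reboot.'
    }

    [pscustomobject]$r
}

Test-SecureBootReadiness | Format-List
```

Run it once before the reinstall and once after: the first run on a drive transplanted from a legacy board reports FirmwareType Legacy, an MBR disk and the "not supported on this platform" error; after a UEFI-only install with Secure Boot switched on it reports UEFI, GPT, the bootmgfw.efi path and SecureBootEnabled True.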
Old 07-14-2013, 08:02 AM   #4
balloonshark
Senior Member
 
Join Date: Jun 2008
Posts: 738

Thanks for your reply mechBgon! I was finally able to get Windows 8 installed using UEFI. The trick was to disable CSM before installing Windows.

Interesting how our MB's firmware is different. In your first pic my boot option says Windows Boot Manager with CSM disabled.

Quote:
Originally Posted by mechBgon View Post
3. test to confirm SecureBoot is enabled for reals:

There's the question of whether you should have CSM enabled or not. I happen to have it enabled and my result is the one shown above: SecureBoot is working in Windows.
Interesting that you are able to have Secure Boot working with CSM enabled. This would be ideal for me as my graphics card isn't UEFI capable .

In your 2nd pic under CSM support. Would you happen to know why you need the Storage Boot Option Control set to UEFI for the system to work? I noticed I had to set mine the same to boot with CSM enabled.

My other two Option ROM options are Launch PXE OpROM Policy and Launch Video OpROM Policy. All three can either be set to UEFI Option ROM only or Legacy Option ROM only. Could you please briefly explain how they work and what they should be set at with CSM enabled?
__________________
i5-4670K, Hyper 212 Evo, ASRock Z87 Extreme6, Sapphire Vapor-X Radeon HD 7970 Ghz Edition 3GB, 120GB Samsung 840 Series SSD, 1TB WD Blue HDD, Team Vulcan DDR3 1600 4x4GB, Corsair CX600 PSU, Asus 24x DVD Burner, Corsair Carbide 500R, Windows 8 Pro 64 bit.

Old Rig: Q6600@3.0, Xigmatek HDT-S1283, MSI P35 Neo2-FR, G.Skill 2x2GB DDR2-1000,
Radeon HD 7750 Double D Black Ed. 900MHz 1GB DDR5, Seagate 250GB, Corsair 400, Antec P182, SyncMaster 2232BW Plus, XP Home SP3.
Old 07-14-2013, 12:22 PM   #5
mechBgon
Super Moderator
Elite Member
 
 
Join Date: Oct 1999
Posts: 30,698

Quote:
Originally Posted by balloonshark View Post
Thanks for your reply mechBgon! I was finally able to get Window 8 installed using UEFI. The trick was to disable CSM before installing Windows.

Interesting how our MB's firmware is different. In your first pic my boot option says Windows Boot Manager with CSM disabled.


Interesting that you are able to have Secure Boot working with CSM enabled. This would be ideal for me as my graphics card isn't UEFI capable .

In your 2nd pic under CSM support. Would you happen to know why you need the Storage Boot Option Control set to UEFI for the system to work? I noticed I had to set mine the same to boot with CSM enabled.
The idea behind SecureBoot is that the motherboard will reject attempts to boot an unauthorized image, so I think the key focus here is the boot devices and perhaps storage controllers. So you would want to rule out legacy options. Maybe a dual-boot setup would be a reason to allow legacy mode as an option for the boot devices. Really, it's as clear as mud


Quote:
My other two Option ROM options are Launch PXE OpROM Policy and Launch Video OpROM Policy. All three can either be set to UEFI Option ROM only or Legacy Option ROM only. Could you please briefly explain how they work and what they should be set at with CSM enabled?
I don't have deep knowledge of how the CSM works, but out of curiosity, what happens with your video cards if you use Legacy mode for video? Do you still come up with "True" for the confirm-securebootUEFI command?
Old 07-14-2013, 03:53 PM   #6
PrincessFrosty
Golden Member
 
Join Date: Feb 2008
Location: UK
Posts: 1,291

Thanks for the info; I'm still new to Secure Boot. There need to be more resources on this.
__________________
Intel 2600k @ 4.7Ghz || ThermalRight TRUE Spirit 140
16Gb PC3-12800 || MSI GTX580 Twin Frozr II
Dell 3007 WFP-HC 30" || BenQ XL2420T 24" 120hz

http://www.pcgamingstandards.com - PC Game fixes database.
Old 07-17-2013, 06:36 AM   #7
balloonshark
Senior Member
 
Join Date: Jun 2008
Posts: 738

Quote:
Originally Posted by mechBgon View Post
I don't have deep knowledge of how the CSM works, but out of curiosity, what happens with your video cards if you use Legacy mode for video? Do you still come up with "True" for the confirm-securebootUEFI command?
The OPRom options are only available if CSM is disabled. With CSM disabled it won't let me boot when using PCIE graphics (my 7970 card).

I did try using CSM enabled with my 7970 card and secure boot but when I checked PowerShell like in your example it came back false. I didn't mess with the keys in the UEFI though like shown in my 3rd pic.
__________________
i5-4670K, Hyper 212 Evo, ASRock Z87 Extreme6, Sapphire Vapor-X Radeon HD 7970 Ghz Edition 3GB, 120GB Samsung 840 Series SSD, 1TB WD Blue HDD, Team Vulcan DDR3 1600 4x4GB, Corsair CX600 PSU, Asus 24x DVD Burner, Corsair Carbide 500R, Windows 8 Pro 64 bit.

Old Rig: Q6600@3.0, Xigmatek HDT-S1283, MSI P35 Neo2-FR, G.Skill 2x2GB DDR2-1000,
Radeon HD 7750 Double D Black Ed. 900MHz 1GB DDR5, Seagate 250GB, Corsair 400, Antec P182, SyncMaster 2232BW Plus, XP Home SP3.
Old 07-17-2013, 11:26 PM   #8
mechBgon
Super Moderator
Elite Member
 
 
Join Date: Oct 1999
Posts: 30,698

Well the problem is clearly that 7970. You'd better send that to me so I can dispose of it.*


*disclaimer: disposal process may take several years and involve heavy gaming

Like you said, it's a little weird that such a recent card would have that incompatibility. Heck, I'm on a pair of GTX460s

You might try exploring your BIOS's SecureBoot keys area. In mine, I can opt for the "standard" keys, but I can also say "Custom" and then another option becomes available, a submenu where I can go in and say "yeah, load the usual keys."
Old 07-19-2013, 07:02 AM   #9
balloonshark
Senior Member
 
Join Date: Jun 2008
Posts: 738

Quote:
Originally Posted by mechBgon View Post
Well the problem is clearly that 7970. You'd better send that to me so I can dispose of it.
Hey, wait a minute... Won't you need my email and password to my Steam account? *

* Disclaimer: I only have one game in my Steam account.


Quote:
You might try exploring your BIOS's SecureBoot keys area. In mine, I can opt for the "standard" keys, but I can also say "Custom" and then another option becomes available, a submenu where I can go in and say "yeah, load the usual keys."
Mine only gives me the option to install the keys. Once I do that it only gives me the option to clear the keys. I don't see either until I enable Secure Boot. Do the keys have to be installed for Secure Boot to show true?
__________________
i5-4670K, Hyper 212 Evo, ASRock Z87 Extreme6, Sapphire Vapor-X Radeon HD 7970 Ghz Edition 3GB, 120GB Samsung 840 Series SSD, 1TB WD Blue HDD, Team Vulcan DDR3 1600 4x4GB, Corsair CX600 PSU, Asus 24x DVD Burner, Corsair Carbide 500R, Windows 8 Pro 64 bit.

Old Rig: Q6600@3.0, Xigmatek HDT-S1283, MSI P35 Neo2-FR, G.Skill 2x2GB DDR2-1000,
Radeon HD 7750 Double D Black Ed. 900MHz 1GB DDR5, Seagate 250GB, Corsair 400, Antec P182, SyncMaster 2232BW Plus, XP Home SP3.
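The two open questions in the thread, "How do the keys work?" and "Do the keys have to be installed for Secure Boot to show true?", can be answered by reading the key stores straight out of the firmware. Secure Boot keeps four UEFI variables: PK (the platform key, owned by the board vendor), KEK (key exchange keys, which authorize updates to db and dbx), db (the allowed signers and hashes; on a PC this is normally Microsoft's Windows Production CA and UEFI CA certificates) and dbx (forbidden signers and hashes). If no PK is enrolled the firmware is in setup mode: it enforces nothing and Confirm-SecureBootUEFI will not say True, which is why the "install keys" step matters. The block below is added example code, not from this thread or any board vendor; it parses the EFI_SIGNATURE_LIST layout from the UEFI specification and assumes an elevated PowerShell on a UEFI-booted Windows 8 or later. Read-SignatureList is a name made up here.

```powershell
#Requires -RunAsAdministrator
# Added example: list what is in the Secure Boot key stores (PK, KEK, db, dbx).
# Assumes an elevated PowerShell on a UEFI-booted Windows 8+. Layout per the UEFI spec:
# EFI_SIGNATURE_LIST { SignatureType GUID; ListSize; HeaderSize; SignatureSize; header; EFI_SIGNATURE_DATA[] }
# EFI_SIGNATURE_DATA { SignatureOwner GUID; payload }   (all integers little-endian)

$EFI_CERT_X509   = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # DER X.509 certificate entries
$EFI_CERT_SHA256 = [guid]'c1c41626-504c-4092-aca9-41f936934328'   # SHA-256 hash entries (typical in dbx)

function Read-SignatureList {
    param([byte[]]$Bytes, [string]$Store)
    $off = 0
    while ($off + 28 -le $Bytes.Length) {
        $type     = New-Object Guid (,[byte[]]$Bytes[$off..($off + 15)])
        $listSize = [BitConverter]::ToUInt32($Bytes, $off + 16)
        $hdrSize  = [BitConverter]::ToUInt32($Bytes, $off + 20)
        $sigSize  = [BitConverter]::ToUInt32($Bytes, $off + 24)
        # Refuse to walk a truncated or self-referential list rather than loop forever on it
        if ($listSize -lt 28 -or $off + $listSize -gt $Bytes.Length -or $sigSize -le 16) {
            throw "Malformed EFI_SIGNATURE_LIST in $Store at offset $off"
        }
        $end    = $off + $listSize
        $sigOff = $off + 28 + $hdrSize
        while ($sigOff + $sigSize -le $end) {
            $owner = New-Object Guid (,[byte[]]$Bytes[$sigOff..($sigOff + 15)])
            $data  = [byte[]]$Bytes[($sigOff + 16)..($sigOff + $sigSize - 1)]
            if ($type -eq $EFI_CERT_X509) {
                $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (,$data)
                [pscustomobject]@{ Store = $Store; Kind = 'X509'; Owner = $owner
                                   Entry = $cert.Subject; NotAfter = $cert.NotAfter; Thumbprint = $cert.Thumbprint }
            } elseif ($type -eq $EFI_CERT_SHA256) {
                [pscustomobject]@{ Store = $Store; Kind = 'SHA256'; Owner = $owner
                                   Entry = (($data | ForEach-Object { $_.ToString('x2') }) -join ''); NotAfter = $null; Thumbprint = $null }
            } else {
                [pscustomobject]@{ Store = $Store; Kind = "Other($type)"; Owner = $owner
                                   Entry = "$($data.Length) bytes"; NotAfter = $null; Thumbprint = $null }
            }
            $sigOff += $sigSize
        }
        $off = $end
    }
}

# SetupMode = 1 means no PK is enrolled: the firmware accepts any loader and
# Confirm-SecureBootUEFI cannot be True, even with the Secure Boot toggle switched on.
try   { $setupMode = (Get-SecureBootUEFI -Name SetupMode -ErrorAction Stop).Bytes[0] }
catch { throw "Not a UEFI boot, or the firmware exposes no Secure Boot variables: $($_.Exception.Message)" }
"SetupMode = $setupMode (0 = user mode, PK enrolled; 1 = setup mode, keys not installed)"

$entries = foreach ($name in 'PK', 'KEK', 'db', 'dbx') {
    try   { $var = Get-SecureBootUEFI -Name $name -ErrorAction Stop }
    catch { Write-Warning "$name`: $($_.Exception.Message)"; continue }
    Read-SignatureList -Bytes $var.Bytes -Store $name
}

# Certificates the firmware trusts (or, in dbx, distrusts), then a count per store and entry kind
$entries | Where-Object Kind -eq 'X509' | Format-Table Store, Entry, NotAfter -AutoSize
$entries | Group-Object Store, Kind | Select-Object Name, Count
```

On a board that has just had "install keys" run, expect a PK issued by the board vendor, a Microsoft KEK, and a db holding the Microsoft Windows Production CA plus the Microsoft UEFI CA (the latter is what signs third-party option ROMs and bootloaders such as shim); a dbx that is nothing but SHA-256 entries is normal. A missing PK, or a db without the UEFI CA while a UEFI video option ROM is in use, is the kind of mismatch that leaves Confirm-SecureBootUEFI False or the system refusing to boot.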