Some notes on Secure Boot

[mechBgon]

Maybe this will be helpful to some of you. I shuffled some parts around, and one of my goals was to get Secure Boot enabled on a system.

:hmm: "Hmmm, the old mobo was Intel Z68, the new one's Z77."

So I transplanted the old Windows 8 drive to the new mobo, which is a Gigabyte with a beta BIOS that supports Secure Boot if you enable it. Then I started up Windows, it Discovered New Hardware™ and booted. And naturally I had to talk to the excessively-cheerful Microsoft Activation Robot

Next, I ran the built-in Windows PowerShell as an Administrator and ran the command help secureboot, since I never remember the syntax for the command that verifies SecureBoot is working. Well there it is: Confirm-SecureBootUEFI.

What you want it to say, is simply TRUE. In my case, I got a bunch of red text that boiled down to DUDE, YOU'RE DOING IT WRONG.

So I was all but the previous boot drive on this mobo was SecureBooting fine, so what's different? And the answer is that this instance of Win8 was originally installed with a non-UEFI, non-SecureBootable motherboard.

The solution: reinstall Windows 8. I also made sure the boot options were "UEFI only" in case there was a way for it to fall back on a "legacy" option.

Why would you want Secure Boot? Basically, it prevents bootkits (the infamous TDL aka TDSS family, for example), which get between the hardware and the OS and can effectively rootkit the OS from the outside, and then it's Welcome to The Matrix. The BIOS itself will refuse to boot the system from code that's not whitelisted with the appropriate digital signature. There are downsides, like not being able to boot just any OS, so it may not be for everyone. But it's under your control via a BIOS setting, so hey.

If you're interested in using SecureBoot then you may also be interested in knowing that Intel's Ivy Bridge-core processors all have a new security enhancement that's similar to Data Execution Prevention. It prevents the OS kernel from executing stuff in user memory, which thwarts some types of privilege-escalation exploits. Win8 supports this feature (SMEP) and I believe Linux has begun supporting it as well. So if you're considering a new Intel box, you probably want Ivy Bridge or later.

 

[balloonshark]

Edit: Firstly, does this mean this is a no go? http://www.sapphireforum.com/showthread.php?31151-7970-UEFI-GOP-Bios&highlight=UEFI Or could I go ahead and do the install and disable something in hopes that Sapphire releases a UEFI update?

Edit 2: I have posted on TweakTown's ASRock forum for help but the site is down. I have also wrote Sapphire to ask if my graphics cards is UEFI compatible.

Edit 3: Sapphire replied and said there cards are no UEFI supported. Does this mean I can't install Windows 8 64 bit in UEFI mode to use Secure Boot?

Edit 4: I was able to get a little help here. http://forums.tweaktown.com/asrock/53396-asrock-z87-extreme6-windows-8-pro-64-bit-secure-boot.html
_________________________________________________________________

Is it really worth reinstalling Windows 8 to enable this feature? Would I need to change all of the settings in the pic below to UEFI, turn on secure boot and then reinstall using this method? http://www.eightforums.com/tutorial...e-firmware-interface-install-windows-8-a.html



With their method the disk was formatted with GPT. Is this mandatory? What are the drawbacks? Can I still image the drive?

I found the above link from this link.
http://www.eightforums.com/tutorials/17058-secure-boot-enable-disable-uefi.html

I think this pic shows that my Windows 8 Pro 64 bit dvd is UEFI capable. (Sorry for the blurry pic.)


UEFI Secure Boot option. How do the keys work?

 

[mechBgon]

Sorry I didn't get around to replying sooner

Is it really worth reinstalling Windows 8 to enable this feature?

It was worth it to me. The kind of malware SecureBoot prevents is probably the worst kind in existence. If I can bulletproof my rig against that with a BIOS setting, sign me up!

Assuming someone's hardware is not incompatible, the key aspects appear to be:

1. make sure the BIOS is set up to boot from UEFI before you commence Windows installation.

2. enable Secure Boot. This can be done after the Windows installation.

3. test to confirm SecureBoot is enabled for reals:

(run PowerShell with the Run As Administrator option from a right-click, and run the command confirm-securebootUEFI)


There's the question of whether you should have CSM enabled or not. I happen to have it enabled and my result is the one shown above: SecureBoot is working in Windows.

 

[balloonshark]

Thanks for your reply mechBgon! I was finally able to get Window 8 installed using UEFI. The trick was to disable CSM before installing Windows.

Interesting how our MB's firmware is different. In your first pic my boot option says Windows Boot Manager with CSM disabled.

3. test to confirm SecureBoot is enabled for reals:

There's the question of whether you should have CSM enabled or not. I happen to have it enabled and my result is the one shown above: SecureBoot is working in Windows.

Interesting that you are able to have Secure Boot working with CSM enabled. This would be ideal for me as my graphics card isn't UEFI capable .

In your 2nd pic under CSM support. Would you happen to know why you need the Storage Boot Option Control set to UEFI for the system to work? I noticed I had to set mine the same to boot with CSM enabled.

My other two Option Rom options are Lauch PXE OpRom Policy and Launch Video OpRom Policy. All three can either be set to UEFI option Rom only or Legacy Option Rom only. Could you please briefly explain how they work and what they should be set at with CSM enabled?

 

[mechBgon]

Thanks for your reply mechBgon! I was finally able to get Window 8 installed using UEFI. The trick was to disable CSM before installing Windows.

Interesting how our MB's firmware is different. In your first pic my boot option says Windows Boot Manager with CSM disabled.


Interesting that you are able to have Secure Boot working with CSM enabled. This would be ideal for me as my graphics card isn't UEFI capable .

In your 2nd pic under CSM support. Would you happen to know why you need the Storage Boot Option Control set to UEFI for the system to work? I noticed I had to set mine the same to boot with CSM enabled.

The idea behind SecureBoot is that the motherboard will reject attempts to boot an unauthorized image, so I think the key focus here is the boot devices and perhaps storage controllers. So you would want to rule out legacy options. Maybe a dual-boot setup would be a reason to allow legacy mode as an option for the boot devices. Really, it's as clear as mud

My other two Option Rom options are Lauch PXE OpRom Policy and Launch Video OpRom Policy. All three can either be set to UEFI option Rom only or Legacy Option Rom only. Could you please briefly explain how they work and what they should be set at with CSM enabled?

I don't have deep knowledge of how the CSM works, but out of curiosity, what happens with your video cards if you use Legacy mode for video? Do you still come up with "True" for the confirm-securebootUEFI command?

 

[PrincessFrosty]

Thanks for the info, still new to secureboot, there's needs to be more resources on this.

 

[balloonshark]

I don't have deep knowledge of how the CSM works, but out of curiosity, what happens with your video cards if you use Legacy mode for video? Do you still come up with "True" for the confirm-securebootUEFI command?

The OPRom options are only available if CSM is disabled. With CSM disabled it won't let me boot when using PCIE graphics (my 7970 card).

I did try using CSM enabled with my 7970 card and secure boot but when I checked PowerShell like in your example it came back false. I didn't mess with the keys in the UEFI though like shown in my 3rd pic.

 

[mechBgon]

Well the problem is clearly that 7970. You'd better send that to me so I can dispose of it.*


*disclaimer: disposal process may take several years and involve heavy gaming

Like you said, it's a little weird that such a recent card would have that incompatibility. Heck, I'm on a pair of GTX460s

You might try exploring your BIOS's SecureBoot keys area. In mine, I can opt for the "standard" keys, but I can also say "Custom" and then another option becomes available, a submenu where I can go in and say "yeah, load the usual keys."

 

[balloonshark]

Well the problem is clearly that 7970. You'd better send that to me so I can dispose of it.

Hey, wait a minute... Won't you need my email and password to my Steam account? *

* Disclaimer: I only have one game in my Steam account.

You might try exploring your BIOS's SecureBoot keys area. In mine, I can opt for the "standard" keys, but I can also say "Custom" and then another option becomes available, a submenu where I can go in and say "yeah, load the usual keys."

Mine only gives me the option in install the keys. Once I do that it only gives me the option to clear the keys. I don't see either until I enable Secure Boot. Do the keys have to be installed for Secure Boot to show true?