EFI Preboot Guidelines and Windows 8 UEFI Secure Boot for HP Business Notebooks and Desktops PPS Business Notebook and Desktop - Technical White Paper

Technical white paper | UEFI Secure Boot on HP business notebooks, desktops, and workstations

Secure Boot overview

Secure Boot is a feature to ensure that only authenticated code can start on a platform. The firmware is responsible for

preventing launch of an untrusted OS by verifying the publisher of the OS loader based on policy, and is designed to mitigate

root kit attacks.

Figure 4. UEFI Secure Boot flow.

• Firmware enforces policy and only starts signed OS loaders it trusts.

• OS loader enforces signature verification of later OS components.

Figure 5. Windows 8 Secure Boot flow.

• All bootable data requires authentication before the BIOS hands off control to that entity.

• The UEFI BIOS checks the signature of the OS loader before loading. If the signature is not valid, the UEFI BIOS will stop

the platform boot.

Firmware policies

Firmware support of Windows 8 differs between notebooks and desktops/workstations. The following sections describe the

differences in policy settings configurable by the user.

Firmware policies for notebooks

There are two firmware policies critical for the support of Windows 8 on notebooks; Secure Boot and Boot Mode.

The Secure Boot policy has the following options:

• Disable

• Enable

When Secure Boot is set to “Enable” BIOS will verify the boot loader signature before loading the OS.

The Boot Mode policy (for notebooks only) has the following options:

• Legacy

• UEFI Hybrid with compatibility support module (CSM)

• UEFI Native without CSM

When Boot Mode is set to “Legacy” or the UEFI Hybrid Support setting is “Enable,” the CSM is loaded and Secure Boot is

automatically disabled.

After a complete BIOS re-flash the default configuration is as follows:

• Secure Boot = Disabled

• Boot Mode = Legacy (Other modes will be set by Preinstall at the factory according to the OS to be preinstalled.)

Windows 8

OS loader

UEFI

Kernel

installation

Anti

malware

software

start

party

drivers

Verified OS

loader

(e.g. Win8)

Native

UEFI

OS start