How Does Windows 8’s Secure Boot Feature Work?
- Author Rossy Gaydarska
- Published September 16, 2014
- Word count 823
What is that feature?
Secure boot is a feature of Windows 8 that helps to prevent malicious software applications and "unauthorized" operating systems from loading during the system start-up process. While it is a great security feature, it effectively prevented you from dual booting your PC. Any other OS without the proper signing key will be deemed as "unauthorized" and won’t be able to boot up. The way to go about it is either install an OS that comes with the appropriate signing key or disable the secure boot feature altogether.
Secure Boot Configuration is a new feature of the Unified Extensible Firmware Interface (UEFI) in BIOS 8 that helps a computer resist attacks and infection from malware. When your computer was manufactured, UEFI created a list of keys that identify trusted hardware, firmware, and operating system loader code. It also created a list of keys to identify known malware.
Secure Boot is supported for UEFI Class 2 and Class 3 PCs. For UEFI Class 2 PCs, when Secure Boot is enabled, the compatibility support module (CSM) must be disabled so that the PC can only boot authorized, UEFI-based operating systems. Secure Boot isn’t a required feature for x86 and x64 versions of Windows.
Security Advantages
The traditional BIOS will boot any software. Normally, your BIOS boots the Windows boot loader or maybe a Linux boot loader, like GRUB. However, it’s possible for malware, such as a rootkit, to replace your boot loader. The rootkit could load your normal operating system with no indication that anything was wrong, staying completely invisible and undetectable on your system. The BIOS doesn’t know the different between malware and a trusted boot loader, so it allows either to boot.
Windows 8 PCs will ship with Microsoft’s certificate stored in UEFI. UEFI will check the boot loader before launching it and ensure it’s signed by Microsoft – if a rootkit or another malware program does replace your boot loader, UEFI won’t allow it to boot. This prevents malware from hijacking your boot process and concealing itself from your operating system.
What You Can Control
If that was all Secure Boot did, you wouldn’t be able to run any non-Microsoft operating system on your PC. Luckily, you can control secure boot in UEFI. You can disable secure boot entirely or add additional certificates. You should even be able to remove Microsoft’s certificate – remove Microsoft’s certificate, add your own, and your computer will only launch boot loaders that you’ve signed yourself.
How does it work?
When Secure Boot is activated on a PC, the PC checks each piece of software, including the Option ROMs and the operating system, against databases of known-good signatures maintained in the firmware. If each piece of software is valid, the firmware runs the software and the operating system.
Signature Databases and Keys
The signature database (db) and the revoked signatures database (dbx) list the signers or image hashes of UEFI applications, operating system loaders, and UEFI drivers that can be loaded on the individual PC, and the revoked images for items that are no longer trusted and may not be loaded.
The Key Enrollment Key database (KEK) is a separate database of signing keys that can be used to update the signature database and revoked signatures database. Microsoft requires a specified key to be included in the KEK database so that in the future Microsoft can add new operating systems to the signature database or add known bad images to the revoked signatures database.
When a computer is started, Secure Boot checks the integrity of the UEFI firmware by using the PK. If this check fails, you will need to restore the firmware to a trusted firmware. Next, UEFI will check the integrity of the Windows Boot Loader files by decrypting them and validating them against the key databases. If this check fails, a backup of the Windows Boot Manager will be used. Below, however, is the full list of hardware and software requirements you’ll need to meet to enjoy the added layer of security that Secure Boot offers:
o A computer with UEFI 2.3.1 Errata B. inside UEFI, the Secure Boot option should be enabled and a present Compatibility Support Module (CSM) should be disabled.
o A Windows 8, Windows 8 Pro, Windows 8 Enterprise, Windows RT, Windows Server 2012 Standard, and/or Windows Server 2012 Datacenter UEFI-based installation.
Checking if Secure Boot is enabled or disabled
Since it’s not easy to see if the system is capable of Secure Boot or if Secure Boot is enabled, Microsoft has included a handy little PowerShell cmdlet to check this—specifically, Confirm-SecureBootUEFI.
When you run this command, you get one of three results:
True - The computer supports Secure Boot, and Secure Boot is enabled.
False - The computer supports Secure Boot, but Secure Boot is disabled.
Cmdlet not supported on this platform - The computer does not support Secure Boot or is a non-UEFI computer.
For more information, feel free to visit our website: http://www.sysax.com/
Article source: https://articlebiz.comRate article
Article comments
There are no posted comments.
Related articles
- Top 10 Ways Production Scheduling in Business Central Transforms Manufacturing
- Strength Training and it's Incredible Benefits for Fat Burning
- Enhancing Home Security with Aluminum Shutters: A Focus on Weatherwell Elite
- 5 Easy Ways to Make Oral Hygiene Fun for the Whole Family
- Transforming Plastic Extrusion Machines into Recycling Powerhouses
- Unraveling the Potential of Plastic Extrusion Machines
- The Rise of Plastic Recycling Machines: A Step Towards Sustainability
- Strawberry Cheesecake Ice Cream: OMG! Unreal!
- The Advantages of Using Professional Home Cleaners in Ilford
- 8 Compelling Reasons to Hire Professional Home Cleaners
- The 12 Steps Narcotics Anonymous Program To Recovery
- Send Money to Tanzania: Effortless Transfers with SafariRemit
- Stylish Savings: 10 Frugal Ways to Stay Fashionable in 2024
- Fly Cheap With FlightPapa To Any City
- How Collaborating with a Software Development Company Can Propel Your Business Forward
- A Comprehensive Guide to Choosing the Best Hair Transplant Method
- 15 Frugal Tips for a Memorable Wedding Day
- Credit Union vs. Bank
- Explore the Advantages of Renewable Energy: Wind, Solar, Biomass, Hydropower and Geothermal Energy
- Frugal Nutrition: How to Eat Healthy on a Budget
- Fintechzoom Richard Mille
- Who owns the most Bitcoin?
- Fintechzoom IBM Stock: Powerful!
- Building a Professional Website on a Budget: Using Free Tools like WordPress and AI
- Navigating Vietnam's Tourist Immigration: Challenges and Solutions
- Bitcoin FintechZoom
- Cost-Effective Gardening: Tips for Enhancing Your Garden on a Budget
- Steve Wozniak: WOZ
- Keeping Your Garage Door Running Smoothly: A Guide to Drum Replacement with GarageDoorMagnolia
- When Your Garage Door Goes Rogue: Off-Track Repair in Tacoma and Seattle