Secure Boot is one of UEFI functions which allows dealing with rootkits and bootkits (which use vulnerabilities in BIOS firmware) even at OS-boot entry-level. Secure boot technology is one of many defensive layers in Microsoft Windows 8 and Windows Server 2012. In this article we will discuss theoretical and practical work aspects of Secure Boot in Windows 8 (relevant also for Windows Server 2012).
It is a well-known fact that in modern OS boot is one of the most vulnerable components from the security point of view. An attacker simply pass bootloader function to his own (malicious) loader, and such loader won’t be detected by OS security system and antivirus software.
Secure Boot in Windows 8 allows to organize check of all executable components (drivers, programs) during booting process (before OS start) it guaranties that only trusted programs (with digitally signed) can be executed during Windows boot process. Unsigned code and code without appropriate safety certificates (rootkits, bootkits) are blocked by UEFI (however this system can also be bypassed, remember Flame worm which was signed by false Microsoft certificate). In case of component without digital sign detection Windows recovery service will be started automatically and it will try to change windows by recovery of necessary system files.
You should definitely understand that for secure boot technology usage one should use UEFI system instead of BIOS on his PC (we have already discussed what it is in the article UEFI and Windows 8). Motherboard of firmware must support UEFI v.2.3.1 specification and should have Windows Microsoft CA certificate in its UEFI signature base (or hardware OEM-dealers certified by Microsoft). All new computers with pre-installed Windows 8 64- bits versions which got “Windows 8 ready” label require active secure boot at Microsoft request. Let`s also note that Windows 8 for ARM (Windows RT) can`t be installed on equipment which doesn’t support UEFI or which allows Secure Boot disabling. There is no need in TPM module (trusted platform module) for correct secure boot or ELAM.
Another Windows 8 secure boot component is ELAM (Early-launch Anti-Malware), it provides anti-virus protection even before computer boot compliance. Certified Antivirus supporting ELAM (refers to products of different, not only Microsoft) starts its work even before malware will get a chance to boot and to hide its presence.
Secure Boot setting in Windows 8
Let`s clear up how to organize Windows 8 secure boot on a new PC. It is assumed that you have box version of Win 8 not a pre-installed one. For this experiment Asus P8Z77 motherboard with UEFI support and Windows 8 ready label was selected. It`s worth to remember that specific screenshots and options on the other model of motherboard may differ. The most important is to remember the basic principles of Windows 8 with Secure Boot installation on a new computer.
It is planned to install a new system on SSD disk that`s why we will set AHCI as SATA mode section in BIOS settings (it`s UEFI in fact).
Then we will disable CSM mode (compatibility support mode with BIOS) Launch CSM – Disabled.
Then we will change OS type – Windows 8 EUFI and make sure that Secure Boot Mode – Standard is disabled.
For Windows 8 Installation we will need either DVD boot disc (physical) with Windows 8 installation package or USB flash (formatted in FAT 32) prepared in a special way (preparing of UEFI boot flash drive for Windows 8 installation) because boot flash drive with NTFS in UEFI won’t work. It`s worth mentioning that Windows 8 installation from flash drive to SSD disk took about 7 minutes only!
Shut down your PC insert boot disk (flash drive) and turn on your PC. Boot options priority screen (UEFI Boot menu) will appear, here you should select your boot device (you can see Windows boot manager on a screen shot but in real life it will appear only after system installation in EFI mode).
We will deal with disk partitioning parameters for system in details. EFI and secure boot requires disk to be in GPT (not in MBR) mode. In case when disk is not marked out no other manipulations or actions with disk part are necessary. The system will do everything itself. If disk is partitioned out on partitions – delete them, because to work with UEFI secure boot four special partitions are needed, boot manager will create them automatically.
It is assumed that we won’t use all disk space for Windows 8 so we will just press Next button without creating any partitions. Windows will create four partitions of necessary size and give them names automatically:
- Recovery – 300 Мb
- System – 100 Mb – EFI system partition which contains NTLDR, HAL, Boot.txt and other necessary files for system boot.
- MSR (Reserved) – 128 Мb – Microsoft reserved partition (Microsoft Reserved -MSR) which is created on every disk for operating system later usage.
- Primary – all remained space this is a partition where Windows 8 is actually installed
Then perform Windows 8 installation as usual. After Windows will be installed you can check whether secure boot is used with a help of Poweshell. To do so perform the following in the command line with the administrative privilege:
If Secure Boot is disabled the command will return TRUE (if it will return FALSE or command is not found than secure boot is disabled).
So we installed Windows 8 in secure boot mode with UEFI successfully.