Use UEFI to protect the environment before the operating system is loaded

Use UEFI to protect the environment before the operating system is loaded

We are sorry to find that, in some comments, there are misunderstandings about how Microsoft implements secure startup. Therefore, we wrote this blog post specially, further clarify how UEFI can be used for secure start and introduce some options for PC manufacturers. First of all, we should remember that we have introduced relevant functions while ensuring that users can continue to fully control the PC, so as to enable it in a safe way and protect user security. Tony Mangefeste from our ecosystem team wrote this blog. -- Steven

How to disable UEFI on Win8 to install Linux

Install Windows 8 and CentOS on UEFI + GPT

Install CentOS 6.4 in GPT mode on UEFI Motherboard

Windows 8 system updates will delete GRUB2 and set UEFI as a secure Guide

Contents

• UEFI supports firmware security policies
• Secure boot is a UEFI protocol, not a function of Windows 8.
• UEFI secure boot is an integral part of the Windows 8 secure boot architecture.
• Windows 8 ensures that the environment before the operating system is loaded is safe by means of safe start.
• Secure boot does not "Lock" the operating system loader. It is only a policy that supports firmware verification of component reliability.
• OEMs can customize the firmware by customizing the certificate and policy management level on their platforms to meet customers' needs.
• Microsoft does not host or control settings used in PC firmware to control or support secure boot from any operating system outside Windows

Guiding Principles-no accommodation in Security

The UEFI secure startup protocol is the basis for implementing cross-platform and firmware security and has nothing to do with the architecture. Before executing the firmware image, start the verification of the firmware Image Based on the Public Key Infrastructure (PKI) process to help reduce the risk of being attacked by the startup loader. In Windows 8, Microsoft relies on this Protocol to improve your platform security.

Figure 1-platform integrity Architecture

Microsoft works closely with our partners to ensure secure start-up provides users with a good security experience. Microsoft allows OEMs to flexibly decide who manages security certificates, how users can import and manage these certificates, and how to manage secure startup. We believe that it is important to provide OEM with this flexibility and to allow users to decide how to manage their systems on their own.

For Windows customers, Microsoft uses the Windows certification plan to ensure that the secure startup feature is enabled by default for systems that are shipped with Windows 8; firmware cannot be programmed to control secure boot (prevent malware from disabling security policies in the firmware); without authorization, the OEM prohibits firmware update, this may compromise the integrity of the system.

Most policies are not new features of UEFI firmware. Most PCs today have some form of firmware verification. Even the existing legacy firmware verification support (such as the BIOS password) is a secure Boot Mode that has been enabled by OEMs and end users for many years. However, with secure start and UEFI, the entire industry and Microsoft are building a more complete and better system at a higher level, providing users with stronger protection, resist the ever-expanding threats.

What is UEFI?

UEFI (Unified extensible firmware interface) is managed by UEFI Forum. UEFI Forum is an organization jointly established by chipset suppliers, hardware suppliers, system suppliers, firmware suppliers, and operating system vendors. This Forum maintains specifications, test tools, and Reference implementations that can be used across multiple UEFI PCs. Microsoft is a member of the board of directors of the Forum. The Forum is open to all individuals and companies. You do not have to pay any fees to join the Forum.

UEFI defines the next-generation firmware interface for PCs. The firmware of the Basic Input and Output System (BIOS) was originally programmed in assembly language and interrupted to perform input/output operations. At the beginning of the appearance, the basic framework of the PC ecosystem was determined, however, with the development of computing technology, the definition of "modern firmware" came into being to meet the needs of next-generation tablets and devices.

UEFI is designed to define a standard communication mode that regulates the communication between the operating system and the platform firmware during startup. Before the emergence of UEFI, the software interrupt mechanism was used to communicate with the hardware during the startup process. Modern PCs can execute block input/output operations more quickly and efficiently between hardware and software, and use UEFI in design to realize the full potential of hardware.

UEFI supports modular Firmware design. hardware designers and system designers are more flexible in designing firmware for a more demanding modern computing environment. Due to the restrictions of software interruptions on input/output, UEFI proposed the concept of event-based and adopted a coding standard independent of the architecture.

What is secure startup?

UEFI has a firmware verification process (called secure boot), which is defined in Chapter 27th of UEFI 2.3.1 specification. Secure boot defines how the platform firmware manages security certificates, how to perform firmware verification, and how to define interfaces (Protocols) between the firmware and the operating system ).

Microsoft's platform integrity architecture creates a trust Root between UEFI secure boot and the certificates stored in the firmware and platform firmware. With the rapid evolution of malware, malware is making the startup path the preferred attack target. Such attacks are difficult to prevent, because malware can disable anti-malware products and completely block the loading of anti-malware. With the secure startup architecture of Windows 8 and its trusted root, ensure that before the operating system is loaded, only the signed and authenticated "known security" code can be executed and the loader can be started to prevent malicious code execution in the root path.

In most PCs today, the operating system has a vulnerability in the environment before loading, which can be exploited by redirecting the started loader to a possible malicious loader. These loaders cannot be detected by operating system security measures and anti-malware.

Figure 2-old BIOS boot path

Windows 8 resolves this vulnerability with UEFI Security boot. It uses policies in the firmware and together with certificates to ensure that only components with correct signatures and authentication are allowed.

Figure 3-secure boot path for UEFI

Secure startup is only an integral part of the Windows 8 platform integrity assurance system. In combination with UEFI, Microsoft also implements an overall security policy for other available hardware to further enhance the platform's security.

For more details, please continue to read the highlights on the next page:

1 2 Next Page