Main board firmware for UEFI Secure Boot

Labels: , , ·

With Windows 8, Microsoft wants to replace the outdated PC BIOS: complete systems with factory-installed operating system and Windows-8-logo must meet the hardware certification requirements that prescribe the UEFI mode enabled Secure Boot feature. Without deliberate intervention by the user starts thus excluding the preinstalled Windows 8 no other operating system, unless it brings a Microsoft digitally signed UEFI boot loader.

 Secure Boot is thereby prevent the start of malware blocked but also the first of many boats USB drives or optical media, and therefore the installation of other operating systems. Microsoft also does prescribe that Secure Boot be on normal x86 PCs and laptops can be disabled, but it is probably depending on motherboard firmware, a trip to the BIOS or UEFI setup required.

 Secure boot is a feature of the 2011 adopted UEFI version 2.3.1 and have yet to be found in the wild. That is changing now, because some motherboard manufacturers such as Gigabyte, Asus, Gigabyte and MSI launch first (beta) versions of firmware for certain boards which are to meet the Windows 8 specifications. Unfortunately, the Taiwanese companies usually do not specify exactly which points to the specification for the firmware version exactly fulfilled or not. But with the L1.47 Beta BIOS version for Asrock B75M worked on Windows 8 Secure Boot and allow first experiments.
After the BIOS update is secure boot first off and there are no load digital certificates. Both of you need to independently initiate via the setup option. After a restart Secure Boot is active, the firmware works in "user mode". Only in setup mode is allowed, the key, and databases can be changed, but the Asrock firmware knows but the set-up mode, but offers - unlike the MSI mainboard last Aldi PC - no functions to influence keys (PK, CEC) or databases (db, dbx).

 If Windows is started 8 in secure boot mode or not can be found out by our present knowledge only to a registry key. Under HKLM \ System \ CurrentControlSet \ Control \ Secure Boot \ State is the DWord value "UEFISecureBootEnabled" who is active Secure Boot has the content "1" and "0" if Secure Boot before the launch of Windows 8 via BIOS was switched off setup. Other effects of the Secure Boot fell Asrock B75M not.

 Kernel-mode drivers that are not digitally signed will, but in the secure boot mode can not be installed - but those signatures x64 Windows requires anyway and only the 64-bit version of Windows 8 will support UEFI and hence Secure Boot. Exciting and usually only when the expected Atom Tablets with Intel's Clover Trail chips and Connected Standby: The latter function will require Secure Boot, on the other hand, there is for the PowerVR graphics this atom now only 32-bit drivers. But for the Windows RT tablet with ARM SoCs are otherwise prevented from Microsoft combination of 32-bit code and UEFI is necessary.
When Asrock B75M with beta firmware the startup of other operating systems in secure boot mode by the way do not worry: Even if you activate secure boot can allow using the BIOS setup, loading a Compatibility Support Module (CSM). This CSM is after the actual firmware startup to BIOS compatibility so that any other operating systems run without UEFI boot loader. This is exactly why Microsoft requires hardware in the Certification Requirements for computers with Windows-8-logo that with Secure Boot the CSM is prohibited. But Asrock writes laconically regarding the CSM option: "Please do not set to disable unless runnig WHCK test", which is about: "Please do not turn off unless you check the Windows Hardware Certification". WHCK the test Microsoft describes in a PDF document.

 Until Windows 8 start in little more than six weeks, every motherboard and notebook manufacturers who wants to sell products for computers with Windows-8-Logo, the Secure Boot requirements have been implemented. At least publicly, but offers as Intel does not appropriately updates for its own motherboards. Linux developers hone meanwhile on their equipment for UEFI Secure Boot, upcoming versions of the distributions Fedora, Suse and Ubuntu should be able to handle it. For previous operating system such as Windows 7 x64, but apparently no secure boot-retrofit planned.


No comments:

Post a Comment

Subscribe to: Post Comments (Atom)