Iris Classon
Iris Classon - In Love with Code

Stupid Question 235-236: What is UEFI, and what is Secure Boot?

[To celebrate my first year of programming I will ask a ‘stupid’ questions daily on my blog for a year, to make sure I learn at least 365 new things during my second year as a developer]

While eating dinner today I was enjoying a TechEd session on security in Windows 8 and 8.1 and I learned something new- which of course I have to share!
There is this thing called UEFI – it stands for Unified Extensible Firmware Interface.

UEFI

This is an interface that replaces some bits and pieces of the traditional BIOS and its built on top of BIOS. It is architecture independent which means that you could run Linux for example. Once you boot your computer enables devices and operation, and all firmware, applications, drivers and loaders have to be signed/trusted. It stores the trusted and untrusted keys and certificates in a database, has platform related information, as well as contains some boot and runtime services.

The database designs stores the following variables:
PK
The platform master key which most often is set by the manufacturer.
KEK
Database update authorization key – also set by manufacturer. A certificate that allows updates.
db
List of authorized application signers (certificates). Programs that are allowed.
dx
List of revoked application signers(certificates). Signed programs that later on are considered dangerous.

One of the main features of UEFI is Secure Boot. Among some of the things it does to aid a secure boot it makes sure only approved (signed) OS loaders are accepted on boot. Before OS would start any OS loader regardless of that being malware. A malware loader can provide you a fake OS, and as you probably understand that would allow them to basically do whatever they want to do with your computer and the information you provide through the usage.
Keep in mind that UEFI has some hardware requirements that not all PC manufactures have met, and therefore you aren’t guaranteed all the UEFI goodness just because you have Windows 8 installed.

As for how to know if you have UEFI , well…. I thought that was going to be an easy one, but I actually haven’t quite figured that out 100%. You might want to keep an eye on my question on StackOverflow: Does my PC have UEFI support and Secure boot?
I’ll post a new post plus an update once I know :)

Comments

Leave a comment below, or by email.
Sander Berkouwer
9/3/2013 11:28:02 AM
Hi Iris,

My post on this very subject was posted only a few days ago on 4Sysops:
http://4sysops.com/archives/windows-8-secure-boot/

I hope that helps.

Cheers, Sander 
Iris Classon
9/4/2013 8:15:13 AM
Reply to: Sander Berkouwer
Thank you for sharing that, that is a very good blog post!! 


Last modified on 2013-09-03

comments powered by Disqus