With Windows Trusted Boot architecture and its establishment of a root of trust with Secure Boot, the customer is protected from malicious code executing in the boot path by ensuring that only signed, certified "known good" code and boot loaders can execute before the operating system itself loads.
This class of attack has been difficult to guard against, since antimalware products can be disabled by malicious software that prevents them from loading entirely. A growing trend in the evolution of malware exploits is targeting the boot path as a preferred attack vector. Implementation of UEFI Secure Boot is part of Microsoft’s Trusted Boot Architecture, introduced in Windows 8.1.
Boot Critical Driver initialization: The signatures on all Boot-critical drivers are checked as part of Secure Boot verification in WinLoad.įigure 1: Windows Trusted Boot Architecture.Antivirus and Antimalware Software initialization: This software is checked for a special signature issued by Microsoft verifying that it is a trusted boot critical driver, and will launch early in the boot process.Any non-trusted components will not be loaded and instead will trigger Secure Boot remediation. Windows boot components verify the signature on each component. Windows boot components: BootMgr, WinLoad, Windows Kernel Startup.Firmware Boot Components: The firmware verifies the OS loader is trusted (Windows or another trusted operating system.).The Secure Boot process works as follows and as shown in Figure 1:
Secure Boot is required for Windows 8 and above client PCs, and for Windows Server 2016 as defined in the Windows Hardware Compatibility Requirements. Microsoft relies on UEFI Secure Boot in Windows 8 and above as part of its Trusted Boot security architecture to improve platform security for our customers. Through image authentication before execution, Secure Boot reduces the risk of pre-boot malware attacks such as rootkits. These modules can include firmware drivers, option ROMs, UEFI drivers on disk, UEFI applications, or UEFI boot loaders. Secure Boot is based on the Public Key Infrastructure (PKI) process to authenticate modules before they are allowed to execute. As an industry standard, Secure Boot defines how platform firmware manages certificates, authenticates firmware, and how the operating system interfaces with this process. The UEFI (Unified Extensible Firmware Interface) specification defines a firmware execution authentication process called Secure Boot. This document serves as a starting point in developing customer ready PCs, factory deployment tools and key security best practices. Summary and Resources includes appendices, checklists, APIs, and other references. Key Management Solutions is intended to help partners design a key management and design solution that fits their needs. Secure Boot, Windows and Key Management contains information on boot security and PKI architecture as it applies to Windows and Secure Boot. It is not intended as prescriptive guidance and does not include any new requirements. This paper addresses key management as a resource to help guide partners through deployment of the keys used by the firmware. However, these HCK resources do not address creation and management of keys for Windows deployments. Requirements, tests, and tools validating Secure Boot on Windows are available today through the Windows Hardware Certification Kit (HCK). The reader is expected to know the fundamentals of UEFI, basic understanding of Secure Boot (Chapter 27 of the UEFI specification), and PKI security model. This is important because UEFI Secure Boot is based on the usage of Public Key Infrastructure to authenticate code before allowed to execute. It is intended as guidance beyond certification requirements, to assist in building efficient and secure processes for creating and managing Secure Boot Keys. This paper does not introduce new requirements or represent an official Windows program. Windows requirements for UEFI and Secure Boot can be found in the Windows Hardware Certification Requirements. Enterprises and customers can also use these steps to configure their servers to support Secure Boot.