What is that feature?

Secure boot is a feature of Windows 8 that helps to prevent malicious software applications and "unauthorized" operating systems from loading during the system start-up process. While it is a great security feature, it effectively prevented you from dual booting your PC. Any other OS without the proper signing key will be deemed as "unauthorized" and won’t be able to boot up. The way to go about it is either install an OS that comes with the appropriate signing key or disable the secure boot feature altogether.

Secure Boot Configuration is a new feature of the Unified Extensible Firmware Interface (UEFI) in BIOS 8 that helps a computer resist attacks and infection from malware. When your computer was manufactured, UEFI created a list of keys that identify trusted hardware, firmware, and operating system loader code. It also created a list of keys to identify known malware.

Secure Boot is supported for UEFI Class 2 and Class 3 PCs. For UEFI Class 2 PCs, when Secure Boot is enabled, the compatibility support module (CSM) must be disabled so that the PC can only boot authorized, UEFI-based operating systems. Secure Boot isn’t a required feature for x86 and x64 versions of Windows.

Security Advantages

The traditional BIOS will boot any software. Normally, your BIOS boots the Windows boot loader or maybe a Linux boot loader, like GRUB. However, it’s possible for malware, such as a rootkit, to replace your boot loader. The rootkit could load your normal operating system with no indication that anything was wrong, staying completely invisible and undetectable on your system. The BIOS doesn’t know the different between malware and a trusted boot loader, so it allows either to boot.

Windows 8 PCs will ship with Microsoft’s certificate stored in UEFI. UEFI will check the boot loader before launching it and ensure it’s signed by Microsoft – if a rootkit or another malware program does replace your boot loader, UEFI won’t allow it to boot. This prevents malware from hijacking your boot process and concealing itself from your operating system.

What You Can Control

If that was all Secure Boot did, you wouldn’t be able to run any non-Microsoft operating system on your PC. Luckily, you can control secure boot in UEFI. You can disable secure boot entirely or add additional certificates. You should even be able to remove Microsoft’s certificate – remove Microsoft’s certificate, add your own, and your computer will only launch boot loaders that you’ve signed yourself.

How does it work?

When Secure Boot is activated on a PC, the PC checks each piece of software, including the Option ROMs and the operating system, against databases of known-good signatures maintained in the firmware. If each piece of software is valid, the firmware runs the software and the operating system.

Signature Databases and Keys

The signature database (db) and the revoked signatures database (dbx) list the signers or image hashes of UEFI applications, operating system loaders, and UEFI drivers that can be loaded on the individual PC, and the revoked images for items that are no longer trusted and may not be loaded.

The Key Enrollment Key database (KEK) is a separate database of signing keys that can be used to update the signature database and revoked signatures database. Microsoft requires a specified key to be included in the KEK database so that in the future Microsoft can add new operating systems to the signature database or add known bad images to the revoked signatures database.

When a computer is started, Secure Boot checks the integrity of the UEFI firmware by using the PK. If this check fails, you will need to restore the firmware to a trusted firmware. Next, UEFI will check the integrity of the Windows Boot Loader files by decrypting them and validating them against the key databases. If this check fails, a backup of the Windows Boot Manager will be used. Below, however, is the full list of hardware and software requirements you’ll need to meet to enjoy the added layer of security that Secure Boot offers:

o A computer with UEFI 2.3.1 Errata B. inside UEFI, the Secure Boot option should be enabled and a present Compatibility Support Module (CSM) should be disabled.

o A Windows 8, Windows 8 Pro, Windows 8 Enterprise, Windows RT, Windows Server 2012 Standard, and/or Windows Server 2012 Datacenter UEFI-based installation.

Checking if Secure Boot is enabled or disabled

Since it’s not easy to see if the system is capable of Secure Boot or if Secure Boot is enabled, Microsoft has included a handy little PowerShell cmdlet to check this—specifically, Confirm-SecureBootUEFI.

When you run this command, you get one of three results:

True - The computer supports Secure Boot, and Secure Boot is enabled.

False - The computer supports Secure Boot, but Secure Boot is disabled.

Cmdlet not supported on this platform - The computer does not support Secure Boot or is a non-UEFI computer.