UEFI (replaces BIOS) has a firmware validation process that will operate a hardware detect by Trusted Platform Module(TPM) , called UEFI Secure Boot, which is defined in Chapter 27 of the UEFI 2.3.1 specification.
Secure boot defines how platform firmware manages security certificates, validation of firmware, and a definition of the interface (protocol) between firmware and the operating system. Secure boot prevents “unauthorized” operating systems and software from loading during the startup process.
Secure Boot is a technology where the system firmware checks that the system boot loader is signed with a cryptographic key authorized by a database contained in the firmware.With adequate signature verification in the next-stage boot loader(s), kernel, and, potentially, user space, it is possible to prevent the execution of unsigned code.
Secure Boot is a form of Verified Booting. Boot path validation is also part of other technologies such as Trusted Boot. Boot path validation is indepedent of secure storage of cryptographic keys and remote attestation.it specifies the following:
- a programming interface for cryptographically protected UEFI variables in non-volatile storage,
- how the trusted X.509 root certificates are stored in UEFI variables,
- validation of UEFI applications (boot loaders and drivers) using AuthentiCode signatures embedded in these applications, and
- procedures to revoke known-bad certificates and application hashes.
UEFI Secure Boot does not require specialized hardware, apart from non-volatile (flash) storage which can be switched from read-write mode to read-only mode during system boot. This storage has to be used to store the UEFI implementation itself and some of the protected UEFI variables (including the trusted root certificate store).
From a user point of view, a system which has enabled UEFI Secure Boot and which is confronted with a tampered boot path simply stops working until UEFI Secure Boot is disabled or a signed next-stage boot loader is available on boot media. ( “Typical error message from UEFI Secure Boot” shows a typical error message.) Similarly, operating system installers without a cryptographically valid signature do not run and result in an error message. Users are not offered a way to override the boot loader decision to reject the signature, unlike the similar scenario with web server certificates. No certificate issuer information is provided to the user.
┌---------- Secure Boot Violation ----------┐ │ │ ├-------------------------------------------┤ │ Invalid signature detected. Check Secure │ │ Boot Policy in Setup │ │ │ │ │ │ [OK] │ └-------------------------------------------┘
Typical error message from UEFI Secure Boot
UEFI Secure Boot does not prevent the installation or removal of second-stage boot loaders or require explicit user confirmation of such changes. Signatures are verified during booting, and not when the boot loader is installed or updated. Therefore, UEFI Secure Boot does not stop boot path manipulations. It only prevents the system from executing a modified boot path once such a modification has occurred, and simplifies their detection.