Currently Being Moderated

Abstract

 

This article applies to Secure Boot with Microsoft Windows 8®. Although these instructions are based on an Ivy Bridge Software Development Platform from Intel Corporation, the process should be similar on 2012 OEM platforms.

 

Introduction

 

This article defines the process for enabling Secure Boot on a 2012 Ivy Bridge system.

 

Overview of the process:

  1. UEFI OS Install
  2. Enable Secure Boot
  3. Installation of  Keys
  4. Verifying Secure boot is enabled

 

UEFI OS install

 

Notes:

  • The "UEFI OS Install" may be performed before or after Secure Boot is enabled.
  • If Windows 8®is already installed using the standard BIOS, it can't be converted to UEFI. A new OS installation will be required.

Required:

  • DVD drive (USB)
  • Windows 8® OS installation disk with EFI setup file
  • Windows 8® activation key

Process:

  1. Attach the DVD drive to the system
  2. In BIOS setup confirm:
      1. Boot -> CSM is Disabled
    1. Insert the Windows 8® installation Disk
    2. Reboot the system
    3. During POST enter “BIOS Boot Selector Menu” by pressing F7
    4. Select “Built in EFI Shell”
    5. At the Shell prompt navigate to the location of the OS setup file on the DVD. Example:
        1. Enter “fs0:” or “Blk1:”
        2. Enter “cd EFI\Boot”
        3. Press enter
    6. Begin the OS installation.
        1. At the prompt type “BOOTX64.EFI”
        2. Press enter
        3. Press “any key to boot from the CD…”
    7. Follow the standard prompts to install the OS.

     

    Enabling Secure Boot

     

    Notes:

    • Secure Boot may be enabled or disabled anytime from BIOS Setup.

     

    Process:

    1. After the OS install is completed remove the installation DVD
    2. Reboot the system and press F2 to enter BIOS setup
    3. Navigate to Security -> Secure Boot
    4. Set the Secure Boot Mode to “Custom”
    5. Select Custom Key Management.
    6. Select “Install Factory Defaults” to load the keys
    7. Confirm the action
    8. Hit escape to go back to the Security menu
    9. Set the Secure Boot Mode back to “Standard”
    10. Verify Boot-> CSM is “Disabled”
    11. Save and Exit
    12. Boot the system to OS and login

     

    Verifying Secure Boot is enabled

     

    Once the OS is installed and Secure Boot is enabled, the next step is to verify that secure boot is operational.

     

    To verify Secure Boot do the following:

    1. Open PowerShell as administrator
    2. Run the command “confirm-SecureBootUEFI”
    3. If secure boot is working, “TRUE” will be displayed on the following line.
    4. Otherwise “FALSE” will be displayed

    IDER (IDE Redirection) with Secure Boot

     

    With Secure Boot enabled, you would not be able to boot from another operating system which would affect IDE Redirection. However, ME FW 8.1 provides the capability to temporarily disable Secure Boot while an IDER session is active. ME 8.1 changes Secure Boot to “Disabled” and CSM is “Enabled” while the IDER session is active. Once the IDER session is closed, secure boot is once again enabled.

     

    References:

     

    http://www.uefi.org  - UEFI specifications

    http://www.uefi.org/learning_center/UEFI_Plugfest_2012Q1_MicrosoftSecureBoot.pdf  - Microsoft* Tools and Tests for Secure Boot

    Comments

    Filter Blog

    By author:
    By date:
    By tag: