Mark Minasi's Tech Forum
Mark Minasi

Humble Proprietor
Posts: 175
#1
Hi all -- probably a dumb question about setting up Secure Boot.

I've had good luck with it but my understanding is that the "Secure" part comes from a chain of certs (which makes perfect sense) but clearly it's all got to start somewhere.

I have HEARD that (1) systems with UEFI BIOSes (incorrect term, yes, but everyone seems to use it) have a root cert in them but that (2) somehow Windows version X won't install unless that in-the-EFI root cert knows of that particular version of Windows.

Thus, if I were to try a UEFI boot install on some system built in the Windows 8 days then I could install Secure Boot with 8/8.1/10 but NOT Windows 7.  Also it is reputed that only the hardware manufacturer could install a new root and they're not doing that, so you'll have to buy new hardware.

Is any of that true?  Can someone remove my woeful ignorance?  Many thanks.

Mark
donoli

Senior Member
Posts: 598
#2
I've done some Secure Boot research, for different reasons.  The way I understand it, Secure Boot depends on the motherboard & BIOS manufacturers, not the computer manufacturer.  Some BIOSes allow Secure Boot to be disabled & some don't.

I plan to buy a new desktop.  My first choice was Lenovo but the sales girl couldn't answer my Secure Boot question, which was: would it block certain VMs?  She told me to contact technical support, who told me to contact sales.  No one could tell me what motherboard or BIOS was in an M73 desktop. Now I plan to have a clone built.

In any event, knowing what motherboard & BIOS are installed & contacting the respective manufacturers is the only way to get a true answer.
Mark Minasi

Humble Proprietor
Posts: 175
#3
Apologies, but that's not what I was asking.  My question was a more meta one, as in "what's up with the firmware root certs and installing different Windows versions?"

And to what you said, with respect it's not true, as far as I can see.  Any hardware I've purchased built after roughly 2012 can do UEFI with Windows 8.1. (I'm sure manufacturers were still figuring it out in the first few years, as the big UEFI "push" came with Windows 8.)
In my experience you just:

1) Boot WinPE and wipe any partitions
2) Turn on UEFI / Secure Boot in the firmware (they're usually either two nested options or two separate ones)
3) Either boot from a DVD (easy) or do that bit of jiggery-pokery needed to create a "UEFI USB Stick" and copy the contents of the install ISO to the USB stick and then boot from the USB stick

Then let Setup run and you're good to go.
donoli

Senior Member
Posts: 598
#4
Where will you see the option to "turn on" or off UEFI after you boot with the boot disc?  AFAIK, it was in the BIOS, if it were accessible at all?
DennisMCSE

Senior Member
Posts: 174
#5
Mark,

Not sure if this answers your question, but here's a link to a Microsoft Answers page on "UEFI Secure Boot in Windows 8.1" that I think covers some of what you're asking. The Secure Boot info is near the end:

http://answers.microsoft.com/en-us/windows/forum/windows8_1-security/uefi-secure-boot-in-windows-81/65d74e19-9572-4a91-85aa-57fa783f0759?auth=1

"Windows 8 further extends the secure boot implementation of Windows 7, using trusted keys in Boot Manager to ensure that only properly signed and authenticated components are allowed to execute. In addition, firmware access is limited to user control without any programmatic interface.

The Secure Boot process is owned by vendors who are certified by UEFI to digitally sign their firmware files (images) which forms part of the firmware system. These trusted vendors share their trust key with the principal trust owner of the platform, generally represented by the OEM, who has to authenticate the digital signature on every image with its trust key, before allowing them to execute."

Mark Minasi

Humble Proprietor
Posts: 175
#6
Thanks, Dennis, that fills in a couple of gaps.  I've just realized that I've been wasting time trying to make Secure Boot work on a circa-Win-7 system that had UEFI, but no UEFI good enough to do secure boot.  So it's drive-swapping time on my main laptop, which I KNOW can run Secure Boot. [smile]

Donoli, it's usually in the EFI.  It's NOT visible in places like the Control Panel or Settings.  I'll be doing a writeup on it soon, I promise!
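As an added example (not from the thread or any poster), here is the defender-side check behind posts #1 and #6: does the firmware support and currently enforce Secure Boot, and which certificates sit in its KEK and db (allowed-signature) variables, i.e. the "root certs" the installer's boot manager must chain to. It assumes the built-in SecureBoot PowerShell module on a UEFI-booted Windows 8 or later machine, run from an elevated prompt; the signature-list layout and type GUIDs come from the UEFI specification.

```powershell
# Added example, not from the thread. Lists Secure Boot state and the
# signers in the firmware's KEK and db variables. Assumes the built-in
# SecureBoot module (Confirm-SecureBootUEFI / Get-SecureBootUEFI).

# Confirm-SecureBootUEFI throws on legacy BIOS boots and on UEFI firmware
# without Secure Boot support, which is the "circa-Win-7" case in post #6.
try {
    Write-Host "Secure Boot enabled: $(Confirm-SecureBootUEFI)"
} catch {
    Write-Host "Secure Boot unsupported or not booted via UEFI: $($_.Exception.Message)"
    return
}

# Signature-list entry types from the UEFI specification.
$EFI_CERT_X509_GUID   = [Guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'
$EFI_CERT_SHA256_GUID = [Guid]'c1c41626-504c-4092-aca9-41f936934328'

function Get-SecureBootSignatures {
    param([Parameter(Mandatory)][ValidateSet('PK','KEK','db','dbx')][string]$Name)
    $bytes  = (Get-SecureBootUEFI -Name $Name).Bytes
    $offset = 0
    # The variable is a run of EFI_SIGNATURE_LIST structures:
    #   GUID SignatureType; UINT32 SignatureListSize, SignatureHeaderSize, SignatureSize;
    #   SignatureHeader[]; then entries of SignatureSize bytes (16-byte owner GUID + data).
    while ($offset + 28 -le $bytes.Length) {
        $type     = [Guid]::new([byte[]]$bytes[$offset..($offset + 15)])
        $listSize = [BitConverter]::ToUInt32($bytes, $offset + 16)
        $hdrSize  = [BitConverter]::ToUInt32($bytes, $offset + 20)
        $sigSize  = [BitConverter]::ToUInt32($bytes, $offset + 24)
        # Stop on a malformed list rather than loop forever or read past the end.
        if ($listSize -lt 28 -or $sigSize -lt 16 -or $offset + $listSize -gt $bytes.Length) { break }
        $pos = $offset + 28 + $hdrSize
        while ($pos + $sigSize -le $offset + $listSize) {
            $data = [byte[]]$bytes[($pos + 16)..($pos + $sigSize - 1)]   # skip SignatureOwner GUID
            if ($type -eq $EFI_CERT_X509_GUID) {
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($data)
                [pscustomobject]@{ Var=$Name; Kind='X509'; Subject=$cert.Subject; NotAfter=$cert.NotAfter; Thumbprint=$cert.Thumbprint }
            } elseif ($type -eq $EFI_CERT_SHA256_GUID) {
                $hex = ($data | ForEach-Object { $_.ToString('x2') }) -join ''
                [pscustomobject]@{ Var=$Name; Kind='SHA256'; Subject=$hex; NotAfter=$null; Thumbprint=$null }
            }
            $pos += $sigSize
        }
        $offset += $listSize
    }
}

# KEK authorises updates to db/dbx; db holds the signers a boot image may chain to.
'KEK', 'db' | ForEach-Object { Get-SecureBootSignatures -Name $_ } | Format-Table -AutoSize
```

Swap `'db'` for `'dbx'` to see the revoked hashes and certificates the firmware refuses to boot, which is the list that grows with firmware and Windows updates.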
donoli

Senior Member
Posts: 598
#7
I never thought that it was visible anywhere except in the BIOS.  I'm looking forward to your essay.