29 Oct 18
29 Oct 18
In 2006 the UEFI specification was born which describes a more modern way to boot computers and replaces the traditional BIOS method. As stated by the UEFI Forum: “The UEFI Specification defines a new model for the interface between personal-computer operating systems and platform firmware”. Since April 2011, firmware that meets the UEFI 2.3.1 Errata C specification (or higher) has the ability to support a security feature called Secure Boot.
UEFI currently has the following benefits for Windows computers:
Secure Boot is essentially a feature that stops an Operating System from booting if unsigned drivers or boot loaders are detected during the OS boot process. When the PC starts, the firmware checks the signature of each piece of boot software, including UEFI firmware drivers (also known as Option ROMs), EFI applications, and the operating system. If the signatures are valid, the PC boots, and the firmware gives control to the operating system. Secure Boot is currently supported by many operating systems, including Windows 8, Windows 10, Windows Server 2012, Windows Server 2016, VMware vSphere 6.5, and many Linux distributions.
In the past, only individual manufactures implemented a signature-controlled booting mechanism (TIVO, Microsoft Xbox, Sony Playstation). Since 2012, the industry has widely adopted UEFI and it is now the norm for personal computers and servers. In fact, for manufactures to display the “Windows 10” or “Windows 8” logo on their PCs, they must have UEFI and Secure Boot enabled.
With a traditional BIOS it is possible for an attacker to replace the boot loader using a rootkit which could then load the operating system normally without indication that there has been any tampering. BIOS just boots whatever boot loader it finds. Secure Boot, however, checks the boot loader and driver signatures against a certificate stored in UEFI firmware and will stop the computer from booting if they have been replaced or altered. This prevents your boot process from being hijacked and hiding malware from your operating system.
By default many modern operating system boot loaders and shims are signed with either the Microsoft Windows Production PCA key or the Microsoft UEFI CA key but it is also possible for an organisation to replace the default certificate in the UEFI firmware with their own signing certificate. Computers would then only boot using loaders approved and signed by the organisation. Follow this Microsoft article for guidance on how to create and manage secure boot keys.
There are examples of where attacks against a pre-boot environment have been seen - the most recent being Petya ransomware on June 27th 2017 which attacks a computer’s Master Boot Record (MBR). If a computer with Secure Boot enabled is infected by Petya, upon booting the anomalous boot loader will be detected and the malware prevented from encrypting the hard disk. The computer can be easily recovered using the repair function from the Windows media.
This is the message received when Secure Boot detects an unsigned boot loader:
In a VMware vSphere environment it is quite simple to enable UEFI and Secure Boot for Virtual Machines. Here are the steps to create a new VM with Secure Boot:
If you already have an installed operating system it is more difficult to enable Secure Boot because the UEFI specification requires a GUID partition table (GPT) on the boot disk, not a legacy Master Boot Record (MBR). There are ways to convert MBR to GPT – in Windows 10 or newer, Microsoft includes the MBR2GPT tool to allow customers to convert the disks using a supported method. For existing Linux computers it may be possible to change to a GPT partitioning scheme and create a new /boot/efi partition but it is not a recommended process. A rebuild of the existing Linux computer might be the safest and fastest option.
In addition to enabling Secure Boot on a VM, it is possible and advisable to enable it for the ESXi hypervisor as well. Here are the instructions from VMware.
In conclusion, it is highly recommended to enable Secure Boot on physical and virtual servers and personal computers where supported. With Windows UEFI you also get a number of other security benefits such as Device Guard and Credential Guard which are also worth exploring for your environment.
Executive Director - Engineering