Notification

  Latest launch: DarkMatter Cyber Security Report. Click here to read more

29 Oct 18

Secure Boot

In 2006 the UEFI specification was born which describes a more modern way to boot computers and replaces the traditional BIOS method. As stated by the UEFI Forum: “The UEFI Specification defines a new model for the interface between personal-computer operating systems and platform firmware”. Since April 2011, firmware that meets the UEFI 2.3.1 Errata C specification (or higher) has the ability to support a security feature called Secure Boot.

UEFI currently has the following benefits for Windows computers:

  • Ability to support Windows 10 security features like Secure Boot, Windows Defender Device Guard, Windows Defender Credential Guard, and Windows Defender Exploit Guard. All require UEFI firmware.
  • Faster boot and resume times.
  • Ability to more easily support large hard drives (more than 2 terabytes) and drives with more than four partitions.
  • Support for multicast deployment, which allows PC manufacturers to broadcast a PC image that can be received by multiple PCs without overwhelming the network or image server.
  • Support for UEFI firmware drivers, applications, and option ROMs.

Secure Boot is essentially a feature that stops an Operating System from booting if unsigned drivers or boot loaders are detected during the OS boot process. When the PC starts, the firmware checks the signature of each piece of boot software, including UEFI firmware drivers (also known as Option ROMs), EFI applications, and the operating system. If the signatures are valid, the PC boots, and the firmware gives control to the operating system. Secure Boot is currently supported by many operating systems, including Windows 8, Windows 10, Windows Server 2012, Windows Server 2016, VMware vSphere 6.5, and many Linux distributions.

In the past, only individual manufactures implemented a signature-controlled booting mechanism (TIVO, Microsoft Xbox, Sony Playstation). Since 2012, the industry has widely adopted UEFI and it is now the norm for personal computers and servers. In fact, for manufactures to display the “Windows 10” or “Windows 8” logo on their PCs, they must have UEFI and Secure Boot enabled.

With a traditional BIOS it is possible for an attacker to replace the boot loader using a rootkit which could then load the operating system normally without indication that there has been any tampering. BIOS just boots whatever boot loader it finds. Secure Boot, however, checks the boot loader and driver signatures against a certificate stored in UEFI firmware and will stop the computer from booting if they have been replaced or altered. This prevents your boot process from being hijacked and hiding malware from your operating system.

By default many modern operating system boot loaders and shims are signed with either the Microsoft Windows Production PCA key or the Microsoft UEFI CA key but it is also possible for an organisation to replace the default certificate in the UEFI firmware with their own signing certificate. Computers would then only boot using loaders approved and signed by the organisation. Follow this Microsoft article for guidance on how to create and manage secure boot keys.

There are examples of where attacks against a pre-boot environment have been seen - the most recent being Petya ransomware on June 27th 2017 which attacks a computer’s Master Boot Record (MBR). If a computer with Secure Boot enabled is infected by Petya, upon booting the anomalous boot loader will be detected and the malware prevented from encrypting the hard disk. The computer can be easily recovered using the repair function from the Windows media.

This is the message received when Secure Boot detects an unsigned boot loader:

 

 

In a VMware vSphere environment it is quite simple to enable UEFI and Secure Boot for Virtual Machines. Here are the steps to create a new VM with Secure Boot:

Pre-requisites:

  • The VM must be running on vSphere 6.5 or above
  • The virtual hardware version is version 13 or above
  • The OS supports Secure Boot

Process:

  1. Create the VM hardware shell
  2. Edit the VM and select VM Options
  3. Expand Boot Options and change the Firmware to EFI
  4. Check the Secure Boot box
  5. Mount your ISO, power on the VM and install your OS as normal

 

 

If you already have an installed operating system it is more difficult to enable Secure Boot because the UEFI specification requires a GUID partition table (GPT) on the boot disk, not a legacy Master Boot Record (MBR). There are ways to convert MBR to GPT – in Windows 10 or newer, Microsoft includes the MBR2GPT tool to allow customers to convert the disks using a supported method. For existing Linux computers it may be possible to change to a GPT partitioning scheme and create a new /boot/efi partition but it is not a recommended process. A rebuild of the existing Linux computer might be the safest and fastest option.

In addition to enabling Secure Boot on a VM, it is possible and advisable to enable it for the ESXi hypervisor as well. Here are the instructions from VMware.

 

 

In conclusion, it is highly recommended to enable Secure Boot on physical and virtual servers and personal computers where supported. With Windows UEFI you also get a number of other security benefits such as Device Guard and Credential Guard which are also worth exploring for your environment.

 

Author:

Dennis Gerolymatos

Executive Director - Engineering