UDB-314 Replacing BIOS with a UEFI Deployment

Download Report

Transcript UDB-314 Replacing BIOS with a UEFI Deployment

UD-B314
WHAT WE WILL COVER IN THE NEXT 75 MINUTES (OR LESS)
The Basic Input/Output System (BIOS)
How does the BIOS Work?
BIOS is now considered Legacy BIOS
2.2 TB Drive
Limit
Limited Option
ROM Space
16-bit Real
Mode
Lack of
networking
support (IPv6)
Aging GUI
OEM x64
Standardization
Firmware (BIOS)
Hardware Device
Device Controller
System Software
Application
Software
Designed to address BIOS Limitations
• Needed for the larger server platforms (Intel-HP Itanium)
• First called Intel Boot Initiative then renamed to EFI
• Specification and Source Code encouraged the UEFI forum
Provides support for newer hardware
• Addresses the need to support x64 bit system
• Streamlines the boot process into the OS
• Simplifies the integration with 3rd party components
Why UEFI?
Compatibility with Earlier Bios
Support for Large Disks
CPU-Independent Architect
Flexible pre-OS Environment
Option ROMs
EFI OS
Loader
LBA 0
LBA z
Application Software
Operating System Software
Firmware
Drivers
Hardware
Hard
Disk
ROM
PC
If a computer is in “Legacy” or “Mixed” mode it is NOT in native
UEFI mode
Legacy Boot
Modern Boot
BIOS
Any OS Loader
OS Start
Native UEFI
Verified OS
Loader Only
OS Start
• Check the hard drive layout
• Check the BCD store for the version of winload.exe
• MSINFO32 will list the value under BIOS mode
• In WinPE 4.0, use the wpeutil updatebootinfo command.
BIOS / UEFI Setup
BIOS
PowerShell Command
Confirm-SecureBootUEFI
Cmdlet not supported on this platform
Get-SecureBootUEFI –Name SetupMode Cmdlet not supported on this platform
Get-SecureBootUEFI –Name SecureBoot Cmdlet not supported on this platform
UEFI native
UEFI with CSM Secure boot enabled
Result
FALSE
1
0
TRUE
0
1
UEFI native
Secure boot
disabled
FALSE
1
0
Boot Performance Secure Boot
CSM Mode
UEFI with CSM
Native UEFI
Default UEFI/GPT drive partitions
Disk 0
MSR
Recommended UEFI/GPT drive partitions
Disk 0
Windows
RE tools
MSR
Recovery
Image
Secure boot is a UEFI specification, not a Microsoft product!
•
•
•
•
•
Only executes signed UEFI binary
images
Includes Option ROMs, pre-boot
utilities and OS loaders.
Benefit: Helps prevent malicious
code before the OS loads
Benefit: Provides Time-authenticated
variables
Benefit: Allows stronger keys for
encryption
Hash of next item(s)
TPM
[PCR Data]
[AIK pub]
[Signature]
Boot Log
Early Launch Anti-Malware (ELAM)
Windows 7
BIOS
OS Loader
(Malware)
3rd Party
Drivers
(Malware)
Anti-Malware
Software
Start
Windows
Logon
• Malware is able to start before Windows and Anti-malware
Windows 8
Native UEFI
Windows 8
OS Loader
Anti-Malware
Software
Start
3rd Party
Drivers
• Trusted Boot starts Anti-Malware early in the boot process
Windows
Logon
Current Windows-Specific UEFI Highlights
• Multicast Deployment
• Fast boot and resume from hibernation
Future UEFI Capabilities
• Rootkit prevention
• Network Authentication
Deployment
Server
GUID Partition Table (GPT) removes the 2TB hard-drive partition limit
Removes the Upper Memory Block limit for Option ROM’s
Unifies the Setup interface for platform firmware and Option ROM’s
Provides a pre-boot execution environment (not an OS)
• Great for diagnostics and manufacturing
• Can host a shell, run applications and scripts
• Direct access to all of memory (64-bit addressing)
• Direct access to bare-metal registers
• Network stack
 Easier, cleaner, more portable booting for the OS
 Extensible using collision-free Globally Unique ID’s




 C language firmware means faster deployments
• Fewer human errors; better tools; stable, re-usable code
• Faster time-to-market, higher quality firmware,
lower system development cost
 Fully documented, testable interface
 Publicly available test suite
• Should help maintain stability and
interoperability across implementations
 Consistent behavior across platforms and architectures
 Abstraction hides underlying architecture
http://www.microsoft.com/whdc/system/platform/firmware/uefireg.mspx
http://www.acpi.info/spec.htm
http://www.uefi.org/specs/
http://www.intel.com/technology/efi/main_specification.htm
http://www.uefi.org/home/
http://msdn.microsoft.com/en-us/library/windows/desktop/hh848050(v=vs.85).aspx