Windows 8 to include secure boot using UEFI 2.3.1
When it is released in 2012, Windows 8, though possibly only the editions aimed at professional and enterprise use, will be able to use the UEFI secure boot function that was added to the specification in version 2.3.1. The firmware specialists American Megatrends (AMI), Insyde Software and Phoenix have already announced the impending release of suitable UEFI implementations, though no one has yet shipped a UEFI 2.3.1 enabled laptop or desktop.
Secure boot is designed to protect computers from attacks that take place before the operating system has even booted, such as bootkits that replace or patch the bootloader. It relies on digital signature verification: UEFI 2.3.1 firmware in secure boot mode will only execute EFI bootloaders, and only load EFI drivers (including the option ROMs on expansion cards), whose signatures can be checked against the keys and hashes held in the platform's signature databases, and it refuses anything listed in the forbidden database. The concept is detailed in a presentation by Insyde Software. On the signing side, the keys can be managed by a software-based key management service (KMS), a network-accessible key server or a hardware security module (HSM). It is tempting to read the last option as a Trusted Platform Module (TPM 1.2), but secure boot verification in the firmware does not require a TPM: the trusted keys live in the firmware's own authenticated variables, whereas a TPM serves measured boot, which records what was executed rather than blocking it. The EFI bootloader will, for example, be able to unlock TCG-OPAL compatible self-encrypting drives (SEDs). Secure boot only works in native UEFI mode: with it enabled, the firmware will not fall back to legacy 16-bit BIOS booting, because an unsigned legacy boot sector cannot be verified. The Linux community has been quick to point out that obtaining signed bootloaders may be problematic for open source operating systems.
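To make the verification policy concrete, here is an added toy model of the image check described above. It is not firmware code and not the material from the Insyde presentation; it is an illustration written for this page. Its assumptions are labelled in the code: textbook RSA over a SHA-256 digest stands in for the Authenticode/PKCS#1 signatures real firmware checks, the allowed (db) and forbidden (dbx) databases are plain Python sets of digests and keys rather than EFI_SIGNATURE_LIST structures, the "is this an EFI image" test looks only at the PE/COFF magic numbers, and every image and key is constructed inside the script.

```python
"""Toy model of the UEFI secure boot image-verification policy (added example).

Assumptions, all of them simplifications of the real mechanism:
- textbook RSA on a SHA-256 digest, no padding, in place of Authenticode signatures;
- db holds raw digests and (n, e) public keys, dbx holds raw digests,
  instead of EFI_SIGNATURE_LIST entries;
- the EFI-image test checks only the MZ / PE\\0\\0 magic numbers;
- keys and images are generated here, not taken from any real platform.
Requires Python 3.8+ (pow(e, -1, m) for the modular inverse)."""
import hashlib
import random
import struct

E = 65537  # public exponent


def is_probable_prime(n, rng, rounds=16):
    """Miller-Rabin test, used only for toy key generation."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(rng, bits):
    while True:
        c = rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # force size and oddness
        if is_probable_prime(c, rng):
            return c


def gen_keypair(seed, bits=192):
    """Deterministic toy RSA keypair; n (~384 bits) must exceed the 256-bit digest."""
    rng = random.Random(seed)
    while True:
        p, q = gen_prime(rng, bits), gen_prime(rng, bits)
        phi = (p - 1) * (q - 1)
        if p != q and phi % E:  # E is prime, so this guarantees gcd(E, phi) == 1
            return (p * q, E), pow(E, -1, phi)


def image_digest(image):
    return hashlib.sha256(image).digest()


def sign_image(image, priv, pub):
    """Signer side (OEM / OS vendor): sign the digest with the private exponent."""
    h = int.from_bytes(image_digest(image), "big")
    return pow(h, priv, pub[0])


def verify_signature(image, sig, pub):
    """Firmware side: recover the digest with the public key and compare."""
    n, e = pub
    h = int.from_bytes(image_digest(image), "big")
    return 0 < sig < n and pow(sig, e, n) == h


def is_pe_image(image):
    """UEFI loads only PE/COFF images; a 16-bit MBR boot sector is not one."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    return image[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def make_pe_image(payload):
    """Constructed stand-in for a bootloader: MZ header whose e_lfanew points at PE\\0\\0."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\0\0" + payload


def secure_boot_check(image, db, dbx, signature=None, signer=None):
    """Decide whether the firmware may run `image`. Returns (allowed, reason).
    db = {"hashes": set of digests, "keys": set of (n, e)}; dbx = set of digests."""
    if not is_pe_image(image):
        return False, "not a PE/COFF EFI image (legacy boot code is rejected)"
    digest = image_digest(image)
    if digest in dbx:                       # forbidden list wins over everything
        return False, "image digest is in dbx (revoked)"
    if digest in db["hashes"]:              # explicit allow-listing by hash
        return True, "image digest allow-listed in db"
    if signature is not None and signer in db["keys"] and verify_signature(image, signature, signer):
        return True, "signature verified against a key in db"
    return False, "unsigned, tampered, or signed by a key not in db"


def demo():
    """Constructed scenario: an OEM key in db, a rogue key outside it."""
    oem_pub, oem_priv = gen_keypair(seed=1)
    rogue_pub, rogue_priv = gen_keypair(seed=2)
    db = {"keys": {oem_pub}, "hashes": set()}
    loader = make_pe_image(b"constructed bootloader payload")
    oem_sig = sign_image(loader, oem_priv, oem_pub)
    tampered = loader[:-1] + bytes([loader[-1] ^ 0x01])
    legacy_mbr = b"\xEA" * 510 + b"\x55\xAA"   # 16-bit boot sector, not an EFI image
    return {
        "signed_by_oem": secure_boot_check(loader, db, set(), oem_sig, oem_pub)[0],
        "unsigned": secure_boot_check(loader, db, set())[0],
        "rogue_signer": secure_boot_check(loader, db, set(),
                                          sign_image(loader, rogue_priv, rogue_pub), rogue_pub)[0],
        "tampered": secure_boot_check(tampered, db, set(), oem_sig, oem_pub)[0],
        "hash_allowlisted": secure_boot_check(loader, {"keys": set(), "hashes": {image_digest(loader)}}, set())[0],
        "revoked": secure_boot_check(loader, db, {image_digest(loader)}, oem_sig, oem_pub)[0],
        "legacy_mbr": secure_boot_check(legacy_mbr, db, set())[0],
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:18s} -> {'boot' if allowed else 'refuse'}")
```

The ordering inside `secure_boot_check` is the point worth taking from the model: a dbx match refuses the image even when its signature is valid and its signer is trusted, which is how a compromised or buggy bootloader is revoked without replacing the signing key. Real firmware additionally hashes the PE file the Authenticode way (skipping the checksum and certificate table fields) and accepts X.509 certificates as well as digests in both databases.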
Intel is planning to reveal more about its own UEFI 2.3.1 activities at its IDF developer forum. It is possible that its series 7 chipsets, codenamed Panther Point and due for release in 2012, will ship with UEFI 2.3.1 support in their reference firmware. Strictly speaking, secure boot is a firmware feature rather than a chipset one, so it does not depend on a particular chipset generation; however, Intel usually activates security features such as Trusted Execution Technology (TXT) only on chipsets aimed at professional and enterprise systems (Q67/QM67), and the same pattern may apply here.
The idea behind UEFI secure boot has echoes of Intel's Measured Launch Environment (MLE) and of the Trusted Computing Group (TCG) concept. It could close one hole in the pre-boot environment opened by external expansion ports that carry direct memory access (DMA), such as PCI Express (Thunderbolt) and FireWire: a plugged-in device's option ROM would no longer run unless it were signed. It does not, however, stop such a device from reading or writing system memory directly, since that is not a matter of code signing. Intel's Virtualization Technology for Directed I/O (VT-d) includes a DMA protection feature aimed at that part of the problem.