Secure Boot testing/verification

Similar Messages

• Secure boot Software Reset

  Hi All
  Is it posible in any way to allow a system reset when booted in secure boot mode?
  Our setup on Zynq 7020
  1) eFuse AES key set
  2) eFuse AES only set
  3) encrypted FSBL in QSPI flash
  4) Fully encrypted boot.bin including linux ramdisk loaded
  We need a method to reboot the system from linux once running, any attempt made results in a secure lockdown.
  What I would like to happen is basicaly a software triggered Power On Reset.
  Is this posible from within the Zynq?
  I haven't managed to find anything in the Technical Reference Manual
  Regards
  Alex
   

  I want to re-trigger the FSBL on a Zynq7020 after booting into a secure image using only software. Writing a 1 to register (PSS_RST_CTRL) results in a secure lockdown.
  My FSBL is:
  the_ROM_image:
    [aeskeyfile] aes.nky
    [encryption=aes, bootloader]FSBL.elf
  using the efuse AES key
  After booting the FSBL shows this:
  "User not allowed to do any system resets"
  This is from Xilinx's default FSBL
  Now once I have fully booted into linux, I want to reboot the device all the testing I have done results in secure lockdown. Now this may be the intended operation for a secure boot and it is imposible to do what I want without externaly triggering a Power On Reset.
  If anyone knows if this is possible please let me know.

• Help Needed for Internet Security Driving Test!

  Hi I came up with a few basic rules for family and friends
  that I put together in order to try to prevent them from
  continually installing spyware, toolbars, keyloggers and viruses on
  their computers (and as a result, to try to prevent them from
  continually calling me and asking for my help and advice when they
  did this and things went wrong).
  To all intents and purposes the rules worked well - for a
  while. I set it up as a simple RTF document and I added this to the
  start up folder of Windows XP, so that it started every time the PC
  started. However, over time some of them simply learned to ignore
  the rules and to close the RTF document as soon as it opened
  without paying any attention to it at all - and then they went
  about their merry business of installing spyware, keyloggers and
  viruses etc. just as they had in the past.
  So OK, I have to admit I found this deeply frustrating - but
  I also realise that this is the same position that many of us geeks
  are in in that on the whole, most average everyday computer users
  don't have a clue about Internet security.
  Now however things have become a lot more serious for me, as
  I have been asked by a local charity to administer a total of 60
  machines over 2 different sites - and I have also been asked if I
  could provide some form of training with regard to basic personal
  Internet security.
  With this in mind I came up with the idea of an interactive
  CDROM, or Flash based Internet security driving test/tutorial that
  basically covers all of the scenarios I touch on in my rules.
  This tutorial would cover basic things like, if you got an
  email from a representative ex President of an African country
  offering you a share in millions of dollars of stolen money, or if
  you got an email from your bank asking you to verify your security
  details and so on, what would you do? Additionally it would cover
  such things as the abundance of viruses that infest many of the
  porn sites on the net, the way that many games on the Internet that
  are listed as being 'free' (particularly those which are in
  executable file format) are often just vehicles for more spyware
  and viruses also - and about the dangers of chat lines, of spoof
  security warnings on web sites and so on.
  I have included my list of rules below which should hopefully
  give you an idea of what I'm trying to do. Be warned though, the
  wording is deliberately harsh and perhaps a little extreme (and as
  a result maybe not entirely 100% accurate) but you must realize
  that I am, or was trying to give myself the easiest time possible
  and the least possible problems. So you may well find things you
  disagree with in it - but overall if someone followed these rules,
  they probably would be less likely to run into problems than
  someone who did not follow them might.
  The thing is however that (as I said) I would like to
  formalise these rules somewhat in the format of some kind of
  interactive tutorial/web security driving test. Unfortunately I
  have no experience with flash - and little knowledge of HTML or
  anything like that. I also know that the language for these rules
  isn't quite right, in that it probably isn't suitable for a formal
  office type environment.
  I had in mind that the tutorial would show some realtime
  examples of some of the things I have been talking about (which I
  assume would only be possible in Flash?) or perhaps rather like a
  readers digest multiple choice type thing, with screenshots
  depicting the various scenarios in question. (Like a screenshot of
  a flash animation on a web page saying 'You have won a prize!!!'
  What would you do? a) click on the ad, b, ignore it, or c) phone
  all of your family and friends informing them of your good fortune
  before doing anything.' etc.
  So I was wondering, are there any good hearted charitable
  souls out there who might be willing to help out to put a tutorial
  like this together?
  Again I remind you that it really is for a charity
  (specifically the Depaul Trust in the UK, which helps young
  vulnerable people find secure accommodation, provides educational
  opportunities and helps them to find employment). The requirement
  would be that all staff and students pass the Internet security
  test before being granted Internet access.
  I know this might be time consuming - but again all I can do
  is appeal to the sense of kindness and helpfulness of this
  community and hope that someone who does have some experience in
  these maters might be willing to help.
  Alternatively could anyone suggest a simple easy to use
  software package that would allow a relative n00b like me to put
  together a tutorial like this on my own? Or perhaps it is possible
  that some free online tutorial like this already exists?
  In any case, any help at all would be appreciated.
  PS,
  Here are the rules I have that I referred to above.
  http://download305.mediafire.com/b6ndmljht1bg/29bbnnbz2uz/internet+rules.rtf

  Dennis, when I look at the subject three clips (EI 1250, EI 640, and EI 320, respectively, and in that order) as presented in the camera, I see exactly what I have expected all along -- three different-brightness images that are progressively brighter from the EI 1250 exposure to the EI 320 exposure.   So, am mystified why when I open these images (clips), say, in RAW Viewer, wherein I have thought that I would see the same progressive brightness differences allowing me to experiment with reducing brightness to deal with noise reduction, all three of the images present completely alike in brightness.

• T450s downgrade Win 8.1 Pro to Win 7 Pro Secure Boot Process?

  Hi all, New owner of a T450S with 8.1 Pro. I have a Windows 7 Pro OEM disc (no serial number) that I can put on a USB thumb drive. Prior to owning a secure boot machine I would just format the hard and install Win 7. With secure boot and the downgrade I'm not sure how this works. 1. Is the serial number that I have backwards compatable? Can I just format, install and use the 8.1 Pro serial number on my Lenovo? 2. I believe I will have to disable secure boot but I'm not sure. Any help or link to a tutorial would be appreciated. ThanksChrissy  

  @ the OP,
  The article ColonelOneill linked says "You’ll need to activate by phone. Call up the phone number displayed in the activation window and explain that you’re exercising your Windows 8 Pro downgrade rights. Have your Windows 8 Pro key ready; you’ll need it to prove your PC has downgrade rights."
  Here's a link to Microsoft's description of how to activate a downgrade:  Understanding downgrade rights
  Z.

• Windows 8 Installation Disc Won't Load UEFI-only (T420s). Also does T420S support Secure Boot?

  Question 1:
  I am unable to load the Windows 8 Installation DVD in UEFI (only) mode on my T420s. As a result, I can only run the installer in Legacy mode (or both UEFI/Legacy which effectively means the same thing). This in turn means Windows 8 is installed in Legacy BIOS mode.  Any idea how to install it in UEFI mode?
  I am using a DVD burned using the Windows utility from the Windows 8 64-bit ISO and have followed the instructions in HT073269, however I am unable to get to step 1 of the Windows 8 install after updating the BIOS, resetting to defaults, and switching to UEFI-only. On boot, after switching to UEFI-only, I am presented with a bootloader and prompted to select which drive to boot (DVDRAM or SSD). Selecting either makes the screen go blank for a moment and then returns back to the same screen with no result.
  Since then I have searched these forums extensively and Googled Technet, Notebook Review, and other sites to no avail. I've tried several several ideas, including using diskpart > clean to get the SSD in raw status (per HT051844). That did not make a difference. I also tried converting a Legacy-BIOS install of Windows 8 to UEFI using CharlyAR's instructions on TechNet (linked from another thread here). That seemed to get me to a Windows Boot Loader but still errored out and Windows Repair was unable to fix it.
  Any suggestions?
  Also, question 2:  Does anyone know if the T420S support secure boot? If not, any idea if it's slated for a future firmware update?

  nuncio wrote:
  pleon wrote:
  I use Win8 on my T420s in UEFI mode. [...] I do not understand, what do you mean that secure boot does not work? In BIOS there is no special switch for that, but "UEFI only" works without any problems.
  Secure Boot is a certificate-based approach to preventing rootkits, not the same thing as UEFI. Although Secure Boot requires UEFI, having UEFI does not mean having the additional Secure Boot feature. If Secure Boot is available, typically there will be an option to enable it in the firmware configuration. Since the latest firmware for the T420S (ver. 1.35) does not have such an option, I suspect ThorsHammer is correct that Secure Boot is not (yet) supported on the T420S. I'm keeping my fingers crossed that Lenovo will tell us that a firmware update is on its way though.
  My understanding is that it will never support secure boot.  The secure boot support starts at Ivy Bridge and the T430s.

• Upgrading Windows 7 (Legacy BIOS/MBR Disk) to Windows 8 (UEFI/GPT/Secure Boot)

  Hi there,
  I've recently purchased a W530 with Windows 7 pre-installed.  Ultimately, I'd like to replace this with Window 8 + Secure Boot.  I believe I can get Windows 8 via the Microsoft Upgrade offer for a reasonable price, since this was a recent purchase.
  What's the best way to reach my goal?
  The Windows 7 install uses Legacy BIOS to boot with an MBR disk.
  I had a quick look at Acronis, and I can see that it's possible that the "OS will be automatically converted to support UEFI booting" (http://www.acronis.com/support/documentation/ABR11/index.html#14021.html) when using it's tool.
  If I don't use this approach, what can I do?  Can I:
  1. Use Rescue and Recovery in Windows 7 (Legacy BIOS/MBR disk)
  2. Wipe the drive and reformat it with GPT?
  3. Install Windows 7 with UEFI enabled using the Rescue and Recovery made in step 1?
  4. At this point, I would now have UEFI and GPT.
  5. Perform an Upgrade from Windows 7 to Windows 8 and enable Secure Boot?
  Any thoughts as to whether this would work?
  Richard.

  Hi richii,
  The Acronis approach ends up in failure. Didn't give it a second look at the reason, since the tool it's not necessary. I also tried several other "automatic" tools without success.
  The recovery approach will fail because it's tied up to BIOS boot.
  But I've performed the conversion from BIOS to UEFI two times successfully. After some digging, is not SO hard. It's just... "undocumented". Very, very undocumented, hehe. I made a step-by-step guide: http://social.technet.microsoft.com/wiki/contents/articles/14286.converting-windows-bios-installatio...
  Let me know if it helps you...
  Anyway, if you don't have data/software, I would go for the clean install approach.
  Cheers.
  If I helped you, please give me some kudos! ^^

• Windows 8.1 Ent eval enabled Secure Boot I think

  I want to get my laptop back to its original format.
  Currently dual booting Windows7/8.1
  During the installation of Windows 8.1 Enterprise evaluation it paused to say it was going to enable secure boot.  I did'nt think much of it I thought I could change it back from the bios.  Did it flash my firmware?  I checked the system status
  with msinfo32.exe; was legacy mode and with powershell; secure boot not supported.  I don't have any options to disable secure boot in the bios nor from within Windows -"I know how to disable it in windows 8.1".  I can't boot a foreign
  operating system, but I can boot a Microsoft OS which sounds like secure boot to me.  I want to get it back to running Windows 7 dual booting with Linux.  I use both at work and need both.  I made the mistake by loading the Eval on my primary
  laptop.  I read I need to revert back to Windows 7 completely, formating and re-installing the OS.  Will this clear my secure boot simulation issue?  I have not changed the partitions or removed any O/S's.   What's the best way
  to proceed?

  Hi,
  I want to explain that, Secure Boot is indepent with system, you can disable it in UEFI interface.
  To disable Secure Boot, you can follow the steps below:
  1.Before disabling Secure Boot, consider whether it is necessary. From time to time, your manufacturer may update the list of trusted hardware, drivers, and operating systems for your PC. To check for updates, go to Windows Update, or check your manufacturer's
  website.
  2.Open the PC BIOS menu. You can often access this menu by pressing a key during the bootup sequence, such as F1, F2, F12, or Esc.
  Or, from Windows, hold the Shift key while selecting Restart. Go to Troubleshoot > Advanced Options: UEFI Firmware Settings.
  3.Find the Secure Boot setting, and if possible, set it to Disabled. This option is usually in either the Security tab, the Boot tab, or the Authentication tab.
  4.Save changes and exit. The PC reboots.
  I found an aticle that teach how to install dual-boot Windows 7 and Ubuntu 12.04 on a PC with UEFI hardware:
  http://www.linuxbsdos.com/2012/10/11/dual-boot-windows-7-and-ubuntu-12-04-on-a-pc-with-uefi-hardware/
  Hope this helps.
  Roger Lu
  TechNet Community Support

• Dual booting S540 and linux with Secure Boot?

  At some point I intend to install archlinux with dual boot on my Thinkpad S540 which currently runs Windows 8.1.
  All the current advice about dual boot on UEFI machines seems to indicate that the way to go is to disable Secure Boot (and Fastboot) for Windows, and then do the linux install choosing a linux bootloader to allow booting either O/S. I believe I know the steps needed to do that.
  Does anyone have any experience with dual booting Windows 8.1 and ArchLinux on the S540?  I would like to retain Secure Boot for Windows, and in the ideal world have Secure Boot running for ArchLinux also. However Secure Boot is fraught with problems for Linux. There are a few distributions such as Ubuntu which will in principle support Secure Boot but I only use ArchLinux and want to install that particular flavour of linux on my machine. It is of course possible to keep switching Secure Boot on and off in the BIOS before booting either of the two installed operating systems but it would be neater and cleaner to have it all with Secure Boot on, or all with it off.
  This is all very new stuff so there may well be a lot of problems, but it is worth exploring. I use rEFInd as my bootloader on another UEFI desktop computer to boot ArchLinux so I am familiar with that bootloader, but dual boot is another thing, and Secure Boot with the fast moving developments in that area is something that until now very few people have tinkered with.
  Any replies and guidance/suggestions appreciated.

  I'm guessing /boot can run from ntfs, however probably not as efficiently as if it were running on ext3/4. Mine runs on Ext4.
  To add confusion, you only create one Extended partition, all partitions you create within the Extended partition are called Logical partitions. You should be able to create enough Logical partitions for your needs.
  Primary/Extended partitions are normally sda1-4 and Logical partitions will usually start from sda5 on modern Sata HDD systems.
  For /boot I would create a small 100mb Ext4 Logical partition. This partition cannot be inside LVM nor encrypted when using Grub1.  I'm not familiar with Grub2.

• Am currently running Windows 7 (under VMWare Fusion 5.x) on a Macbook Pro. When running Windows 8 Upgrade ***'t, I get a Secure Boot compatibility notification

  The Microsoft Upgrade Assistant identifies several issues related to compatibility of my system with a Windows 8 upgrade which I'm considering on my Macbook Pro (which is runnng OS X 10.8.2).  The message indicates that there is a firmware incompatibility with Microsoft's recently introduced Secure Boot.  Is there a resolution on the Apple side?  If there is not and none can be expected, does this rule out installation of Windows 8 altogether on my system?

  Given that what the MUA is seeing is a virtual computer created by the Fusion environment, the problem lies more in VMWare's realm, rather than Apple's. Which would be the case if you were running on BootCamp instead.
  Am running Fusion 4 and haven't upgraded (long story), so I have no knowledge if the latest update to Fusion 5 already incorporates the Windows 8 profile when creating, updating or running a VM, so as to satisfy MS's paranoid requirements. So, assuming you are running Fusion 5, maybe checking in VMWare's forums may yield more up to date info.
  OTOH, given that MS is betting the whole farm on Win8, would not suprise me in the least that they would shut down virtualization support in all but a special, more expensive, Win8Virtual edition.......
  Edit: BTW, the latest Oracle VirtualBox does incorporate Win8 profiles in both 32 and 64 bit versions, so it would not suprise me that the latest Fusion 5 did as well.

• Can't activate secure boot after upgrading from Win 7 to Win 8 on a Spectre XT

  Hi everybody,
  my first post here, so please forgive me if the topic has already been discussed
  I did search before posting anyway, but I couldn't found anything addressing this specific point.
  My (small, I must admit) problem is as follows:
  I recently purchased a Spectre XT 13-2005tu (i7 processor, 4Gb RAM, 256Gb SSD) with Windows 7 pre-installed.
  After installing my favourite applications and using it for a few weeks without any trouble, I thought to take the opportunity of the $14.99 upgrade to Win 8, so I downloaded Windows 8 Pro and installed it (as an upgrade, rather than a fresh installation, because I didn't want to loose the customizations I already made).
  I also installed all the updates available on HP website (sp59158 for updated BIOS, sp58404 for UEFI support, ecc.)
  The whole upgrade worked nicely, and the PC is now up and running with Win 8.
  Now, I'm trying to use at best all the possibilities Win 8 has to offer, and among them, the UEFI secure boot.
  I found the "legacy support" option in the BIOS settings, which as I understand must be disabled to activate the UEFI secure boot, but if I do that the PC tells that there's no operating system on the disk and doesn't boot anymore.
  Which was a bit scary by the way, but eventually I could re-enable the legacy support in the BIOS and have the PC working again, but of course with no secure boot.
  I suppose there must be some other re-configuration that should be done before changing the BIOS parameter, but I couldn't find any instruction for that anywhere on the web.
  On the other hand, it would be indeed weird if the secure boot could not be configured AFTER the OS upgrade, and a new fresh installation would be necessary.
  I'd rather part with the secure boot than re-install everything, but that would be a shame... :-(
  I hope someone can explain what should be done, many thanks in advance!

  Thanks for your feedback, but I don't think your issue is the same as the one I previously explained.
  The UEFI/secure boot setting is a basic configuration affecting the way the PC boots, regardless of whether it is connected to a network or not.
  By the way, in the meantime I've seen in a shop exactly the same PC model which I'm using, now sold with Win 8 pre-installed, and it was working with the UEFI enabled (= BIOS "legacy support" disabled).
  Therefore, the configuration I'm interested in has to be feasible, one way or another...!

• USB does not boot, Secure Boot Disable

  I need to install Windows 7 x64 Dual mode with Windows 8 in UEFI mode but not boot the usb device and I have secure boot disabled. my question is, windows boot manager (BCD) should have entries for usb boot?. If so, how would the command to add these entries?
  I can only start Windows 8. my ultrabook is acer v5-132

  If you are using a Flash Drive to try to install Windows 7 in UEFI mode, it will not boot that way unless you have completed the extra steps to make it capable.
  Did you create the Boot partition on the drive and add the additional file?
  Being formatted as Fat32, as Christoffer mentions is also necessary.
  If Secure Boot is interfering with the Windows 7 boot, you will probably get to the 4 colors coming together and then get an error message or put back into the bios setup, depending on your system. If that happens, enable the CSM.

• How to Enable Secure Boot on UEFI Systems?

  SymptomsWhen attempting to enable Secure Boot, the system does not allow you to select the option to enable or disable Secure Boot.  This is due to the way Acer's UEFI implementation requires a Supervisor Password be set in order to access this option.
  UEFI is a newer technology that replaces the older standard BIOS.
  DiagnosisCreating a Supervisor Password in UEFI will allow you to access the Secure Boot options. It is important that you remember this password as it will be required to make any changes in the UEFI interface.
  SolutionCreate a Supervisor Password to gain access to the Secure Boot option. 
  Refer to our FAQ for all the steps on how to access Secure Boot on Desktops, Notebooks, and Tablets:
  Enable or Disable Secure Boot in Windows 8

  Das macht man 2-3 mal und dann ist nix mehr mit Bios. Dann kommt Passwort ist falsch und das war's dann. Hab ich schon auf verschiedenen Lappis gehabt. Sprich TOSHIBA... und Aspire E1-571g. Beim Toshi den Baustein ausgelötet neuen gekauft, beschrieben und wieder eingelötet. Kostet schlappe 150,-€. Mal schauen was beim Acer rauskommt.Vielleicht gibt es ja noch einen Jumper um das UEFI BIOS zurückzusetzen

• X220 BIOS/Firmware - does it support "Secure Boot" under Windows 8?

  I am getting ready to install W8x64 Pro.  I have a X220 with the latest BIOS (1.36 if I recall correctly) using Windows 7x64 currently.  I have run the Upgrade Assistant and it says: "Secure Boot isn't compatible with your PC."  "Your firmware doesn't support Secure Boot so you won't be able to use it in Windows 8."
  Assuming when I install W8x64 bit I have "Boot to UEFI First" and "UEFI BIOS Only" set in the BIOS - and the SSD formatted as a GPT SSD - should Secure Boot work?
  The 1.36 BIOS is not listed as Windows 8 compatible.  I see there is a BIOS for the X230 that is W8 compatible but I am not going to install it.
  At any rate - for any of you X220 users - you can click on "System Information" in W8 or type in "msinfo32" in the run script and it will say whether "Secure Boot" is Unsupported or On.
  Here is a Lenovo link for installing W7 using UEFI but it does not mention whether you would be able to be in "Secure Mode" at the end. 
  http://support.lenovo.com/en_US/downloads/detail.page?DocID=HT051844
  Kent

  Latest firmware is supposed to support Windows 8. But I don't know what support is supposed to mean... I'd say that if you've installed under UEFI and still doesn't enable, it doesn't.
  Thou now that I think of... After I installed using UEFI, I had to go back to the BIOS and change some setting. Reset-some-key or something. I can't restart the computer now but whenever I restart it I'll let you know which setting it was. (it can be several days)
  Good luck.
  If I helped you, please give me some kudos! ^^

• [SOLVED] Disable Secure Boot on Asus Zenbook UX32A

  Hi all, I hope I have posted in the right section, please move it otherwise.
  I'm trying to install Arch on an Asus Zenbook, but I cannot boot installation media (an USB stick, in this case), as it requires the EFI binary to be signed, and only simple way out is to disable Secure Boot.
  Unfortunately I'm not able to disable it from UEFI interface, as it is grayed out. Solutions I've found searching the Web suggested to set a password to BIOS, but even this way I wasn't able to enable it.
  Notebook came with Windows 8 built in, and I upgraded BIOS to 214 version.
  Thank you.
  Last edited by juma93 (2013-03-30 01:29:05)

  Details of the user interface vary greatly from one computer to another. I've got some notes on disabling Secure Boot on an ASUS P8H77-I motherboard here, but they may not apply to your notebook, or there may be an extra trick. Along the latter lines, look for "fast boot" and "CSM" options and try fiddling with them to see if the Secure Boot option becomes alterable.

• R7770 PMDIGD5 breaks Secure Boot

  My new AMD Radeon HD R7770 RMDIGD5 breaks my secure boot on the DELL XPS 8500.  It boots up, but without secure boot enabled.  Any recommendations on how to fix this?

  Quote from: Svet on 15-January-15, 09:00:44
  use this one: https://forum-en.msi.com/index.php?topic=178083.msg1286446#msg1286446
  I would like to thank you very much Svet for your help.  It worked!!!!!