Microsoft's Windows 8 Security Includes UEFI Secure Boot

Microsoft's Windows 8 security measures include secure boot. As demonstrated at BUILD, this means compromised systems can refuse to boot.

Microsoft is detailing some of its security procedures for Windows 8.

Key to Windows 8's "platform integrity architecture" is its Unified Extensible Firmware Interface (UEFI), a set of specifications for how the operating system communicates with platform firmware during the boot-up process. UEFI features a firmware validation process known as "secure boot," which dictates how that firmware manages security certificates, firmware validation and the like.

"Microsoft's platform integrity architecture creates a root of trust with platform firmware using UEFI secure boot and certificates stored in firmware," Tony Mangefeste, a member of the Windows Ecosystem team, wrote in a Sept. 22 posting on the "Building Windows 8" blog. "With Windows 8's secured boot architecture and its establishment of a root of trust, the customer is protected from malicious code executing in the boot path by ensuring that only signed, certified -known good' code and boot loaders can execute before the operating system itself loads."

In theory, UEFI secure boot will allow machines running Windows 8 to sidestep a current vulnerability in many PCs, namely that the pre-operating system environment is vulnerable to malicious loaders redirecting the boot loader handoff.

"For Windows customers, Microsoft is using the Windows Certification program to ensure that systems shipping with Windows 8 have secure boot enabled by default," Mangefeste said. Windows Certification will also ensure "that firmware not allow programmatic control of secure boot (to prevent malware from disabling security policies in firmware), and that OEMs prevent unauthorized attempts at updating firmware that could compromise system integrity." 

During the BUILD conference earlier in September, Windows and Windows Live division President Steven Sinofsky demonstrated Windows 8's security measures by having a fellow executive plug a USB with a rootkit virus into the port of a tablet running the operating system. The device failed to boot up and compromise the system.

For the past few weeks, Microsoft has unveiled aspects of its Windows 8 operating system, which is being designed to run on both tablets and traditional PCs. It will do so by offering two distinct user environments: the desktop, instantly familiar to anyone who's used Windows, alongside a touch-enabled interface featuring colorful tiles that link to applications.

Microsoft executives have spent considerable time over the past few weeks trumpeting Windows 8's "no compromises" ability to provide both a lightweight mobility experience and the sort of features desired by power users. Security, obviously, is a huge factor in all of that.

Follow Nicholas Kolakowski on Twitter