Search the Community
Showing results for tags 'secure boot'.
Found 2 results
svl7 posted a topic in Alienware. So... Dell/Alienware managed to confuse a lot of users with their latest BIOS updates from last week. Version A08 of the M14x R2 as well as the M17x R4 and also A07 of the M18x R2 made a quick appearance on the Dell support site, only to vanish again shortly after - apparently to be replaced with A09 respectively A08. To make the confusion perfect, Dellienware once more decided not to publish any change log, not even a tiny bit of useful information. (I already bothered some Dell reps with this, but no success so far... they're always telling that my emails will be forwarded to the proper people...). Anyway, even though severe, I don't want to discuss the change log problem at this place. So what's up with those new BIOS? It's hard to miss that some numbers are missing between the last bios update and the current releases. Anyone who's slightly familiar with software updates and naming will realize that this is already and indication that quite some changes have been made - obvious, right? Huge parts of the firmware got revised and new modules were added as well. To keep it short, the bios (or UEFI to be more precise) is now officially Windows 8 ready. You may have already read that Microsoft requires the OEMs to have certain functions in the UEFI available (namely Secure Boot) in order get the systems 'Windows 8 certified'. Just to quickly clarify something, you don't need a 'Windows 8 certified' machine in order to run Windows 8, neither do you require Secure Boot, but the OEMs are pretty keen on this certificate as customers seem to prefer systems with certain stickers on them. What's this Secure Boot stuff? And how does this affect me? Secure boot is a protocol, a part of the UEFI, designed to ensure that a system gets booted in a so-called trusted state. This means a state that is known to be secure, that the firmware code has not been tampered with and is a direct copy which comes from a trusted source (e.g. the manufacturer of the used UEFI variation). Secure boot handles this with a system of different functions and interfaces as well as a key system. It makes sure that all external images have to pass a predefined authentication before they get executed. It is designed to prevent attacks which target the firmware to OS handoff. What secure boot won't do is protecting the firmware from direct attacks, e.g. manipulated bios updates and similar ... and this is where we come to secure firmware updating. Some of you may have noticed or read that coming from an 'old' bios version it is no longer possible aynmore to (easily) downgrade to an earlier version once you have flashed A08/A07 or later. This is because Dellienware decided to implement a way to verify firmware updates, in the case of the Insyde UEFI it is 'secure flash'. The UEFI image, the drivers which are required at boot etc. are all digitally signed. Now if you want to update your BIOS, this is what happens (simplified): - Flash utility checks the firmware image for integrity. - If ok, the image gets sent to the system - System reboots, starts the pre-uefi environment and starts the authentication process on the file which is to be flashed - If this check passes, and only then, the software environment for the flash gets launched, firmware gets updated. I have to admit that secure boot without implementing a method for secure firmware updating makes pretty much no sense at all, so it's obvious that this would come sooner or later, especially with Microsofts requirement for the Win8 certification. The consequence of this is that the user gets locked out of his own system. A (hobbyist like me) is no longer able to tweak the firmware of his system in order to use hardware the way he wants. Same goes for benchers, power users, hardware enthusiasts etc. who like to flash a modified bios in order to get access to disabled settings or activate certain CPU extensions which the system manufacturer locked out. The digital signing which gets used in UEFI is really sophisticated, so don't even ask about creating own signatures or revers engineering it. This is the end of bios modding (and especially easy flashing) as we know it. While I have hope that it will be able to find some workarounds for the current AW systems, I have reasons to believe that it will be much more difficult to achieve this with a system which comes with the secure boot function implemented by stock. One thing is for sure, if you intend to use a modified firmware, secure boot needs to be disabled ...but it is obvious that the issue with the secure firmware update (in our case 'secure flash') persists, even with secure boot turned off (for the reasons mentioned above). I don't want to read all this / To much technical details, what are the conclusions of all this for me? Do you use / want to use a modified bios on a current AW system (M14xR2, M17x R4, M18xR2)? If no - doesn't really matter for you, just go ahead and update to the latest bios which Dell provides for your system. If yes... - If you're still on an 'old' BIOS (pre-A08/A07 when looking at the official releases) then you can for example stay there and flash forth and back between a modified and stock bios, as long as the stuff you flashes predates A08 respectively A07 (again, I'm only talking about public, official releases). If you want to update to the latest version, keep in mind that you won't be able to easily downgrade anymore once you're on one of those new bios. You won't be able to easily flash a modified version either, unless you directly flash a modified when coming from an 'old' bios. In this case the mod will flash fine, but the consequences are the same, you won't be able to downgrade anymore easily, neither will you be able to just flash a newer modified bios. And if you already flashed a unmodified new bios and want to get a modified one... shit happens. Contact me in the corresponding thread of your model and we might be able figure out something. Let me know if you have any questions, some explanations might not be sufficient if you're not a bit familiar with all this stuff.