SYS-004T. Designing a secure boot experience with modern firmware. Tony Mangefeste Senior Program Manager Microsoft Corporation . Secure Boot Policies. Secure boot defined in c hapter 27 of UEFI specification Refer to revision 2.3.1 for latest time-based, authenticated variables
Designing a secure boot experience with modern firmware
Senior Program Manager
Key Exchange Keypub
Allow DB “db”
Disallow DB “dbx”
Jeff BobzinVice President
Firmware image is hardware-protected and any firmware updates must be a secure process
Third-party drivers, option ROMs, and boot-loaders can be signed by creator using a CA holding trusted keys
Database of trusted signing keys initialized at factory and updated by the OS
Along with list of any compromised keys
After OS boot:
For questions, please visit me in the
Speakers Connection area following this session.
© 2011 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.