difference between tboot and UEFI Secure Boot

difference between tboot and UEFI Secure Boot


what are the security guarantee differences between tboot and UEFI's Secure Boot (used with TPM)?

I don't really see the difference:

tboot uses TXT to create a MLE to load a kernel (or a hypervisor). It uses a DRTM to bind the integrity of the boot to the HW.

UEFI's Secure Boot used with a TPM uses a signed chain to the kernel that is loaded. Each executable can be measured and verified via the TPM, and so we bind the integrity or the root of trust of the boot to the HW.

Thanks for your help.


2 posts / 0 new
Last post
For more complete information about compiler optimizations, see our Optimization Notice.

Intel® Trusted Execution Technology and Secure Boot have similarities and differences:

  • Intel® TXT uses a processor-based root of trust to measure the bootpath and check that the processor and chipset are properly configured for security.
  • UEFI Secure boot uses signature verification to authenticate the bootpath with an option to measure the bootpath.

Secure Boot works regardless of which OS you are running so it is a boot method you can use if you are running a non-Windows OS.  It is improbable that there would be any claims made made to "guarantee" that your system will be completely secure, however we can make our systems highly resistant to being affected by rootkits and bootkits by implementing these boot methods.

Here is an article from MSDN that does a really nice job in describing the boot methods:

The following is from the technet link referenced above:

When a PC starts, it first finds the operating system bootloader. PCs without Secure Boot simply run whatever bootloader is on the PC’s hard drive. There’s no way for the PC to tell whether it’s a trusted operating system or a rootkit.

When a PC equipped with UEFI starts, the PC first verifies that the firmware is digitally signed, reducing the risk of firmware rootkits. If Secure Boot is enabled, the firmware examines the bootloader’s digital signature to verify that it hasn’t been modified. If the bootloader is intact, the firmware starts the bootloader only if one of the following conditions is true:

  • The bootloader was signed using a trusted certificate. In the case of PCs certified for Windows 8, Microsoft’s certificate is trusted.
  • The user has manually approved the bootloader’s digital signature. This allows the user to load non-Microsoft operating systems.

Trusted Boot takes over where Secure Boot leaves off. The bootloader verifies the digital signature of the Windows 8 kernel before loading it. The Windows 8 kernel, in turn, verifies every other component of the Windows startup process, including the boot drivers, startup files, and ELAM. If a file has been modified, the bootloader detects the problem and refuses to load the corrupted component. Often, Windows 8 can automatically repair the corrupted component, restoring the integrity of Windows and allowing the PC to start normally.

Because Secure Boot has protected the bootloader and Trusted Boot has protected the Windows kernel, the next opportunity for malware to start is by infecting a non-Microsoft boot driver. Traditional antimalware apps don’t start until after the boot drivers have been loaded, giving a rootkit disguised as a driver the opportunity to work.

ELAM can load a Microsoft or non-Microsoft antimalware driver before all non-Microsoft boot drivers and applications, thus continuing the chain of trust established by Secure Boot and Trusted Boot. Because the operating system hasn’t started yet, and because Windows needs to boot as quickly as possible, ELAM has a simple task: Examine every boot driver and determine whether it is on the list of trusted drivers. If it’s not trusted, Windows won’t load it.

An ELAM driver isn’t a full-featured antimalware solution; that loads later in the boot process. Windows Defender (included with Windows 8) supports ELAM, as does Microsoft System Center 2012 Endpoint Protection and several non-Microsoft antimalware apps.

Measured Boot:  Measured Boot uses the power of UEFI, TPM, and Windows 8 to give you a way to confidently assess the trustworthiness of a client PC across the network.

Secure Boot, Trusted Boot, and Measured Boot create an architecture that is fundamentally resistant to bootkits and rootkits.

Follow me on Twitter: @GaelHof
Facebook: https://www.facebook.com/GaelHof

Leave a Comment

Please sign in to add a comment. Not a member? Join today