
"Composter" touched on subtle matters that connect the past with the present. In the computer world, this is called compatibility. The inquisitive mind of the experimenter wants to know: what will happen if you disobey the motherboard manual and refuse compatibility? In other words: is the material on the Clear CMOS operation on the motherboard well understood? If so, follow us, dear readers. We start experimenting with the Aptio Setup Utility, which is securely built into the UEFI BIOS by American Megatrends.

Don't say GOP if you don't know how it ends

With laptops it is simple: on entering Setup, they readily report which version of GOP the platform supports. A reminder for those who have just joined us: Graphics Output Protocol (GOP) is the new mechanism that replaced the VGA BIOS in UEFI.

Fig. 1. CSM, as an interoperability technology, opens additional options in the UEFI BIOS menu

The situation is more complicated with desktop systems. Almost any suitable video card can be installed in the expansion slot. If the installed video card has no GOP support and we turn off CSM mode and exit Setup saving the changes, then after the reboot we get a fatal error: a beep code signalling the lack of video (1 long and three short beeps). Then comes a pause and another reboot, during which the BIOS turns CSM back on by itself and warns us with the following message:

The VGA Card is not supported UEFI Driver.
CSM (Compatibility Support Module) settings have been changed for better compatibility.

What happens during the execution of the POST procedures? Obviously, if the VGA BIOS does not support UEFI, the motherboard firmware cannot interact with the video card's resources via the GOP protocol. Nor can the motherboard firmware ignore the "inconvenient" Legacy VGA BIOS and work with the video controller directly, since operating a graphics controller requires very specific support, and the board's UEFI System BIOS cannot support every type of graphics controller in advance.

CSM is a bridge between the past and the future

The only acceptable solution for making the old and the new compatible is the Compatibility Support Module technology. Only it can create a "bridge" between the UEFI GOP and the Legacy VGA BIOS.


Fig. 2. Disabling CSM makes the other CSM menu options uneditable

The behaviour of the Aptio Setup utility confirms this. If CSM mode is enabled, all other options on this page are available. When you turn off compatibility mode, the other options become unavailable. And if you exit Setup after saving the changes, the platform will not be able to initialize the video and will generate the error described above.

Obviously, the question concerns not only graphics. If we install, for example, a Storage controller whose firmware does not support UEFI, then if the CSM mode is disabled, the disks connected to it will remain inaccessible.

Secure Boot is one of the UEFI features that makes it possible to counter rootkits and bootkits (which exploit vulnerabilities in BIOS firmware) at the stage before the OS loads. Secure Boot technology is one of the layers of defense in the new Microsoft operating systems, Windows 8 and Windows Server 2012. In this article we will look at the practical and theoretical aspects of how Secure Boot works in Windows 8 (also relevant for Windows Server 2012).

It's no secret that in modern systems, booting the OS is one of the most vulnerable components in terms of security. It is enough for an attacker to hand the bootloader functions over to his own ("malicious") bootloader, and such a bootloader will not be detected by the OS security system or anti-virus software.

The Secure Boot feature in Windows 8 makes it possible to check all startup components (drivers, programs) during the boot process (before the operating system starts), ensuring that only trusted (digitally signed) programs can run while Windows is booting. Unsigned code and code without proper security certificates (rootkits, bootkits) are blocked by UEFI (however, this protection system can also be bypassed; remember the Flame worm, signed by a fake Microsoft certificate). If a component without a digital signature is found, the Windows Recovery service starts automatically and tries to repair Windows by restoring the necessary system files.


It should be clearly understood that in order to use Secure Boot technology, the PC must use a UEFI system instead of BIOS (what it is is described in the article). In addition, the motherboard firmware must support the UEFI v2.3.1 specification and have the Microsoft Windows CA certificate in its UEFI signature database (or certificates of hardware OEMs certified by Microsoft). All new computers with pre-installed Windows 8 (64-bit) that received the "Windows 8 ready" sticker must, at Microsoft's request, have Secure Boot active. Also note that Windows 8 for ARM (Windows RT) cannot be installed on hardware that does not support UEFI or that allows you to disable Secure Boot. A TPM (Trusted Platform Module) is not required for Secure Boot or ELAM to work!

Another component of Windows 8 Secure Boot is ELAM (Early-Launch Anti-Malware), which provides antivirus protection before the computer has finished booting. As a result, a certified antivirus (meaning products of various vendors, not just Microsoft) starts working before malware has a chance to run and hide its presence.

Configuring Secure Boot in Windows 8

Let's try to figure out how to set up a secure boot of Windows 8 on a new computer (assuming we have a boxed copy and not a pre-installed OEM version of Windows 8). An ASUS P8Z77 motherboard with UEFI support (and a Windows 8 ready sticker) was chosen for the experiment. Keep in mind that on a different motherboard the specific screens and options will most likely differ; the main thing is to understand the basic principles of installing Windows 8 with Secure Boot on a new computer.

The system is to be installed on an SSD, so in the BIOS settings (it's actually UEFI) set SATA Mode Selection to AHCI.

To install Windows 8 in UEFI mode we need either a bootable (physical) DVD with the Windows 8 distribution or a specially prepared bootable USB flash drive with Windows 8 formatted in FAT32, because a bootable flash drive formatted in NTFS will not work in UEFI. It is worth noting that installing Windows 8 from a USB flash drive to an SSD took only about 7 minutes!

Turn off the computer, insert the boot disk (flash drive) and turn the computer on. You will be presented with a boot options selection screen (UEFI boot menu), where you need to select your boot device (the screenshot shows the Windows Boot Manager option, but in reality you will only have it after installing the system in EFI mode).

Let's dwell on the disk partitioning parameters for the system in more detail. EFI and Secure Boot require the drive to be in GPT mode (not MBR). If the disk is not partitioned, no further manipulations with diskpart are needed; the system will do everything itself. If the disk already has partitions, delete them, because for UEFI to work with Secure Boot you need four special partitions that the installer creates automatically.

It is assumed that we want to use the entire disk for Windows 8, so just click Next without creating any partitions. Windows will automatically create four partitions of the correct size and name them:

  • Recovery – 300 MB
  • System – 100 MB – the EFI system partition containing NTLDR, HAL, Boot.txt, drivers, and other files needed to boot the system
  • MSR (Reserved) – 128 MB – the Microsoft Reserved partition (MSR), which is created on each disk for subsequent use by the operating system
  • Primary – all the remaining space; this is the partition where Windows 8 is actually installed


Next, install Windows 8 as usual. Once Windows is installed, you can use PowerShell to make sure that Secure Boot is in use. To do this, run the following in a command line with administrator rights:

Confirm-SecureBootUEFI

If secure boot is enabled, the command will return TRUE (if it returns false or the command is not found, then it is disabled).
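
The following is an added example, not part of the original article. It extends the check above by separating "Secure Boot disabled" from "system booted in legacy BIOS or CSM mode", where Confirm-SecureBootUEFI raises an error instead of returning False, and it maps the boot disk's GPT partition types to the four partitions listed earlier. The helper names Get-SecureBootState and Get-BootDiskLayout are assumptions of this example.

```powershell
# Added example: report Secure Boot state and the boot disk's GPT layout.
# Run from an elevated PowerShell prompt on Windows 8 / Server 2012 or later.

# Well-known GPT partition type GUIDs for the four partitions listed above.
$GptRoles = @{
    '{de94bba4-06d1-4d40-a16a-bfd50179d6ac}' = 'Recovery'
    '{c12a7328-f81f-11d2-ba4b-00a0c93ec93b}' = 'System (EFI)'
    '{e3c9e316-0b5c-4db8-817d-f92df00215ae}' = 'MSR (Reserved)'
    '{ebd0a0a2-b9e5-4433-87c0-68b6b72699c7}' = 'Primary (basic data)'
}

function Get-SecureBootState {   # hypothetical helper name
    try {
        # Returns $true / $false only when the OS was booted through UEFI.
        if (Confirm-SecureBootUEFI -ErrorAction Stop) { 'Enabled' } else { 'Disabled' }
    }
    catch [System.PlatformNotSupportedException] {
        # Legacy BIOS or CSM boot: the cmdlet raises an error instead of returning False.
        'NotSupported'
    }
    catch [System.UnauthorizedAccessException] {
        'Unknown: prompt is not elevated'
    }
}

function Get-BootDiskLayout {    # hypothetical helper name
    $disk = Get-Disk | Where-Object IsBoot | Select-Object -First 1
    if (-not $disk) { throw 'No boot disk reported by Get-Disk.' }
    foreach ($p in Get-Partition -DiskNumber $disk.Number) {
        $type = [string]$p.GptType            # empty on an MBR disk
        [pscustomobject]@{
            Style     = $disk.PartitionStyle  # Secure Boot installs expect GPT
            Partition = $p.PartitionNumber
            Role      = if ($GptRoles.ContainsKey($type)) { $GptRoles[$type] } else { 'Other' }
            SizeMB    = [math]::Round($p.Size / 1MB)
        }
    }
}

"Secure Boot: $(Get-SecureBootState)"
Get-BootDiskLayout | Format-Table -AutoSize
```

A result of NotSupported together with Style = MBR indicates that the installer was started in legacy mode rather than from the UEFI boot menu entry.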

So, we have successfully installed Windows 8 in Secure Boot mode with UEFI.

Good day.

Users quite often ask questions about Secure Boot (for example, this option sometimes needs to be disabled when installing Windows). If it is not disabled, this security feature (developed by Microsoft in 2012) will check for special keys that are available only for Windows 8 (and higher). Accordingly, you will not be able to boot a laptop from any media ...

In this short article, I want to look at several popular brands of laptops (Acer, Asus, Dell, HP) and show how to disable Secure Boot with an example.

Important note! To disable Secure Boot, you need to enter the BIOS, and for this you need to press the appropriate buttons immediately after turning on the laptop. One of my articles is devoted to this issue. It lists the buttons for different manufacturers and details how to enter the BIOS. Therefore, I will not dwell on this issue here ...

Acer

(Screenshots from laptop BIOS Aspire V3-111P)

After entering the BIOS, you need to open the "BOOT" tab and see if the "Secure Boot" tab is active. Most likely, it will be inactive and cannot be changed. This is due to the fact that the administrator password is not set in the BIOS section "Security".

To set it, open this section, select the item "Set Supervisor Password" and press Enter.

Actually, after that you can open the "Boot" section: the "Secure Boot" tab will be active and can be switched to Disabled (i.e. turned off, see screenshot below).

After rebooting the laptop, it should boot from any* bootable device (for example, from a USB flash drive with Windows 7).

Asus

Some Asus laptop models (especially new ones) sometimes confuse novice users. In fact, how can you disable secure boot in them?

1. First, go to the BIOS and open the "Security" section. At the very bottom there will be an item "Secure Boot Control"; switch it to Disabled, i.e. turn it off.

2. After the reboot, enter the BIOS again and then in the "Boot" section, do the following:

  • Fast Boot - switch to Disabled mode (i.e. turn off fast boot; this option is not present everywhere, so if you don't have it, just skip this recommendation);
  • Launch CSM - switch to Enabled mode (i.e. enable support and compatibility with "old" OS and software);
  • Then press F10 again to save the settings and restart the laptop.

3. After the reboot, enter the BIOS and open the "Boot" section. In the "Boot Option" item you can select the bootable media that is connected, for example, to a USB port. Screenshot below.

Then we save the BIOS settings and reboot the laptop (F10 button).

Dell

(Screenshots from Dell Inspiron 15 3000 Series laptop)

On Dell laptops, disabling Secure Boot is probably one of the easiest: one visit to the BIOS is enough, and no administrator passwords, etc. are needed.

After entering the BIOS - open the "Boot" section and set the following parameters:

  • Boot List Option - Legacy (this includes support for older operating systems, i.e. compatibility);
  • Security Boot - disabled (disable secure boot).

Actually, then you can edit the boot order. Most people install a new Windows OS from a bootable USB flash drive, so below is a screenshot of which line needs to be moved to the very top so that you can boot from the USB flash drive (USB Storage Device).

After entering the settings, press F10 to save them, and then press Esc to exit the BIOS and restart the laptop. Actually, this is the end of disabling Secure Boot on a Dell laptop!

HP

After entering the BIOS, open the "System configuration" section, and then go to the "Boot Option" tab (see screenshot below).

After the reboot, the text "A change to the operating system secure boot mode is pending…" will appear.

We are warned about the changes made to the settings and offered to confirm them with a code. You just need to enter the code shown on the screen and press Enter.

After this change, the laptop will reboot, and secure boot will be disabled.

To boot from a USB flash drive or disk: when you turn on your HP laptop, press ESC, and select “F9 Boot Device Options” from the start menu, then you can select the device you want to boot from.

In principle, on laptops of other brands, turning off Secure Boot proceeds in the same way; there are no significant differences. The only point: on some models, entering the BIOS is "complicated" (for example, on Lenovo laptops; you can read about it in this article). With that I'll wrap up, all the best!

UEFI Secure Boot is a standard BIOS protection that limits the ability to use USB drives as a boot disk. This security protocol can be found on computers running Windows 8 and newer. Its essence is to prevent the user from booting from the installer of Windows 7 and below (or an operating system from another family).

This feature can be useful for the corporate segment, as it helps prevent unauthorized booting of the computer from unauthorized media that may contain various malware and spyware.

For ordinary PC users this feature is useless; on the contrary, in some cases it can even get in the way, for example if you want to install Linux alongside Windows. Also, problems with UEFI settings may cause an error message to appear while working in the operating system.

To find out if you have this protection, it is not necessary to go to the BIOS and look for information about this, just take a few simple steps without leaving Windows:


Depending on the motherboard manufacturer, the process for disabling this feature may look different. Consider the options for the most popular manufacturers of motherboards and computers.

Method 1: For ASUS


Method 2: For HP


Method 3: For Toshiba and Lenovo

Here, after entering the BIOS, you need to select the Security section. There should be an option "Secure Boot", which you need to set to Disable.

Method 4: For Acer

While everything was relatively simple with the previous manufacturers, here the required parameter is initially unavailable for changes. To unlock it, you will need to set a password on the BIOS. You can do this with the following instructions:

