Understanding AMT, UEFI BIOS and Secure boot relationships
Notes from the lab.
As part of AMT validation, our functional testing lab verifies AMT use cases with UEFI BIOS. I found that AMT users kept raising the same questions, so I decided to write this brief explanation of the relationships between AMT, UEFI and Secure boot.
This is not a comprehensive explanation of UEFI; I focus only on the details needed to understand the AMT related subjects.
Let’s start with the basic definitions:
UEFI stands for Unified Extensible Firmware Interface, which is a specification of interfaces for modern BIOS firmware.
UEFI disk devices handling
Part of the UEFI specification is the disk device handling. The UEFI specification defines a "boot manager" that is in charge of loading the OS loader. Auto-detection of the boot loader relies on a standardized file path to the OS loader, depending on the actual architecture to boot (\EFI\BOOT\BOOT[architecture name].EFI, e.g. \EFI\BOOT\BOOTx64.EFI).
Compatibility Support Module (CSM)
The UEFI boot manager is able to load a legacy BIOS environment using the Compatibility Support Module (CSM). This module emulates a legacy BIOS environment and allows booting legacy operating systems, or newer operating systems that were installed without a UEFI boot loader.
Secure boot
Secure boot protects the boot process by preventing the loading of drivers or OS loaders that are not signed with an acceptable digital signature. The BIOS maintains a list of platform keys which are used to verify that the OS loader and drivers are trusted. Secure boot is supported by Windows 8, Windows Server 2012, and selected Linux distributions. In order to use it, the BIOS must have the public key corresponding to the key that signed the OS loader. When using Secure boot, the Compatibility Support Module (CSM) must be disabled.
- In order to use the UEFI based OS loader, the disk media has to contain the loader at the standard file path so that it can be auto-detected.
- If we want our OS to use the UEFI OS loader, we need to boot the installation media through the UEFI based OS loader so that it installs the OS with a UEFI OS loader.
- Compatibility Support Module (CSM)
- Secure boot can be used in order to verify that the loaded OS is signed. In order to use Secure boot, you must disable the CSM in the BIOS settings.
AMT remote control operations offer boot control capabilities that allow the IT administrator to boot from different media types such as the local hard disk or a local CD. They also support booting from a virtual CD or virtual floppy through an IDE redirection (IDEr) session. The same UEFI BIOS device handling rules apply when boot options and operations are driven by AMT, with the exception of Secure boot during an IDEr session.
Secure boot disable on IDEr
In order to allow the IT administrator to use an unsigned OS to heal the system, when a boot from IDEr media is performed AMT tells the BIOS to disable Secure boot for the IDEr media. This should not affect Secure boot for non-IDEr devices. Disabling Secure boot does not necessarily mean that the Compatibility Support Module (CSM) is enabled; this depends on the BIOS manufacturer's implementation.
It is possible to enforce Secure boot during an IDEr session from the management console by using a WSMAN command to set the EnforceSecureBoot property of the AMT_BootSettingData class to 'true', as documented in the AMT SDK. This boot capability must be supported by the OEM in order for Secure boot disable on IDEr to work.
Disabling secure boot on IDEr is supported in AMT version 8.1 and above.
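The following is an added illustration for these notes, not Intel SDK code, of the WS-Management messages a console sends to read AMT_BootSettingData and write it back with EnforceSecureBoot set. The envelope layout follows WS-Transfer Get/Put over WS-Management; the InstanceID selector value, the management host and the sample response are assumptions made here so that the script runs offline. Because Put replaces the whole instance, the example starts from the settings read with Get and changes only the one property.

```python
"""Build and parse the WS-Management Get/Put messages for AMT_BootSettingData.
Added example, not Intel SDK code; host, selector and sample response are assumed."""
import xml.etree.ElementTree as ET

SOAP = "http://www.w3.org/2003/05/soap-envelope"
WSA = "http://schemas.xmlsoap.org/ws/2004/08/addressing"
WSMAN = "http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd"
XFER = "http://schemas.xmlsoap.org/ws/2004/09/transfer"
BSD = "http://intel.com/wbem/wscim/1/amt-schema/1/AMT_BootSettingData"
# Assumed selector for the single boot-settings instance exposed by AMT.
INSTANCE_ID = "Intel(r) AMT: Boot Configuration 0"


def _envelope(action, to):
    """Common SOAP header: addressing, WS-Transfer action, resource URI and selector."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    hdr = ET.SubElement(env, f"{{{SOAP}}}Header")
    ET.SubElement(hdr, f"{{{WSA}}}To").text = to
    ET.SubElement(hdr, f"{{{WSA}}}Action").text = action
    ET.SubElement(hdr, f"{{{WSMAN}}}ResourceURI").text = BSD
    sel = ET.SubElement(hdr, f"{{{WSMAN}}}SelectorSet")
    ET.SubElement(sel, f"{{{WSMAN}}}Selector", Name="InstanceID").text = INSTANCE_ID
    body = ET.SubElement(env, f"{{{SOAP}}}Body")
    return env, body


def build_get(to):
    """Get request: read the current AMT_BootSettingData instance."""
    env, _ = _envelope(f"{XFER}/Get", to)
    return ET.tostring(env, encoding="unicode")


def build_put(to, current_settings, enforce_secure_boot=True):
    """Put request carrying every field from `current_settings` with EnforceSecureBoot replaced."""
    env, body = _envelope(f"{XFER}/Put", to)
    inst = ET.SubElement(body, f"{{{BSD}}}AMT_BootSettingData")
    fields = dict(current_settings)
    fields["EnforceSecureBoot"] = "true" if enforce_secure_boot else "false"
    for name, value in fields.items():
        ET.SubElement(inst, f"{{{BSD}}}{name}").text = value
    return ET.tostring(env, encoding="unicode")


def parse_settings(response_xml):
    """Extract the AMT_BootSettingData properties from a Get/Put response as a dict."""
    root = ET.fromstring(response_xml)
    inst = root.find(f".//{{{BSD}}}AMT_BootSettingData")
    if inst is None:
        raise ValueError("no AMT_BootSettingData instance in response")
    return {child.tag.split("}")[1]: child.text for child in inst}


def secure_boot_enforced(settings):
    """True only if the device reports EnforceSecureBoot as 'true'."""
    return (settings.get("EnforceSecureBoot") or "false").lower() == "true"


# Constructed sample Get response; real devices return more properties.
SAMPLE_GET_RESPONSE = f"""<s:Envelope xmlns:s="{SOAP}"><s:Body>
<b:AMT_BootSettingData xmlns:b="{BSD}">
<b:InstanceID>{INSTANCE_ID}</b:InstanceID>
<b:ElementName>Intel(r) AMT Boot Configuration Settings</b:ElementName>
<b:UseIDER>true</b:UseIDER>
<b:UseSOL>false</b:UseSOL>
<b:EnforceSecureBoot>false</b:EnforceSecureBoot>
</b:AMT_BootSettingData></s:Body></s:Envelope>"""


def prepare_enforced_put(to="http://amt-host.example:16992/wsman", get_response=SAMPLE_GET_RESPONSE):
    """Read current settings, then build the Put that turns EnforceSecureBoot on."""
    current = parse_settings(get_response)
    return build_put(to, current, enforce_secure_boot=True)


if __name__ == "__main__":
    print(prepare_enforced_put())
```

Send the envelopes as `application/soap+xml` to the AMT endpoint (port 16992 for HTTP, 16993 for TLS) with the admin credentials; after the Put, issue another Get and check `secure_boot_enforced` on the reply rather than trusting the Put's HTTP status, since the page notes the capability only works when the OEM BIOS supports it.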
If you want to test your platform or management console application with UEFI based disk handling capabilities and AMT, first verify that your platform's BIOS settings and OS media are correct:
Configure the desired settings in the BIOS, such as Compatibility Support Module (CSM) enable/disable, Secure boot enable/disable and the Secure boot keys. Verify that the media you are attempting to boot is installed according to the desired boot loader type.
When all the settings are defined, attempt to load the media on the platform local devices and make sure that the platform’s behavior is as expected. Only then try to perform remote control operations or IDEr boot.
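One way to confirm that the local boot behaved as expected before moving on to remote control or IDEr, as an added example for these notes rather than Intel code: from a booted Linux OS, the firmware mode and the Secure boot state are visible in sysfs (`/sys/firmware/efi` exists only after a UEFI boot, and efivarfs exposes the SecureBoot and SetupMode variables with a 4-byte attribute word in front of the data). The script reads those, compares them against what you configured in the BIOS, and builds a constructed sysfs tree so it can run offline.

```python
"""Report the firmware boot mode and Secure boot state a Linux OS observes and
compare them with the BIOS settings you intended. Added example, not Intel code."""
import os
import tempfile

EFI_GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"  # EFI_GLOBAL_VARIABLE namespace


def read_efivar(sysfs_root, name):
    """Return the data of a UEFI global variable from efivarfs, or None if absent.
    efivarfs prefixes the variable data with a 4-byte attributes word."""
    path = os.path.join(sysfs_root, "firmware", "efi", "efivars", f"{name}-{EFI_GLOBAL_GUID}")
    try:
        with open(path, "rb") as f:
            raw = f.read()
    except FileNotFoundError:
        return None
    return raw[4:]


def boot_state(sysfs_root="/sys"):
    """Return {'firmware': 'uefi'|'legacy', 'secure_boot': bool|None, 'setup_mode': bool|None}.
    A CSM (legacy) boot leaves no /sys/firmware/efi directory at all."""
    if not os.path.isdir(os.path.join(sysfs_root, "firmware", "efi")):
        return {"firmware": "legacy", "secure_boot": None, "setup_mode": None}
    sb = read_efivar(sysfs_root, "SecureBoot")
    sm = read_efivar(sysfs_root, "SetupMode")
    return {
        "firmware": "uefi",
        "secure_boot": (sb[0] == 1) if sb else None,
        "setup_mode": (sm[0] == 1) if sm else None,
    }


def check_expectations(state, expect_uefi, expect_secure_boot):
    """List every way the observed state differs from the BIOS configuration you set."""
    problems = []
    if expect_uefi and state["firmware"] != "uefi":
        problems.append("booted through CSM/legacy although UEFI loader was expected")
    if not expect_uefi and state["firmware"] == "uefi":
        problems.append("booted via UEFI although a legacy (CSM) boot was expected")
    if expect_uefi and expect_secure_boot and state["secure_boot"] is not True:
        problems.append("Secure boot is not enforced (variable missing or 0)")
    if expect_uefi and not expect_secure_boot and state["secure_boot"] is True:
        problems.append("Secure boot is on although it was expected off")
    if state["setup_mode"] is True:
        problems.append("firmware is in Setup Mode: no platform key enrolled, signatures not enforced")
    return problems


def build_sample_sysfs(uefi=True, secure_boot=True, setup_mode=False):
    """Constructed sysfs tree mirroring the real efivarfs layout, for offline runs."""
    root = tempfile.mkdtemp(prefix="sysfs_")
    if uefi:
        efivars = os.path.join(root, "firmware", "efi", "efivars")
        os.makedirs(efivars)
        attrs = (6).to_bytes(4, "little")  # BOOTSERVICE_ACCESS|RUNTIME_ACCESS, as the firmware sets them
        for name, value in (("SecureBoot", secure_boot), ("SetupMode", setup_mode)):
            with open(os.path.join(efivars, f"{name}-{EFI_GLOBAL_GUID}"), "wb") as f:
                f.write(attrs + bytes([1 if value else 0]))
    return root


if __name__ == "__main__":
    root = build_sample_sysfs(uefi=True, secure_boot=False)
    state = boot_state(root)
    print(state, check_expectations(state, expect_uefi=True, expect_secure_boot=True))
```

On the real platform call `boot_state()` with the default `/sys` root after each local boot; an empty list from `check_expectations` for the settings you configured is the "behaviour as expected" checkpoint the procedure above asks for, and the same check run after an IDEr boot shows whether the BIOS really dropped Secure boot only for the redirected media.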
Q & A
Q: Do I have to disable Compatibility Support Module (CSM) in order to boot with UEFI based OS loader?
A: No. A UEFI BIOS should be able to detect and boot from media that has a UEFI based OS loader.
Q: Can I configure Secure boot with the Compatibility Support Module (CSM) enabled?
A: No. You must disable the Compatibility Support Module (CSM) in order to configure Secure boot. The BIOS may do this automatically, depending on the implementation.
Q: Why can't I boot from my legacy bootable CD during an IDEr session, although Secure boot should be disabled when booting an IDEr CD?
A: When Secure boot is configured in the BIOS, the Compatibility Support Module (CSM) is disabled too. BIOS writers are required to disable Secure boot on IDEr, but are not required to enable the CSM, so this behavior may vary between BIOS types and versions.
If you want to use legacy media with IDEr and the BIOS does not enable the CSM on IDEr automatically, you may configure the BIOS to enable the CSM before the reboot. This can be done from the remote console using the AMT KVM or SOL capabilities.