Windows 8 and 8.1 Forums


Show me your UEFI settings page - looking for functions

  1. #1


    Posts : 187
    Windows 8 64 bit



    Can people please show me their UEFI settings page? I'm looking to prove or disprove something that the HP people are now telling me.

    First off, they do not give tech support for UEFI - UEFI is advanced, they say, with advanced issues. This is why you will find no mention of UEFI in an HP service manual. They say contact Microsoft, which is silly because MS only requires the use of these features - they are not the OEM responsible for the BIOS/UEFI functionality.

    According to the Windows Hardware Certification Requirements for Client and Server Systems, Sections 14 through 18 under the heading System.Fundamentals.Firmware.UEFISecureBoot, users, not OEMs, are supposed to have the ability to delete Secure Boot keys (even Microsoft's key if they wanted; of course this would cause Windows 8 not to boot in UEFI mode with Secure Boot enabled) or add your own Secure Boot keys, assuming you have one that's needed for an OS you created or some other system running at boot time.

    I think the tech support at HP are either lackeys reading from a script, and even the supervisors have no clue what's going on, or HP is doing this on purpose to pull a fast one. I think it's possible HP may be in breach of agreement with Microsoft - that, or something else is going on that's not clear to anyone.

    I want to know, does anyone have a UEFI firmware settings section that allows this functionality of being able to delete (not disable) the Secure Boot Keys (PK) or add your own keys as is Required by Microsoft?


  2. #2


    Lynnwood, WA
    Posts : 173
    Windows 8, Windows 7


    It depends on how UEFI is implemented in the system. For most HP systems, you still have the option for legacy booting, which makes UEFI secure boot not nearly as effective. If you've built a system using such legacy modes, there's nothing to disable. I have yet to see an HP system that is pure UEFI. If that time comes, then yes, there will be a setting to turn off Secure Boot... it will read something like "Secure Boot: Enabled/Disabled or Yes/No."

    I can't go into detail about systems I've seen that aren't ready for prime-time or speculate whether it will show up sooner rather than later.

    -J

    (Disclaimer: I work for Microsoft. My opinions are my own. I do not speculate on un-released products nor will I divulge any information relating to such)

  3. #3


    Posts : 187
    Windows 8 64 bit


    While that's interesting, that's really outside of the scope of this discussion. Disabling Secure Boot and/or switching between UEFI and Legacy BIOS mode are two issues that have nothing to do with the above issue. HP tech support told me the same thing - as if they could not understand the question. They kept repeating instructions for disabling Secure Boot and/or switching to Legacy Mode. We already have a way to disable Secure Boot as mentioned here: Secure Boot - Enable or Disable in UEFI

    HP tech support did not understand that disabling Secure Boot and the ability to remove or add Secure Boot keys (PK) are two totally different things. When I patiently explained to them the issue and actually read from the Windows Hardware Certification for Client and Server Systems document, they told me they don't give support for UEFI and I would have to ask Microsoft about this.

    Let me ask you this. If I create a Secure Boot Key for an operating system I create, how do I implement this in UEFI so that it can check against the information in my boot loader (in my distro disks) to KNOW it's o.k. to let it install? There Has to be a way to add this key to UEFI so it can verify my system as good to install.

    What's the normal procedure for doing this?

  4. #4


    Orbiting the Moon
    Posts : 2,975
    Windows 10 x64


    Originally posted by Dark Rider:
    I want to know, does anyone have a UEFI firmware settings section that allows this functionality of being able to delete (not disable) the Secure Boot Keys (PK) or add your own keys as is Required by Microsoft?

    It's a plain simple page based on the Insyde BIOS used in all HPs. You have the ability to enable legacy mode (CMS) for MBR boot.
    You can also disable SecureBoot BUT that's all... most advanced options are hidden from the user.

    Where does it state that your own keys are required?
    They are possible but not required.

    I have an HP UEFI here but I don't see any advanced options anytime soon.
    There will be BIOS mods possible in the future but as long as all works nicely with default settings, I'm not gonna manually tweak the settings.

    This is for laptops in my case. I don't have any idea about the possible additions an HP desktop PC can have in the UEFI settings.

  5. #5


    Lynnwood, WA
    Posts : 173
    Windows 8, Windows 7


    Originally posted by Dark Rider:
    Let me ask you this. If I create a Secure Boot Key for an operating system I create, how do I implement this in UEFI so that it can check against the information in my boot loader (in my distro disks) to KNOW it's o.k. to let it install? There Has to be a way to add this key to UEFI so it can verify my system as good to install.

    What's the normal procedure for doing this?

    They don't give support for this because it is not something they've built so the end user can mess with. I say mess with and not re-configure because there's very little need to do so. If you install a legit OS, UEFI will take it just fine because it is signed and certified and the UEFI boot files will reflect that. There is nothing on your part that you realistically will need to do.

    Originally posted by Hopachi:
    Originally posted by Dark Rider:
    I want to know, does anyone have a UEFI firmware settings section that allows this functionality of being able to delete (not disable) the Secure Boot Keys (PK) or add your own keys as is Required by Microsoft?

    This is for laptops in my case. I don't have any idea about the possible additions an HP desktop PC can have in the UEFI settings.

    This is the same for desktops. It is not a necessary setting to change so it is left out of the locked down, non-engineering version of the board.

  6. #6


    Posts : 187
    Windows 8 64 bit


    Hopachi says, "Where does it state that your own keys are required?
    They are possible but not required."

    JLyman says, "They don't give support for this because it is not something they've built so the end user can mess with."

    It Is required and they Do have to provide the user support for it because section 17 says:

    Mandatory. On non-ARM systems, the platform MUST implement the ability for a physically present user to select between two Secure Boot modes in firmware setup: "Custom" and "Standard". Custom Mode allows for more flexibility as specified in the following:

    It shall be possible for a physically present user to use the Custom Mode firmware setup option to modify the contents of the Secure Boot signature databases and the PK. This may be implemented by simply providing the option to clear all Secure Boot databases (PK, KEK, db, dbx), which puts the system into setup mode.

    If the user ends up deleting the PK then, upon exiting the Custom Mode firmware setup, the system is operating in Setup Mode with SecureBoot turned off.

    The firmware setup shall indicate if Secure Boot is turned on, and if it is operated in Standard or Custom Mode. The firmware setup must provide an option to return from Custom to Standard Mode which restores the factory defaults. On an ARM system, it is forbidden to enable Custom Mode. Only Standard Mode may be enabled.

    This is the agreement HP has with Microsoft. HP's UEFI must provide the ability to access and use this Custom mode.

    Hopachi, using your own keys comes into play if you make a system (new OS or system tool) that needs to boot with UEFI's Secure Boot enabled. You have to create a key for your firmware so it can check this key against the key in your boot loader. However it's implemented, you the user must have the ability to do this if you need to. It is this Custom mode with its deleting or adding keys functionality that should be present in your UEFI firmware settings according to this. It even says in this document you have the ability to delete (not disable) Microsoft's own key.

    I contend HP only ships with Standard mode UEFI firmware settings functionality. Or else, I should be able to access the Custom option. Let's say I want to "modify the contents of the Secure Boot signature databases and the PK." Remember, this is a Secure Boot option, not what you can pass to the system by disabling Secure Boot. My system does not seem to have the ability to do this. The only Secure Boot options I do have are either on or off. Let's say I want to completely delete Microsoft's own key. I would need to access this Custom mode and its functionality to do that. It's missing from HP's UEFI firmware settings.

    JLyman, my take on this is you may be right, but they Have to rebuild the BIOS/UEFI to enable this functionality. The user (not the OEM) has to be able to use Custom mode and all the things listed above it's supposed to be able to do.

    Perhaps the problem I'm having with it is not in the UEFI firmware but Microsoft's writing of the document. This statement, "If the user ends up deleting the PK then, upon exiting the Custom Mode firmware setup, the system is operating in Setup Mode with SecureBoot turned off." suggests that you can first delete the PK and then on exiting the firmware Secure Boot will be started in Off Mode - when they really mean, by turning Secure Boot off, you effectively delete the PK - but this really sounds to me like what's happening is "This may be implemented by simply providing the option to clear all Secure Boot databases (PK, KEK, db, dbx), which puts the system into setup mode." And which can then be "return from Custom to Standard Mode which restores the factory defaults." but it doesn't read that way at all as written. It actually sounds like you should have more ability from firmware settings to control PK.

    UEFI specifies (section 27.5) a Platform Key (PK), which is designed to be controlled by the Platform Owner (whoever owns the hardware) and a set of Key-Exchange Keys (KEKs), which are designed to be controlled by the OEM and OS vendors. “Controlled” in this sense means that these keys are public/private key pairs; whoever knows the private key is the key controller, but to install the key, you only need the public piece, which means KEKs may be installed by anybody without controlling them. This separation is vital because it allows the platform owner to decide which keys they trust without compromising the ability of the KEK controllers to assure themselves that the OS booted securely.
    Making UEFI Secure Boot Work With Open Platforms | The Linux Foundation
    Last edited by Dark Rider; 30 Jan 2013 at 20:43.
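The difference the post above draws between disabling Secure Boot and clearing the PK is visible in the firmware's own variables. The following is an added example, not part of the original thread or any vendor's code: it parses the EFI_SIGNATURE_LIST layout from the UEFI specification and classifies the platform from the SetupMode, SecureBoot and PK values. The function names, owner GUID and sample bytes are assumptions constructed for illustration.

```python
import struct
import uuid

# Signature type GUIDs defined by the UEFI specification.
SIG_TYPES = {
    uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072"): "X509",
    uuid.UUID("c1c41626-504c-4092-aca9-41f936934328"): "SHA256",
}
HEADER = struct.Struct("<16sIII")  # type GUID, list size, header size, entry size


def parse_signature_lists(data):
    """Return (type, owner GUID, payload length) for every entry in a
    PK/KEK/db/dbx variable body (a sequence of EFI_SIGNATURE_LIST)."""
    # On Linux efivarfs files, drop the 4-byte attribute prefix first.
    entries, offset = [], 0
    while offset < len(data):
        if len(data) - offset < HEADER.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        guid, list_size, hdr_size, sig_size = HEADER.unpack_from(data, offset)
        body = list_size - HEADER.size - hdr_size
        if (list_size > len(data) - offset or sig_size < 17
                or body < 0 or body % sig_size):
            raise ValueError("inconsistent EFI_SIGNATURE_LIST sizes")
        kind = SIG_TYPES.get(uuid.UUID(bytes_le=guid), "other")
        start = offset + HEADER.size + hdr_size
        for pos in range(start, offset + list_size, sig_size):
            owner = uuid.UUID(bytes_le=data[pos:pos + 16])
            entries.append((kind, str(owner), sig_size - 16))
        offset += list_size
    return entries


def secure_boot_state(setup_mode, secure_boot, pk):
    """Classify the platform from the SetupMode and SecureBoot variable
    values (one byte each) and the PK variable body."""
    if setup_mode == 1 or not parse_signature_lists(pk):
        return "setup mode: no PK enrolled, Secure Boot not enforced"
    if secure_boot == 1:
        return "user mode: PK enrolled, Secure Boot enforced"
    return "user mode: PK enrolled, Secure Boot disabled"


def build_list(type_guid, owner, payloads):
    """Constructed-sample helper: pack equal-length payloads into one list."""
    sig_size = 16 + len(payloads[0])
    body = b"".join(owner.bytes_le + p for p in payloads)
    return HEADER.pack(type_guid.bytes_le, HEADER.size + len(body),
                       0, sig_size) + body


# Constructed sample data; the owner GUID and payload bytes are placeholders.
OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")
X509, SHA256 = list(SIG_TYPES)
SAMPLE_PK = build_list(X509, OWNER, [b"\x30" * 64])
SAMPLE_DBX = build_list(SHA256, OWNER, [b"\xaa" * 32, b"\xbb" * 32])

if __name__ == "__main__":
    print(secure_boot_state(0, 1, SAMPLE_PK))  # keys present, enforcing
    print(secure_boot_state(0, 0, SAMPLE_PK))  # switched off, keys kept
    print(secure_boot_state(1, 0, b""))        # PK cleared
    print(parse_signature_lists(SAMPLE_DBX))
```

A machine with Secure Boot merely switched off still reports an enrolled PK, while one whose PK has been cleared reports setup mode.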

  7. #7


    Lynnwood, WA
    Posts : 173
    Windows 8, Windows 7


    Originally posted by Dark Rider:
    Hopachi says, "Where does it state that your own keys are required?
    They are possible but not required."

    JLyman says, "They don't give support for this because it is not something they've built so the end user can mess with."

    It Is required and they Do have to provide the user support for it because section 17 says:

    Mandatory. On non-ARM systems, the platform MUST implement the ability for a physically present user to select between two Secure Boot modes in firmware setup: "Custom" and "Standard". Custom Mode allows for more flexibility as specified in the following:

    It shall be possible for a physically present user to use the Custom Mode firmware setup option to modify the contents of the Secure Boot signature databases and the PK. This may be implemented by simply providing the option to clear all Secure Boot databases (PK, KEK, db, dbx), which puts the system into setup mode.

    If the user ends up deleting the PK then, upon exiting the Custom Mode firmware setup, the system is operating in Setup Mode with SecureBoot turned off.

    The firmware setup shall indicate if Secure Boot is turned on, and if it is operated in Standard or Custom Mode. The firmware setup must provide an option to return from Custom to Standard Mode which restores the factory defaults. On an ARM system, it is forbidden to enable Custom Mode. Only Standard Mode may be enabled.

    This is the agreement HP has with Microsoft. HP's UEFI must provide the ability to access and use this Custom mode.

    Hopachi, using your own keys comes into play if you make a system (new OS or system tool) that needs to boot with UEFI's Secure Boot enabled. You have to create a key for your firmware so it can check this key against the key in your boot loader. However it's implemented, you the user must have the ability to do this if you need to. It is this Custom mode with its deleting or adding keys functionality that should be present in your UEFI firmware settings according to this. It even says in this document you have the ability to delete (not disable) Microsoft's own key.

    I contend HP only ships with Standard mode UEFI firmware settings functionality. Or else, I should be able to access the Custom option. Let's say I want to "modify the contents of the Secure Boot signature databases and the PK." Remember, this is a Secure Boot option, not what you can pass to the system by disabling Secure Boot. My system does not seem to have the ability to do this. The only Secure Boot options I do have are either on or off. Let's say I want to completely delete Microsoft's own key. I would need to access this Custom mode and its functionality to do that. It's missing from HP's UEFI firmware settings.

    JLyman, my take on this is you may be right, but they Have to rebuild the BIOS/UEFI to enable this functionality. The user (not the OEM) has to be able to use Custom mode and all the things listed above it's supposed to be able to do.

    That's if the machine is using a purebred UEFI system. I have yet to see an HP system that used UEFI over BIOS. Every system I've seen was a BIOS based system that ONLY used UEFI as an optional boot manager. If the system is still BIOS-based, the above requirements do not apply.

    I'm going to state this once and only once as this is ending up to be nothing but beating around the bush: Microsoft knows what HP's hardware is like and whether it has passed this certification or not. This stuff is apparent very early on in the build and engineering process. They communicate regularly during testing so any issues regarding this would have come up, already.

    Please reference the attached image.

    Notice the information. Nowhere is UEFI mentioned. This is an HP system that uses UEFI as an interpreter for booting to UEFI-based OSes like Windows 8. That is all it does. If the system was 100% UEFI, then all of the requirements you're fishing for would exist. End of story.
    Attached thumbnail: Capture.PNG

  8. #8


    Posts : 187
    Windows 8 64 bit


    Originally posted by JLyman:
    This is an HP system that uses UEFI as an interpreter for booting to UEFI-based OSes like Windows 8. That is all it does. If the system was 100% UEFI, then all of the requirements you're fishing for would exist. End of story.

    Why didn't you say this to begin with? So, I'm not crazy. I'm 100% Right. I do have an HP BIOS/UEFI that has scaled down functionality. But Only because it's not designed as a full UEFI system but Only an interpreter. I suppose for a few years most will be hybrid systems (and hybrid is really the wrong term) because the code for UEFI is so buggy and hardware manufacturers are still figuring out the best ways to create drivers that work well. Interesting info on that here: EFI and Linux: the future is here, and it's awful - Matthew Garrett - YouTube

    You know people read those documents and get the wrong impression when little details like that are left out. Just search the Linux and other non-MS system blogs who talk about these systems that are required to use UEFI and Secure Boot. You say, "If the system is still BIOS-based, the above requirements do not apply." Where can I find that in the documentation - or anywhere so I can use it as a reference?

    So these systems are Legacy BIOS based only with a UEFI interpreter. They are Not hybrid BIOS/UEFI systems like most people say.

  9. #9


    Lynnwood, WA
    Posts : 173
    Windows 8, Windows 7


    Originally posted by Dark Rider:
    Originally posted by JLyman:
    This is an HP system that uses UEFI as an interpreter for booting to UEFI-based OSes like Windows 8. That is all it does. If the system was 100% UEFI, then all of the requirements you're fishing for would exist. End of story.

    Why didn't you say this to begin with? So, I'm not crazy. I'm 100% Right. I do have an HP BIOS/UEFI that has scaled down functionality. But Only because it's not designed as a full UEFI system but Only an interpreter. I suppose for a few years most will be hybrid systems (and hybrid is really the wrong term) because the code for UEFI is so buggy and hardware manufacturers are still figuring out the best ways to create drivers that work well. Interesting info on that here: EFI and Linux: the future is here, and it's awful - Matthew Garrett - YouTube

    You know people read those documents and get the wrong impression when little details like that are left out. Just search the Linux and other non-MS system blogs who talk about these systems that are required to use UEFI and Secure Boot. You say, "If the system is still BIOS-based, the above requirements do not apply." Where can I find that in the documentation - or anywhere so I can use it as a reference?

    So these systems are Legacy BIOS based only with a UEFI interpreter. They are Not hybrid BIOS/UEFI systems like most people say.

    Because the system is still 100% BIOS based. The only time UEFI is called upon is if you have it in the boot list... otherwise you're never handed off to it and the good ol' fashioned BOOTMGR takes over. I think the most accurate description would be "BIOS-based with a possible UEFI second-stage." If you disabled the UEFI boot options, UEFI would NEVER be called upon or interact with the boot process. I'm sorry if I confused you. I was running off of limited information until I could clear the sharing. I like my job, after all.

  10. #10


    Posts : 187
    Windows 8 64 bit


    Thanks. I do appreciate the info. That's the first time I've heard anyone describe these systems like that.
