The traditional BIOS will boot any software. Normally, your BIOS boots the Windows boot loader or maybe a Linux boot loader, like GRUB. However, it’s possible for malware
, such as a rootkit
, to replace your boot loader. The rootkit
could load your normal operating system with no indication that anything was wrong, staying completely invisible and undetectable on your system. The BIOS doesn’t know the different between malware
and a trusted boot loader, so it allows either to boot.
Windows 8 PCs will ship with Microsoft’s certificate stored in UEFI (and possibly other certificates, depending on the manufacturer). UEFI will check the boot loader before launching it and ensure it’s signed by Microsoft – if a rootkit or another malware program does replace your boot loader, UEFI won’t allow it to boot. This prevents malware from hijacking your boot process and concealing itself from your operating system.