WEBVTT

1
00:00:00.090 --> 00:00:01.380
In this lesson,

2
00:00:01.380 --> 00:00:04.140
we will learn about boot options.

3
00:00:04.140 --> 00:00:07.260
Boot options are methods and sequences

4
00:00:07.260 --> 00:00:09.750
that determine how a system starts

5
00:00:09.750 --> 00:00:11.760
and verifies its integrity

6
00:00:11.760 --> 00:00:14.580
before the operating system loads.

7
00:00:14.580 --> 00:00:18.690
Boot options include Secure Boot and Measured Boot,

8
00:00:18.690 --> 00:00:22.140
where Secure Boot ensures that each component

9
00:00:22.140 --> 00:00:24.210
loaded during the boot process

10
00:00:24.210 --> 00:00:26.550
has a valid digital signature.

11
00:00:26.550 --> 00:00:29.850
And Measured Boot records cryptographic hashes

12
00:00:29.850 --> 00:00:33.150
of each component loaded during the boot process

13
00:00:33.150 --> 00:00:36.570
into a Trusted Platform Module, or TPM,

14
00:00:36.570 --> 00:00:40.890
to create a verifiable log of the boot sequence.

15
00:00:40.890 --> 00:00:44.790
Let's learn more about Secure Boot and Measured Boot.

16
00:00:44.790 --> 00:00:47.460
First, we have Secure Boot.

17
00:00:47.460 --> 00:00:49.410
Secure Boot can be enabled

18
00:00:49.410 --> 00:00:52.800
in the Unified Extensible Firmware Interface,

19
00:00:52.800 --> 00:00:54.810
or UEFI settings.

20
00:00:54.810 --> 00:00:58.050
UEFI is a modern type of system firmware

21
00:00:58.050 --> 00:00:59.940
that offers advanced features

22
00:00:59.940 --> 00:01:02.400
such as a graphical user interface,

23
00:01:02.400 --> 00:01:04.080
mouse support during boot,

24
00:01:04.080 --> 00:01:05.670
and improved security

25
00:01:05.670 --> 00:01:10.650
compared to the older Basic Input/Output System, or BIOS.

26
00:01:10.650 --> 00:01:15.120
UEFI also supports larger disks over two terabytes,

27
00:01:15.120 --> 00:01:18.660
provides a CPU-independent architecture,

28
00:01:18.660 --> 00:01:21.990
and allows a pre-operating system environment

29
00:01:21.990 --> 00:01:26.340
that can include network capabilities and even web browsing.

30
00:01:26.340 --> 00:01:28.380
When Secure Boot is enabled,

31
00:01:28.380 --> 00:01:33.180
it performs three key verifications during the boot process

32
00:01:33.180 --> 00:01:36.000
to ensure the system has not been compromised

33
00:01:36.000 --> 00:01:37.440
by malicious code.

34
00:01:37.440 --> 00:01:40.050
These three verifications are:

35
00:01:40.050 --> 00:01:42.990
one, the firmware checks the integrity

36
00:01:42.990 --> 00:01:46.980
of UEFI executable files and the operating system loader

37
00:01:46.980 --> 00:01:49.650
to ensure they have not been tampered with.

38
00:01:49.650 --> 00:01:52.200
Two, the Windows boot components

39
00:01:52.200 --> 00:01:54.360
verify the digital signatures

40
00:01:54.360 --> 00:01:56.760
of each component before loading,

41
00:01:56.760 --> 00:01:59.430
blocking any that fail the check.

42
00:01:59.430 --> 00:02:02.190
And three, the boot-critical drivers

43
00:02:02.190 --> 00:02:05.760
are validated against their known good hashes,

44
00:02:05.760 --> 00:02:09.030
allowing only verified drivers to load.

45
00:02:09.030 --> 00:02:12.450
Before we explore how Secure Boot is implemented,

46
00:02:12.450 --> 00:02:16.050
let's first review the typical Windows boot process

47
00:02:16.050 --> 00:02:18.060
without Secure Boot.

48
00:02:18.060 --> 00:02:20.310
The process begins with the loading

49
00:02:20.310 --> 00:02:22.260
of firmware boot components,

50
00:02:22.260 --> 00:02:25.320
which then start up the boot manager.

51
00:02:25.320 --> 00:02:28.080
Next, the Windows loader is initiated,

52
00:02:28.080 --> 00:02:30.990
followed by the startup of the Windows kernel.

53
00:02:30.990 --> 00:02:32.550
After the kernel is loaded,

54
00:02:32.550 --> 00:02:35.040
boot-critical drivers are installed

55
00:02:35.040 --> 00:02:37.140
to ensure essential hardware

56
00:02:37.140 --> 00:02:39.870
and system functions are operational.

57
00:02:39.870 --> 00:02:42.360
Finally, the process concludes

58
00:02:42.360 --> 00:02:45.660
with the presentation of the Windows login screen,

59
00:02:45.660 --> 00:02:47.940
signaling that the operating system

60
00:02:47.940 --> 00:02:50.070
is ready for user access.

61
00:02:50.070 --> 00:02:51.960
This standard boot sequence

62
00:02:51.960 --> 00:02:56.400
proceeds without verifying the integrity of the components,

63
00:02:56.400 --> 00:02:59.850
leaving potential vulnerabilities unchecked.

64
00:02:59.850 --> 00:03:02.670
In contrast, with Secure Boot enabled,

65
00:03:02.670 --> 00:03:06.090
the boot process includes several security checks

66
00:03:06.090 --> 00:03:09.630
to ensure that only trusted components are loaded.

67
00:03:09.630 --> 00:03:12.900
First, the firmware verifies the integrity

68
00:03:12.900 --> 00:03:14.940
of the UEFI executable files

69
00:03:14.940 --> 00:03:17.010
and the operating system loader,

70
00:03:17.010 --> 00:03:19.470
ensuring they have not been tampered with

71
00:03:19.470 --> 00:03:21.240
and are safe to execute.

72
00:03:21.240 --> 00:03:23.700
Next, Windows boot components

73
00:03:23.700 --> 00:03:26.070
perform a digital signature check

74
00:03:26.070 --> 00:03:28.650
on each component before loading.

75
00:03:28.650 --> 00:03:31.650
If any component fails this verification,

76
00:03:31.650 --> 00:03:34.770
it is blocked from loading and an alert is triggered,

77
00:03:34.770 --> 00:03:37.980
preventing potentially harmful code from running.

78
00:03:37.980 --> 00:03:40.170
Finally, boot-critical drivers

79
00:03:40.170 --> 00:03:43.530
are verified against their known good hashes

80
00:03:43.530 --> 00:03:46.050
to confirm they have not been altered.

81
00:03:46.050 --> 00:03:49.230
Only drivers that match their expected hashes

82
00:03:49.230 --> 00:03:50.670
are allowed to load,

83
00:03:50.670 --> 00:03:51.930
securing the system

84
00:03:51.930 --> 00:03:55.440
against unauthorized modifications during startup.

85
00:03:55.440 --> 00:03:57.690
As a note, with Secure Boot,

86
00:03:57.690 --> 00:04:01.680
you cannot use a dual-boot system or Linux

87
00:04:01.680 --> 00:04:04.080
because Secure Boot only functions

88
00:04:04.080 --> 00:04:06.150
with the Windows operating system.

89
00:04:06.150 --> 00:04:07.530
After Secure Boot

90
00:04:07.530 --> 00:04:11.160
has successfully completed all of these verifications,

91
00:04:11.160 --> 00:04:13.770
the Windows login screen is presented.

92
00:04:13.770 --> 00:04:17.820
This ensures the entire boot process has been validated,

93
00:04:17.820 --> 00:04:20.820
confirming that no unauthorized changes

94
00:04:20.820 --> 00:04:24.450
or malware have compromised the system's integrity.

95
00:04:24.450 --> 00:04:28.470
So Secure Boot serves as a critical checkpoint

96
00:04:28.470 --> 00:04:30.780
ensuring that the operating system

97
00:04:30.780 --> 00:04:34.770
has started with only trusted and verified components,

98
00:04:34.770 --> 00:04:39.150
significantly reducing the risk of boot-level attacks.

99
00:04:39.150 --> 00:04:41.700
Second, we have Measured Boot.

100
00:04:41.700 --> 00:04:44.550
Sometimes referred to as Trusted Boot,

101
00:04:44.550 --> 00:04:46.830
Measured Boot is a security feature

102
00:04:46.830 --> 00:04:49.860
that helps prevent attacks on the boot process

103
00:04:49.860 --> 00:04:51.270
by checking the integrity

104
00:04:51.270 --> 00:04:54.000
of software components during startup.

105
00:04:54.000 --> 00:04:56.790
Measured Boot uses cryptographic hashing

106
00:04:56.790 --> 00:04:58.620
to compare these components

107
00:04:58.620 --> 00:05:03.000
against a known good catalog of expected hash values.

108
00:05:03.000 --> 00:05:06.450
While this process can slightly slow down the boot time,

109
00:05:06.450 --> 00:05:10.530
it does provide a valuable log of pre-boot activities

110
00:05:10.530 --> 00:05:14.190
that can help detect potential malware within the system.

111
00:05:14.190 --> 00:05:16.170
During the Measured Boot process,

112
00:05:16.170 --> 00:05:20.970
the device's TPM checks the hashes of key system state data

113
00:05:20.970 --> 00:05:23.700
at each stage of the boot sequence.

114
00:05:23.700 --> 00:05:26.190
This includes essential components

115
00:05:26.190 --> 00:05:29.190
such as the UEFI firmware, boot loader,

116
00:05:29.190 --> 00:05:32.520
operating system kernel, and critical drivers.

117
00:05:32.520 --> 00:05:35.580
If any of these components have been modified,

118
00:05:35.580 --> 00:05:38.430
Measured Boot records these changes,

119
00:05:38.430 --> 00:05:40.800
signaling potential security threats

120
00:05:40.800 --> 00:05:42.780
that need investigation.

121
00:05:42.780 --> 00:05:46.290
Importantly, even if discrepancies are detected,

122
00:05:46.290 --> 00:05:49.290
Measured Boot does not halt the boot process,

123
00:05:49.290 --> 00:05:52.350
but instead provides a record of what occurred.

124
00:05:52.350 --> 00:05:54.030
So, Measured Boot

125
00:05:54.030 --> 00:05:57.840
integrates seamlessly with UEFI in enhancing security

126
00:05:57.840 --> 00:06:00.960
by recording each stage of the boot process

127
00:06:00.960 --> 00:06:04.680
and securely storing these measurements in the TPM.

128
00:06:04.680 --> 00:06:08.700
These logs can be accessed by remote management systems,

129
00:06:08.700 --> 00:06:12.240
allowing security teams to verify system integrity

130
00:06:12.240 --> 00:06:16.020
and identify any unauthorized modifications.

131
00:06:16.020 --> 00:06:18.960
Working alongside UEFI and Secure Boot,

132
00:06:18.960 --> 00:06:22.020
Measured Boot adds a critical layer of protection,

133
00:06:22.020 --> 00:06:24.540
ensuring that the system boots securely

134
00:06:24.540 --> 00:06:26.340
and maintains its integrity

135
00:06:26.340 --> 00:06:29.070
throughout the entire boot process.

136
00:06:29.070 --> 00:06:33.120
So remember, boot options are used to manage

137
00:06:33.120 --> 00:06:34.590
how a system starts

138
00:06:34.590 --> 00:06:38.640
and to verify integrity before the operating system loads,

139
00:06:38.640 --> 00:06:40.980
with Secure Boot and Measured Boot

140
00:06:40.980 --> 00:06:43.770
providing key security features.

141
00:06:43.770 --> 00:06:48.030
Secure Boot focuses on blocking unauthorized software

142
00:06:48.030 --> 00:06:49.920
by ensuring that each component

143
00:06:49.920 --> 00:06:52.200
loaded during the boot process

144
00:06:52.200 --> 00:06:54.240
has a valid digital signature,

145
00:06:54.240 --> 00:06:58.770
preventing any untrusted or tampered code from running.

146
00:06:58.770 --> 00:07:02.640
In contrast, Measured Boot does not block components

147
00:07:02.640 --> 00:07:05.640
but instead records cryptographic hashes

148
00:07:05.640 --> 00:07:09.270
of each boot component in the Trusted Platform Module,

149
00:07:09.270 --> 00:07:12.630
creating a detailed log of the boot sequence

150
00:07:12.630 --> 00:07:14.520
that can be analyzed later

151
00:07:14.520 --> 00:07:16.950
for signs of tampering or malware.

152
00:07:16.950 --> 00:07:20.280
In other words, Secure Boot actively prevents

153
00:07:20.280 --> 00:07:22.920
the execution of untrusted software,

154
00:07:22.920 --> 00:07:25.740
while Measured Boot provides visibility

155
00:07:25.740 --> 00:07:27.300
into what has loaded,

156
00:07:27.300 --> 00:07:31.230
allowing security teams to detect unauthorized changes

157
00:07:31.230 --> 00:07:33.570
even after the system has started.

158
00:07:33.570 --> 00:07:37.590
Together, Secure Boot and Measured Boot work with UEFI

159
00:07:37.590 --> 00:07:39.030
to enhance security,

160
00:07:39.030 --> 00:07:42.780
with Secure Boot ensuring only trusted software runs,

161
00:07:42.780 --> 00:07:46.170
and Measured Boot providing a record of the boot process

162
00:07:46.170 --> 00:07:48.003
for further validation.