Secure boot, also known as Trusted boot, is a new feature available to users of Windows 8 computers. It uses a special chipset available on Unified Extensible Firmware Interface (UEFI) motherboards. UEFI is a graphical environment that has replaced, on most systems, the standard Basic Input/Output System (BIOS) firmware interface that one sees when booting a computer. The UEFI firmware can access a list of digitally signed software and uses this list to allow or disallow any software to run. The list is stored in a protected location on a Trusted Platform Module (TPM) 1.2 chipset on the motherboard.
This provides a significant enhancement in antimalware protection. There is a certain class of malware, sometimes called a rootkit, which attempts to load itself before the boot loader starts the actual operating system. If the rootkit is successful, the operating system’s antimalware protection software will not detect the rootkit, because it loaded into its own allocated memory space before the actual system startup. Secure/Trusted boot ensures such malware cannot load, as it will not have a digital signature stored in the trusted location, and the UEFI firmware only allows loading of software with these signatures.
Careful consideration should be given, however, to users who may need to dual boot certain operating systems, such as Windows 8 and a Linux variant. The motherboard vendor might not have a digital signature for a Linux operating system or boot loader, and without such a signature in the trusted location and with Secure/Trusted boot turned on, that operating system will not load. Microsoft has asked all independent software vendors, including distributors of various Linux systems, to submit their software for approval for a digital signature. This has naturally created a great deal of controversy.
Another antimalware enhancement to Windows 8 and Windows Server 2012 is the Measured boot feature. Measured boot logs all boot components that are started before the operating system loads and all system components before the antimalware software starts. The logs are kept in a trusted location resistant to spoofing and tampering on a TPM chipset. These logs are forwarded by the local antimalware software to a remote antimalware server that verifies the loaded operating system and components.
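The measured-boot verification described above, as an added example that is not from the original text or from Microsoft's implementation: a Python simulation of a TPM 1.2 style PCR extend chain, the boot log it produces, and the remote server's replay-and-allowlist check. Component names, image bytes and the allowlist are constructed, and the signed TPM quote that would normally protect the reported PCR value is assumed and omitted.

```python
import hashlib

# Constructed sample boot components in load order (name, image bytes).
# Real measured-boot entries are the firmware, boot manager, OS loader,
# kernel and early-launch antimalware driver; these byte strings stand in for them.
BOOT_COMPONENTS = [
    ("bootmgr", b"constructed boot manager image 1.0"),
    ("winload", b"constructed OS loader image 1.0"),
    ("ntoskrnl", b"constructed kernel image 1.0"),
    ("elam", b"constructed early-launch antimalware driver 1.0"),
]

# Known-good measurements the remote server trusts (constructed from the clean images).
KNOWN_GOOD = {name: hashlib.sha1(img).hexdigest() for name, img in BOOT_COMPONENTS}

PCR_RESET = bytes(20)  # a TPM 1.2 PCR is 20 bytes (SHA-1) and starts at all zeros


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """PCR extend: new = SHA-1(old || measurement). A PCR can only be extended,
    never written directly, so a later component cannot erase an earlier measurement."""
    return hashlib.sha1(pcr + measurement).digest()


def measured_boot(components):
    """Firmware side: measure each component before it runs, extend the PCR,
    and append the (name, digest) pair to the boot log that is later forwarded."""
    pcr, log = PCR_RESET, []
    for name, image in components:
        digest = hashlib.sha1(image).digest()
        log.append((name, digest.hex()))
        pcr = extend(pcr, digest)
    return pcr, log


def verify(reported_pcr: bytes, log, known_good=KNOWN_GOOD):
    """Remote attestation server: replay the log to confirm it reproduces the PCR
    (so the log itself was not edited), then check every entry against the allowlist.
    Returns (healthy, list of findings). Assumption: reported_pcr came from a quote
    whose TPM signature was already checked; that step is not simulated here."""
    replayed = PCR_RESET
    findings = []
    for name, digest_hex in log:
        replayed = extend(replayed, bytes.fromhex(digest_hex))
        if known_good.get(name) != digest_hex:
            findings.append(name)
    if replayed != reported_pcr:
        return False, findings + ["log/PCR mismatch"]
    return not findings, findings
```

A modified component shows up by name, while a log edited after the fact to hide it fails the replay check instead, because the PCR value cannot be rewritten to match.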
For more information about these features, consult the Microsoft white paper, Secured Boot and Measured Boot: Hardening Early Boot Components against Malware, which can be downloaded here: http://msdn.microsoft.com/en-us/library/windows/hardware/br259097.aspx