[SOLVED] Question about Secure Boot and CSM

[frizzlebyte]

Hi all,

I have been looking around for an answer to my question, but it's not like the typical "PC can't boot after disabling CSM" problem that people have, so I'm coming here to work this out and see if I can get an answer.

Basically, my goal is to allow me to enable Secure Boot on my ASRock AB350 Pro4, if I choose to do so. I have a Samsung 970 EVO Plus SSD and a hard disk, and boot from the SSD. Windows 10 is installed already.

Now, my understanding is that Secure Boot won't work with a legacy bios, and most people seem to say that if you have installed Windows 10 with CSM enabled, you can't use Secure Boot because UEFI is somehow different, maybe? However, most of what I see indicates that this is because the partition is usually formatted as MBR in these cases, rather than GPT, when you have CSM enabled.

In my case, my SSD was properly formatted GPT when Windows was installed, and continues to boot (apparently using UEFI) just fine when CSM is disabled. Does this indicate that, if I set up Secure Boot, it will work properly, or does enabling CSM do something else under the hood to UEFI that isn't apparent from just the GPT/MBR partition scheme?

I'd just try setting up Secure Boot to see what happens, but if I can avoid an unnecessary reformat, I'd like to do so. Thanks, all!

 

[Traditore]

Enabling CSM does nothing "under the hood". While it does more than MBR/GPT support, it's nothing but an ON/OFF switch and you'll be fine

 

[SkyNetRising]

Now, my understanding is that Secure Boot won't work with a legacy bios, and most people seem to say that if you have installed Windows 10 with CSM enabled, you can't use Secure Boot because UEFI is somehow different, maybe? However, most of what I see indicates that this is because the partition is usually formatted as MBR in these cases, rather than GPT, when you have CSM enabled.

In my case, my SSD was properly formatted GPT when Windows was installed, and continues to boot (apparently using UEFI) just fine when CSM is disabled. Does this indicate that, if I set up Secure Boot, it will work properly, or does enabling CSM do something else under the hood to UEFI that isn't apparent from just the GPT/MBR partition scheme?

Why exactly do you need secure boot? It just causes more complications.

BIOS can be legacy and UEFI.
On legacy BIOS you can install windows in legacy mode only.
On UEFI BIOS you can install windows in UEFI mode or in legacy mode (if you enable CSM). So with disabled CSM you can boot/install in UEFI mode only.
Windows in UEFI mode requires boot drive to be partitioned in GPT. Windows in legacy mode requires boot drive to be partitioned in MBR.
That's pretty much all, you have to know (about UEFI/legacy differences).

 

[Colif]

Any PC made in the last 10 years likely has a UEFI bios. UEFI is just a set of standards for creating modern bios that fix limitations created by Legacy bios

Prior to 2009 every bios was legacy only (although it wasn't called legacy until after 2009) and did not have a Secure boot mode at all. SO the statement

Secure Boot won't work with a legacy bio

is technically right for any bios made prior to 2009 simply as mode did not exist. It likely you mean it won't work in legacy boot mode and that is correct.

Skynet asked right question though, why? Its main advantage (?) is it stops you booting off non approved devices, so no way to boot off USB excluding via the OS (winre).

 

[frizzlebyte]

Thanks for the responses, all. Much appreciated.

Why exactly do you need secure boot? It just causes more complications.

Skynet asked right question though, why? Its main advantage (?) is it stops you booting off non approved devices, so no way to boot off USB excluding via the OS (winre).

I was under the impression that, because I don't need or want an OS other than Windows 10, and can count on one hand the number of times I've ever needed to boot to any OS on USB other than Windows, the main benefit in my case is that it prevents rootkits and ransomware from being loaded into the motherboard firmware. Am I mistaken about this, or is it just that this concern is more overblown than what really happens with viruses 'in the wild'?

And aside from complicating booting to other OSes besides Windows, what kinds of complications does Secure Boot cause? (Not sarcasm; real question)

Thanks again for the help, all.

 

[Colif]

You are correct about rootkit and ransomware protection - https://blogs.msdn.microsoft.com/b8/2011/09/22/protecting-the-pre-os-environment-with-uefi/ although I am not sure how often this is a problem, I can't recall last time I helped anyone with a computer with such a problem.

What is Secure Boot?

Secure Boot is one feature of the latest Unified Extensible Firmware Interface (UEFI) 2.3.1 specification (Errata C). The feature defines an entirely new interface between operating system and firmware/BIOS.

When enabled and fully configured, Secure Boot helps a computer resist attacks and infection from malware. Secure Boot detects tampering with boot loaders, key operating system files, and unauthorized option ROMs by validating their digital signatures. Detections are blocked from running before they can attack or infect the system.

https://www.intel.com.au/content/ww...000006942/boards-and-kits/desktop-boards.html


Secure boot stops PC from booting from any USB, even those with windows installers on them. So if you need to reinstall windows at a later time, you may need to turn it off. It depends on circumstances as if win 10 still works at the time, you can use advanced startup to boot off any USB if you want to.

Some bios let you boot off USB one time only without need to touch secure boot, but your Asrock doesn't appear to have that feature. I looked in the manual.

 

[frizzlebyte]

Thanks much, @Colif. Appreciate the help. It seems that as long as my drives are formatted as GPT, I can (probably) set up Secure Boot without reformatting, then. I'm still on the fence about actually enabling it, but at least it seems to be an option.

As always, Tom's Hardware forums are the best.

 

[SkyNetRising]

It seems that as long as my drives are formatted as GPT, I can (probably) set up Secure Boot without reformatting, then.

If your OS is installed in UEFI mode, only then you can enable secure boot.
And only boot drive (containing bootloader) has to be GPT. Partitioning of other drives doesn't matter.

 

[frizzlebyte]

If your OS is installed in UEFI mode, only then you can enable secure boot.
And only boot drive (containing bootloader) has to be GPT. Partitioning of other drives doesn't matter.

Ah, thanks for cluing me in on 'UEFI mode.' That made me think to see if there is a way to check if my computer is likely running in UEFI mode, and there is:

https://www.tenforums.com/tutorials/85195-check-if-windows-10-using-uefi-legacy-bios.html

I've got Secure Boot up and running now thanks to you all. Thanks again!