1 Reply Latest reply on May 7, 2013 5:37 PM by SafeBoot

    Surface Pro - Secure Boot issue - Invalid Signature Detected


      Any ideas why my Surface Pro will not boot with Secure Boot turned on? I'm running the latest version of EEPC7.


      I get:


      Secure Boot Violation

      Invalid Signature Detected. Check Secure Boot Policy in Setup.


      According to the release notes, it's supported:


      What is Secure Boot?
      Secure Boot is a feature enabled by UEFI, but Microsoft mandates specific implementations for x86 (Intel) PCs. Any system with a Windows 8 logo sticker has Secure Boot enabled.


      UEFI has a firmware validation process, called Secure Boot, which is defined in Chapter 27 of the UEFI 2.3.1 specification. Secure Boot defines how platform firmware manages security certificates, validation of firmware, and a definition of the interface (protocol) between firmware and the operating system. It creates a root of trust starting in UEFI, which validates the next module in the chain before loading and executing it to ensure that it hasn’t changed since it was digitally signed. With the Secure Boot architecture and its establishment of a chain of trust, the customer is protected from malicious code executing in the boot process by ensuring that only signed, certified 'known good' code and boot loaders can execute before the operating system itself loads.


      Does EEPC 7.0 support Secure Boot?
      Yes. However, earlier releases of EEPC will not support Secure Boot.


      Does this mean that EEPC is signed, so the Secure Boot process trusts it?


      Does Secure Boot work on a Windows 8 BIOS-based system?
      No, it works only on UEFI-based systems.

        • 1. Re: Surface Pro - Secure Boot issue - Invalid Signature Detected

          Because Microsoft used a different signature for secure boot on their Surface than they did for the standard release of Windows 8 - they also don't load the third party root certificates at boot time...


          This is an interesting situation - it means only code signed by Microsoft can run within the Surface uEFI environment, no third party boot software like McAfee EEPC...


          As an aside, I still don't believe they are shipping the devices with the (required) uEFI simple pointer protocol, so even if it did boot, the OSK won't work - though they could change (=fix) that at any point with an update.


          Message was edited by: SafeBoot on 5/7/13 6:37:23 PM EDT
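
One way to check the condition the reply describes on a given machine, as an added example that is not part of the thread or of any McAfee or Microsoft tooling: parse the raw Secure Boot `db` variable (a sequence of EFI_SIGNATURE_LIST structures) and see whether it holds the CA that signs third-party boot code. The CA names, the substring match on the certificate bytes, the owner GUID and the sample blobs are assumptions or constructed values, not data from a Surface.

```python
import struct
import uuid

EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# Assumption: CN of the Microsoft CA used to sign third-party UEFI boot code.
THIRD_PARTY_CA_CN = b"Microsoft Corporation UEFI CA 2011"
HEADER_LEN = 28  # type GUID (16) + list size, header size, signature size (3 x u32)

def parse_signature_lists(db):
    """Yield (type_guid, owner_guid, data) for every entry in a raw db blob.

    If the blob was read from Linux efivarfs, strip the leading 4-byte
    attribute field before calling this.
    """
    off = 0
    while off < len(db):
        if len(db) - off < HEADER_LEN:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=db[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", db, off + 16)
        if list_size < HEADER_LEN or off + list_size > len(db) or sig_size < 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST")
        pos, end = off + HEADER_LEN + hdr_size, off + list_size
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=db[pos:pos + 16])
            yield sig_type, owner, db[pos + 16:pos + sig_size]
            pos += sig_size
        off += list_size

def trusts_third_party_ca(db):
    """Heuristic: an X.509 db entry whose DER bytes contain the CA's CN."""
    return any(t == EFI_CERT_X509_GUID and THIRD_PARTY_CA_CN in data
               for t, _, data in parse_signature_lists(db))

def build_list(owner, cert):
    """Build one single-entry X.509 signature list (for the samples below)."""
    body = owner.bytes_le + cert
    sizes = struct.pack("<III", HEADER_LEN + len(body), 0, len(body))
    return EFI_CERT_X509_GUID.bytes_le + sizes + body

# Constructed samples: placeholder owner GUID and fake "certificates" (not DER).
OWNER = uuid.UUID(int=1)
WINDOWS_ONLY_DB = build_list(OWNER, b"FAKE-CERT CN=Microsoft Windows Production PCA 2011")
GENERIC_DB = WINDOWS_ONLY_DB + build_list(OWNER, b"FAKE-CERT CN=" + THIRD_PARTY_CA_CN)

if __name__ == "__main__":
    for name, blob in (("windows-only", WINDOWS_ONLY_DB), ("generic", GENERIC_DB)):
        print(name, "trusts third-party CA:", trusts_third_party_ca(blob))
```

A db that fails this check will reject any boot loader signed only under the third-party CA, which matches the "Invalid Signature Detected" symptom in the question.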