The promise and practice of UEFI for Full Disk Encryption

When I first heard about UEFI a few years ago I thought it was a great idea. It could make life easier in the long run for developers of full disk encryption to provide advanced authentication and maintenance features for their customers. With this in mind I joined WinMagic up to  Having implemented pre-boot authentication on Apple Macs, which used EFI, we were already familiar with UEFI’s predecessor.

From “UEFI stands for “Unified Extensible Firmware Interface”. The UEFI specification defines a new model for the interface between personal-computer operating systems and platform firmware. The interface consists of data tables that contain platform-related information, plus boot and runtime service calls that are available to the operating system and its loader. Together, these provide a standard environment for booting an operating system and running pre-boot applications.”

Historically, “IBM compatible” PCs booted up via the BIOS (Basic Input Output System) built into the ROM (Read Only Memory) of almost all PCs. The BIOS got the job done, but it didn’t make life easy for developers who needed to use the capabilities of the machine, such as the WAN card or the USB stack for tokens, in the pre-boot environment. In the BIOS environment the solution was to develop our own “pre-boot mini OS”, or to boot Linux, perform pre-boot authentication and then boot Windows.

PC OEMs (e.g. HP, Lenovo, Dell, etc.) have been shipping UEFI-capable machines for a long while, but almost all were configured to legacy (BIOS) booting mode, so it made no difference in practice for pre-boot applications. This all changed with the release of Windows 8 in late 2012: Microsoft made it a Windows 8 Logo requirement to ship the BIOS in “native” UEFI mode. Since we had our UEFI pre-boot application implemented using “standard” features from the UEFI specification, and had successfully tested it on some Windows 8 Logo machines, this marked a major milestone.

However, there are “standards” and then there are “implementations”. Often it takes time for the implementations to converge on the standard. We have found that many implementations of UEFI just don’t support the UEFI features needed by pre-boot FDE applications. As a consequence, the number of Windows 8/UEFI platforms that are supported is limited. The good news is that the PC OEMs and BIOS vendors really are committed to delivering on the promise of UEFI and are open to working with “application” writers such as WinMagic. It is going to take some time, but as the PC OEMs ship their new PCs with improved UEFI ROMs, the pre-boot applications written by WinMagic and others are going to benefit from the long journey from BIOS to UEFI. After all, ROM wasn’t built in a day.


4 Comments

  • Since I’m new to the SED game… AND I’m new to Linux, I’m really struggling to find answers on how to utilize/manage an SED on a Linux workstation and NAS. What resources/applications/tools are available for Linux machines to ensure that their SEDs are not locked doors with the keys left in them? What do I need to be looking for when I purchase motherboards and drives?

  • Hi Daniel, here’s a quick response via Garry:

    We are not aware of any native support built into Linux for SEDs. Our approach for supporting Linux is via what we call SecureDoc OSA (OS Agnostic)

    We utilize the MBR shadow of the TCG Opal SED to perform PBA (Pre-boot authentication), unlock all the attached drives and then boot into whatever the original OS was. Given the title of the Blog “The Promise and practice of UEFI for FDE” we feel obliged to point out that currently OSA only supports motherboards that can boot in legacy BIOS mode (Not UEFI).

    This approach works with software RAID but not hardware RAID cards.

    Finally, currently only TCG Opal SEDs (laptop style drives) are supported by OSA but we are taking a close look at how TCG Enterprise SEDs (for servers) can be supported by OSA

  • Hi Darren,

    Can you direct me somewhere I can purchase a copy of SecureDoc for Linux for a personal laptop? It’s not available from your Store nor can I purchase it from Lenovo (who advertised “SecureDoc for Lenovo” as a selling point when I purchased this W530).


    (If you reply here, please also send a copy to my e-mail address. Thanks.)

  • Hi Jeremy,

    I followed up directly with you on e-mail. Thanks for your inquiry.
