Measured Boot is a relatively new feature introduced in Windows 8 to help protect your device (PC) from rootkits and other malware. Measured Boot checks each start-up component, from the firmware all the way to the boot drivers, and stores this information in what is called a Trusted Platform Module (TPM) or Intel Platform Trust Technology (PTT). The recorded measurement can be compared with a golden value, i.e. the expected unique measurement that was calculated on a known, good system. If the measurement does not match the golden measurement, the system integrity is considered compromised. This ensures that before anything is started up in the boot sequence, it is compared to the TPM to make sure the software is trustworthy and not infected by a virus. Measured Boot then makes available a log that can be tested remotely to verify the boot state of the client.
Below are some related articles: How to fix your device cannot use a Trusted Platform Module: Allow BitLocker without a compatible TPM, "This device cannot use a Trusted Platform Module, allow BitLocker without a compatible TPM when turning on Bitlocker", how to enable Bitlocker Pre-Boot Authentication via the Group Policy, how to enable or disable BitLocker Drive Encryption on Windows 10 and Virtual Machines, how to view BitLocker disk encryption status in Windows, "Insight on Full Disk Encryption with PBA / without PBA: UEFI, Secure Boot, BIOS, File and Directory Encryption and Container Encryption", and how to deploy Microsoft BitLocker Administration and Monitoring Tool.
Secure Boot and Measured Boot are currently only possible on PCs with UEFI 2.3.1 and a TPM chip. Fortunately, all Windows 10 PCs that meet Windows Hardware Compatibility Program requirements have these components, and many PCs designed for earlier versions of Windows also have them. When used together, Secure Boot, Trusted Boot and Measured Boot can vouch for a reliable OS platform.
Rootkits are a sophisticated and dangerous type of malware that runs in kernel mode, using the same privileges as the operating system. Because rootkits have the same rights as the operating system and start before it, they can completely hide themselves. Most of the time, rootkits are part of an entire suite of malware that can bypass local logins, record passwords and keystrokes, transfer private files, and capture cryptographic data. Different types of rootkits load during different phases of the startup process:
- Firmware rootkits. These kits overwrite the firmware of the PC’s basic input/output system or other hardware so the rootkit can start before Windows.
- Bootkits. These kits replace the operating system’s bootloader (the small piece of software that starts the operating system) so that the PC loads the bootkit before the operating system.
- Kernel rootkits. These kits replace a portion of the operating system kernel so the rootkit can start automatically when the operating system loads.
- Driver rootkits. These kits pretend to be one of the trusted drivers that Windows uses to communicate with the PC hardware.
Windows 10 supports four features to help prevent bootkits from loading during the startup process:
- Secure Boot. PCs with UEFI firmware and a Trusted Platform Module (TPM) can be configured to load only trusted operating system bootloaders.
- Trusted Boot. Windows checks the integrity of every component of the startup process before loading it.
- Early Launch Anti-Malware (ELAM). ELAM tests all drivers before they load and prevents unapproved drivers from loading.
- Measured Boot. The PC’s firmware logs the boot process, and Windows can send it to a trusted server that can objectively assess the PC’s health.
Secure Boot: When a device starts, the first step is to find the operating system (OS) bootloader. Note: devices without Secure Boot run whatever bootloader is on the PC's hard drive, and there isn't any way for the device to determine whether it is a trusted operating system or a rootkit.
A device that is equipped with UEFI therefore starts by verifying that the firmware is digitally signed, which reduces the risk of firmware rootkits. If Secure Boot is enabled, the firmware examines the bootloader's digital signature to verify that it hasn't been modified. If the bootloader is intact, the firmware starts the bootloader only if one of the following conditions is true:
– The bootloader was signed using a trusted certificate. In the case of PCs certified for Windows 10, the Microsoft certificate is trusted.
– The user has manually approved the bootloader’s digital signature. This allows the user to load non-Microsoft operating systems.
Trusted Boot: Trusted Boot takes over where Secure Boot stops.
The bootloader verifies the digital signature of the Windows 10 kernel before loading it. The Windows 10 kernel, in turn, verifies every other component of the Windows startup process, including the boot drivers, startup files, and ELAM. If a file has been modified, the bootloader detects the problem and refuses to load the corrupted component.
– Note: Windows 10 can automatically repair the corrupted components, thereby restoring the integrity of Windows and allowing the PC to start correctly.
Early Launch Anti-Malware (ELAM): Because Secure Boot has protected the bootloader and Trusted Boot has protected the Windows kernel, the next opportunity for malware to start is by infecting a non-Microsoft boot driver. Traditional anti-malware apps do not start until the boot drivers have been loaded, which gives rootkits disguised as drivers the opportunity to work. ELAM can load a Microsoft or non-Microsoft anti-malware driver before all non-Microsoft boot drivers and applications, thus continuing the chain of trust established by Secure Boot and Trusted Boot.
Because the operating system hasn't started yet, and because Windows needs to boot as quickly as possible, ELAM has a simple task: to examine every boot driver and determine whether it is on the list of trusted drivers. If it's not trusted, Windows won't load it.
Measured Boot: Most antimalware software is very good at detecting runtime malware, but attackers are also becoming smarter at creating rootkits that can hide from detection. Detecting malware that starts early in the boot cycle is a challenge that most antimalware vendors address diligently. Typically, they create system hacks that are not supported by the host operating system and can actually result in placing the computer in an unstable state. Up to this point, Windows has not provided a good way for antimalware to detect and resolve these early boot threats.
Starting from Windows 8, a new feature was introduced called "Measured Boot", which measures each component, from the firmware up through the boot start drivers, stores those measurements in the Trusted Platform Module (TPM) on the machine, and then makes available a log that can be tested remotely to verify the boot state of the client.
Working with the TPM and non-Microsoft software, Measured Boot in Windows 10 allows a trusted server on the network to verify the integrity of the Windows startup process. Measured Boot uses the following process:
– The PC’s UEFI firmware stores in the TPM a hash of the firmware, bootloader, boot drivers, and everything that will be loaded before the anti-malware app.
– At the end of the startup process, Windows starts the non-Microsoft remote attestation client. The trusted attestation server sends the client a unique key.
– The TPM uses the unique key to digitally sign the log recorded by the UEFI.
– The client sends the log to the server, possibly with other security information.
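The server-side check implied by the steps above, as an added example (not code from Windows or from any attestation product): it replays the event log to confirm it reproduces the TPM's register value, then compares each measurement with golden values. The SHA-256 register, the component names and contents, and the function names are assumptions made for illustration; verifying the TPM's signature over the value is assumed to have happened already.

```python
import hashlib

PCR_INIT = bytes(32)  # a SHA-256 PCR starts as 32 zero bytes (assumed bank)

def measure(component: bytes) -> bytes:
    return hashlib.sha256(component).digest()

def extend(pcr: bytes, digest: bytes) -> bytes:
    # TPM extend: new = H(old || measurement). Order-sensitive, cannot be undone.
    return hashlib.sha256(pcr + digest).digest()

def replay(log):
    """Recompute the PCR value that this event log implies."""
    pcr = PCR_INIT
    for _name, digest in log:
        pcr = extend(pcr, digest)
    return pcr

def boot(components):
    """Client side: measure each component in load order, log it, extend the PCR."""
    log = [(name, measure(blob)) for name, blob in components]
    return log, replay(log)

def verify_boot(log, quoted_pcr, golden):
    """Server side. quoted_pcr is assumed to carry an already verified TPM signature."""
    if replay(log) != quoted_pcr:
        return False, ["event log does not reproduce the TPM PCR value"]
    findings = [f"unexpected measurement: {name}"
                for name, digest in log if golden.get(name) != digest]
    return not findings, findings

# Constructed sample boot chain; names and contents are illustrative only.
GOOD = [("firmware", b"fw-1.0"), ("bootloader", b"bootmgr-1.0"),
        ("kernel", b"kernel-1.0"), ("elam_driver", b"elam-1.0")]
GOLDEN = {name: measure(blob) for name, blob in GOOD}

def scenarios():
    clean_log, clean_pcr = boot(GOOD)
    # A modified bootloader is measured honestly by the firmware before it runs.
    bad = [GOOD[0], ("bootloader", b"bootmgr-modified"), *GOOD[2:]]
    bad_log, bad_pcr = boot(bad)
    return {
        "clean": verify_boot(clean_log, clean_pcr, GOLDEN),
        "modified_bootloader": verify_boot(bad_log, bad_pcr, GOLDEN),
        # Log rewritten to look clean, but the TPM still holds the real PCR value.
        "forged_log": verify_boot(clean_log, bad_pcr, GOLDEN),
    }

if __name__ == "__main__":
    for name, (healthy, findings) in scenarios().items():
        print(f"{name}: healthy={healthy} {findings}")
```

The forged-log case shows why the log is only trustworthy together with the TPM value: software that starts later can edit the log, but it cannot roll the register back to a value that matches the edited log.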
In summary, the Measured Boot feature provides antimalware apps with a trusted (resistant to spoofing and tampering) log of all boot components that started before the antimalware software. Antimalware software uses this log to determine whether components that were initiated before it are trustworthy or infected with malware, in the following ways:
– The antimalware software on the local machine can send the log to a remote server for evaluation.
– The remote server may initiate remediation actions either by interacting with the software on the client or through out-of-band mechanisms, as appropriate.
Depending on the implementation and configuration, the server can now determine whether the client is healthy and grant the client access to either a limited quarantine network or to the full network. In your environment, the system administrator has control of how Measured Boot information is used. In end-user scenarios (for example, online banking), the consumer must opt in to use Measured Boot for the specific service.
A question that you might want to ask in the comment section: since an operating system can enforce its security policies only while it is running (active), how can it protect the data that resides in the storage drive when it is offline or when a malicious user has physical access to the system internals? This is where BitLocker Drive Encryption comes in. Windows Measured Boot helps to seal the BitLocker key to the TPM using the boot measurements. If the boot parameters are changed, the result is a different measurement. The TPM only unseals a key if the measurements match the measurement values with which the key was sealed. This ensures that even if the system is compromised physically, the malicious user won't be able to get access to the data residing in the storage drive easily.
I have added some hyperlinks in the first chapter; please refer to those and the following hyperlinks as well: A guide to how Bitlocker Network Unlock works, how to backup existing and new BitLocker recovery keys to Active Directory (AD), and Unable to install Microsoft Bitlocker Administration: Uninstall your current version of MBAM and run setup again.
I hope you found this blog post helpful. If you have any questions, please let me know in the comment section.