Secure Boot Logo Test

  • Question

  • Hi,

    I have a problem with the Secure Boot Logo Test. Secure Boot in my BIOS is already disabled.

    I got this error.

    AreNotEqual(0, 0) - After ExitBootServices(), attempting to call GetVariable() on an existing variable with attributes "NV,BS" should fail.

    IsTrue - Secure Boot is Enabled

    I hope anyone can help me. Thanks

    Tuesday, December 11, 2012 7:34 AM

Answers

  • Hello Hyasmine,

    The "Secure Boot Logo Test" should be run with Secure Boot in the shipping configuration - enabled with default certificates.

    Ignoring that for now, "AreNotEqual(0, 0) - After ExitBootServices(), attempting to call GetVariable() on an existing variable with attributes "NV,BS" should fail."  is likely either because Secure Boot is disabled, or it is a BIOS bug that requires a BIOS code change.  If this failure reproduces after enabling Secure Boot, report it to your BIOS vendor.

    Regarding "IsTrue - Secure Boot is Enabled", this means that the BIOS is telling the OS that Secure Boot is enabled.  Either secure boot has not been successfully disabled, or the BIOS is reporting incorrect information to the OS.


    Best Regards, J Cox [Microsoft] “This posting is provided AS IS with no warranties, and confers no rights.”

    Tuesday, December 11, 2012 11:17 PM

All replies

  • Hi JJ,

    Thanks for that information.

    But how do I make my BIOS report to the OS that Secure Boot is enabled?


    Wednesday, December 12, 2012 1:40 AM
  • You can also verify the Secure Boot settings from a PowerShell window run as Administrator.  When Secure Boot is configured in its default, shipping configuration (enabled with keys that support Windows 8):

    "Confirm-SecureBootUEFI" should return $true

    "Get-SecureBootUEFI SecureBoot" should return 1

    "Get-SecureBootUEFI SetupMode" should return 0

    If these don't match, I recommend reviewing the documentation provided by your system or BIOS vendor.  If that is unsuccessful, then there may be a bug in the BIOS or documentation.


    Best Regards, J Cox [Microsoft] “This posting is provided AS IS with no warranties, and confers no rights.”

    Thursday, December 13, 2012 3:24 AM
  • I tried the commands you mentioned; this is what I got.

    My Secure Boot in the BIOS is disabled.

    Thursday, December 13, 2012 6:14 AM
  • Hello,

    On my setups [Dell R720, Cisco UCS C240 and IBM X3550],

    when I try executing the command, it displays the following error.

    Get-SecureBootUEFI Secureboot

    Get-SecureBootUEFI : Cmdlet not supported on this platform: 0xC0000002

    Any hints on which systems support Secure Boot, or any special settings to apply during WS12 OS installation?

    Friday, February 1, 2013 7:07 AM
  • Priya,

    The Secure Boot PowerShell cmdlets require:

    * Windows 8 or Server 2012 (you already have this)

    * The OS must be installed in UEFI mode, not in Legacy mode using the Compatibility Support Module.  Often you need to select "UEFI USB" or "UEFI DVD-ROM" from the BIOS boot menu during OS installation.  Your system manufacturer should have documentation on how to do this.  Your server platform may support this, but it may be an older UEFI version that does not support Secure Boot.

    Using Secure Boot with Windows requires UEFI Specification Version 2.3.1 Errata B.  Note that UEFI 2.3.1 Errata B is only 1 year old.  Due to this recent availability, it may be difficult to find on Server platforms because they invest more time in testing prior to release.  Contact your system manufacturer to see if this firmware is available for your platforms.


    Best Regards, J Cox [Microsoft] “This posting is provided AS IS with no warranties, and confers no rights.”

    Saturday, February 2, 2013 6:35 PM
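
The checks from the two replies above, combined into one script (an added example, not part of the original thread). The function names are hypothetical; the expected values and the "not supported on this platform" message are the ones quoted in the thread.

```powershell
# Added example (not from the thread): evaluate the three values against the
# shipping configuration and classify the unsupported-platform failure.
function Get-SecureBootFindings([bool]$Confirmed, [int]$SecureBoot, [int]$SetupMode) {
    $f = @()
    if (-not $Confirmed)   { $f += 'Confirm-SecureBootUEFI returned False (expected True)' }
    if ($SecureBoot -ne 1) { $f += "SecureBoot variable is $SecureBoot (expected 1)" }
    if ($SetupMode -ne 0)  { $f += "SetupMode variable is $SetupMode (expected 0)" }
    if ($Confirmed -ne ($SecureBoot -eq 1)) {
        $f += 'Cmdlet result and SecureBoot variable disagree'
    }
    return ,$f
}

function Test-SecureBootShippingConfig {
    try {
        $confirmed = Confirm-SecureBootUEFI -ErrorAction Stop
        $secure = (Get-SecureBootUEFI -Name SecureBoot -ErrorAction Stop).Bytes[0]
        $setup  = (Get-SecureBootUEFI -Name SetupMode  -ErrorAction Stop).Bytes[0]
    } catch {
        # Message text as quoted in the thread for systems without UEFI Secure Boot.
        if ($_.Exception.Message -match 'not supported on this platform') {
            return ,@('Cmdlets unsupported: OS not booted in UEFI mode, or firmware without Secure Boot')
        }
        throw   # any other error (for example, a non-elevated session) is surfaced unchanged
    }
    Get-SecureBootFindings -Confirmed $confirmed -SecureBoot $secure -SetupMode $setup
}

# Constructed inputs: the shipping configuration, then Secure Boot switched off.
Get-SecureBootFindings -Confirmed $true  -SecureBoot 1 -SetupMode 0
Get-SecureBootFindings -Confirmed $false -SecureBoot 0 -SetupMode 0
# On a live system, from an elevated prompt: Test-SecureBootShippingConfig
```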
  • Hi

    Please type the commands below in PowerShell as admin to check your PK, KEK, db and dbx under a Win8 or Server 2012 UEFI OS.

    Get-SecureBootUEFI pk 

    Get-SecureBootUEFI kek

    Get-SecureBootUEFI db

    Get-SecureBootUEFI dbx

    result:

    Attributes : NON VOLATILE for 'Get-SecureBootUEFI pk' kek db dbx

    Monday, February 4, 2013 2:03 AM
  • Hi.

    I typed the commands in PowerShell.

    PS C:\Windows\system32> Confirm-SecureBootUEFI
    True
    PS C:\Windows\system32> Get-SecureBootUEFI SecureBoot

    Name                       Bytes                      Attributes
    ----                       -----                      ----------
    SecureBoot                 {1}                        BOOTSERVICE ACCESS...


    PS C:\Windows\system32> Get-SecureBootUEFI SetupMode

    Name                       Bytes                      Attributes
    ----                       -----                      ----------
    SetupMode                  {0}                        BOOTSERVICE ACCESS...


    PS C:\Windows\system32> Get-SecureBootUEFI pk

    Name                       Bytes                      Attributes
    ----                       -----                      ----------
    PK                         {161, 89, 192, 165...}     NON VOLATILE...


    PS C:\Windows\system32> Get-SecureBootUEFI kek

    Name                       Bytes                      Attributes
    ----                       -----                      ----------
    KEK                        {161, 89, 192, 165...}     NON VOLATILE...


    PS C:\Windows\system32> Get-SecureBootUEFI db

    Name                       Bytes                      Attributes
    ----                       -----                      ----------
    db                         {161, 89, 192, 165...}     NON VOLATILE...


    PS C:\Windows\system32> Get-SecureBootUEFI dbx

    Name                       Bytes                      Attributes
    ----                       -----                      ----------
    dbx                        {38, 22, 196, 193...}      NON VOLATILE...

    Secure Boot Logo test FAILED with 2 errors

    OriginalName WexValue Microsoft.UefiSecureBootLogo.Tests.VerifyBootServicesVariableBehavior
     
    Message 2/17/2013 10:42:12.092 PM Try to read a pre-existing NV,BS Microsoft Windows variable at Runtime using SetVariable()with "NV,BS,RT" specified. This should fail.
    Error 2/17/2013 10:42:12.092 PM AreNotEqual(0, 0) - After ExitBootServices(), attempting to call GetVariable() on an existing variable with attributes "NV,BS" should fail. WexContext Verify
     
    File:   Need_Symbols Line: 0
    Error Type:    
    Error Code:   0x0
    Error Text:   Error 0x00000000
    End Test 2/17/2013 10:42:06.164 PM Microsoft.UefiSecureBootLogo.Tests.VerifyBootServicesVariableBehavior
    Result:   Fail

    OriginalName WexValue Microsoft.UefiSecureBootLogo.Tests.OutOfBoxAllowCorrectlySignedSetVariable
     
    Error 2/17/2013 10:42:27.092 PM Unexpected Powershell Exception: System.Management.Automation.CmdletInvocationException: Incorrect authentication data: 0xC0000022 ---> System.UnauthorizedAccessException: Incorrect authentication data: 0xC0000022 at System.Management.Automation.MshCommandRuntime.ThrowTerminatingError(ErrorRecord errorRecord) --- End of inner exception stack trace --- at System.Management.Automation.Runspaces.PipelineBase.Invoke(IEnumerable input) at System.Management.Automation.PowerShell.Worker.ConstructPipelineAndDoWork(Runspace rs, Boolean performSyncInvoke) at System.Management.Automation.PowerShell.Worker.CreateRunspaceIfNeededAndDoWork(Runspace rsToUse, Boolean isSync) at System.Management.Automation.PowerShell.CoreInvokeHelper[TInput,TOutput](PSDataCollection`1 input, PSDataCollection`1 output, PSInvocationSettings settings) at System.Management.Automation.PowerShell.CoreInvoke[TInput,TOutput](PSDataCollection`1 input, PSDataCollection`1 output, PSInvocationSettings settings) at System.Management.Automation.PowerShell.CoreInvoke[TOutput](IEnumerable input, PSDataCollection`1 output, PSInvocationSettings settings) at Microsoft.UefiSecureBootLogo.Tests.OutOfBoxAllowCorrectlySignedSetVariable()
    File:    Line: -1
    Error Type:    
    Error Code:   0x0
    Error Text:   Error 0x00000000
    Error 2/17/2013 10:42:27.092 PM IsTrue - SetVariable() that appends using valid Out-of-Box AuthInfo should succeed. WexContext Verify
     
    File:   Need_Symbols Line: 0
    Error Type:    
    Error Code:   0x0
    Error Text:   Error 0x00000000
    End Test 2/17/2013 10:42:21.164 PM Microsoft.UefiSecureBootLogo.Tests.OutOfBoxAllowCorrectlySignedSetVariable
    Result:   Fail

    But verify signature is PASS

    Found signature type: EFI_CERT_X509_GUID
    Message 2/17/2013 10:42:27.092 PM "db": Found Microsoft UEFI CA 2011.
    Message 2/17/2013 10:42:27.092 PM IsTrue - "db": Microsoft-ownerd signature is a supported type WexContext Verify
     
    Message 2/17/2013 10:42:27.092 PM Found signature type: EFI_CERT_X509_GUID
    Message 2/17/2013 10:42:27.092 PM "db": Found 2011 Microsoft Windows L2 Certificate.
    Message 2/17/2013 10:42:27.092 PM IsTrue - "db": Found correct Microsoft Windows PCA Certificate. WexContext Verify
     
    End Test 2/17/2013 10:42:21.164 PM Microsoft.UefiSecureBootLogo.Tests.OutOfBoxConfirmMicrosoftSignatureInDB
    Result:   Pass

    Please HELP!





    • Edited by Artosk Monday, February 18, 2013 8:40 AM
    Monday, February 18, 2013 8:16 AM
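
The leading bytes in the output above are signature-type GUIDs: {161, 89, 192, 165} begins EFI_CERT_X509_GUID and {38, 22, 196, 193} begins EFI_CERT_SHA256_GUID. The following added example (not part of the original thread) parses the EFI_SIGNATURE_LIST records in such a byte array, which is how one can see from the OS which entry types PK, KEK, db and dbx hold. The function names and the sample buffer are constructed for illustration.

```powershell
# Added example (not from the thread). Walks the EFI_SIGNATURE_LIST records in a
# Secure Boot variable. Live use: Get-EfiSignatureList (Get-SecureBootUEFI db).Bytes
$KnownTypes = @{
    'a5c059a1-94e4-4aa7-87b5-ab155c2bf072' = 'EFI_CERT_X509_GUID'
    'c1c41626-504c-4092-aca9-41f936934328' = 'EFI_CERT_SHA256_GUID'
}

function Read-EfiGuid([byte[]]$Bytes, [int]$Offset) {
    # System.Guid(byte[]) uses the same mixed-endian layout as an EFI_GUID.
    $slice = New-Object byte[] 16
    [Array]::Copy($Bytes, $Offset, $slice, 0, 16)
    New-Object System.Guid -ArgumentList (,$slice)
}

function Get-EfiSignatureList([byte[]]$Bytes) {
    $pos = 0
    while ($pos + 28 -le $Bytes.Length) {          # 28 = fixed list header size
        $type     = (Read-EfiGuid $Bytes $pos).ToString()
        $listSize = [int][BitConverter]::ToUInt32($Bytes, $pos + 16)
        $hdrSize  = [int][BitConverter]::ToUInt32($Bytes, $pos + 20)
        $sigSize  = [int][BitConverter]::ToUInt32($Bytes, $pos + 24)
        # Refuse malformed sizes rather than reading past the buffer.
        if ($listSize -lt 28 -or $sigSize -lt 16 -or $pos + $listSize -gt $Bytes.Length) {
            throw "Malformed EFI_SIGNATURE_LIST at offset $pos"
        }
        $name = if ($KnownTypes.ContainsKey($type)) { $KnownTypes[$type] } else { $type }
        $end  = $pos + $listSize
        for ($e = $pos + 28 + $hdrSize; $e + $sigSize -le $end; $e += $sigSize) {
            [pscustomobject]@{
                SignatureType = $name
                Owner         = Read-EfiGuid $Bytes $e      # SignatureOwner GUID
                DataOffset    = $e + 16                     # start of cert or digest
                DataLength    = $sigSize - 16
            }
        }
        $pos = $end
    }
}

# Constructed sample, not real dbx content: one SHA-256 list with one digest.
$sample = [byte[]](([Guid]'c1c41626-504c-4092-aca9-41f936934328').ToByteArray() +
    [BitConverter]::GetBytes([uint32]76) + [BitConverter]::GetBytes([uint32]0) +
    [BitConverter]::GetBytes([uint32]48) +
    ([Guid]'11111111-2222-3333-4444-555555555555').ToByteArray() + (@([byte]0xAB) * 32))
Get-EfiSignatureList $sample | Format-Table -AutoSize
```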
  • Artosk,

    The first failure in "VerifyBootServicesVariableBehavior" is a firmware bug - contact your firmware or system vendor for an update. 

    Regarding the second failure, if testcase "OutOfBoxVerifyMicrosoftKEKpresent" fails, then your system is misconfigured.  If "OutOfBoxVerifyMicrosoftKEKpresent" passes, then this failure in "OutOfBoxAllowCorrectlySignedSetVariable" is a firmware bug.


    Best Regards, J Cox [Microsoft] “This posting is provided AS IS with no warranties, and confers no rights.”

    Monday, February 18, 2013 2:46 PM
  • I have a system that has the same problem as the user above.  I have put the above commands into PowerShell and get the results that you say I should get.  I have been in talks with the vendor and they have given me all sorts of information, but nothing has fixed the issue.  I have installed the OS in UEFI mode and have tried having the keys installed and not having the keys installed.  I still get an error.  Is this a BIOS issue?  I have another system, from a different motherboard manufacturer, that is doing the same thing.

    Thursday, March 28, 2013 4:48 PM
  • Hi Ashorey,

    There are two things needed for enabling Secure Boot: 1) having keys installed (can be done from PowerShell), 2) enabling Secure Boot (can be done only from the BIOS).

    So setting up keys from PowerShell alone is not sufficient.  Secure Boot has to be enabled from the BIOS. Please check your BIOS settings, re-confirm that Secure Boot is enabled, and then run the test.

    Regards

    Kishore

    [Microsoft] “This posting is provided AS IS with no warranties, and confers no rights.”

     

    Thursday, March 28, 2013 6:31 PM