BootGuard vs SecureBoot, what is the difference?

Hello Win-Raid community,

I have been recently studying the features of various processors and there is one thing that bothers me. Intel processors before 4th generation had a so-called Secure Boot feature that did not allow to boot a platform with unsigned firmware. It required fusing the key hash, enabling the secure boot fuse and correctly prepare a BIOS image with signed manifest. However, since 4th generation this feature has been replaced with Boot Guard. Is it true that Boot Guard is available only on the platforms with ME or CSME?

That would imply that the platforms with TXE and CSE do not have Boot Guard so they should still have the Secure Boot. But not all ME and CSME devices do support Boot Guard according to specifications (especially mobile processors). The main difference I have noticed is that BootGuard requires an Authenticated Code Module (singed binary by Intel) in order to Boot Guard being functional, while Secure Boot doesn’t (the rest of the requirements about fusing, signing manifest and preparing BIOs image looks almost the same). Is it also possible to have Secure Boot on a processor that doesn’t support Boot Guard then?

I have platforms that do have:
- ME, processors Intel Celeron 3865U, Core i3-7100U and Core i5-7200U;
- TXE, processors: Intel Celeron J3160, J3060


What you initially described is actually Boot Guard. Secure Boot is an UEFI type Firmware feature that enforces the loading of only Option ROMs and Boot Loaders that are signed based on a Key database stored in the UEFI NVRAM, but that is entirely Software side.

Not exactly. I am not interested in UEFI Secure Boot. What I am referring to is TXE Secure Boot which is a different feature. It is a hardware-based S-CRTM. See Section 2 of this document:…Users_Guide.pdf

It presents the boot flow of UEFI BIOS of the BayTrail platform. The TXE Secure Boot is Stage 1 (according to table 2) where UEFI Secure Boot is at Stage 2/3. Typically Stage 1 contains early boot code with memory training, just enough to train memory and be able to verify next firmware volumes or images. Next Stage 2 is the rest of modules and drivers, mostly DXE where UEFI Secure Boot is initialized and kicks in.

As you can see this is almost the same mechanism as Boot Guard in terms of pre-reset vector firmware verification. But what exactly is different between TXE Secure Boot and ME Boot Guard? Just the ACM requirement?

I also found this guide, looks similar to what you found:

Apollo Lake Signing and Manifesting Guide (Link removed, Intel NDA documentation not allowed on this forum)

Which goes into great detail on how to set up Secure Boot, how to set up signing keys, using MEU, and setting up the manifests. It has one part about Boot Guard, which appears to overlap with Secure Boot procedure, but with an additional step:

So I think Boot Guard is Secure Boot but with additional signing requirements, which are the Initial Boot Block (IBB). Unfortunately this document passes on explaining this topic further, and google search yields no results for anything related to BPM.met module.

I’m trying to set up Boot Guard/Secure Boot on my own machine, which is a Coffee Lake i7-9700K on a MSI Z390 Ace Board. At this point the guide lays out pretty well what to do for Secure Boot, but I’m not sure how to find/extract the IBB and OBB subpartitions for signing, or create a BPM.met module.

also, i’ve tried using the following command to decompose different bin files thinking I could extract the xml from BIOS roms I already have running:
meu -decomp BIOS -f <input.bin> --save <decomp.xml>

but that keeps returning error:
Error 359: Invalid decomp binary type specified. bios

And this is even when I am using it on Decomp BIOS files generated from FIT.

found some information about MEU here: