(also trusted boot, UEFI secure boot)
Secure boot definition
Secure boot is a security feature implemented in the Unified Extensible Firmware Interface (UEFI) that ensures the integrity of a computer’s boot process. It prevents unauthorized or malicious software from running during startup by checking the digital signature of each component, such as the bootloader and operating system kernel, against a database of trusted keys. If any component fails the signature verification, the system will not boot.
Secure boot examples
- Windows operating systems: Secure boot is enabled by default on devices with Windows 8 or later, providing an added layer of protection against rootkits and other low-level malware.
- Linux operating systems: Many Linux distributions, such as Fedora and Ubuntu, also support secure boot with appropriately signed bootloaders and kernel components.
Secure boot vs. other boot protection methods
- Secure boot vs. measured boot: While secure boot checks digital signatures to ensure the authenticity of boot components, measured boot records the measurements of these components in a Trusted Platform Module (TPM) to provide a trusted log for remote attestation.
- Secure boot vs. hardware root of trust: Secure boot relies on firmware-based checks and digital signatures, whereas the hardware root of trust uses a dedicated hardware component to establish trust in a computing device.
Pros and cons of secure boot
- Provides protection against low-level malware and rootkits.
- Ensures that only authorized software components are executed during the boot process.
- May restrict user freedom by preventing the installation of alternative operating systems or unsigned drivers.
- Can be vulnerable to attacks that exploit vulnerabilities in the firmware itself.
Tips for secure boot usage
- Keep your device’s firmware and operating system up to date to minimize vulnerabilities.
- Ensure that secure boot is enabled in your device’s UEFI settings.
- If using a non-Windows operating system, verify that your distribution supports secure boot and follow the recommended installation process.