Skip to main content


Home Secure boot

Secure boot

(also trusted boot, UEFI secure boot)

Secure boot definition

Secure boot is a security feature implemented in the Unified Extensible Firmware Interface (UEFI) that ensures the integrity of a computer's boot process. It prevents unauthorized or malicious software from running during startup by checking the digital signature of each component, such as the bootloader and operating system kernel, against a database of trusted keys. If any component fails the signature verification, the system will not boot.

See also: BIOS rootkit, cold boot

Secure boot examples

  • Windows operating systems: Secure boot is enabled by default on devices with Windows 8 or later, providing an added layer of protection against rootkits and other low-level malware.
  • Linux operating systems: Many Linux distributions, such as Fedora and Ubuntu, also support secure boot with appropriately signed bootloaders and kernel components.

Secure boot vs. other boot protection methods

  • Secure boot vs. measured boot: While secure boot checks digital signatures to ensure the authenticity of boot components, measured boot records the measurements of these components in a Trusted Platform Module (TPM) to provide a trusted log for remote attestation.
  • Secure boot vs. hardware root of trust: Secure boot relies on firmware-based checks and digital signatures, whereas the hardware root of trust uses a dedicated hardware component to establish trust in a computing device.

Pros and cons of secure boot

Pros:

  • Provides protection against low-level malware and rootkits.
  • Ensures that only authorized software components are executed during the boot process.

Cons:

  • May restrict user freedom by preventing the installation of alternative operating systems or unsigned drivers.
  • Can be vulnerable to attacks that exploit vulnerabilities in the firmware itself.

Tips for secure boot usage

  • Keep your device's firmware and operating system up to date to minimize vulnerabilities.
  • Ensure that secure boot is enabled in your device's UEFI settings.
  • If using a non-Windows operating system, verify that your distribution supports secure boot and follow the recommended installation process.