Secure Boot
What is Secure Boot?
Secure Boot: UEFI feature that verifies the cryptographic signature of every boot component, refusing to launch a bootloader, kernel, or driver not signed by a trusted authority.
Secure Boot is a feature of the UEFI firmware specification that establishes a chain of trust from the platform firmware up to the operating system. At each step, the firmware verifies the signature of the next stage (bootloader, kernel, drivers) against keys stored in firmware-protected variables: PK (the platform key), KEK (key exchange keys, which authorise updates to db and dbx), db (the allowed-signature database) and dbx (the forbidden-signature database). If the signature is missing, does not match db, or matches a dbx entry, boot is halted. Secure Boot defends against pre-OS malware such as bootkits and persistent rootkits like LoJax or BlackLotus. It is required for Windows 11, supported by major Linux distributions via shim, and complemented by Measured Boot (TPM PCR measurements checked through remote attestation) and by firmware-level roots of trust such as Intel Boot Guard.
● Examples
- Microsoft revoking vulnerable boot binaries via the UEFI dbx after the BlackLotus disclosure.
- A Linux distribution signing GRUB with shim under the Microsoft UEFI CA so it boots on stock OEM firmware.
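The chain-of-trust walk described in the definition, and the dbx revocation in the first example, as an added Python model that is not part of this glossary page. It assumes a simplified firmware in which db and dbx hold only SHA-256 image hashes (the EFI_CERT_SHA256 entry type); the X.509-certificate path, where a PE Authenticode signature is checked against a CA in db, is left out. The image names and byte contents are constructed placeholders, and `verify`, `boot_chain`, `build_databases` and `revoke` are names chosen for this example.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field

# Constructed stand-ins for boot images. On a real system these are PE/COFF
# binaries (shim, GRUB, the kernel, a Windows boot manager).
IMAGES = {
    "shim.efi": b"constructed shim image",
    "grubx64.efi": b"constructed grub image",
    "vmlinuz": b"constructed kernel image",
    "old-bootmgr.efi": b"constructed boot manager with a known flaw",
    "unsigned.efi": b"constructed image nobody signed",
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class SignatureDatabases:
    # db: allow-list. Modelled here as hash entries only (assumption); real
    # firmware also stores X.509 certificates such as the Microsoft UEFI CA.
    db: set = field(default_factory=set)
    # dbx: forbidden-signature database. Consulted before db, so a match here
    # rejects the image even though db would still accept it.
    dbx: set = field(default_factory=set)

    def verify(self, image: bytes) -> tuple:
        """Return (allowed, reason) for one boot image."""
        digest = sha256(image)
        if digest in self.dbx:
            return False, "revoked: hash listed in dbx"
        if digest in self.db:
            return True, "allowed: hash listed in db"
        return False, "rejected: no db entry matches"


def boot_chain(dbs: SignatureDatabases, stages: list) -> tuple:
    """Walk firmware -> stages[0] -> stages[1] ..., verifying each stage
    before it is launched. Returns (launched_stages, halt_reason); the
    reason is None when every stage passed."""
    launched = []
    for name in stages:
        ok, why = dbs.verify(IMAGES[name])
        if not ok:
            return launched, f"{name}: {why}"  # boot halts here
        launched.append(name)
    return launched, None


def build_databases() -> SignatureDatabases:
    """Constructed db: the distribution's shim/GRUB/kernel plus an older boot
    manager that was trusted when the db was provisioned."""
    dbs = SignatureDatabases()
    for name in ("shim.efi", "grubx64.efi", "vmlinuz", "old-bootmgr.efi"):
        dbs.db.add(sha256(IMAGES[name]))
    return dbs


def revoke(dbs: SignatureDatabases, name: str) -> None:
    """Model of a dbx update. Firmware appends to dbx rather than editing db,
    which is why dbx must win over db. On real hardware the update is a
    variable write signed by a key held in KEK."""
    dbs.dbx.add(sha256(IMAGES[name]))


if __name__ == "__main__":
    dbs = build_databases()
    print(boot_chain(dbs, ["shim.efi", "grubx64.efi", "vmlinuz"]))
    print(boot_chain(dbs, ["old-bootmgr.efi", "vmlinuz"]))
    revoke(dbs, "old-bootmgr.efi")  # the post-disclosure dbx push
    print(boot_chain(dbs, ["old-bootmgr.efi", "vmlinuz"]))
    print(boot_chain(dbs, ["shim.efi", "unsigned.efi"]))
```

The point the model makes visible is ordering: an image that was legitimately signed (present in db) stays bootable until its hash reaches dbx, and once it is there the db entry no longer helps, so revocation does not require re-issuing db. It also shows why dbx hygiene matters operationally: a machine whose dbx was never updated still launches the old boot manager.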
● Frequently asked questions
What is Secure Boot?
UEFI feature that verifies the cryptographic signature of every boot component, refusing to launch a bootloader, kernel, or driver not signed by a trusted authority. It belongs to the Cryptography category of cybersecurity.
What does Secure Boot mean?
UEFI feature that verifies the cryptographic signature of every boot component, refusing to launch a bootloader, kernel, or driver not signed by a trusted authority.
How does Secure Boot work?
Secure Boot is a feature of the UEFI firmware specification that establishes a chain of trust from the platform firmware up to the operating system. At each step, the firmware verifies the signature of the next stage (bootloader, kernel, drivers) against keys stored in firmware-protected variables: PK (the platform key), KEK (key exchange keys, which authorise updates to db and dbx), db (the allowed-signature database) and dbx (the forbidden-signature database). If the signature is missing, does not match db, or matches a dbx entry, boot is halted. Secure Boot defends against pre-OS malware such as bootkits and persistent rootkits like LoJax or BlackLotus. It is required for Windows 11, supported by major Linux distributions via shim, and complemented by Measured Boot (TPM PCR measurements checked through remote attestation) and by firmware-level roots of trust such as Intel Boot Guard.
How do you keep Secure Boot effective?
Secure Boot is itself a defence; keeping it effective combines technical controls and operational practices, as detailed in the full definition above.
● Related terms
- № 1178 Trusted Platform Module (TPM) (cryptography): Standards-based security chip soldered to a mainboard or implemented in firmware that provides hardware-rooted key storage, attestation, and measured boot.
- № 117 Bootkit (malware): Malware that infects the boot process — MBR, VBR, or UEFI — to load before the operating system and obtain persistent, privileged control.
- № 949 Rootkit (malware): Stealth malware that grants and hides privileged access to an operating system or device, evading detection by standard tools.
- № 462 Hardware Token (cryptography): Physical device that stores cryptographic secrets and performs authentication operations, used as a possession factor in multi-factor authentication.
- № 321 Digital Signature (cryptography): A public-key cryptographic mechanism that proves the authenticity, integrity and non-repudiation of a message or document.
- № 879 Public-Key Cryptography (cryptography): A branch of cryptography that uses paired public and private keys to enable encryption, key exchange, digital signatures, and authentication without a pre-shared secret.
● See also
- № 445 Glitch Attack
- № 060 ARM TrustZone
- № 679 Microsoft Pluton
- № 460 Hardware Attestation