What Is Secure Boot?
Secure Boot is one feature of the latest Unified Extensible Firmware Interface (UEFI) 2.3.1 specification. The feature defines an entirely new interface between operating system and firmware/BIOS. When enabled and fully configured, Secure Boot helps a computer resist attacks and infection from malware.
First developed by Intel, Secure Boot performs two tasks when a PC is switched on and before the OS loads. First, it verifies that the motherboard firmware is digitally signed, which helps reduce the risk of rootkits, which will modify the firmware and, thus, corrupt the signature.
Secure Boot then queries the digital signature of the OS in the bootloader to see if it matches a cryptographic signature that’s stored within the UEFI firmware. If both signatures match, the OS is permitted to load. If they don’t, Secure Boot concludes that the bootloader has been tampered with and will prevent the OS from starting.
Windows 7 does not support Secure Boot, nor can it store its cryptographic signature in the PC’s firmware when it’s installed. Many Linux distros don’t support Secure Boot either, though the most common distros do, and information is available on their web sites. Having Secure Boot enabled means that an OS that doesn’t have a valid cryptographic signature will not be permitted to boot. There are ways around this. Some UEFI systems will allow you to register a bootloader as “safe,” while you can also disable Secure Boot on some, but not all, UEFI systems.
What Is Trusted Boot?
Did you find this tutorial helpful? Don’t forget to share your views with us.