UEFI Secure Boot is a security standard that ensures a device boots using only trusted software verified by cryptographic signatures. When enabled, the UEFI firmware checks the signature of each piece of boot software, including the firmware drivers, bootloaders, and operating system, allowing only signed and trusted software to run. This process prevents unauthorized or malicious code from executing during system startup. Key points about UEFI Secure Boot:
- It requires UEFI firmware (not traditional BIOS) with Secure Boot enabled.
- The firmware stores authorized signature keys from the OEM or trusted authorities.
- At startup, every boot component's signature is checked; unsigned or tampered components are blocked.
- Secure Boot requires the system disk to use GPT (GUID Partition Table) partitioning instead of MBR.
- Most modern PCs come with Secure Boot enabled and pre-loaded with trusted keys (e.g., Microsoft keys).
- Users can disable Secure Boot or add custom keys via BIOS/UEFI settings if needed.
- Secure Boot is important for modern operating systems like Windows 10/11 and supported Linux distros to prevent boot-level malware.
- Enabling Secure Boot usually involves entering the UEFI firmware settings from the boot menu and enabling the Secure Boot option in the Boot tab.
- Some PCs may require switching from Legacy BIOS mode to UEFI mode to support Secure Boot.
Secure Boot plays a critical role in protecting the boot process against rootkits, bootkits, and other early malware by ensuring only authenticated software can initialize the OS.
