Secure Boot Explained

Secure boot for dummies

Secure Boot Explained
Photo by Ben Grayland / Unsplash
This is a very simplified explanation of Secure Boot. It is not fully accurate.

What is Secure Boot?

Simply put, Secure Boot acts like a security gate, allowing only trusted software through if it meets the necessary security criteria. Secure Boot allows computers to boot with firmware, bootloaders and operating systems that are signed by trusted parties such as Microsoft, Linux Distributions, or the manufacturer.

In a more complex sense, Secure Boot uses cryptographic checksums and signatures to ensure that the system only boots using trusted software. The process begins with the firmware (typically UEFI) validating the bootloader's signature against a list of trusted keys. If the signature is verified, the bootloader is executed. The bootloader then validates the signatures of the operating system (OS) kernel and critical drivers. This mechanism ensures that only software trusted by the OEM, as indicated by the trusted signatures, is executed. If all signatures are valid, the system proceeds to boot and passes control to the OS.

In other words, Secure Boot could potentially protect you against bootkits. However, this isn't always the case as seen with the BlackLotus UEFI bootkit.

Which devices use Secure Boot?

When I first learned about Secure Boot, I thought it only applied to traditional computers, like desktops and laptops. However, Secure Boot is also used in many other devices, including IoT devices, smartphones, and embedded systems. With Secure Boot enabled, these devices can only boot with firmware that has been signed and trusted by the manufacturer. This is beneficial as it helps prevent unauthorised or malicious custom firmware from being installed. For example, if a hacker were to take control of your smart washing machine, they could potentially flood your home.

Should you use Secure Boot?

With cybercrime being more prominent than ever, yes you should. If you're using Windows, enabling Secure Boot should not interfere with your system, as Microsoft provides the necessary Secure Boot keys that verify the integrity of Windows and its components.

However, if you're using a Linux-based OS, you should check beforehand whether it is signed. If not, you'll probably have to enrol your own keys before you can use it.

Does Secure Boot mean I'm safe?

As mentioned earlier in the article, it doesn't mean you're always safe. The hacker group BlackLotus developed a bootkit that was able to bypass Secure Boot on Windows.

Usually this wouldn't be a problem if the vulnerable binaries were added to the UEFI Revocation List File (a database of binaries that cannot be trusted anymore, also known as DBX), which it wasn't. Otherwise performing your usual Windows update would fix this problem. However, it would then be followed by the inability to boot (if you're still using the vulnerable binaries), which isn't very user-friendly.

Secure Boot as mentioned earlier also means you trust your motherboard's manufacturer to be competent. Which isn't always the case, which has left millions of consumer and enterprise devices vulnerable.