What is Secure Boot?
A UEFI firmware feature that allows only boot components whose signature (or hash) matches an entry in the firmware's allowed-signature database to run during boot, so bootkits and other boot-level malware are refused before the operating system loads.
Secure Boot creates a chain of trust from firmware to operating system: each stage checks the signature of the next before executing it, so a modified bootloader or kernel is rejected rather than run. It verifies what the firmware loads; it does not verify the firmware itself.
How It Works
- UEFI firmware checks the bootloader's digital signature against its signature databases: db (allowed certificates and hashes) and dbx (revoked ones)
- The bootloader verifies the kernel's signature (on Linux the Microsoft-signed shim verifies GRUB and the kernel against db, its built-in distribution key and any user-enrolled Machine Owner Keys)
- The kernel enforces signatures on drivers and modules (driver signature enforcement on Windows, module signature verification and lockdown on Linux)
- Any unsigned, revoked or modified component fails its check and the boot stops at that stage
- To confirm it is active: mokutil --sb-state on Linux, or Confirm-SecureBootUEFI in an elevated PowerShell on Windows
Controversy
- Microsoft control: most PCs ship with Microsoft's UEFI CA certificates in db, so Microsoft signs (directly or through its third-party UEFI CA) nearly everything those machines will boot; the Platform Key itself is usually the OEM's
- Linux compatibility: most major distributions boot through the shim bootloader, which carries a Microsoft third-party UEFI CA signature; a distribution, custom kernel or module without a trusted signature needs its own key enrolled first
- User freedom: Some see Secure Boot as restricting which software you can run
Privacy Perspective
Secure Boot protects against bootkits: malware that replaces the bootloader or kernel and therefore loads before every security tool, which makes it a durable foothold for persistent surveillance. It does not check the firmware itself, and it relies on trusting whichever signing authorities are in db, which on most machines means Microsoft's (or another vendor's) certificates. The ideal is Secure Boot with user-controlled keys: the platform owner replaces the vendor keys with their own (tools such as sbctl or efitools do this) and signs or enrolls exactly what they choose to boot.
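The verification chain described under How It Works, and the user-controlled-keys point above, as one added example (not code from the original page and not any firmware's implementation). It models db and dbx as sets of SHA-256 digests, which is the EFI_CERT_SHA256 form of a db entry; real entries are more often X.509 certificates, and real hash entries use the Authenticode PE hash rather than a plain hash of the file. The image bytes and stage names are constructed for the example.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed stand-ins for the images a UEFI boot chain loads (not real binaries).
BOOTLOADER = b"EFI bootloader image v1"
KERNEL = b"kernel image 6.x"
DRIVER = b"storage driver module"
MODIFIED_DRIVER = DRIVER + b" + persistence hook"   # any change to the bytes changes the digest


def digest(image: bytes) -> str:
    # Assumption: plain SHA-256 over the whole image. Real db hash entries use the
    # Authenticode PE hash, which skips the checksum and signature fields.
    return hashlib.sha256(image).hexdigest()


class SecureBootViolation(Exception):
    """A stage failed verification; real firmware stops the boot here."""


@dataclass
class Platform:
    db: set                                   # allowed digests (EFI_CERT_SHA256-style entries)
    dbx: set = field(default_factory=set)     # revoked digests, consulted before db
    log: list = field(default_factory=list)   # stages verified so far, in order

    def verify(self, stage: str, image: bytes) -> str:
        d = digest(image)
        if d in self.dbx:                     # revocation wins over allow
            raise SecureBootViolation(f"{stage}: digest revoked in dbx")
        if d not in self.db:
            raise SecureBootViolation(f"{stage}: no matching entry in db")
        self.log.append(stage)
        return d

    def enroll(self, image: bytes) -> None:
        # Platform-owner operation. Adding your own entry to db is what
        # "user-controlled keys" means at the hash level; with certificates it
        # is the same idea, your own CA certificate goes into db.
        self.db.add(digest(image))


def boot(platform: Platform, bootloader: bytes, kernel: bytes, drivers: list) -> list:
    # Each stage verifies the next before handing over control; one failure ends the boot.
    platform.verify("bootloader", bootloader)
    platform.verify("kernel", kernel)
    for i, drv in enumerate(drivers):
        platform.verify(f"driver[{i}]", drv)
    return list(platform.log)


def make_platform() -> Platform:
    # A platform whose db trusts exactly the three shipped images.
    return Platform(db={digest(BOOTLOADER), digest(KERNEL), digest(DRIVER)})


def boot_trusted() -> list:
    return boot(make_platform(), BOOTLOADER, KERNEL, [DRIVER])


def boot_tampered() -> str:
    # An attacker-modified driver has a different digest, so the chain stops at driver[0].
    try:
        boot(make_platform(), BOOTLOADER, KERNEL, [MODIFIED_DRIVER])
    except SecureBootViolation as e:
        return str(e)
    return ""


def boot_revoked() -> str:
    # A signed-but-vulnerable bootloader is revoked by adding its digest to dbx.
    p = make_platform()
    p.dbx.add(digest(BOOTLOADER))
    try:
        boot(p, BOOTLOADER, KERNEL, [DRIVER])
    except SecureBootViolation as e:
        return str(e)
    return ""


def boot_with_own_enrollment() -> list:
    # The same modified driver boots once the owner, not a third-party CA, enrolls it.
    p = make_platform()
    p.enroll(MODIFIED_DRIVER)
    return boot(p, BOOTLOADER, KERNEL, [MODIFIED_DRIVER])


if __name__ == "__main__":
    print(boot_trusted())
    print(boot_tampered())
    print(boot_revoked())
    print(boot_with_own_enrollment())
```

The tampered and enrolled cases use the same modified bytes: what separates an attack from a legitimate change is not the content but who controls db. On a real machine the equivalent of enroll() is signing the image with a key whose certificate you placed in db (or in the shim's MOK list), and the equivalent of the dbx step is the revocation updates vendors publish for exploitable bootloaders.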
Related Terms
Firmware Security
The security of the low-level software embedded in hardware devices, which runs before the operating system and, if compromised, can host persistent backdoors that are very hard to detect from within the operating system.
Trusted Platform Module (TPM)
A specialized security chip built into most modern computers that provides hardware-based cryptographic functions and secure key storage.