Secure Boot in UEFI


The most important feature of modern UEFI firmware is Secure Boot, also called Trusted Boot. The name suggests its purpose, but how it actually works is less obvious.

How it works

  • A traditional BIOS boots from the Windows bootloader or, for Linux OSes, from the GRUB bootloader used by almost all Linux distributors.
  • Malware such as a rootkit can replace the bootloader and then let the normal OS load from it.
  • This kind of malware stays undetected and invisible in the system. The BIOS cannot tell malware apart from a trusted bootloader.
  • With Secure Boot, UEFI keeps a set of signatures inside the firmware.
  • When it launches the bootloader, it allows only EFI executables with trusted signatures.
  • So malware or any other intruder cannot get its files booted by the UEFI firmware.

Secure Boot Keys in UEFI Firmware

  • On every boot, UEFI checks that each EFI binary has a valid signature.
  • Sometimes UEFI instead looks up the binary’s checksum to see whether it is listed in the permitted list of variables.
  • Secure Boot in UEFI contains mainly four types of keys.
  • The Platform Key (PK) provides access to the Secure Boot key hierarchy.
  • Next comes the KEK (Key Exchange Key). This one signs EFI binary executables directly or by using the db (allowed certificates or binary hashes) and dbx (blacklisted certificates or hashes) databases.
  • The KEK and db keys can allow binaries to boot the system.

Microsoft has imposed some conditions in its Windows Hardware Certification Requirements for client and server systems.

  • The agreement asks complying manufacturers to ship their computers with Secure Boot turned on.
  • These devices will carry the trusted Microsoft key in their list of keys.
  • As per the UEFI requirements too, the Legacy or BIOS compatibility mode remains disabled as long as Secure Boot is active.

The PK is mostly provided by the hardware vendor, whereas the KEK is under the control of the OS manufacturer (e.g., Microsoft). Hardware manufacturers also keep their own KEK, as there can be more than one KEK.

Activation of Secure Boot in UEFI: What to do

  • On x86 machines, you can disable the Secure Boot option to activate Custom mode.
  • Also, when you alter the default Secure Boot keys in UEFI, you automatically block malicious software from doing the same on your system.
  • If you want to gain complete control of your computer’s Secure Boot, you need to change at least the PK and KEK. This way, you can prevent new keys from being installed without your permission.
  • To block commercially allotted EFI binaries, you have to alter the signature database (db) too.
  • On ARM devices (tablets, smartphones, etc.), changing the keys is not permitted. Here, the only option is the active Secure Boot mode.
  • But this security-only option is not an evil-spirited ploy of Microsoft alone, as we have locked bootloaders on almost all Android devices and on all iDevices too.
  • It is not evil but a necessity, since these devices are somehow more vulnerable in regular hands than your personal desktop or laptop.
  • ARM devices do not permit changing the keys, and this applies to the owner as well as to outside malware.
  • Still, there are a few options available for Android devices to have unlocked bootloaders. But you have to be an expert to find the right one and to deal with them.

Advantages of Secure Boot in Linux OS

Secure Boot is advantageous not only for Windows but for Linux too. Yet a Linux OS is not digitally signed by Microsoft, and hence will not be allowed to boot on a PC pre-installed with Windows. To solve this, Microsoft, along with some Linux distributions like Ubuntu, Fedora, Canonical, Red Hat Enterprise, and openSUSE, has created a signed bootloader that works in the Secure Boot environment for both types of OS. For a one-time fee, Linux distributions can access the Microsoft Sysdev portal to sign their bootloaders.

  • Microsoft signs a small bootloader called “shim” for the Linux Foundation, which can switch to the main Linux GRUB bootloader.
  • The shim checks if it is signed by Linux or not.
  • Users see a confirmation question before installing the Linux OS. This way, they have the option to choose the right OS for their requirements.
  • Some Linux distributors do not agree to be signed by Microsoft. In that case, you can disable Secure Boot, if you are confident enough to do that.

Windows Subsystem for Linux

We have another option at hand with WSL (Windows Subsystem for Linux).

  • This is a Linux compatibility layer on Windows 10 and Windows Server 2019.
  • In this layer, Linux binary executables in ELF format can be run natively on Windows.
  • The Linux-compatible kernel interface (without Linux kernel code) created by Microsoft is able to run a GNU userspace on top of itself.
  • This userspace may carry a Bash shell with its command language.
  • The big fish behind this ‘conspiracy’ are the Linux distributions Ubuntu, Canonical, openSUSE, Kali Linux, Debian, SUSE Linux Enterprise Server, and of course Microsoft itself.

Seems like we are done here today. If you want to know more about the Secure boot feature in UEFI firmware, just let us know about your query. Until then, let’s go check on our next topic on accessing the BIOS in any PC.
