What is Secure Boot and what is it for?




This guide explains what Secure Boot is and what it is used for. You have probably heard or read about this feature on your motherboard, especially if you like to install operating systems other than Windows. Here you will find all the information you need.



Remember that Secure Boot is integrated into the BIOS or, its more recent version, UEFI. Therefore, you will need to enter the firmware setup to configure this feature step by step, much as you do when you want to boot your computer from a USB drive. With this in mind, it is time to start resolving any doubts regarding this protection.

What is BIOS and UEFI?

Before discussing Secure Boot, it is worth making some clarifications. Let us explain what BIOS and UEFI are, as Secure Boot is closely related to both concepts.

BIOS stands for Basic Input Output System. It first appeared in 1975 and its main function is to initialize all the components of the computer and launch the operating system. BIOS has a large number of basic parameters that influence the behavior of the different hardware elements.

In summary, it is a very simple piece of software, integrated on the motherboard, that runs before the installed operating system and has a great impact on the behavior of the computer.

On the other hand, UEFI stands for Unified Extensible Firmware Interface. Again, we are talking about firmware that is installed on the motherboard and is responsible for starting up the computer. It was created in 2002 by Intel and offers some more modern features, such as the ability to use a mouse to access the different menus. However, in reality, its main functions are identical to those of BIOS.

What is Secure Boot and what is its purpose?

If you have read the previous section, you already know that your motherboard has its own operating system, known as firmware, with options that modify the behavior of the computer and the main hardware components. One of those parameters is Secure Boot, the feature that we are discussing in this guide.

Secure Boot is a feature of UEFI that came with Windows 8. It is a protection that prevents the execution of any system that is not certified or signed.

This is a very useful protection when it comes to defending your computer from malware. Why? Because it is located in the BIOS or UEFI, the prevention occurs long before the malicious code has been executed. In this sense, it is an early security measure, very different from SmartScreen or an antivirus, which run on the operating system.

What is NOT Secure Boot?

It is important to answer this question. Historically, this security measure has generated controversy, especially among the Linux community. The reason is that some distributions are not signed and, therefore, cannot be installed while keeping Secure Boot enabled. First, the protection must be disabled and then the Linux distribution can be installed.

Investigating the matter, we were struck by a passage from the wiki of Debian, the Linux operating system on which Ubuntu is based. There they make it very clear that Secure Boot is not a closed environment that only allows the installation of Windows. This is what it says:

UEFI Secure Boot is not an attempt by Microsoft to block Linux out of the PC market here. Secure Boot is a security measure to protect against malware during the early startup of the system. Microsoft acts as a certification authority (CA) for Secure Boot, and signs programs on behalf of other trusted organizations so that their programs will also work. There are certain identification requirements that organizations must meet and the code must be security audited. But these are not too difficult to achieve.

Secure Boot is also not intended to prevent users from controlling their own systems. Users can register additional keys in the system, which allows them to sign programs for their own systems. Many systems enabled for Secure Boot also allow users to remove the keys provided by the platform completely, forcing the firmware to only trust binaries signed by the user.

Debian Wiki

Taking this into account, it is evident that Secure Boot is really there for security and not as a monopolistic measure by Microsoft. This is not just our claim, but that of the Debian team itself, a real institution in the Linux world.

Currently, the most important Linux distributions support Secure Boot, that is, they are signed as legitimate. These are some that you can install on your computer:

  • Ubuntu
  • Red Hat
  • Fedora
  • SUSE
  • Debian

Even alternative operating systems, such as Chrome OS Flex, are signed and compatible with this security layer. Does this mean that those operating systems that do not have a certification for Secure Boot cannot be installed?

How to disable Secure Boot?


Secure Boot is not a permanent feature. The truth is that it can be disabled relatively easily. This way, you can install any software on your PC, even if it has not been signed by Microsoft. All you have to do is enter the UEFI BIOS configuration of your computer and locate the Secure Boot entry. Like any other layer of protection, it is not exempt from vulnerabilities.
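After changing the setting in the firmware menu, it is worth confirming from the running system what the firmware actually reports. The script below is an added example, not part of the original article: it assumes a Linux system with efivarfs mounted at /sys/firmware/efi/efivars, and the function names and state labels are illustrative choices.

```shell
#!/bin/sh
# Added example: report the Secure Boot state a Linux system sees via efivarfs.
# GUID of the UEFI global variable namespace (SecureBoot, SetupMode live here).
EFI_GLOBAL_GUID="8be4df61-93ca-11d2-aa0d-00e098032b8c"

# Print the first payload byte of a UEFI variable as a decimal number.
# An efivarfs file is a 4-byte attribute word followed by the variable data.
efi_var_byte() {
    # $1 = efivars directory, $2 = variable name
    f="$1/$2-$EFI_GLOBAL_GUID"
    [ -r "$f" ] || return 1
    v=$(od -An -tu1 -j4 -N1 "$f" 2>/dev/null | tr -d ' \n')
    [ -n "$v" ] || return 1      # file too short to hold a value
    printf '%s\n' "$v"
}

# Classify the boot state. Labels (illustrative):
#   enabled      firmware is enforcing signature checks
#   setup-mode   no Platform Key enrolled, nothing is enforced
#   disabled     keys are enrolled but enforcement is switched off
#   unsupported  efivarfs is present but there is no SecureBoot variable
#   no-efivarfs  legacy BIOS/CSM boot, or efivarfs is not mounted
secure_boot_state() {
    dir="${1:-/sys/firmware/efi/efivars}"
    if [ ! -d "$dir" ]; then
        echo "no-efivarfs"; return 0
    fi
    sb=$(efi_var_byte "$dir" SecureBoot) || { echo "unsupported"; return 0; }
    if [ "$sb" = "1" ]; then
        echo "enabled"; return 0
    fi
    sm=$(efi_var_byte "$dir" SetupMode) || sm=0
    if [ "$sm" = "1" ]; then echo "setup-mode"; else echo "disabled"; fi
}

# Constructed sample: a fake efivars directory in which Secure Boot is on
# (attribute word 0x00000006, value 0x01).
demo=$(mktemp -d)
printf '\006\000\000\000\001' > "$demo/SecureBoot-$EFI_GLOBAL_GUID"
echo "constructed sample: $(secure_boot_state "$demo")"
rm -rf "$demo"

# The real answer for the machine this runs on.
echo "this machine: $(secure_boot_state)"
```

A result of "disabled" or "setup-mode" on a machine that is supposed to enforce Secure Boot means unsigned boot code would currently be allowed to run.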

