secure-os.org
All guidesQubes OSTailsWhonixHardened LinuxDisk encryptionThreat model
security

What Is Secure Boot? How It Blocks Boot-Level Malware (2026)

secure-os· Updated July 16, 2026· 5 min read #security#uefi#boot#hardening
Close-up of a microchip on a printed circuit board

The short version: Secure Boot is a UEFI firmware feature that checks the digital signature of everything that tries to run when your computer starts, and refuses to load anything that is not signed by a trusted key. Its whole job is to stop malware that loads before your operating system - the kind that is otherwise almost impossible to detect. It is not a complete defence on its own, but it closes a door that used to be wide open.

What Secure Boot actually is

When you power on a modern PC, the UEFI firmware runs first, then hands off to a bootloader, which loads the operating system kernel. Secure Boot inserts a check into that chain: before the firmware runs the bootloader, and before the bootloader runs the kernel, it verifies a cryptographic signature against a database of trusted keys stored in the firmware. If the code is properly signed, it runs. If it is unsigned or has been tampered with, Secure Boot blocks it.

In other words, Secure Boot enforces a simple rule: only software someone trusted has vouched for is allowed to start your machine.

Why it matters: stopping bootkits

The reason this is worth having comes down to timing. Malware that loads at boot - a bootkit or a boot-level rootkit - runs before the operating system and before your antivirus. Once it is in control that early, it can hide itself from everything that loads afterward, which is exactly why boot-level infections are so hard to detect and remove. See our explainer on what a rootkit is for how nasty that gets.

Secure Boot attacks the problem at the source: if the tampered or unsigned boot code cannot pass the signature check, it never gets to run in the first place. That is a much stronger position than trying to find and remove it after it has already loaded.

A close-up of a computer motherboard. Secure Boot lives in the UEFI firmware and checks signatures before any operating system code runs.

How it works under the hood

Secure Boot relies on a small set of keys and lists held in the firmware:

  • Platform Key (PK) and Key Exchange Keys (KEK) establish who is allowed to manage the trust settings.
  • The db (allowed) database holds the signatures and keys of software permitted to run.
  • The dbx (forbidden) database lists signatures that are revoked - for example, bootloaders later found to be vulnerable.

At each step of startup, the component’s signature is checked against db and dbx. On most consumer PCs the trusted keys come from Microsoft and the hardware maker, which is why Secure Boot is on by default and is required for Windows 11.

Secure Boot and Linux

A common myth is that Secure Boot blocks Linux. It does not. Major distributions like Ubuntu and Fedora support Secure Boot using a small signed program called shim, which is trusted by the standard keys and then loads the distro’s own signed bootloader and kernel. If you build custom kernels or use certain out-of-tree drivers, you can enrol your own keys through MOK (Machine Owner Key) rather than turning the protection off. Disabling Secure Boot is possible, and sometimes necessary for niche setups, but it means giving up the boot-level protection - so prefer enrolling keys over switching it off.

The honest limits

Secure Boot is valuable, but it is one layer, not a force field:

  • It protects the boot chain, not everything after it. Malware that arrives through a phishing link or a malicious download, and runs once the OS is up, is a different problem.
  • It has had real weaknesses over the years - signed-but-vulnerable bootloaders (the “BootHole” class of issues) showed that a trusted signature is only as good as the code behind it, which is why the dbx revocation list exists.
  • It depends on keeping firmware updated so revoked, vulnerable components are actually rejected.

Treat it as a strong foundation that other defences build on, not as the only thing standing between you and an attacker.

FAQ

Should I keep Secure Boot enabled? For almost everyone, yes. It is a low-cost, high-value defence against boot-level malware, it is on by default, and modern Linux distributions work with it. Only disable it if you have a specific technical reason, and prefer enrolling your own keys instead.

Does Secure Boot slow down my PC? No. The signature checks happen only during startup and add no meaningful time, and they have no effect on performance once the system is running.

Is Secure Boot the same as TPM? No, though they are often mentioned together. Secure Boot verifies boot software signatures; a TPM is a separate chip that stores keys and measurements. Windows 11 and some anti-cheat systems ask for both, but they do different jobs.

The bottom line: Secure Boot makes sure only trusted, signed software can start your computer, shutting out the boot-level malware that hides from everything else. Keep it on, keep your firmware updated, and treat it as the solid base of a layered defence - including the modern, hardened systems we cover in immutable Linux distros.