Secure boot – Microsoft Q&A

Secure Boot is a security standard and feature of UEFI-based firmware that ensures a PC or device boots only with software trusted by the device or PC manufacturer.

During startup, the UEFI firmware:

  1. Verifies the digital signature (or hash) of each piece of boot software it loads (UEFI firmware drivers/Option ROMs, EFI applications, and the operating system bootloader) against the certificates and hashes stored in the firmware's signature databases.
  2. If every component is signed by a trusted key or whitelisted by hash, and none is listed as revoked, the firmware allows the boot process to continue and hands control to the operating system bootloader, which continues the signature checks for the kernel and early boot drivers.
  3. If any component is unsigned, signed by an untrusted key, revoked, or has been tampered with so that its signature no longer matches, it is blocked from running, helping to prevent pre-boot malware such as bootkits and firmware rootkits.

Secure Boot relies on a public key infrastructure (PKI) and a hierarchy of keys and certificate databases in firmware:

  • Platform Key (PK) – a single key, typically owned by the hardware manufacturer; establishes control of the platform and authorizes changes to the KEK.
  • Key Exchange Key (KEK) – one or more keys used to authorize updates to the signature databases below; may include Microsoft and OEM KEKs.
  • Allowed Signature Database (db) – contains certificates and hashes of code that is allowed to run.
  • Forbidden Signature Database (dbx) – contains revoked certificates and hashes of blocked binaries; an entry here overrides a match in db.

Windows 8 and later, including Windows 11, use UEFI Secure Boot as part of the Trusted Boot architecture to protect the boot process by enforcing signature checks from firmware through the Windows kernel and early boot drivers.
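The state and contents of these databases can be inspected from Windows itself. The following is an added example, not part of the original answer: it uses the SecureBoot module cmdlets Confirm-SecureBootUEFI and Get-SecureBootUEFI that ship with Windows 8 and later, and parses the returned bytes as the EFI_SIGNATURE_LIST structures defined by the UEFI specification. The function name ConvertFrom-EfiSignatureList is this example's own; the two signature-type GUIDs are the spec-defined EFI_CERT_X509_GUID and EFI_CERT_SHA256_GUID. It must run in an elevated session on a UEFI-booted machine (Confirm-SecureBootUEFI throws on legacy BIOS systems).

```powershell
#Requires -RunAsAdministrator
# Added example: list Secure Boot enforcement state and the entries in PK, KEK, db and dbx.

# Signature types from the UEFI specification (EFI_SIGNATURE_LIST.SignatureType).
$SigTypes = @{
    'a5c059a1-94e4-4aa7-87b5-ab155c2bf072' = 'X509'    # EFI_CERT_X509_GUID: DER certificate
    'c1c41626-504c-4092-aca9-41f936934328' = 'SHA256'  # EFI_CERT_SHA256_GUID: Authenticode hash
}

# Hypothetical helper (not a built-in cmdlet): walk a byte[] holding one or more
# EFI_SIGNATURE_LIST structures and emit one object per EFI_SIGNATURE_DATA entry.
function ConvertFrom-EfiSignatureList {
    param([byte[]]$Bytes)
    $offset = 0
    while ($offset + 28 -le $Bytes.Length) {
        # Header: SignatureType GUID (16) + SignatureListSize (4) + SignatureHeaderSize (4) + SignatureSize (4)
        $typeGuid = [guid]::new([byte[]]$Bytes[$offset..($offset + 15)])
        $listSize = [BitConverter]::ToUInt32($Bytes, $offset + 16)
        $hdrSize  = [BitConverter]::ToUInt32($Bytes, $offset + 20)
        $sigSize  = [BitConverter]::ToUInt32($Bytes, $offset + 24)
        if ($listSize -lt 28 -or $offset + $listSize -gt $Bytes.Length -or $sigSize -le 16) {
            throw "Malformed EFI_SIGNATURE_LIST at offset $offset"
        }
        $type = $SigTypes[$typeGuid.Guid]
        if (-not $type) { $type = $typeGuid.Guid }   # unknown type: report the raw GUID

        $listEnd   = $offset + $listSize
        $sigOffset = $offset + 28 + $hdrSize
        while ($sigOffset + $sigSize -le $listEnd) {
            # EFI_SIGNATURE_DATA: SignatureOwner GUID (16) followed by the signature payload
            $owner = [guid]::new([byte[]]$Bytes[$sigOffset..($sigOffset + 15)])
            $data  = [byte[]]$Bytes[($sigOffset + 16)..($sigOffset + $sigSize - 1)]
            $value = switch ($type) {
                'X509'   { [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($data).Subject }
                'SHA256' { ($data | ForEach-Object { $_.ToString('x2') }) -join '' }
                default  { "$($data.Length) bytes" }
            }
            [pscustomobject]@{ Type = $type; Owner = $owner.Guid; Value = $value }
            $sigOffset += $sigSize
        }
        $offset = $listEnd
    }
}

# $true means the firmware is enforcing signature checks; $false means Secure Boot is disabled.
$enforced = Confirm-SecureBootUEFI
"Secure Boot enforced: $enforced"

foreach ($name in 'PK', 'KEK', 'db', 'dbx') {
    $var     = Get-SecureBootUEFI -Name $name          # object with Name, Bytes, Attributes
    $entries = @(ConvertFrom-EfiSignatureList -Bytes $var.Bytes)
    "`n== $name ($($entries.Count) entries) =="
    $entries | Group-Object Type | ForEach-Object { "  $($_.Name): $($_.Count)" }
    # Certificates are few and worth naming; dbx is mostly SHA256 hashes of revoked binaries.
    $entries | Where-Object Type -eq 'X509' | ForEach-Object { "  $($_.Value)" }
}
```

On a typical OEM machine PK and KEK hold one or a few certificates each, db holds the OEM certificate plus the Microsoft Windows Production PCA 2011 and Microsoft UEFI CA 2011 certificates, and dbx holds hundreds to thousands of SHA256 hashes; a dbx that is empty or very small on a current Windows build suggests the revocation updates have not been applied.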

