What are UEFI and Secure Boot?

When you first turn on the power button of a computer at the start of your day, your PC or laptop goes through a set of procedures before allowing you to log in. The first thing that happens is the reset signal generated sets the registers of the CPU to their pre-defined values. The reset vector within the CPU now points to the start address of the BIOS or Basic Input Output System.

BIOS is a small firmware stored in a flash memory on the motherboard of the computer. It functions as a startup process for setting up the various hardware peripherals attached to the motherboard. BIOS starts with the POST or Power-on Self-Test, which checks for the presence of basic stuff such as the monitor, keyboard, mouse and memory – primary and secondary. Next, it looks for the MBR or the Master Boot Record on the secondary memory storage – the hard disk or a Solid State Device.

The MBR contains the Primary Boot loader that redirects the CPU to the Secondary Boot loader. What you see on the screen as GRUB when booting into Linux is the Secondary Boot loader is responsible for loading the actual Operating System present on the memory device of the computer.

Hackers planning to usurp the control of your computer have been targeting some of the elements in this chain of the booting process. Malware planted in the computer can modify the boot loaders so that it first enables a sleeping Trojan horse (a form of virus), before actually loading the Operating System. That allows the virus to control whatever you are doing with the computer and report it back to its original master.

To prevent this from happening, members of the PC industry have modified the plain and simple BIOS to a UEFI secure boot type. When booted through UEFI or Unified Extensible Firmware Interface, the firmware ensures that the system boot loader has a cryptographic key as authorized by a database within the firmware. The next steps involve the boot loaders in a series of signature verification for the kernel and possibly of the user space. That prevents any unsigned code (the Trojan horse) from executing and compromising your computer.

The computer requires no specialized hardware to implement and operate UEFI Secure Boot. The firmware resides in the non-volatile flash storage on the motherboard. This storage also stores the UEFI implementation itself as well as the protected variables including the trusted root certificates of the UEFI.

Therefore, unless presented with a signed next-stage boot loader, the UEFI Secure Boot will prevent your computer from functioning, unless you disable or switch off the Secure Boot mode. Note that UEFI Secure Boot does not verify signatures when installing or changing the boot loaders. Signatures are verified only when booting up and any tampered boot path leads to a display of invalid signature, preventing further operations. Unlike web server certificates, there is no information as to who issued the certificate and the user has no way of overriding the decision to reject the signature of the boot loader.