Secure Boot on the Vault
Overview
What is Secure Boot?
Secure Boot is a protocol developed by the UEFI (Unified Extensible Firmware Interface) Forum and is part of the UEFI firmware standard. Its primary goal is to protect the system from bootkit and rootkit attacks by ensuring that only software components authorized and signed by the OEM (Original Equipment Manufacturer) are executed during the boot process.
How It Works
Initialization: When you turn on a computer, the firmware (UEFI) initializes and performs a series of checks. Secure Boot is part of this process.
Signature Verification: Secure Boot checks the digital signatures of the firmware, bootloader, and operating system. Each component must be signed with a trusted certificate. If the signature can be verified against an entry in the trusted signature database, the component is allowed to execute.
Key Management: Secure Boot relies on a series of keys:
Platform Key (PK): This key is held by the OEM and is used to control the key database.
Key Exchange Key (KEK): This key is used to update the database of trusted keys and is typically managed by the OEM or administrators.
Signature Database (db): This database contains the signatures of trusted software and is used to verify components during boot.
Revoked Signature Database (dbx): This database contains signatures of known malware or compromised software, preventing them from being executed.
Enforcement: If the signatures are valid, Secure Boot allows the boot process to continue. If not, it halts the process or displays a warning, preventing unauthorized code from running.
Benefits
Protection Against Malware: Secure Boot helps prevent malware, such as rootkits and bootkits, from compromising the system at a low level before the operating system is fully loaded.
Integrity Verification: Ensures that the system firmware and bootloaders have not been tampered with and are as the manufacturer intended.
Prevention of Unauthorized Code Execution: Limits the execution of unsigned or unauthorized code, which enhances overall system security.
Enhanced Trust: Provides a trusted environment for booting the operating system and running software, which is crucial for maintaining system integrity and security.
Limitations and Considerations
Compatibility: Secure Boot can sometimes interfere with the installation of unsigned or custom operating systems and software. Users may need to disable Secure Boot to install certain distributions or drivers.
Management: For enterprises, managing the Secure Boot keys and signatures can be complex and requires careful handling to avoid inadvertently blocking legitimate software.
Firmware Dependency: Secure Boot relies on the firmware (UEFI) and requires support from the hardware and software being used.
Overall, Secure Boot is a valuable security feature that helps protect the integrity of the boot process, but it should be understood and managed carefully to balance security with compatibility needs.
Enter coreboot BIOS menu
The first step to enabling Secure Boot on the Vault is entering the BIOS menu.
Press or Hold the “Delete” key on your keyboard while the Boot Splash Screen is displayed
Navigate to the Device Manager
Press the down arrow on your keyboard until you reach the “Device Manager” option
Navigate to Secure Boot Configuration
Press the down arrow on your keyboard until you reach “Secure Boot Configuration,” then press Enter
Enable Secure Boot
Press the down arrow on your keyboard until you reach “Enable Secure Boot”
Press Space or Enter to enable Secure Boot
If successful, you will see the message: “Configuration changed, please reset the platform to take effect!”
Save
Press F10 on your keyboard to save, then press Y to confirm
Escape to the main menu
Press Esc on your keyboard two times to return to the main menu
Navigate to Reset
Press the down arrow key until “Reset” is selected, then press Enter to reset
Boot into Ubuntu to verify
If you would like to use Ubuntu to verify that Secure Boot is enabled, follow these steps.
Within Ubuntu, open a terminal window
Run command sudo mokutil --sb-state and press Enter
If prompted for a password, type in your password and press Enter
If Secure Boot is enabled, the terminal will display the following output: SecureBoot enabled
Lastly, run command sudo efi-readvar -v PK and press Enter
If “command not found” is displayed, install efitools with the command sudo apt install efitools and press Enter
If Secure Boot is enabled, the following output will be displayed:
Variable PK, length 1055
PK: List 0, type X509
Signature 0, size 1027, owner 8be4df61-93ca-11d2-aa0d-00e098032b8c
Subject:
C=PL, ST=Pomerania, L=Gdansk, O=3mdeb Sp. z o.o., CN=Dasharo PK, emailAddress=contact@dasharo.com
Issuer:
C=PL, ST=Pomerania, L=Gdansk, O=3mdeb Sp. z o.o., CN=Dasharo PK, emailAddress=contact@dasharo.com
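The efi-readvar output above is a summary of the raw PK variable, which the UEFI specification stores as a sequence of EFI_SIGNATURE_LIST structures (the same format used for KEK, db and dbx described in the Key Management section). The following parser is an added example, not part of this guide or of efitools; it builds a constructed PK variable with a 1011-byte placeholder in place of the real DER certificate so that the parsed sizes (1055-byte variable, 1027-byte signature) match the output shown above, and walks every list and entry while checking that the embedded sizes are consistent.

```python
import struct
import uuid

# GUIDs defined by the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_GLOBAL_VARIABLE_GUID = uuid.UUID("8be4df61-93ca-11d2-aa0d-00e098032b8c")
SIG_TYPES = {EFI_CERT_X509_GUID: "X509"}

def parse_signature_lists(data):
    """Walk a raw PK/KEK/db/dbx variable: each EFI_SIGNATURE_LIST has a
    28-byte header (type GUID, list size, header size, signature size),
    an optional signature header, then fixed-size EFI_SIGNATURE_DATA entries
    (16-byte owner GUID followed by the signature or certificate bytes)."""
    lists = []
    off = 0
    while off < len(data):
        if len(data) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < 28 + hdr_size or off + list_size > len(data):
            raise ValueError("inconsistent SignatureListSize")
        body = data[off + 28 + hdr_size:off + list_size]
        if sig_size < 16 or len(body) % sig_size:
            raise ValueError("inconsistent SignatureSize")
        sigs = []
        for i in range(0, len(body), sig_size):
            owner = uuid.UUID(bytes_le=body[i:i + 16])
            sigs.append({"owner": str(owner), "size": sig_size,
                         "data": body[i + 16:i + sig_size]})
        lists.append({"type": SIG_TYPES.get(sig_type, str(sig_type)),
                      "signatures": sigs})
        off += list_size
    return lists

def build_x509_list(owner, cert_der):
    """Construct one EFI_SIGNATURE_LIST holding a single X.509 entry."""
    sig_size = 16 + len(cert_der)
    header = EFI_CERT_X509_GUID.bytes_le + struct.pack("<III", 28 + sig_size, 0, sig_size)
    return header + owner.bytes_le + cert_der

# Constructed sample: a 1011-byte placeholder stands in for the DER certificate,
# so the parsed lengths match the efi-readvar output (1055 total, 1027 per entry).
SAMPLE_PK = build_x509_list(EFI_GLOBAL_VARIABLE_GUID, b"\x30\x82" + b"\x00" * 1009)

if __name__ == "__main__":
    print(f"Variable PK, length {len(SAMPLE_PK)}")
    for n, lst in enumerate(parse_signature_lists(SAMPLE_PK)):
        print(f"PK: List {n}, type {lst['type']}")
        for m, sig in enumerate(lst["signatures"]):
            print(f"  Signature {m}, size {sig['size']}, owner {sig['owner']}")
```

On a live system the same bytes can be read from /sys/firmware/efi/efivars/PK-8be4df61-93ca-11d2-aa0d-00e098032b8c after skipping the 4-byte attribute prefix that efivarfs prepends.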
Using Windows 11 to verify
(1) Within Windows 11, click on the Start button
(2) Type “System Information”
(3) Click on the icon for System Information
If Secure Boot is enabled, the value for “Secure Boot State” will be set to “On”