Contents
- 1 Overview
- 2 Who this applies to
- 3 Why the secure boot mode option was created
- 4 The secure mode operation design
- 5 The secure mode operation while booting
- 6 CPU board manufacturer requirements
- 7 The requirement to enable secure boot
- 8 References and documents
- 9 Support history from the secure boot upgrade
- 10 Common issues with TPM
- 11 Clarification conclusion
Overview
Secure boot was created to protect the operating system (OS). The Linux community did not like the secure boot upgrade, because the end user would have to disable secure boot and then install Linux. This was because computers were not manufactured with the TPM Linux distribution signatures preinstalled. The Linux distribution developers would have to sign the bootloader, kernel, and drivers. This also created the need for more documentation on how to successfully install a Linux distribution on computers without Linux distribution signatures. This wiki entry will hopefully bring some clarity to users in the Linux community about the secure boot implementation and its impact on Linux. The purpose of enabling secure boot is to keep the OS secure from rootkits, keyloggers, and malware. Secure boot protects the end user from threats to security and/or privacy. The secure boot feature stops the OS from booting when it detects invalid signatures.
Who this applies to
This wiki does not apply to your computer if it was manufactured before 2009. If your computer was manufactured in 2009 or later, you may have a Trusted Platform Module (TPM) chip, and this wiki can apply to your computer. Computers with a TPM chip version 1.0 started to appear in 2009. This chip was soon updated to TPM version 1.1 in 2011. The next major update to TPM chips was version 2.0, which came out in 2014. This has been considered the new standard since 2016. The TPM chip ensures that the boot processes of your PC cannot be modified without your knowledge. If you would like to learn more about TPM, please check out the reference links below.
Reference links:
Intel - https://www.intel.com/content/www/us/en/business/enterprise-computers/resources/trusted-platform-module.html
Wikipedia - https://en.wikipedia.org/wiki/Trusted_Platform_Module
Why the secure boot mode option was created
Extensible Firmware Interface (EFI) was developed in the mid-1990s. In 2004, Intel released the first open source Unified Extensible Firmware Interface (UEFI) implementation. Then EFI was transitioned to UEFI in 2005. Several root vulnerabilities were found and exposed in the computer BIOS that allowed the booting OS to be compromised. This left the OS kernel and hardware drivers exposed. Eventually, even more vulnerabilities in the system were discovered, making it hard to keep the OS secure and protected from exploits. It was clear that the time had come to improve upon UEFI with an emphasis on making the process even more secure. Then the Trusted Platform Module (TPM) was developed. This was not enough, and TPM was updated to make secure boot mode possible. Secure boot was implemented in the BIOS using the TPM chip. This would allow authentication of the OS from a signed bootloader, kernel, and drivers. This affected the Linux community because only limited documentation was available when secure boot came out. This is why we have so many issues with secure boot. The Linux community has been working hard for years now to learn and implement secure boot on the OS.
The secure mode operation design
Secure boot mode is designed to authenticate the OS against a list of authorized operating systems in the TPM chip. By default, if a signature is in the "blocked" list, the computer will stop booting and indicate that an invalid signature has been detected. Secure boot mode operation is meant to validate three areas while booting the OS: authentication is performed by checking the bootloader, kernel, and kernel drivers on booting. If any of these areas fails authentication, the system will stop booting. This design creates a secure boot environment. If the bootloader, kernel, or its drivers are modified, the signature is marked invalid and the system stops booting. The invalid signatures are also installed when a firmware update updates the UEFI firmware. Any OS without a valid signature is also blocked. This presents a challenge during the development of an OS, but is required to maintain OS security.
The secure mode operation while booting
Secure mode authenticates the system from the installed signatures. Here is how the process works.
- Validate bootloader and proceed if validated.
- Validate kernel and proceed if validated.
- Validate every hardware driver while booting and stop if a signature is missing or invalid. Otherwise proceed.
If everything is successful, the OS will boot as expected.
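The validation order above can be modelled in a few lines. This is an added example, not code from this wiki or from any firmware: it is a simplified model in which SHA-256 digests stand in for the real signature check, and the names `ALLOWED`, `BLOCKED`, `check_image` and `secure_boot` are hypothetical.

```python
from __future__ import annotations
import hashlib
from dataclasses import dataclass
from typing import Optional

@dataclass
class BootResult:
    booted: bool
    stopped_at: Optional[str]  # stage that failed, None if the boot completed
    reason: Optional[str]

def digest(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()

def check_image(image: bytes, allowed: set[str], blocked: set[str]) -> Optional[str]:
    """Return None if the image may run, otherwise the reason it is refused."""
    h = digest(image)
    if h in blocked:       # the blocked list is checked first and always wins
        return "signature is on the blocked list"
    if h not in allowed:   # unknown or modified images have no valid entry
        return "no valid signature"
    return None

def secure_boot(chain, allowed: set[str], blocked: set[str]) -> BootResult:
    """chain: ordered (stage, image) pairs: bootloader, kernel, then drivers."""
    for stage, image in chain:
        reason = check_image(image, allowed, blocked)
        if reason:         # stop at the first stage that fails validation
            return BootResult(False, stage, reason)
    return BootResult(True, None, None)

# Constructed sample images (not real boot components)
BOOTLOADER = b"constructed bootloader image"
KERNEL = b"constructed kernel image"
DRIVER_GPU = b"constructed gpu driver"
DRIVER_OLD = b"constructed driver revoked by a firmware update"
ALLOWED = {digest(x) for x in (BOOTLOADER, KERNEL, DRIVER_GPU, DRIVER_OLD)}
BLOCKED = {digest(DRIVER_OLD)}

def demo() -> list[BootResult]:
    good = [("bootloader", BOOTLOADER), ("kernel", KERNEL), ("driver:gpu", DRIVER_GPU)]
    tampered = [good[0], ("kernel", KERNEL + b"\x00"), good[2]]  # one byte appended
    revoked = good + [("driver:old", DRIVER_OLD)]
    return [secure_boot(c, ALLOWED, BLOCKED) for c in (good, tampered, revoked)]

if __name__ == "__main__":
    for result in demo():
        print(result)
```

The third chain shows why the blocked list is consulted before the authorized list: the old driver is still on the authorized list, yet the boot stops at that driver.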
CPU board manufacturer requirements
CPU board manufacturers are required to follow fair trade laws. This means that no company can be biased and that all OS vendors share equal rights. All manufacturers have a standard to follow that is strictly monitored. There are a few types of CPU boards on the market that must comply with personal data security. The types below either allow secure boot to be disabled, do not allow it, or make it optional for custom manufactured computers.
- Personal end user home computers: these can have secure boot disabled.
- Business to Government computers: in order to maintain data security, these cannot have secure boot mode disabled.
- Custom manufactured computers specifically made for a company: these allow the option to "disable secure boot options" at the request of the business customer.
The documentation for the UEFI firmware is required to be made available to all OS vendors. This documentation shall have all commands required for UEFI firmware updates. The currently installed OS owns the updating of the firmware. If you have a dual-boot or multi-boot system, then each OS shares ownership rights.
The requirement to enable secure boot
The requirements to successfully enable secure boot mode on an OS are:
- An extended validation (EV) certificate issued by a Certificate Authority (CA) from a certificate signing request (CSR), together with a private key and a public key. You generate these and submit the required CSR and key to the secure certificate provider of your choice. The certificate is meant for code signing. The EV certificate must come from the domain or organization that requests it to be verified.
- Tools for using the signed certificate returned by the SSL provider. Remember that you should have the valid signed certificate, a private key (which must have a strong password and be kept secure), and a public key.
- The OS must be able to install the certificate and public key on the computer.
- The boot image, kernel, and drivers must be signed using the certificate.
- The computer must have a TPM chip.
References and documents
UEFI.org documents in PDF file format
UEFI information - UEFI Secure Boot in Modern Computer Security Solutions 2013.pdf
The Microsoft KEK is expiring because its certificate expires on 10/19/2026. This means there will be another secure boot update coming for current and new computers. Here is the link to the PDF document: Evolving the Secure Boot Ecosystem 9/12/2023
Other links
To learn more about the UEFI and secure boot visit the uefi.org website.
Secure Boot in the Debian wiki
Support history from the secure boot upgrade
Visit this link to see recent issues related to secure boot.
https://forums.mageia.org/en/search.php?keywords=secure+boot&fid%5B0%5D=7
Common issues with TPM
Dual or multi-boot is harder to work with when you want to boot Windows and Linux. It can be even harder with Windows, Linux, and another OS. If the Linux distro does not support running with secure boot enabled and the computer has a TPM, you would need to enable legacy mode and disable secure boot. This is the only way to dual or multi-boot with Windows. This will slow down the boot process and disable all BIOS protection. It will also disable any hardware improved features until the OS has booted. Remember that, if you need this kind of environment, you will need to reinstall Windows and any other operating systems you wish to dual or multi-boot. This method is not recommended, as it opens a security risk of malware infecting or modifying your computer.
Clarification conclusion
Again, this article will hopefully bring some clarity to the confusion caused by the secure boot updates and its impact on Linux. I hope you learned the importance of the secure boot and why we need it. We need to maintain stable and secure Linux distributions for all users. I will be creating a "How to" and linking it to this wiki when I am finished.