What is Secure Boot?
Secure Boot is a computer security feature that only allows validated programs to run during computer start-up. It ensures that unauthorized programs, specifically malicious rootkits, do not run at start-up to bypass anti-virus detection. The feature is mandatory for installing the latest operating system, Windows 11, since it is part of the UEFI (Unified Extensible Firmware Interface) BIOS prerequisites for Windows 11 installation. It is not a requirement for older versions of Windows, like Windows 10 IoT 2021 LTSC, but it is necessary for industrial enterprise applications.
How does Secure Boot Work?
Since Secure Boot is a protocol within the UEFI BIOS, it runs on every computer start-up. It works hand-in-hand with the TPM (Trusted Platform Module), which is also a prerequisite for Windows 11 installation. In summary, TPM 2.0 is a hardware-based security component that provides additional data protection where software-based security lacks the capability. This process prevents the computer from booting if the hardware has been tampered with or if unauthorized programs, such as malicious software, are executed. Secure Boot is another layer of data security and protection that ensures only digitally signed and certified programs are launched. There are three main databases that we are going to look at: the signature database (DB), the revoked signature database (DBX), and the key enrollment database (KEK).
- Signature Database (DB) – The signature database contains the public keys and certificates of trusted firmware components, operating system bootloaders (such as the Microsoft operating system loader), UEFI applications, and UEFI drivers.
- Revoked Signature Database (DBX) – The revoked signature database contains hashes of malicious and vulnerable components, compromised keys, and compromised certificates, blocking them from being executed to protect your system.
- Platform Key (PK) – The platform key establishes a trust relationship between the system owner and the firmware in the BIOS, controlling access to the KEK database.
- Key Exchange Key (KEK) – The key exchange key is a database that establishes a relationship of trust between the operating system and the firmware. The KEK contains a list of public keys that can be checked when modifying the whitelist database (DB) or the revoked signature database (DBX). A single platform can have multiple KEKs.
Why is it useful for Industrial Edge Applications?
With the world seeing a rise in cyberattacks, it is crucial that enterprises take every precaution possible to deter and prevent their valuable data from being tampered with. Tier-one companies such as Microsoft, AMD, and Intel have developed their own methods to enhance protection against malware. Microsoft launched Windows 11 with TPM 2.0 and Secure Boot requirements, and the leading semiconductor giants, Intel and AMD, have developed their own versions of firmware TPM (fTPM). TPM is considered a legacy component that was primarily utilized by enterprises that handled sensitive data. Nowadays, TPM 2.0 is included and almost mandatory for industrial edge computers due to this increase in cyberattacks.
What is the difference between Secure Boot and TPM 2.0?
Secure Boot is a simple preventive feature that is enabled through the UEFI BIOS. Its role is to allow only validated and digitally signed software to launch, for example the matching operating system and other start-up applications such as anti-malware programs. TPM 2.0, however, acts as a vault that stores and encrypts the sensitive digital keys and certificates needed to boot the system. If the TPM detects a new hard drive or an incorrect operating system license, it will not allow the computer to boot further. Secure Boot, by contrast, acts as a security checkpoint that only gives access to validated start-up programs.
What are some disadvantages/downsides of Secure Boot?
Secure Boot can be a minor hassle when trying to boot unauthorized software such as a different operating system, or when dual-booting. To proceed with a dual-boot, Secure Boot must be disabled, but rest assured, Ubuntu supports Secure Boot with dual-boot setups. If you needed to disable Secure Boot for a dual-boot setup, reinstall Ubuntu and Secure Boot can be re-enabled. This minimal downside should not be an influential factor in giving up the benefits and security of Secure Boot.
How to enable Secure Boot for Windows 11?
First, check whether Secure Boot is already enabled. Search for ‘msinfo32’ in the Windows search menu, then look for the item ‘Secure Boot State’. If it says ON, Secure Boot is already enabled. If it says OFF, it can be enabled in the UEFI BIOS; refer to your motherboard manual to navigate the UEFI BIOS and enable Secure Boot, then check the Secure Boot State again. If Secure Boot needs to be disabled, simply enter the UEFI BIOS and disable it. It is highly encouraged to leave Secure Boot enabled, as it has little to no effect on performance or compatibility, but disabling Secure Boot is not mandatory. If the end user never downloads a rootkit or any other malicious program, Secure Boot is not needed for computer usage.
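As an added example (not code from the original article or from any vendor), the PowerShell script below performs the msinfo32 check above from the command line and then reads the PK, KEK, DB and DBX variables described in the "How does Secure Boot Work?" section, parsing the EFI_SIGNATURE_LIST structures they contain so you can see which certificates and revoked hashes the firmware actually trusts. It assumes a Windows system booted in UEFI mode and an elevated PowerShell prompt; Confirm-SecureBootUEFI and Get-SecureBootUEFI are built-in Windows cmdlets, and the two signature-type GUIDs are the values defined in the UEFI specification. The function names Get-SecureBootStatus and Read-SignatureList are this example's own.

```powershell
# Added example, not part of the original article.
# Assumes: Windows booted in UEFI mode, run from an elevated (Administrator) PowerShell prompt.
# Confirm-SecureBootUEFI / Get-SecureBootUEFI are built-in Windows cmdlets.

# Signature-type GUIDs from the UEFI specification (EFI_SIGNATURE_LIST.SignatureType)
$EFI_CERT_X509_GUID   = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'
$EFI_CERT_SHA256_GUID = [guid]'c1c41626-504c-4092-aca9-41f936934328'

function Get-SecureBootStatus {
    # Command-line equivalent of the 'Secure Boot State' item in msinfo32.
    try {
        if (Confirm-SecureBootUEFI) { 'ON' } else { 'OFF' }
    } catch [System.PlatformNotSupportedException] {
        'Unsupported (legacy BIOS boot or no UEFI firmware)'
    }
}

function Read-SignatureList {
    param([Parameter(Mandatory)][byte[]]$Bytes)
    # A Secure Boot variable is a sequence of EFI_SIGNATURE_LIST structures:
    #   GUID SignatureType (16) | UINT32 SignatureListSize | UINT32 SignatureHeaderSize
    #   | UINT32 SignatureSize | SignatureHeader | EFI_SIGNATURE_DATA entries
    # Each EFI_SIGNATURE_DATA is: GUID SignatureOwner (16) | SignatureData (cert DER or hash)
    $offset = 0
    while ($offset + 28 -le $Bytes.Length) {
        $type       = [guid]::new([byte[]]$Bytes[$offset..($offset + 15)])
        $listSize   = [int][BitConverter]::ToUInt32($Bytes, $offset + 16)
        $headerSize = [int][BitConverter]::ToUInt32($Bytes, $offset + 20)
        $sigSize    = [int][BitConverter]::ToUInt32($Bytes, $offset + 24)
        if ($listSize -lt 28 -or $sigSize -le 16) { throw "Malformed EFI_SIGNATURE_LIST at offset $offset" }
        $entry = $offset + 28 + $headerSize
        $end   = $offset + $listSize
        while ($entry + $sigSize -le $end) {
            $owner = [guid]::new([byte[]]$Bytes[$entry..($entry + 15)])
            $data  = [byte[]]$Bytes[($entry + 16)..($entry + $sigSize - 1)]
            if ($type -eq $EFI_CERT_X509_GUID) {
                # DB, KEK and PK entries are normally X.509 certificates in DER form
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($data)
                [pscustomobject]@{ Kind = 'X509'; Owner = $owner; Subject = $cert.Subject; Thumbprint = $cert.Thumbprint; NotAfter = $cert.NotAfter }
            } elseif ($type -eq $EFI_CERT_SHA256_GUID) {
                # DBX entries are mostly SHA-256 hashes of revoked binaries
                $hex = [BitConverter]::ToString($data) -replace '-', ''
                [pscustomobject]@{ Kind = 'SHA256'; Owner = $owner; Subject = $hex; Thumbprint = $null; NotAfter = $null }
            } else {
                [pscustomobject]@{ Kind = $type.ToString(); Owner = $owner; Subject = "$($data.Length) bytes"; Thumbprint = $null; NotAfter = $null }
            }
            $entry += $sigSize
        }
        $offset = $end
    }
}

"Secure Boot State: $(Get-SecureBootStatus)"
foreach ($name in 'PK', 'KEK', 'db', 'dbx') {
    try {
        $entries = @(Read-SignatureList -Bytes (Get-SecureBootUEFI -Name $name).Bytes)
    } catch {
        "$name : not readable ($($_.Exception.Message))"
        continue
    }
    "$name : $($entries.Count) entries"
    $certs = @($entries | Where-Object Kind -eq 'X509')
    if ($certs.Count) { $certs | Format-Table Subject, Thumbprint, NotAfter -AutoSize | Out-String }
    $hashes = @($entries | Where-Object Kind -eq 'SHA256')
    if ($hashes.Count) { "  $($hashes.Count) revoked SHA-256 hashes (first: $($hashes[0].Subject))" }
}
```

Run it before and after changing the BIOS setting to confirm the state actually changed. The certificate listing is the practical check behind the DB/KEK/PK descriptions: a certificate in DB or KEK that you or the board vendor did not enroll, or a DBX that is far smaller than the revocation list Microsoft currently publishes, is worth raising with the motherboard or system vendor before the machine is deployed.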