Secure Boot is a security standard defined by the UEFI Forum that ensures a device boots using only software that is trusted by the Original Equipment Manufacturer (OEM). When the system starts, the firmware verifies the digital signature of each boot component—including UEFI drivers, EFI applications, and the operating system bootloader—against a database of authorized keys stored in non-volatile memory. Any component whose signature is missing or invalid is blocked from execution, preventing rootkits and bootkits from compromising the system before the OS kernel loads.
Glossary
Secure Boot

What is Secure Boot?
Secure Boot is a fundamental platform security standard that establishes an immutable chain of trust from firmware to operating system, ensuring only cryptographically signed software executes during the boot process.
The process relies on a hardware root of trust anchored in the platform's firmware, which contains the Platform Key (PK) and Key Exchange Key (KEK) databases. These keys validate the signature database (db) of authorized binaries and the forbidden signature database (dbx) of explicitly revoked software. This mechanism is foundational to measured boot and remote attestation workflows, as it guarantees the integrity of the initial computing environment before any sensitive workloads or Trusted Execution Environments are initialized.
Key Features of Secure Boot
Secure Boot establishes a cryptographic chain of trust from firmware to the operating system, ensuring only authenticated code executes during the boot process.
Cryptographic Signature Verification
Every boot component—from UEFI firmware to OS bootloader—must be signed with a private key. The firmware verifies each signature against a database of authorized public keys before execution.
- Uses RSA-2048 or ECDSA asymmetric cryptography
- Signature database stored in db (authorized) and dbx (revoked) variables
- Prevents bootkits and rootkits from injecting malicious code before the OS loads
Platform Key (PK) Hierarchy
The Platform Key sits at the root of the Secure Boot trust hierarchy. The platform owner uses it to sign the Key Exchange Key (KEK), which in turn signs the authorized signature databases.
- PK is typically enrolled during manufacturing or by the device owner
- KEK separates OS vendor keys from platform owner control
- Enables multi-stakeholder trust without sharing root secrets
Hardware Root of Trust Integration
Secure Boot anchors its trust chain in an immutable hardware root of trust, typically a Trusted Platform Module (TPM) or on-die ROM. This ensures the initial firmware cannot be tampered with.
- First-stage bootloader stored in write-protected ROM
- TPM Platform Configuration Registers (PCRs) record boot measurements
- Enables remote attestation of the boot state to external verifiers
Revocation and Blacklisting
The dbx (forbidden signatures database) allows immediate revocation of compromised bootloaders or drivers. When a critical vulnerability like BlackLotus or BootHole is discovered, updated dbx entries prevent exploitation.
- Revoked hashes and certificates block known-malicious binaries
- Timestamp-based revocation prevents rollback to vulnerable versions
- UEFI Capsule Updates deliver revocation lists securely
Measured Boot Integration
While Secure Boot enforces execution policy, Measured Boot records cryptographic hashes of every loaded component into TPM PCRs. Together they provide both enforcement and auditability.
- Each boot stage extends a PCR with its hash before executing the next
- Logs stored in the Event Log for post-boot verification
- Enables trusted computing attestation workflows for enterprise device compliance
Frequently Asked Questions
Clear, technically precise answers to the most common questions about the Secure Boot standard, its cryptographic mechanisms, and its role in establishing a hardware-rooted chain of trust for modern computing platforms.
Secure Boot is a firmware-based security standard that ensures a device boots using only software that is trusted by the Original Equipment Manufacturer (OEM). When the platform powers on, the UEFI firmware verifies the digital signature of each piece of boot software—including the bootloader, OS kernel, and drivers—against a database of authorized keys stored in non-volatile RAM. The process establishes a hardware-rooted chain of trust that begins with the platform's immutable key store. If any component's signature fails verification or has been revoked, the firmware halts the boot process, preventing the execution of unauthorized or tampered code. This mechanism is critical for defending against bootkits and rootkits that attempt to inject malicious code before the operating system's security defenses load.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Secure Boot is the first link in a hardware-rooted chain of trust. These related concepts define the broader ecosystem of platform integrity, cryptographic verification, and confidential computing that builds upon a verified boot process.
Hardware Root of Trust
A physically immutable, inherently trusted source within a computing platform that serves as the foundation for all subsequent security operations. It is the absolute anchor for Secure Boot, providing the first unalterable code executed at power-on.
- Typically embedded in ROM or one-time programmable fuses
- Stores the root key used to verify the initial bootloader's digital signature
- Any compromise of the root of trust invalidates the entire chain of trust
Measured Boot
A process that cryptographically measures and logs each component of the boot chain into a Platform Configuration Register (PCR) within a TPM. Unlike Secure Boot, which enforces policy by halting on failure, Measured Boot records the exact state for later remote verification.
- Stores SHA-256 hashes of firmware, bootloader, and OS kernel
- Enables Remote Attestation to prove boot integrity to a third party
- Does not stop an untrusted component from loading; it records the fact that it did
Attestation
The process by which a Trusted Execution Environment generates a cryptographically signed report proving its identity, integrity, and that it is running specific code on genuine hardware. Secure Boot establishes the clean state that attestation then verifies to a remote relying party.
- Binds the platform's identity to a specific software hash
- Prevents replay attacks with fresh nonces from the verifier
- Forms the basis for Secure Provisioning of secrets into verified enclaves
Trusted Platform Module (TPM)
A dedicated microcontroller designed to secure hardware through integrated cryptographic keys. The TPM stores the authorized signature database that Secure Boot consults during verification and provides the PCRs used by Measured Boot.
- Compliant with ISO/IEC 11889 standard
- Securely stores platform measurements in shielded locations
- Performs key generation, encryption, and digital signing operations
Chain of Trust
A hierarchical sequence of validation where each component in a system is authenticated by the preceding component, beginning with the immutable Hardware Root of Trust and extending through firmware, bootloader, OS kernel, and ultimately to the application layer.
- Secure Boot enforces the first critical links in this chain
- A break at any single link compromises all subsequent layers
- Extends into user space with technologies like Code Transparency
Trusted Computing Base (TCB)
The set of all hardware, firmware, and software components that are critical to a system's security. A vulnerability in any TCB element can compromise the entire system. Secure Boot's role is to minimize and verify the early boot TCB.
- Includes the CPU, firmware, bootloader, and hypervisor
- A smaller TCB reduces the attack surface for Side-Channel Attacks
- Confidential computing aims to shrink the TCB by removing the host OS

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us