Updated: Oct 14, 2020
Most modern PCs come with a UEFI feature called "Secure Boot" enabled by default. In fact, if a manufacturer wants to put a Windows logo on its product, Windows' guidelines require Secure Boot to be enabled by default. Sadly, this means that while the Secure Boot option is turned on, it will prevent you from changing the default operating system to another operating system, say Linux. In fact, with Secure Boot enabled it won't even let you boot from an external USB drive.
Well, almost all of the time you can just navigate into the BIOS settings and toggle the Secure Boot option off.
What is Secure Boot?
Secure Boot is a UEFI BIOS feature for ensuring the integrity of the firmware and software running on a platform. It establishes a trust relationship between the UEFI BIOS and the programs that it will eventually launch, such as bootloaders, UEFI drivers, and utilities.
Once Secure Boot is enabled and configured, only software or firmware that is recognized by the BIOS can be launched. The BIOS does this by checking for a specific authentication key: it recognizes only software signed with approved keys, and only that firmware or software is allowed to execute on that particular system. Similarly, software signed with blacklisted keys, or anything else that is not recognized by the BIOS, isn't allowed to execute.
How does it work?
The Secure Boot mechanism relies on private/public key pairs to verify the authenticity of a particular piece of software or firmware before executing it. To properly understand the authentication part, we first need to know a bit about digital signatures.
The idea of a digital signature is to generate a pair of keys:
A private key, which is stored privately and kept secure by the originator.
A public key, which can be distributed freely.
The mathematical relationship between the private and public keys allows the digital signature of a message to be checked for authenticity. Only the public key is needed for the check: the message can be verified as having been signed by the private key without ever knowing the private key itself. A message cannot, however, be signed using the public key; only the private key is capable of signing the message properly.
One of the biggest advantages of digital signatures is that it is impractical, and mostly impossible, to work out the private key using only the public key. This allows the public key to be distributed freely without compromising the private key.
Some of the other details of Secure Boot
Now that you understand the basic concept of digital signatures, let's jump back to Secure Boot.
The Secure Boot technology consists of a collection of keys, categorized as follows:
Platform Key (PK)
Key Exchange Key (KEK)
Whitelist database (DB)
Blacklist database (DBX)
The Platform Key (PK) establishes a trust relationship between the platform owner and the firmware (UEFI BIOS) by controlling access to the Key Exchange Key database. There is a single Platform Key per platform, and the public portion of the Platform Key is installed into the system, typically during production. The private portion of the Platform Key is necessary for modifying the Key Exchange Key database.
The Key Exchange Key (KEK) database establishes a trust relationship between the firmware and the OS. It consists of a list of public keys that are checked to authorize modifications to the whitelist database or blacklist database. There can be multiple Key Exchange Keys per platform. The private portion of a Key Exchange Key is necessary for modifying the whitelist database or blacklist database.
The whitelist database (DB) is a list of public keys that are used to check the digital signature of a given piece of firmware or software. To illustrate the whitelist database, let's assume the system is booting and is about to execute the bootloader for selecting an OS to boot. The system will check the digital signature of the bootloader using the public keys in the whitelist database, and if this bootloader was signed with a corresponding private key, then the bootloader is allowed to execute. Otherwise, it is blocked as unauthorized.
The blacklist database (DBX) is a list of public keys known to correspond to malicious or unauthorized firmware or software. Any software signed with a corresponding private key from this database will be blocked.
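The signature check and the key databases described above can be modelled in a few lines. This is an added example, not code from the original article or from any firmware: it uses toy textbook RSA with constructed keys, treats DB, DBX and KEK as plain lists of public keys as the article does, and every function and key name in it is hypothetical.

```python
import hashlib

def keygen(p, q, e=65537):
    """Toy textbook-RSA key pair from two primes (illustration only)."""
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))  # (public, private)

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(private, data):
    n, d = private
    return pow(digest(data, n), d, n)  # requires the private exponent

def verify(public, data, sig):
    n, e = public
    return pow(sig, e, n) == digest(data, n)  # needs the public key only

def may_execute(image, sig, db, dbx):
    """Boot decision: a dbx match always blocks, otherwise a db match is required."""
    if any(verify(key, image, sig) for key in dbx):
        return False
    return any(verify(key, image, sig) for key in db)

def update_db(db, new_key, auth_sig, kek):
    """Return db plus new_key, but only if a Key Exchange Key signed the request."""
    if not any(verify(key, repr(new_key).encode(), auth_sig) for key in kek):
        raise PermissionError("update not signed by a Key Exchange Key")
    return db + [new_key]

# Constructed keys (Mersenne primes, far too small for real use) and image.
KEK_PUB, KEK_PRIV = keygen(2**61 - 1, 2**89 - 1)
VENDOR_PUB, VENDOR_PRIV = keygen(2**89 - 1, 2**107 - 1)
OTHER_PUB, OTHER_PRIV = keygen(2**107 - 1, 2**127 - 1)
BOOTLOADER = b"constructed bootloader image"

def demo():
    db, dbx = [VENDOR_PUB], []
    good, other = sign(VENDOR_PRIV, BOOTLOADER), sign(OTHER_PRIV, BOOTLOADER)
    auth = sign(KEK_PRIV, repr(OTHER_PUB).encode())  # KEK holder approves OTHER_PUB
    db2 = update_db(db, OTHER_PUB, auth, [KEK_PUB])
    return {
        "signed by db key": may_execute(BOOTLOADER, good, db, dbx),
        "tampered image": may_execute(BOOTLOADER + b"!", good, db, dbx),
        "unknown signer": may_execute(BOOTLOADER, other, db, dbx),
        "db key also in dbx": may_execute(BOOTLOADER, good, db, [VENDOR_PUB]),
        "unknown signer after KEK-signed db update": may_execute(BOOTLOADER, other, db2, dbx),
    }
if __name__ == "__main__":
    print(demo())
```

Note that a key listed in both databases is blocked: the blacklist check runs first and overrides the whitelist.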
Why is Secure Boot important?
Secure Boot can be very useful for preventing malicious attacks on your computer. Because it works on private/public key pair authentication, it prevents a malicious program from running on your PC if it is not listed in the whitelist database.
This also means, however, that almost every PC that comes with a pre-installed copy of Windows is locked to Windows while Secure Boot is turned on in the UEFI BIOS, and if you want to change your operating system you can't use the Secure Boot feature. There is, though, something called Linux Secure Boot, which is actually a Windows feature that allows some Linux distributions to boot under Hyper-V as Generation 2 virtual machines. Linux Secure Boot resolves an issue where non-Microsoft operating systems could not boot on computer platforms that use UEFI firmware.