Secure Boot

Secure Boot is a UEFI feature that prevents untrusted software from running during boot. Every component — bootloader, kernel, drivers — must be signed with a trusted key. This blocks bootkits (malware that infects the boot process before the OS loads) and ensures the system starts in a known-good state.

The Secure Boot Trust Chain

UEFI Secure Boot verification chain:

UEFI firmware
  |
  | checks signature using keys in UEFI db (Platform Key, Key Exchange Key)
  v
GRUB bootloader (signed by distro key or shim)
  |
  | checks signature on kernel
  v
Linux kernel (signed)
  |
  | checks signatures on kernel modules
  v
Running system

Keys involved:
PK  (Platform Key)                  - firmware vendor (ASUS/Dell/HP) or owner
KEK (Key Exchange Key)              - used to update db/dbx
db  (Signature Database)            - allowed signers (Microsoft + distro keys)
dbx (Forbidden Signature Database)  - revoked keys/hashes

shim — How Linux Distros Work with Secure Boot

Why do Linux distros use a "shim" bootloader? Microsoft signs shim — a thin first-stage bootloader. shim is signed with Microsoft's key (in UEFI db), so UEFI trusts it. shim then verifies GRUB using the distro's own key (embedded in shim). GRUB verifies the kernel. This chain means Linux works with Secure Boot without distros needing direct Microsoft approval for every kernel update.
Boot sequence with Secure Boot:

UEFI firmware checks: is /boot/efi/EFI/ubuntu/shimx64.efi signed by MS key?  YES
  |
shim (signed by Microsoft, contains Ubuntu's key) checks: is grubx64.efi signed by Ubuntu's key?  YES
  |
GRUB (signed by Ubuntu) checks: is vmlinuz signed by Ubuntu's key?  YES
  |
Linux kernel (signed, validates modules on load)

# Check if Secure Boot is active:
mokutil --sb-state
# SecureBoot enabled

# Or read the UEFI variable directly. efivarfs prepends 4 attribute bytes,
# so the value is the 5th byte: 1 = enabled, 0 = disabled
od -An -tu1 /sys/firmware/efi/efivars/SecureBoot-*

MOK — Machine Owner Key

How do you load custom kernel modules with Secure Boot enabled? Secure Boot requires all kernel modules to be signed. If you compile a custom module (e.g., VirtualBox, nvidia from source), you need to sign it with a key that the kernel trusts. MOK (Machine Owner Key) is a UEFI extension that lets you enroll your own key — without disabling Secure Boot.
# Enroll a custom key for signing modules (Ubuntu/Fedora):

# 1. Generate a key pair (-nodes leaves the private key unencrypted so sign-file can read it):
openssl req -new -x509 -newkey rsa:2048 -nodes -keyout MOK.priv \
    -outform DER -out MOK.der -days 36500 -subj "/CN=MyMOK/"

# 2. Enroll in MOK database:
mokutil --import MOK.der
# Enter a password — needed to confirm at next reboot
# Reboot → MOK Manager appears → Enroll Key → enter password

# 3. Sign a module (on Fedora/RHEL the script lives under /usr/src/kernels/$(uname -r)/scripts/):
/usr/src/linux-headers-$(uname -r)/scripts/sign-file \
    sha256 MOK.priv MOK.der my_module.ko

# 4. Load the module:
insmod my_module.ko    # now loads with Secure Boot active

# List enrolled MOK keys:
mokutil --list-enrolled

# View kernel's trusted keys (MOKs + built-in):
keyctl list %:.machine
# The .machine keyring exists on kernels 5.18 and later; on older kernels
# inspect %:.platform and %:.secondary_trusted_keys instead
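The signature that sign-file appends is what the kernel checks at insmod time, so a defender can tell a signed module from an unsigned one without loading it. The following is an added example (not from the original page and not part of the kernel's own tooling) that parses the appended trailer: the 12-byte struct module_signature followed by the magic string "~Module signature appended~\n". The sample module bytes and the fake DER blob are constructed inline and are not a real ELF image or a real signature.

```python
import struct
from typing import Optional

# Trailer magic that the kernel looks for at the very end of a signed .ko
MODULE_SIG_MAGIC = b"~Module signature appended~\n"
# struct module_signature (include/linux/module_signature.h):
#   u8 algo, hash, id_type, signer_len, key_id_len, __pad[3]; __be32 sig_len;
SIG_STRUCT = struct.Struct(">BBBBB3sI")
PKEY_ID_PKCS7 = 2   # id_type written by scripts/sign-file


def parse_module_signature(ko: bytes) -> Optional[dict]:
    """Return the fields of the appended signature, or None if the image is unsigned.

    Raises ValueError when the trailer is present but inconsistent, which is the
    case the kernel rejects outright (it does not fall back to treating it as unsigned).
    """
    if not ko.endswith(MODULE_SIG_MAGIC):
        return None
    body = ko[: -len(MODULE_SIG_MAGIC)]
    if len(body) < SIG_STRUCT.size:
        raise ValueError("truncated module signature trailer")
    algo, hash_alg, id_type, signer_len, key_id_len, _pad, sig_len = SIG_STRUCT.unpack(
        body[-SIG_STRUCT.size:]
    )
    body = body[: -SIG_STRUCT.size]
    total = signer_len + key_id_len + sig_len
    if total > len(body):
        raise ValueError("signature lengths exceed module size")
    payload_len = len(body) - total
    signer = body[payload_len: payload_len + signer_len]
    key_id = body[payload_len + signer_len: payload_len + signer_len + key_id_len]
    signature = body[len(body) - sig_len:]
    if id_type == PKEY_ID_PKCS7 and (algo or hash_alg or signer_len or key_id_len):
        # For PKCS#7 the kernel requires these to be zero; everything lives in the PKCS#7 blob
        raise ValueError("malformed PKCS#7 trailer")
    return {
        "id_type": id_type,
        "pkcs7": id_type == PKEY_ID_PKCS7,
        "sig_len": sig_len,
        "signature": signature,
        "signer": signer,
        "key_id": key_id,
        "payload_len": payload_len,
    }


def build_sample_module(payload: bytes, pkcs7_blob: bytes) -> bytes:
    """Append a sign-file style trailer to a payload (used here only to construct test input)."""
    trailer = SIG_STRUCT.pack(0, 0, PKEY_ID_PKCS7, 0, 0, b"\0\0\0", len(pkcs7_blob))
    return payload + pkcs7_blob + trailer + MODULE_SIG_MAGIC


def describe(ko: bytes) -> str:
    """One-line summary suitable for an inventory of modules on a Secure Boot host."""
    info = parse_module_signature(ko)
    if info is None:
        return "unsigned"
    kind = "PKCS#7" if info["pkcs7"] else f"id_type {info['id_type']}"
    return f"signed ({kind}, {info['sig_len']}-byte signature over {info['payload_len']} bytes)"


# Constructed sample: not a real ELF module and not a real signature
SAMPLE_PAYLOAD = b"\x7fELF" + b"\x00" * 60
SAMPLE_SIG = b"\x30\x82\x01\x00" + b"\xaa" * 20    # only looks like a DER SEQUENCE header
SAMPLE_SIGNED = build_sample_module(SAMPLE_PAYLOAD, SAMPLE_SIG)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_SIGNED
    print(describe(data))
```

Run it with a path to any .ko to see whether a trailer is present; the parser only reports what the trailer claims and does not verify the PKCS#7 signature itself, which is the kernel's job against its trusted keyrings.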

Managing Secure Boot

# Check Secure Boot variables from Linux (efi-readvar is in the efitools package):
efi-readvar -v PK     # Platform Key
efi-readvar -v KEK    # Key Exchange Key
efi-readvar -v db     # Allowed signers
efi-readvar -v dbx    # Revoked keys

# Verify a signed EFI binary against a PEM certificate of the expected signer (sbsigntool package):
sbverify --cert /usr/share/ca-certificates/... grubx64.efi

# Check if GRUB and kernel are signed (prints the Authenticode signatures):
pesign -S -i /boot/efi/EFI/ubuntu/grubx64.efi

# When Secure Boot causes problems:
# Symptom: "Required key not available" when loading a module
# Fix options:
#   1. Sign the module (see MOK section above)
#   2. Disable Secure Boot in UEFI settings (reduces security)
#   3. Use distribution-provided signed version

# Fedora/RHEL: check module signing:
modinfo my_module | grep sig
# sig_id:  PKCS#7
# signer:  Fedora kernel signing key
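Both the Secure Boot state check in the boot-sequence section and the PK/KEK/db/dbx listings above come from UEFI variables exposed through efivarfs. The example below is added here and is not code from the original page or from efitools; it reads the same variables directly and decodes them: the one-byte SecureBoot and SetupMode flags (a system in setup mode is not enforcing even if SecureBoot reads 1), and the EFI_SIGNATURE_LIST chain that db and dbx contain, so revoked hashes and trusted certificates can be enumerated without efi-readvar. The sample db/dbx bytes, owner GUID and certificate placeholder are constructed inline and do not come from any real firmware.

```python
import struct
import uuid
from pathlib import Path

EFIVARS = Path("/sys/firmware/efi/efivars")
# Vendor GUIDs that form part of the efivarfs file name
EFI_GLOBAL_VARIABLE = "8be4df61-93ca-11d2-aa0d-00e098032b8c"         # SecureBoot, SetupMode, PK, KEK
EFI_IMAGE_SECURITY_DATABASE = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"  # db, dbx

# SignatureType GUIDs of the two entry kinds normally found in db/dbx
EFI_CERT_X509 = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256 = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
SIG_TYPE_NAMES = {EFI_CERT_X509: "X509", EFI_CERT_SHA256: "SHA256"}

SIG_LIST_HDR = struct.Struct("<III")        # SignatureListSize, SignatureHeaderSize, SignatureSize
SIG_LIST_HDR_LEN = 16 + SIG_LIST_HDR.size   # SignatureType GUID + the three sizes = 28 bytes


def read_var(name: str, vendor_guid: str) -> bytes:
    """Raw efivarfs contents: 4 attribute bytes followed by the variable data."""
    return (EFIVARS / f"{name}-{vendor_guid}").read_bytes()


def parse_flag_var(raw: bytes) -> bool:
    """SecureBoot and SetupMode are single-byte variables after the 4 attribute bytes."""
    if len(raw) < 5:
        raise ValueError("variable too short to hold attributes plus a flag byte")
    return raw[4] == 1


def secure_boot_status(secureboot_raw: bytes, setupmode_raw: bytes) -> str:
    """SecureBoot=1 alone is not enough: in setup mode the firmware does not enforce."""
    enabled = parse_flag_var(secureboot_raw)
    if parse_flag_var(setupmode_raw):
        return "setup mode (not enforcing)"
    return "enforcing" if enabled else "disabled"


def parse_signature_lists(raw: bytes, has_attrs: bool = True) -> list:
    """Walk the EFI_SIGNATURE_LIST chain of db/dbx/KEK/PK and return one dict per entry."""
    data = raw[4:] if has_attrs else raw
    entries, off = [], 0
    while off < len(data):
        if len(data) - off < SIG_LIST_HDR_LEN:
            raise ValueError(f"truncated EFI_SIGNATURE_LIST header at offset {off}")
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = SIG_LIST_HDR.unpack_from(data, off + 16)
        if list_size < SIG_LIST_HDR_LEN or off + list_size > len(data):
            raise ValueError(f"bad SignatureListSize {list_size} at offset {off}")
        body_start = off + SIG_LIST_HDR_LEN + hdr_size
        body_end = off + list_size
        # Each EFI_SIGNATURE_DATA is SignatureOwner GUID (16 bytes) + SignatureData
        if sig_size <= 16 or body_start > body_end or (body_end - body_start) % sig_size:
            raise ValueError(f"bad SignatureSize {sig_size} at offset {off}")
        for p in range(body_start, body_end, sig_size):
            entries.append({
                "type": SIG_TYPE_NAMES.get(sig_type, str(sig_type)),
                "owner": str(uuid.UUID(bytes_le=data[p:p + 16])),
                "data": data[p + 16:p + sig_size],
            })
        off += list_size
    return entries


def build_signature_list(sig_type: uuid.UUID, owner: uuid.UUID, sigs: list) -> bytes:
    """Serialise one EFI_SIGNATURE_LIST (used here only to construct sample input)."""
    sig_size = 16 + len(sigs[0])
    out = sig_type.bytes_le + SIG_LIST_HDR.pack(SIG_LIST_HDR_LEN + sig_size * len(sigs), 0, sig_size)
    for s in sigs:
        out += owner.bytes_le + s
    return out


# Constructed sample data (not from any real firmware): a dbx with two hashes, a db with one cert
SAMPLE_OWNER = uuid.UUID("12345678-1234-5678-1234-567812345678")
SAMPLE_HASH_1 = bytes(range(32))
SAMPLE_HASH_2 = bytes(32)
SAMPLE_CERT = b"\x30\x82\x00\x24" + b"\xcc" * 36   # placeholder, not a real DER certificate
ATTRS = b"\x07\x00\x00\x00"                       # NV + BS + RT, as efivarfs reports for db/dbx
SAMPLE_DBX = ATTRS + build_signature_list(EFI_CERT_SHA256, SAMPLE_OWNER, [SAMPLE_HASH_1, SAMPLE_HASH_2])
SAMPLE_DB = ATTRS + build_signature_list(EFI_CERT_X509, SAMPLE_OWNER, [SAMPLE_CERT])

if __name__ == "__main__":
    if EFIVARS.is_dir():
        print("Secure Boot:", secure_boot_status(read_var("SecureBoot", EFI_GLOBAL_VARIABLE),
                                                 read_var("SetupMode", EFI_GLOBAL_VARIABLE)))
        for e in parse_signature_lists(read_var("dbx", EFI_IMAGE_SECURITY_DATABASE)):
            print(e["type"], e["owner"], e["data"].hex()[:32])
    else:
        for e in parse_signature_lists(SAMPLE_DBX) + parse_signature_lists(SAMPLE_DB):
            print(e["type"], e["owner"], len(e["data"]), "bytes")
```

On a live UEFI system the script needs read access to efivarfs (normally root); without it, or on a non-UEFI machine, it falls back to the constructed samples. Every length field is bounds-checked before use, because a firmware-supplied variable is untrusted input to the parser.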
