What is Secure Boot and why should you have it enabled on your PC?

    13 Nov 2021

    What is Secure Boot and why should you have it enabled on your PC?

    /
    Posted By

    Read time: 4 minutes

    Protecting your online environment in today’s world has never been more necessary. COVID-19 has caused many organizations to rethink how they secure their network and Internet of Things (IoT) devices within that network. To begin the process of protecting IoT devices and Personal Computers in your network, you can start with Secure Boot. Much like the code signing process, Secure Boot verifies that the signatures and keys used by the boot hardware and the OS software are all valid and have not been tampered with.

    What is Secure Boot exactly?

    Secure Boot works by authenticating the code and boot images used by the operating system are authenticated against the hardware before being allowed the ability to boot-up the system. The reason they are authenticated against the hardware is due to the fact that the hardware is pre-configured to authenticate code using trusted credentials. This ensures that the images and code have not been tampered with or changed by threat actors attempting to utilize malware to infect your network or devices in your network. As you can tell, this makes enabling Secure Boot in devices on a network significant, as it thwarts many common malware attacks.
    When dealing with malicious threat actors, many malware attacks will change Operating System code, or install a new boot loader, so that when a system is rebooted, their malware will be launched and spread throughout the device. Enabling Secure Boot will ensure this does not occur, as the bootloader will not have a valid key and signature matching the hardware, thus Secure Boot will stop the boot-up process. If malware got through, in the case that Secure Boot was not enabled, then an organization could face massive repercussions, such as losing millions of dollars or vital information that they would otherwise not want public.

    How does Secure Boot work?

    The process behind Secure Boot is not as complicated as you may think it would be. When a device with Secure Boot enabled is turned on, the first step in the process is that the CPU Internal Bootloader verifies the authenticity of the bootloader. This is done by comparing the signature generated by the manufacturer’s private key to the public key embedded in the device. When working with code signing and Secure Boot, an asymmetric encryption process is used for validation of manufacturer and software authenticity. The process of asymmetric encryption works by first generating two mathematically linked keys, a public key and a private key. The private key is kept secret, known only to the keys’ creator, and the public key is known to anyone. Since these keys are mathematically linked, a piece of software can be signed by the private key and that signature can be verified by the public key. This identifies that the software in question was created by the key owner and has not been tampered with.
    The next step in the Secure Boot process is verifying the authenticity of the Operating System and any applications that are begun at boot. Using the same process as the first step, the embedded public key is used to verify the Operating System and applications are valid. Once all these different parts of the boot-up process are verified for authenticity, the device can be booted-up and run normally. If, at any step in this process, the Operating System, bootloader, or any applications are found to not match the embedded public key, then they the boot-up process stops, and remediation steps are taken.

    Roadblocks for Secure Boot

    Since Secure Boot utilizes a process very similar to code signing, they face many of the same problems. The most pressing issue is protection of the asymmetric signing keys that are used in the Secure Boot process. I mentioned previously that part of the Secure Boot process is that the public key of the public/private key pair is embedded in the software, and what I mean by this is that there is a certificate that was generated through the use of that public key. This digital certificate, much like a code signing certificate, contains the public key’s information and is signed by the private key, thus allowing for the matching of key information between the public and private keys. Protecting these keys is the first major issue many organizations may face.

    If the private key used to sign the digital certificate is compromised by a malicious threat actor, they can then use that certificate to pass bootloaders or Operating System code through the Secure Boot process successfully, thus allowing them to infect users with malware. Protecting these keys properly can be done with either hardware or software based key storage methods. Software based storage is not the strongest method of protecting encryption keys, as the keys can still be taken from the storage method. Hardware based key storage methods, like hardware security modules, protect keys with a much stronger method, as compared to software-based key storage methods. Hardware Security Modules, or HSMs, are tamper-evident and tamper-proof, thus protecting encryption keys much more reliably.

    Other ways to protect data, other than Secure Boot, is by setting strong encryption policies within your organization. These policies provide a uniformity across your organization, thus allowing the different teams within your organization to follow similar protection methods. Additionally, implementing Intruder Protection Systems (IPS) and Intruder Detection Systems (IDS), securing your code at the source, and using organizations like Encryption Consulting to identify gaps in your security systems are other ways to protect data in your organization.

    Conclusion

    At the end of the day, enabling Secure Boot on all of the devices in your organization is a great way to start defending your network from malicious threat actors. Secure Boot provides a built-in method of checking your Operating System and bootloader for malicious code, thus allowing you to feel secure in the device you are using. Other methods, like setting up IPS and IDS or having a third-party assess your security plans, can work hand-in-hand with Secure Boot to provide you with the best possible security systems for your home or enterprise network. To learn more about how Encryption Consulting can help, visit www.encryptionconsulting.com.

    Want to learn from HSM Experts

    We train some of the biggest names in the industry through virtual & Live Classes

    Get a Free Quote for your Encryption Advisory Services

    Free Downloads for Encryption consulting services