What is Secure Boot?
This article explains Secure Boot and how you can effectively protect your data.
Let’s start!
What happens when booting with Secure Boot?
Booting Windows is not trivial, even though the user only pushes a button and sees the logo of the manufacturer or of Windows. Within the few seconds of booting, the computer goes through a 7-step process:
You press the start button on your laptop or PC. This triggers the boot process, and the power supply powers up the CPU.
2. Warming up – But what first?
The machine does not load Windows first, but a Basic Input and Output System (BIOS), which is burned into the motherboard as software (firmware). This firmware solves a chicken-and-egg problem: the central processing unit (CPU) needs software to read the memory in which that very software is located.
3. The all-round check-up
The BIOS checks whether all components in the computer are working properly before the system is started (Power-On Self-Test). If some idiot has assembled the system incorrectly, the BIOS can warn the user.
In addition, a computer can suffer from old age or overuse of any component. The BIOS prevents further damage and warns the user.
BIOS or UEFI – The BIOS usually has no way of monitoring the trustworthiness of the boot process. A UEFI, the newer alternative, is able to. Also, UEFI firmware allows for easier updates.
4. Booting yes, but from what?
The operating system is on a hard disk.
The disk can contain several operating systems or partitions with different file systems. Therefore, at the beginning of each hard disk there is a table of contents, the Master Boot Record.
The Windows Boot Manager allows you to choose between different operating systems. When booting from memory, the computer only executes signed code. Manufacturers sign their code with certificates backed by a Certificate Authority. If the system detects a change (the hash sum no longer matches), it will not boot any further.
5. The first load
The bootloader loads the operating system into the main memory (RAM) from the hard disk.
In this step, the computer loads only the kernel (Ntoskrnl.exe), the core component, and the “Hardware Abstraction Layer” (HAL, Hal.dll) into the main memory. The kernel itself then starts loading the rest of the operating system. The Hardware Abstraction Layer is the communication interface between hardware and software. The security chip in the computer (TPM) monitors what the computer starts (using hash sums).
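The hash monitoring described above can be modelled as a TPM-style "extend" operation, in which each boot stage is hashed into a running register before it runs. This is an added example, not code from the original article or from Microsoft; it uses a single register that starts at zero, and the file contents are constructed placeholders.

```python
import hashlib

def extend(pcr: bytes, component: bytes) -> bytes:
    """TPM-style extend: new = SHA-256(old register || SHA-256(component))."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()

def measure_boot_chain(components):
    """Measure each (name, bytes) stage in boot order; return (register, event log)."""
    pcr = bytes(32)  # simplified model: the register starts as 32 zero bytes
    log = []
    for name, blob in components:
        log.append((name, hashlib.sha256(blob).hexdigest()))
        pcr = extend(pcr, blob)
    return pcr, log

def replay_log(log):
    """Recompute the register from an event log, as a verifier would."""
    pcr = bytes(32)
    for _name, digest_hex in log:
        pcr = hashlib.sha256(pcr + bytes.fromhex(digest_hex)).digest()
    return pcr

def first_divergence(known_good_log, observed_log):
    """Name of the first stage whose hash differs from the known-good log."""
    for (name, good), (_n, seen) in zip(known_good_log, observed_log):
        if good != seen:
            return name
    return None

# Constructed stand-ins for the real files; the contents are placeholders.
GOOD_CHAIN = [
    ("Windows Boot Manager", b"boot manager image v1"),
    ("Ntoskrnl.exe", b"kernel image v1"),
    ("Hal.dll", b"hardware abstraction layer v1"),
]
TAMPERED_CHAIN = [
    GOOD_CHAIN[0],
    ("Ntoskrnl.exe", b"kernel image v1 (modified)"),
    GOOD_CHAIN[2],
]

if __name__ == "__main__":
    good_pcr, good_log = measure_boot_chain(GOOD_CHAIN)
    bad_pcr, bad_log = measure_boot_chain(TAMPERED_CHAIN)
    print("known good:", good_pcr.hex())
    print("observed  :", bad_pcr.hex())
    print("changed stage:", first_divergence(good_log, bad_log))
```

Because every new value depends on the previous one, a changed stage cannot be hidden by later stages, and replaying the event log shows a verifier exactly where the chain diverged.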
6. Drivers and 7. logon
The operating system loads the drivers for the devices that are built into the system. The services are added. A driver is special software that acts as a kind of instruction manual for the operating system. Unlike Apple, Windows supports a lot of hardware. For this hardware to run, the operating system needs an explanation of how it can address the hardware.
The login screen appears.
Source: https://automateinfra.com/2021/11/09/windows-boot-process-step-by-step/
Where can I activate Secure Boot?
Immediately after pressing the start button, you must enter the BIOS. This can be done by repeatedly pressing F12, F2, DEL or other keys depending on the mainboard / laptop manufacturer.
Navigate to the Boot section with the arrow keys (or mouse) and select Secure Boot. Restart the PC and it is activated.
Secure Boot with Linux
Secure Boot is possible with Linux. The only question is how complex the installation process is. The GitHub user Jaib77 has created a compilation for ElementaryOS, an Ubuntu / Debian distribution, showing what an installation could look like.
Unlike Windows, Linux is not plug-and-play. Microsoft developed the UEFI together with the mainboard developers. Microsoft immediately had their keys burned into every UEFI mainboard.
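To confirm from a running Linux system that Secure Boot is really active after changing the firmware setting, you can read the UEFI variables that the kernel exposes under /sys/firmware/efi/efivars. This is an added example, not part of the original article; the function names and the sample byte strings are assumptions made for illustration.

```python
import struct
from pathlib import Path

EFIVARS = Path("/sys/firmware/efi/efivars")
EFI_GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"  # UEFI global variable namespace

def parse_flag(raw: bytes) -> int:
    """efivarfs layout: 4-byte little-endian attributes, then the data (1 byte here)."""
    if len(raw) != 5:
        raise ValueError(f"expected 5 bytes (attributes + 1 data byte), got {len(raw)}")
    _attributes, value = struct.unpack("<IB", raw)
    return value

def secure_boot_state(secure_boot_raw, setup_mode_raw):
    """Classify the firmware state from the raw SecureBoot and SetupMode variables."""
    if secure_boot_raw is None:
        return "unsupported"      # legacy BIOS boot, or efivarfs not mounted
    if setup_mode_raw is not None and parse_flag(setup_mode_raw) == 1:
        return "setup-mode"       # no Platform Key enrolled: nothing is enforced
    return "enabled" if parse_flag(secure_boot_raw) == 1 else "disabled"

def read_var(name, root=EFIVARS):
    """Return the raw bytes of a global EFI variable, or None if it cannot be read."""
    try:
        return (root / f"{name}-{EFI_GLOBAL_GUID}").read_bytes()
    except OSError:
        return None

# Constructed sample values: attributes 0x6 (boot-service + runtime access), then the flag byte.
SAMPLE_ON = b"\x06\x00\x00\x00\x01"
SAMPLE_OFF = b"\x06\x00\x00\x00\x00"

if __name__ == "__main__":
    print("sample:", secure_boot_state(SAMPLE_ON, SAMPLE_OFF))
    print("this machine:", secure_boot_state(read_var("SecureBoot"), read_var("SetupMode")))
```

On distributions that ship it, `mokutil --sb-state` reports the same state from the command line.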
Secure Boot for macOS
Apple uses a very similar system:
1. The Apple T2 security chip is comparable to the TPM chip in Windows / Linux computers. This starts the necessary components.
2. T2 monitors the loading of the operating system (bootloader). This verifies the file with the same methods. Apple can be even more precise in this process because they only allow components that are built in from the factory. Foreign components can lead to problems. Because Apple provides hardware and software, they have more control over the system.
3. The system displays the login screen.
Why isn’t a Windows password sufficient?
If you do a normal installation, the disk can simply be removed and its data read with another operating system.
Isn’t that negligent on Microsoft’s part?
No. Most private users have their PCs at home, which are “physically” protected. The danger lurks on the Internet. Microsoft has built several security mechanisms against the internet threat.
Why is the hard disk not protected against access? In the event of a system error (broken Windows update or other error), the user can still read the data on the hard disk like a USB stick. If you are afraid that someone can abuse the physical access to the computer, you should always use Secure Boot in combination with full encryption. This is mandatory for laptops and many manufacturers activate this function from the start.
4 Bonus Tips for More Protection
Computer manufacturers have come up with even more methods to prevent data theft.
1. No chance – Back Cover Tamper Detection
Thinkpads have back cover tamper detection. This means that the hard disk is erased as soon as an attacker tries to open the back of the laptop. The sensor sends a signal to the firmware, which executes the self-destruct mode.
2. Another obstacle – BIOS password
To prevent an attacker from simply starting an alternative operating system, you can password-protect the BIOS on some devices. The user does not get into the boot menu and always starts in the same operating system. Some manufacturers have methods of resetting this by briefly removing the battery and re-installing it.
3. Hard disk password
The BIOS allows you to set a boot password. Before booting, the BIOS will ask you for the code for the hard disk. Just as with the BIOS password, there are workarounds that can reset these passwords.
4. Keep it quiet with full encryption
If you want to fully encrypt your hard drive, use Bitlocker for Windows, LUKS for Linux or FileVault for macOS. These systems are considered secure as long as the computer is off. If you leave your device in a café without a login lock, all your measures are useless.