Secure Boot (a platform feature in UEFI) checks the boot loader before launching it and ensures it is signed by a trusted entity. If the boot loader has been replaced or tampered with, UEFI won’t allow it to boot. This prevents malware from hijacking your boot process and concealing itself from your operating system.
Microsoft Requires Secure Boot Enabled
Microsoft requires PC manufacturers to enable Secure Boot if they want to place a Windows logo sticker on their PCs. Hence, these PCs ship with Microsoft’s certificate stored in UEFI. On its own, this prevents Linux operating systems from booting, because their boot loaders are not signed with a certificate the firmware trusts.
How Microsoft Allows Linux Distributions to Boot with Secure Boot
Linux distributions can pay a one-time fee of $99 to access the Microsoft Sysdev portal, where they can apply to have their boot loaders signed.
Linux distributions generally have a “shim” signed. The shim is a small boot loader that simply boots the Linux distribution’s main GRUB boot loader. The Microsoft-signed shim checks that it’s booting a boot loader signed by the Linux distribution, and then the Linux distribution boots normally.
How You Can Disable or Control Secure Boot
- you can disable Secure Boot in the UEFI settings
- you can customize Secure Boot to control which signing certificates Secure Boot trusts
- you can sign your own Linux boot loader and ensure your PC can only boot boot loaders you personally compiled and signed
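The certificates and hashes that Secure Boot trusts (and the ones it explicitly forbids) live in UEFI variables, chiefly `db` and `dbx`, as a concatenation of EFI_SIGNATURE_LIST structures. The example below is added here to show how that storage is laid out and how the allow/deny decision from the first paragraph and the customization bullet above plays out; it is not code from the original article. The two signature-type GUIDs are the real values from the UEFI specification; the owner GUID and the boot-loader images are constructed sample data, and a flat SHA-256 over the image stands in for the Authenticode PE hash that real firmware computes. The X.509 certificate path (verifying a PE signature against a `db` certificate, which is how a Microsoft-signed shim is actually admitted) is only represented as an entry type here, not verified.

```python
"""Model of how UEFI Secure Boot consults its db/dbx signature databases.

Added example: constructed data, not firmware code. Hash matching uses a flat
SHA-256 of the image as a stand-in for the Authenticode PE hash.
"""
import hashlib
import struct
import uuid

# Signature-type GUIDs defined by the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")

# EFI_SIGNATURE_LIST header: SignatureType, SignatureListSize,
# SignatureHeaderSize, SignatureSize (all little-endian).
_LIST_HDR = "<16sIII"
_LIST_HDR_LEN = struct.calcsize(_LIST_HDR)  # 28 bytes


def build_signature_list(sig_type, owner, entries):
    """Serialise one EFI_SIGNATURE_LIST whose entries all share one size."""
    sizes = {len(e) for e in entries}
    if len(sizes) != 1:
        raise ValueError("all entries in one list must be the same size")
    sig_size = 16 + sizes.pop()  # EFI_SIGNATURE_DATA = owner GUID + data
    body = b"".join(owner.bytes_le + e for e in entries)
    header = struct.pack(_LIST_HDR, sig_type.bytes_le,
                         _LIST_HDR_LEN + len(body), 0, sig_size)
    return header + body


def parse_signature_db(blob):
    """Yield (sig_type, owner, data) for every entry in a db/dbx-style blob.

    Bounds are checked on every field so a truncated or malformed variable
    raises instead of reading past the buffer.
    """
    off = 0
    while off < len(blob):
        if len(blob) - off < _LIST_HDR_LEN:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        raw_type, list_size, hdr_size, sig_size = struct.unpack_from(
            _LIST_HDR, blob, off)
        if list_size < _LIST_HDR_LEN + hdr_size or off + list_size > len(blob):
            raise ValueError("EFI_SIGNATURE_LIST size exceeds buffer")
        if sig_size < 16:
            raise ValueError("SignatureSize smaller than the owner GUID")
        sig_type = uuid.UUID(bytes_le=raw_type)
        pos, end = off + _LIST_HDR_LEN + hdr_size, off + list_size
        if (end - pos) % sig_size:
            raise ValueError("signature area is not a multiple of SignatureSize")
        while pos < end:
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            yield sig_type, owner, bytes(blob[pos + 16:pos + sig_size])
            pos += sig_size
        off = end


def evaluate_image(image, db, dbx):
    """Decide whether an image may boot, checking dbx before db.

    A hash present in dbx is rejected even if db would otherwise allow it,
    which is what lets vendors revoke a previously trusted boot loader.
    """
    digest = hashlib.sha256(image).digest()
    for sig_type, _owner, data in parse_signature_db(dbx):
        if sig_type == EFI_CERT_SHA256_GUID and data == digest:
            return "denied: hash revoked in dbx"
    for sig_type, _owner, data in parse_signature_db(db):
        if sig_type == EFI_CERT_SHA256_GUID and data == digest:
            return "allowed: hash listed in db"
    return "denied: no matching entry in db"


# Constructed sample data (not real certificates or boot loaders).
OWNER = uuid.UUID("00000000-0000-0000-0000-000000000001")
SHIM = b"constructed: vendor shim image"
OLD_SHIM = b"constructed: revoked shim image"
UNKNOWN = b"constructed: unsigned loader"

# db holds a placeholder X.509 entry plus two trusted image hashes;
# dbx revokes one of those hashes. Lists are simply concatenated.
DB = (build_signature_list(EFI_CERT_X509_GUID, OWNER, [b"<placeholder DER certificate>"])
      + build_signature_list(EFI_CERT_SHA256_GUID, OWNER,
                             [hashlib.sha256(SHIM).digest(),
                              hashlib.sha256(OLD_SHIM).digest()]))
DBX = build_signature_list(EFI_CERT_SHA256_GUID, OWNER,
                           [hashlib.sha256(OLD_SHIM).digest()])

if __name__ == "__main__":
    for name, img in (("shim", SHIM), ("old shim", OLD_SHIM), ("unknown", UNKNOWN)):
        print(f"{name}: {evaluate_image(img, DB, DBX)}")
```

Enrolling your own certificate or hash (the customization bullet above) amounts to appending another EFI_SIGNATURE_LIST to `db`; revoking one means adding its hash to `dbx`, and the dbx-first ordering in `evaluate_image` is why the revocation takes effect even though `db` still contains the old entry.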