About Secure Boot
Secure boot is a security mechanism specified in Unified Extensible Firmware Interface (UEFI) to ensure that only approved boot software is executed. The feature protects against rootkit and bootkit malware, and helps to prevent attacks by ensuring that all components and configurations involved in the boot chain are trusted.
The boot components and configurations are signed with a trusted private key. Their integrity is validated by using public keys stored in UEFI. If all boot components are verified, the system is allowed to boot. However, if any element is not signed by a trusted key, the system is not authorized to start.
General Information
Secure boot is specified in UEFI. A UEFI context is available in all OMIs that are compatible with UEFI.
When booting a virtual machine (VM) from these OMIs, depending on the OS of the OMI, the supported boot modes can be Unified Extensible Firmware Interface (UEFI), Legacy BIOS (Basic Input/Output System) or both. For more information, see About Boot Modes and About OMIs.
Secure boot is available only with VM booting on UEFI. If the VM you created does not support UEFI, secure boot cannot be enabled. For more information, see About Boot Modes.
Secure boot ensures that only trusted components and configurations are executed during a VM boot by verifying their integrity and authenticity using digital signatures and cryptographic keys. Each boot component and configuration element is signed with a private key provided by its developer or vendor, corresponding to public keys stored in the UEFI firmware’s trusted database.
During the boot process, UEFI reads each component and performs an integrity check by comparing the file's signature with the trusted keys in the database:
- If the signatures match, the integrity and authenticity are confirmed and the system boots securely.
- If the signatures do not match, the VM starts and is in the running state. However, the OS of the VM is not authorized to start.
UEFI Context in Official OMIs
Official OMIs feature a UEFI context that contains all configuration variables required to enable and use secure boot. The UEFI context contains factory keys provided by Microsoft:
- a Platform Key (PK)
- Key Exchange Keys (KEK)
- a database (db)
- a revoked signatures database (dbx).
If the UEFI context is empty and contains no keys, the VM and OS start without any verification.
It is possible to use custom keys instead of those provided by the official OMIs. For more information on key management and customization, see the Arch Linux Secure Boot documentation.
Secure Boot and VMs
Activation and Deactivation
To enable secure boot at the next VM start, the following conditions must be met:
- The secure boot state must be set to active.
- The components (PK, KEK and DB) must be present.
If any of these conditions are not met, secure boot is not applied, and the OS boots without verification. For more information, see Enabling or Disabling Secure Boot.
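Because an unmet condition results in a normal-looking boot without verification, it is worth confirming from inside the guest that secure boot is really applied. The following script is an added example, not code from this documentation or its provider: it assumes a Linux guest with efivarfs mounted at the standard path, its function names are hypothetical, and it checks that PK, KEK and db are populated and that the firmware reports secure boot as active.

```shell
#!/bin/sh
# Added example (not provider code). Function names are hypothetical.
# Assumes a Linux guest with efivarfs mounted at /sys/firmware/efi/efivars.
GLOBAL=8be4df61-93ca-11d2-aa0d-00e098032b8c  # EFI global variable GUID: PK, KEK, SecureBoot, SetupMode
IMGSEC=d719b2cb-3d3a-4596-a3bc-dad00e67656f  # EFI image security database GUID: db, dbx

# efivarfs prefixes each variable with a 4-byte attribute header; print the payload size.
var_payload_size() {
    [ -f "$1" ] || { echo 0; return; }
    size=$(( $(wc -c < "$1") ))
    if [ "$size" -gt 4 ]; then echo $((size - 4)); else echo 0; fi
}

# Print the first payload byte as a decimal number (nothing if the variable is absent or empty).
var_first_byte() {
    [ "$(var_payload_size "$1")" -gt 0 ] || return 0
    od -An -tu1 -j4 -N1 "$1" | tr -d ' \n'
}

# Print "enforced", "not-uefi" or "unverified: <reason>" for the given efivars directory.
secure_boot_verdict() {
    dir=${1:-/sys/firmware/efi/efivars}
    # No directory: legacy BIOS boot, or efivarfs is not mounted.
    [ -d "$dir" ] || { echo "not-uefi"; return; }
    missing=""
    for v in "PK-$GLOBAL" "KEK-$GLOBAL" "db-$IMGSEC"; do
        [ "$(var_payload_size "$dir/$v")" -gt 0 ] || missing="$missing ${v%%-*}"
    done
    if [ -n "$missing" ]; then
        echo "unverified: missing$missing"          # empty or partial UEFI context
    elif [ "$(var_first_byte "$dir/SetupMode-$GLOBAL")" = "1" ]; then
        echo "unverified: setup-mode"               # keys can still be replaced
    elif [ "$(var_first_byte "$dir/SecureBoot-$GLOBAL")" = "1" ]; then
        echo "enforced"
    else
        echo "unverified: disabled"                 # keys present, state not active
    fi
}

secure_boot_verdict "$@"
```

Any result other than enforced means the OS booted without signature verification and should be treated as a configuration finding.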
You can also enable secure boot on a VM that is already started. To do this, you need to use a secure boot action and restart the VM.
If you attach a flexible GPU to a VM with secure boot enabled and you are using the default factory keys, you must install Nvidia’s proprietary drivers. For more information, see Nvidia’s blog.
Secure Boot Actions
You can define one action to apply at the next start of the VM:
- enable: stores the keys in the UEFI context and enables secure boot.
- disable: disables secure boot.
- none: no action is performed at the next VM start.
- setup-mode: clears the UEFI context from all keys and allows key customization.
The setup-mode is intended for advanced users who understand the implications of modifying these keys. An incorrect configuration may prevent the system from booting properly.
You can enable or disable secure boot at any time. However, the action is effective at the next stop/start of the VM. Multiple requests are not queued, which means only the last action requested before starting the VM is applied.
Any secure boot action change requires stopping and starting the entire VM, not just the OS inside the VM. For more information, see About VM Lifecycle.
Troubleshooting
You may encounter difficulties when booting or using VMs with secure boot enabled. For assistance, see Troubleshooting Secure Boot VMs or contact our Technical Support.