You don’t have to be Bill Gates or Chuck Peddle (the inventor of the personal computer) to understand that a safe word, like Secure, Trusted and Measured, before the word Boot, likely means this will improve the security of your computers startup process. However, even experienced IT professionals find this topic confusing so we will explain it.
First lets get through some plain English explanations of these three security features.
What is Secure Boot?
Secure boot is the HARDWARE check to make sure the boot loader has not been tampered with.
What is Trusted Boot?
Trusted Boot is the SOFTWARE (Operating System like Windows 11) validation of the that the bootloader, kernel and other low level code has not been altered since it was last shut down.
What is Measured Boot?
Measured Boot is the service that compares a computers Trusted Platform Module (TPM) to known good versions.
How Measured Boot, Secure Boot and Trusted Boot Work Together
You’ll notice that we changed the order of the these three boot protection services. That is because they run one after the other in the order we now show them.
When you power on your computer, the UEFI chip (new BIOS) starts up before almost anything else and tells your computer what hardware it has, how to control that hardware, what the current hardware settings are and which device to boot from. This is a great time for a hacker to inject some code because all this happens before your security software is running and even before the Operating System (like Windows 11) has started to load.
Intel invented UEFI in 2005 to replace old BIOS chips because BIOS was really old (1975!), really limited (no graphics, no mouse, small, no boot protections…), and slow.
BIOS’ do not support the use of a tiny hardware chip called a Trusted Platform Module (aka TPM) that is soldered on nearly every computers motherboard. Only EUFI does. To be completely accurate, only UEFI supports TPM 2.0, but that is getting into the weeds just a bit too far.
HEALTHY BOOT PROCESS STEP 1 – Measured Boot
UEFI allows for Measured Boot to do something called Remote Attestation which, put simply ,allows it to compare the information stored in the TPM to a known good (i.e. not infected) version stored on a DIFFERENT computer, like one of your companies servers or a services like Microsoft Endpoint Manager (aka InTune). If they match, the TPM has not been tampered with.
No consumers and very few corporations use Measured Boot. In fact I have never seen it but I am certain high security government agencies and some financial institutions use it.
HEALTHY BOOT PROCESS STEP 2 – Secure Boot
If Measured Boot reports the TPM is clean or the computer is not using Measured boot (99.9% of all computers), the computer can use Secure Boot to compare the UEFI’s security keys (aka. digital signature) to those configured by the motherboards manufacturer to confirm nothing has changed.
HEALTHY BOOT PROCESS STEP 3 – Trusted Boot
If Secure Boot is happy, the operating system (i.e. Windows 11) starts loading. Early in that process compares the Boot Loader, the OS Kernel and other low level code to what it wrote into the TPM chip the last time it shut down. If they are the same, it thinks there has been no tampering and starts working normally.
2 Comments
hazenkrate · July 18, 2023 at 6:59 am
What prevents someone from modifying the UEFI security key as well?
Claverhouse · July 6, 2022 at 8:29 pm
Very well explained.
However, a vital omission: since I shall never ever have Microsoft on any computer, I needed to know how to turn all these things off [ and use no MS gadgetry like shims to avoid the extra added computing power and complexity of having boot-level stuff to interfere with simple GPT and GRUB.
Thank you very much anyway.