Loading learning content...
A chain is only as strong as its weakest link. In boot security, this isn't a metaphor—it's an engineering constraint that shapes every design decision. If any single stage of the boot process fails to properly verify the next, the entire security model collapses.
Boot chain verification is the systematic process of ensuring that each component loaded during boot is authentic and unmodified before it executes. This verification begins with hardware-rooted trust and extends through firmware, bootloaders, the operating system kernel, and ultimately to early user-space components. Each stage acts as a gatekeeper for the next, collectively creating an unbroken chain from the Root of Trust to the running system.
By the end of this page, you will understand the complete boot chain verification process—the specific mechanisms at each stage, how verification handoffs occur, what information passes between stages, and how modern systems achieve end-to-end boot integrity. You'll be equipped to analyze, design, and troubleshoot boot verification architectures.
Before examining each stage in detail, let's establish a complete view of the modern boot chain on a UEFI-based x86_64 system. This chain represents the sequence of trust transfers that must all succeed for a fully verified boot.
Chain Verification Properties
Each link in this chain must satisfy several properties:
1. Cryptographic Binding: The verification uses cryptographic hashes and/or signatures that make forgery computationally infeasible.
2. Temporal Ordering: Each verification happens BEFORE the verified component executes. There's no retroactive verification.
3. Unidirectional Trust: Trust flows in one direction—from hardware to software, from earlier stages to later stages. Later stages cannot modify earlier verification decisions.
4. Complete Coverage: Every piece of executable code is verified. Any unverified code represents a potential bypass.
5. Fail-Closed: Verification failure halts the boot process or enters recovery. Systems don't 'fall back' to unverified boot.
Any stage that loads code without verification creates a 'verification gap'—an opportunity for attackers. Common gaps include: unsigned kernel modules, unverified initramfs contents, or option ROMs from expansion cards. A complete boot security design must address or accept each potential gap.
The hardware verification stage is the foundation upon which all other verification rests. This is where the immutable Root of Trust verifies the first mutable code—the platform firmware.
Intel Boot Guard Architecture
Intel Boot Guard is a hardware-based boot verification technology available on Intel platforms from 4th generation Core processors (Haswell) onwards.
Key Components:
1. Authenticated Code Module (ACM) The first code executed after CPU reset. It's an Intel-signed module stored in the SPI flash but cryptographically verified by the CPU microcode before execution.
2. Boot Policy Manifest (BPM) A data structure containing hashes of the Initial Boot Block (IBB) and the OEM's public key. The ACM verifies IBB against these hashes.
3. Key Manifest (KM) Contains Intel's public key and the OEM's public key hash. Stored in CPU fuses (one-time programmable memory).
4. Field Programmable Fuses (FPFs) One-time programmable memory in the CPU that stores:
Boot Guard Profiles:
| Profile | Verification | Measurement | Behavior on Failure |
|---|---|---|---|
| 0 | Disabled | Disabled | N/A |
| 3 | Enabled | Disabled | Halt boot |
| 4 | Disabled | Enabled | Continue (log only) |
| 5 | Enabled | Enabled | Halt boot |
Verification Flow:
Once hardware verification bootstraps trust, firmware takes over the verification responsibility. Modern UEFI firmware is modular, with multiple phases and dozens of individual components—each requiring verification.
Firmware Volume Architecture
UEFI firmware is organized into Firmware Volumes (FVs)—logical containers that hold firmware files. Each FV can contain:
SPI Flash Layout (Simplified)
┌────────────────────────────────────────────────────────┐
│ Descriptor Region (Flash regions, permissions) │
├────────────────────────────────────────────────────────┤
│ Intel ME / AMD PSP Region (Separate processor FW) │
├────────────────────────────────────────────────────────┤
│ BIOS Region │
│ ┌─────────────────────────────────────────────────┐ │
│ │ FV_RECOVERY (SEC + PEI Core + Critical PEIMs) │ │
│ ├─────────────────────────────────────────────────┤ │
│ │ FV_MAIN (DXE Core + DXE Drivers) │ │
│ ├─────────────────────────────────────────────────┤ │
│ │ FV_LOGO (Boot graphics) │ │
│ ├─────────────────────────────────────────────────┤ │
│ │ NVRAM (UEFI Variables - PK, KEK, db, dbx, etc.) │ │
│ └─────────────────────────────────────────────────┘ │
└────────────────────────────────────────────────────────┘
FV and FFS Verification
The Firmware File System (FFS) within each FV supports signed firmware files:
UEFI PI Specification Signing:
Verification Flow within Firmware:
1. Boot Guard verifies FV_RECOVERY (IBB)
│
▼
2. SEC (Security Phase) executes from verified IBB
│ - Establishes temporary memory (CAR)
│ - Locates PEI Core within FV_RECOVERY
│ - PEI Core is within already-verified region
│
▼
3. PEI Core loads PEIMs from FV_RECOVERY
│ - Each PEIM can have individual signature
│ - Or: Entire FV hash was verified by Boot Guard
│ - Memory Reference Code (MRC) PEIM initializes DRAM
│
▼
4. PEI Core locates and verifies FV_MAIN
│ - Uses hash/signature from verified FV_RECOVERY
│ - Establishes trust before loading DXE Core
│
▼
5. DXE Core loads DXE Drivers
│ - Each driver verified individually (signature or hash)
│ - Drivers published to UEFI protocol database
│ - Secure Boot policy becomes active
│
▼
6. BDS Phase loads OS bootloader
- Bootloader verified via Secure Boot (db/dbx)
UEFI NVRAM (where variables like PK/KEK/db are stored) cannot be pre-verified by Boot Guard because it's mutable by design. Instead, authenticated variables have their own cryptographic protection—changes require valid signatures. This creates a layered defense: firmware code is verified by Boot Guard; firmware configuration is protected by authenticated variable mechanisms.
Option ROM Verification
Expansion cards (graphics, network, storage controllers) often contain Option ROMs—firmware that executes during boot to initialize the device. These present a verification challenge:
The Problem:
Solutions:
UEFI Secure Boot for Option ROMs: Starting with UEFI 2.3.1, Option ROMs can be verified just like bootloaders. Unsigned Option ROMs are blocked if Secure Boot is enabled.
Option ROM Deny Lists: Some firmware allows specifying which PCI devices' Option ROMs to block.
Centralized Option ROM Storage: Some enterprise systems store Option ROMs in the main firmware image rather than on the card, enabling pre-verification.
Hardware Validation: PCIe 5.0+ introduces IDE (Integrity and Data Encryption) for enhanced device authentication.
Practical Implications: On systems with Secure Boot enabled, inserting a PCIe card with an unsigned Option ROM may:
This is a security feature, not a bug—it prevents malicious devices from executing arbitrary code during boot.
The bootloader is the bridge between firmware and the operating system. Its verification is typically performed by UEFI Secure Boot, but the bootloader itself must then verify the kernel and initramfs it loads.
Windows Boot Verification
The Windows boot chain is tightly integrated:
1. bootmgfw.efi (Windows Boot Manager)
2. winload.efi (Windows Loader)
3. ntoskrnl.exe (Windows Kernel)
Key Verification Mechanism: Windows verifies signatures using the same Authenticode infrastructure as user-mode code signing. Certificates chain to Microsoft Root CAs. Enterprise deployments can add custom certificates.
Linux Boot Verification
Linux typically uses shim + GRUB:
1. shim.efi
2. grubx64.efi (GRUB)
3. vmlinuz (Linux Kernel)
4. initramfs
Modern Approach: Unified Kernel Images (UKI) Bundle kernel + initramfs + cmdline into single signed PE binary, eliminating verification gaps.
12345678910111213141516171819202122232425262728
# Examining the Linux boot chain verification # 1. Check shim signature (verified by UEFI Secure Boot)sbverify --cert /path/to/ms-uefi-ca.crt /boot/efi/EFI/ubuntu/shimx64.efi# Expected: Signature verification OK # 2. Extract the certificate embedded in shimobjcopy -O binary --only-section=.vendor_cert /boot/efi/EFI/ubuntu/shimx64.efi vendor.crt# This is the distribution's certificate that shim trusts # 3. Check GRUB signature (verified by shim)sbverify --cert /path/to/distro.crt /boot/efi/EFI/ubuntu/grubx64.efi# Expected: Signature verification OK # 4. Check kernel signature (verified by GRUB)sbverify --cert /path/to/distro.crt /boot/vmlinuz-$(uname -r)# Expected: Signature verification OK # 5. View MOK-enrolled certificates (supplement to shim's embedded cert)mokutil --list-enrolled # 6. Check Secure Boot enforcement status from running systemmokutil --sb-state# Expected: SecureBoot enabled # 7. Verify kernel lockdown is active (blocks bypasses)cat /sys/kernel/security/lockdown# Expected: [integrity] confidentiality (or similar)GRUB and Kernel Lockdown
When booting with Secure Boot, the Linux kernel enables 'lockdown' mode, which restricts operations that could undermine boot security:
Lockdown Restrictions (Integrity Mode):
Lockdown Restrictions (Confidentiality Mode):
These restrictions ensure that even with root access, an attacker cannot use the running kernel to bypass boot-time verification for the next boot.
Traditional Linux boot does NOT verify the initramfs (initial ramdisk). An attacker with root access can modify /boot/initramfs-*.img, and this modified initramfs will execute as part of boot. Solutions include: (1) Unified Kernel Images that bundle everything into one signed binary, (2) Separate initramfs signature verification, (3) dm-verity for root filesystem that chains from a verified initramfs.
Once the kernel is running, verification continues. Kernel modules are the extension code of the kernel, and unsigned modules represent a critical attack surface. Modern kernels enforce module signature verification when Secure Boot is active.
Linux Kernel Module Signing Facility
The Linux kernel includes a cryptographic module signature verification system:
Configuration Options:
CONFIG_MODULE_SIG=y # Enable signature verification
CONFIG_MODULE_SIG_FORCE=y # Reject unsigned modules
CONFIG_MODULE_SIG_ALL=y # Sign all modules during build
CONFIG_MODULE_SIG_SHA256=y # Use SHA-256 for hashing
CONFIG_MODULE_SIG_KEY="..." # Path to signing key
Signature Format: Module signatures are appended to the module file. The signature structure includes:
Verification Flow:
1. modprobe/insmod requests module load
│
▼
2. Kernel reads module from filesystem
│
▼
3. Kernel checks for signature appended to module
│ If no signature and CONFIG_MODULE_SIG_FORCE: REJECT
│
▼
4. Kernel verifies signature against trusted keys
│ Trusted keys: Embedded in kernel + secondary keyring
│ If verification fails: REJECT
│
▼
5. Module loaded into kernel memory
│
▼
6. Module init function executed
12345678910111213141516171819202122232425262728293031
# Working with kernel module signatures # Check if a module is signedmodinfo nvidia | grep -E '^sig'# sig_id: PKCS#7# signer: DKMS module signing key# sig_key: AB:CD:EF:...# sig_hashalgo: sha256# signature: (base64-encoded signature data) # Sign a module with your own key/usr/src/linux-headers-$(uname -r)/scripts/sign-file \ sha256 \ /path/to/MOK.key \ /path/to/MOK.crt \ /path/to/module.ko # Verify a module's signature/usr/src/linux-headers-$(uname -r)/scripts/sign-file \ sha256 \ /path/to/MOK.key \ /path/to/MOK.crt \ /path/to/module.ko --check # View the kernel's trusted keyscat /proc/keys | grep asymmetric # Check if module signature enforcement is activegrep -i sig /boot/config-$(uname -r)# CONFIG_MODULE_SIG=y# CONFIG_MODULE_SIG_FORCE=y <-- If set, unsigned modules rejectedKernel Keyring Architecture
The kernel maintains multiple keyrings for trusting module signatures:
Built-in Keyring (.builtin_trusted_keys)
Secondary Keyring (.secondary_trusted_keys)
Platform Keyring (.platform)
Machine Keyring (.machine)
This layered keyring system enables:
Windows enforces similar driver signing requirements via the Kernel-Mode Code Signing (KMCS) policy. All kernel drivers must be signed. Since Windows 10 1607, drivers must additionally be signed by Microsoft's attestation service (EV certificate + Microsoft countersignature), closing the loophole of self-signed drivers even with legitimate certificates.
When one boot stage transfers control to the next, it must pass the verification context properly. The handoff mechanism differs between stages and has significant security implications.
| Transition | Mechanism | What's Passed | Security Notes |
|---|---|---|---|
| Boot ROM → Firmware | Jump to verified address | Nothing—firmware re-reads own keys | Firmware keys are verified by Boot ROM |
| SEC → PEI | Hand-off Blocks (HOBs) | Memory map, firmware volume locations | HOBs in verified memory region |
| PEI → DXE | HOBs + DXE Handoff | System table pointers, memory map | DXE Core verified before handoff |
| DXE → Bootloader | UEFI protocols | Boot services, UEFI variables access | Bootloader can read db/dbx |
| Bootloader → Kernel | Boot parameters | Memory map, initrd location, cmdline | Linux: kernel trusts bootloader-provided data |
| Shim → GRUB | Shim protocol | Verification function, context struct | GRUB uses shim's verification service |
Shim → GRUB Handoff in Detail
The shim-to-GRUB handoff is particularly interesting because shim must provide GRUB with the ability to verify the kernel:
Shim Lock Protocol: Shim publishes a "shim lock protocol" that GRUB (and any other shim-loaded binary) can use:
// Shim Lock Protocol Interface
typedef struct {
EFI_STATUS (*Verify)(void *buffer, UINT32 size);
EFI_STATUS (*Hash)(void *data, UINT32 datasize,
void *hash, UINT32 hashsize);
EFI_STATUS (*Context)(void *buffer, UINT32 size,
void **context);
} SHIM_LOCK;
GRUB Verification via Shim:
Verify(kernel_buffer, size)This design means GRUB doesn't need to implement its own verification logic or have access to signing keys—it delegates to shim, which has the complete trust context.
Bootloader → Kernel Handoff in Detail
This transition is critical because the kernel must trust configuration data from the bootloader:
Information Passed to Linux Kernel:
Security Concern: Command Line Manipulation
The kernel command line can fundamentally alter system behavior:
init=/bin/sh → Boot to root shellselinux=0 → Disable SELinuxmodule.sig_enforce=0 → Disable module signingIf an attacker controls the bootloader, they can pass arbitrary parameters. Secure Boot mitigates this by ensuring only signed bootloaders (which have whitelisted parameters or lock parameters) execute.
Unified Kernel Images (UKI) Solution:
UKIs bundle cmdline into the signed binary, preventing parameter manipulation:
┌─────────────────────────────────────┐
│ Unified Kernel Image (PE binary) │
│ ┌─────────────────────────────────┐ │
│ │ EFI stub │ │
│ ├─────────────────────────────────┤ │
│ │ Kernel image │ │
│ ├─────────────────────────────────┤ │
│ │ initramfs │ │
│ ├─────────────────────────────────┤ │
│ │ Kernel cmdline (fixed) │ │ ← Signed with everything
│ ├─────────────────────────────────┤ │
│ │ Signature │ │
│ └─────────────────────────────────┘ │
└─────────────────────────────────────┘
With UKI, there's no separate cmdline to manipulate—it's cryptographically bound to the kernel.
Every handoff is a trust boundary. The receiving stage must either: (1) Verify everything it receives before trusting it, (2) Receive it from a verified source through a secure channel, or (3) Accept it as part of the trusted computing base. When analyzing boot security, examine each handoff for potential trust leaks.
When verification fails at any point in the boot chain, the system must respond appropriately. The response varies by stage and has significant implications for both security and usability.
| Stage | Failure Response | Recovery Options | User Visibility |
|---|---|---|---|
| Boot Guard (HW) | System halt | Firmware reflash (if possible), RMA | LED error code, POST hang |
| Firmware internal | Boot to recovery FV | Capsule update, recovery jumper | OEM-specific recovery screen |
| Secure Boot (UEFI) | Refuse to load image | Enter Setup, enroll key, update image | Security Violation error message |
| Shim | Display error, may allow MOK enrollment | mokutil to enroll, or rebuild with signing | Shim error screen with details |
| GRUB | Halt or menu fallback | Update signed kernel, enroll key | GRUB error message |
| Kernel (modules) | Module load refused | Sign module, update MOK | dmesg: module verification failed |
Diagnosing Verification Failures
When boot fails with Secure Boot, systematic diagnosis is essential:
Step 1: Identify the failing stage
Step 2: Determine the specific failure
Step 3: Check databases and signatures
# View current db/dbx/KEK
efi-readvar -v db
efi-readvar -v dbx
# View MOK
mokutil --list-enrolled
# Check an image's signature
sbverify --list /boot/efi/EFI/ubuntu/shimx64.efi
# Check if an image's hash is in dbx
pesign --signature-at 0 -i /path/to/binary --show-signature
# Compare signer hash against dbx entries
Step 4: Resolve
12345678910111213141516171819202122232425262728293031
# Comprehensive Secure Boot troubleshooting script echo "=== Secure Boot Status ==="mokutil --sb-state echo -e "\n=== Platform Key ==="mokutil --pk echo -e "\n=== Key Exchange Keys ==="mokutil --kek echo -e "\n=== Enrolled Certificates (db) ==="mokutil --db echo -e "\n=== Revoked (dbx) Count ==="mokutil --db-x | wc -l Entries echo -e "\n=== Machine Owner Keys ==="mokutil --list-enrolled echo -e "\n=== Bootloader Signature ==="sbverify --list /boot/efi/EFI/$(ls /boot/efi/EFI/ | grep -v BOOT | head -1)/shimx64.efi 2>&1 echo -e "\n=== Kernel Signature ==="sbverify --list /boot/vmlinuz-$(uname -r) 2>&1 echo -e "\n=== Kernel Lockdown Status ==="cat /sys/kernel/security/lockdown 2>/dev/null || echo "Lockdown not available" echo -e "\n=== Module Signature Enforcement ==="grep -E "^CONFIG_MODULE_SIG" /boot/config-$(uname -r)Every recovery mechanism is a potential attack vector. Allowing recovery too easily (e.g., disabling Secure Boot from a menu) undermines the protection. Requiring too much (e.g., full firmware reflash) makes legitimate recovery impractical. Design recovery with threat models in mind—what can an attacker with physical access achieve?
Boot chain verification is the systematic propagation of trust from an immutable root through every component that executes before the system is fully operational. Let's consolidate the essential insights:
What's Next:
With a comprehensive understanding of boot chain verification, we'll now explore TPM (Trusted Platform Module)—the hardware component that doesn't just verify boot but measures and records it. TPM enables remote attestation, sealed secrets, and a cryptographic log of exactly what booted, providing verifiability beyond the boot moment.
You now understand how verification propagates through the complete boot chain—from silicon-level roots of trust through every layer of firmware, bootloaders, and the operating system. This knowledge is essential for designing secure systems, diagnosing boot security issues, and understanding the guarantees that measured and attested boot can provide.