<!-- Source: https://melinasecurity.com/knowledge/glossary/secure-boot/  License: CC BY 4.0 with attribution to Melina Security  Last-updated: 2026-06-12 -->

# Secure boot

**slug:** `secure-boot` · **URL:** `/knowledge/glossary/secure-boot/` · **category:** Hardware Security · **reviewer:** Gleb

### Definition

Secure boot is the cryptographic verification of firmware or operating-system images by the platform before they are allowed to execute, anchored in an immutable hardware root of trust. The goal is to prevent execution of unauthorized or tampered software — including persistent malware that survives reflashing or reboot.

### What it means

A secure-boot chain typically starts in mask ROM or one-time-programmable fuses that store a root-of-trust public key. The ROM verifies the next-stage bootloader against that key; the next-stage bootloader verifies the kernel; the kernel optionally verifies userspace components. Each step extends a chain of trust from the silicon to the runtime environment.

Common implementations include UEFI Secure Boot (PCs), Android Verified Boot (AVB), iOS Secure Boot, Qualcomm Secure Boot, Tegra Secure Boot, Intel Boot Guard, ARM Trusted Firmware bootchain, and vendor-custom chains in automotive ECUs and industrial controllers. The implementation details determine the security guarantee — a chain that verifies only the bootloader but not the root filesystem is materially weaker than one that verifies every stage.

For offensive-security assessment, secure-boot testing covers: identification of the root-of-trust mechanism and key-provisioning model, verification scope (which stages are actually checked), rollback-protection mechanisms (anti-version-downgrade), debug-interface state after boot, and fault-injection resistance.
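The chain walk described above, together with the anti-rollback and verification-scope points, as an added Go example (not code from Melina Security or from any of the vendor implementations named here). It assumes a simplified model: Ed25519 signatures, each stage carrying the public key of the next stage inside its signed payload, a per-stage monotonic version floor standing in for fuse counters, and constructed sample images. `VerifyChain` and `BuildDemoChain` are names chosen for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Stage is one link in the boot chain: the image bytes, its anti-rollback
// version, the public key that verifies the *next* stage (carried inside this
// stage's signed payload), and the signature made by the previous stage's key.
type Stage struct {
	Name    string
	Image   []byte
	Version uint32
	NextKey ed25519.PublicKey // nil for the last stage in the chain
	Sig     []byte
}

// signedPayload is what actually gets signed: a hash over the image, the
// version counter and the next-stage key. Binding version and next key into
// the signature stops an attacker from splicing an old, validly signed stage
// into a newer chain or swapping the downstream key.
func signedPayload(s *Stage) []byte {
	h := sha256.New()
	h.Write(s.Image)
	var v [4]byte
	binary.BigEndian.PutUint32(v[:], s.Version)
	h.Write(v[:])
	h.Write(s.NextKey)
	return h.Sum(nil)
}

// signStage attaches the signature that the owner of the previous stage's
// private key would produce at build/release time.
func signStage(priv ed25519.PrivateKey, s *Stage) {
	s.Sig = ed25519.Sign(priv, signedPayload(s))
}

// VerifyChain walks the chain starting from the immutable root key.
// floors is the platform's monotonic anti-rollback state (modelled here as a
// map instead of fuse counters). It returns the index of the first stage that
// failed verification, or -1 if every stage passed. Anything not in `chain`
// is simply never checked, which is the "verification scope" gap in a chain
// that stops at the bootloader.
func VerifyChain(rootKey ed25519.PublicKey, chain []*Stage, floors map[string]uint32) (int, error) {
	key := rootKey
	for i, s := range chain {
		if !ed25519.Verify(key, signedPayload(s), s.Sig) {
			return i, fmt.Errorf("%s: signature invalid", s.Name)
		}
		if s.Version < floors[s.Name] {
			return i, fmt.Errorf("%s: version %d below rollback floor %d", s.Name, s.Version, floors[s.Name])
		}
		if i < len(chain)-1 && len(s.NextKey) != ed25519.PublicKeySize {
			return i, fmt.Errorf("%s: carries no key for the next stage", s.Name)
		}
		key = s.NextKey
	}
	return -1, nil
}

// BuildDemoChain constructs a three-stage chain with freshly generated keys
// (constructed sample data): root key -> bootloader -> kernel -> rootfs.
func BuildDemoChain() (ed25519.PublicKey, []*Stage, error) {
	rootPub, rootPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	blPub, blPriv, _ := ed25519.GenerateKey(rand.Reader)
	kPub, kPriv, _ := ed25519.GenerateKey(rand.Reader)

	rootfs := &Stage{Name: "rootfs", Image: []byte("rootfs-manifest-v3"), Version: 3}
	signStage(kPriv, rootfs)
	kernel := &Stage{Name: "kernel", Image: []byte("kernel-image-v7"), Version: 7, NextKey: kPub}
	signStage(blPriv, kernel)
	bl := &Stage{Name: "bootloader", Image: []byte("bootloader-v2"), Version: 2, NextKey: blPub}
	signStage(rootPriv, bl)
	return rootPub, []*Stage{bl, kernel, rootfs}, nil
}

func main() {
	root, chain, err := BuildDemoChain()
	if err != nil {
		panic(err)
	}
	floors := map[string]uint32{"bootloader": 2, "kernel": 7, "rootfs": 3}
	idx, err := VerifyChain(root, chain, floors)
	fmt.Println("intact chain:", idx, err)

	chain[1].Image[0] ^= 0xff // one flipped byte in the kernel image
	idx, err = VerifyChain(root, chain, floors)
	fmt.Println("tampered kernel:", idx, err)
	chain[1].Image[0] ^= 0xff

	floors["kernel"] = 8 // platform has already seen kernel v8: v7 is a downgrade
	idx, err = VerifyChain(root, chain, floors)
	fmt.Println("downgraded kernel:", idx, err)
}
```

Two things the model makes visible. First, a stage only becomes trusted once its predecessor has verified it, so a tampered kernel fails at the kernel stage and never gets to vouch for the rootfs. Second, rollback protection is separate from signature checking: an old kernel image still carries a valid signature, and only the version floor rejects it, which is why a review of a real chain has to ask whether the counter is actually burned into fuses and bumped on update rather than stored on rewritable flash.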

### Related terms

- [TrustZone](/knowledge/glossary/trustzone/)
- [Embedded Linux](/knowledge/glossary/embedded-linux/)
- [FreeRTOS](/knowledge/glossary/freertos/)

### Authoritative sources

- [UEFI Secure Boot specification](https://uefi.org/specifications)
- [Android Verified Boot](https://source.android.com/docs/security/features/verifiedboot)
- [NIST SP 800-147 (BIOS Protection Guidelines)](https://csrc.nist.gov/publications/detail/sp/800-147/final)

---

