Technical white paper

Secure Boot for Linux on HPE Servers

Secure Boot, as defined in the UEFI specification, provides an industry-standard defense against potential malware attacks. Without Secure Boot, malware can attack systems during pre-boot by targeting the system-embedded firmware during the interval between BIOS initiation and operating system load. Malware inserted at this point compromises the security of the operating system, no matter how secure. Secure Boot protects the system by preventing the insertion of malware during the pre-boot process. This technical white paper introduces Secure Boot technology and explains what it is, how it works, and how to use it on UEFI-based HPE servers running Linux.

What is Secure Boot?

Secure Boot is a method to restrict which binaries can be executed to boot the system. With Secure Boot, the system BIOS will only allow the execution of boot loaders that carry the cryptographic signature of trusted entities. In other words, anything run in the BIOS must be "signed" with a key that the system knows is trustworthy. With each reboot of the server, every executed component is verified. This prevents malware from hiding embedded code in the boot chain.
Secure Boot is:
  • Intended to prevent boot-sector malware or kernel code injection.
  • Hardware-based code signing.
  • An extension of the UEFI BIOS architecture.
  • Optional, with the ability to enable or disable it through the BIOS.
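
Because Secure Boot is optional and can be switched off in the BIOS, it is worth confirming from the running Linux system what state the firmware actually reports. The script below is an added example, not part of the original white paper or any HPE tooling; it assumes efivarfs is mounted at /sys/firmware/efi/efivars, and the function names are chosen here for illustration.

```shell
#!/bin/sh
# Added example: report the firmware's Secure Boot state from Linux.
# The UEFI specification publishes SecureBoot and SetupMode as one-byte
# variables under the EFI global variable GUID below.
EFI_GLOBAL_GUID="8be4df61-93ca-11d2-aa0d-00e098032b8c"

# efivar_byte DIR NAME: print the first data byte of a global UEFI variable.
# An efivarfs file is a 4-byte attribute word followed by the variable data,
# so a one-byte value sits at offset 4.
efivar_byte() {
    f="$1/$2-$EFI_GLOBAL_GUID"
    [ -r "$f" ] || return 1
    v=$(od -An -tu1 -j4 -N1 "$f" 2>/dev/null | tr -d ' \n')
    [ -n "$v" ] || return 1        # file too short to hold a value
    printf '%s' "$v"
}

# secure_boot_state [DIR]: print one of
#   enabled     firmware is enforcing signature checks
#   disabled    Secure Boot is turned off in the BIOS
#   setup-mode  no Platform Key enrolled, so nothing is enforced
#   unknown     the SecureBoot variable is missing or unreadable
#   no-efivars  legacy BIOS boot, or efivarfs is not mounted
secure_boot_state() {
    dir="${1:-/sys/firmware/efi/efivars}"
    [ -d "$dir" ] || { echo "no-efivars"; return 0; }
    sb=$(efivar_byte "$dir" SecureBoot) || { echo "unknown"; return 0; }
    sm=$(efivar_byte "$dir" SetupMode) || sm=0
    if [ "$sm" = "1" ]; then
        echo "setup-mode"
    elif [ "$sb" = "1" ]; then
        echo "enabled"
    else
        echo "disabled"
    fi
}

secure_boot_state "$@"
```

Any result other than `enabled` means the firmware is not verifying boot loader signatures on that server.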