Secure Boot – Overview, Risks, and Handling of Legacy Systems
1. What is Secure Boot?
Secure Boot is a security mechanism that ensures a device starts only with trusted, non-tampered software.
Already during power-on, all boot components are cryptographically verified.
In short:
- Secure Boot verifies what is allowed to start
- If a component is invalid or manipulated → the boot process is blocked
The goal is to prevent malware from becoming active before the operating system loads.
2. How does Secure Boot work? (Simplified)
Secure Boot is based on a Chain of Trust:
- UEFI firmware starts
- It verifies the bootloader signature
- The bootloader verifies the kernel
- The kernel verifies drivers and system components
👉 Each stage may only start if it is cryptographically trusted.
3. What does Secure Boot protect against?
Secure Boot primarily protects against:
- Bootkits and rootkits (malware before the OS)
- Manipulated bootloaders
- Unauthorized operating systems
- Persistent attacks that bypass traditional antivirus solutions
4. Secure Boot vs. TPM
| Secure Boot | TPM |
|---|---|
| Verifies what is booted | Measures whether something has changed |
| Part of UEFI | Separate hardware chip |
| Enforces trust | Enables evidence (e.g. BitLocker) |
➡️ Together they form the basis for Trusted Boot and Zero-Trust Endpoints.
5. What does “certificates are expiring” mean in Secure Boot?
Secure Boot can be compared to an access control at a factory gate:
- Every boot component has a digital ID (certificate)
- This ID is valid only for a limited time
- At boot time Secure Boot checks:
“Is this ID authentic and still valid?”
When a certificate expires
- The ID is no longer valid
- Secure Boot can no longer trust the component
- The system will not boot (or only in a degraded mode)
⚠️ Important:
This happens at a fixed point in time, not gradually.
6. Which systems are most affected?
🔴 High impact
- Old hypervisors
- VMware ESXi (older major versions)
- Hyper-V on older Windows Servers
- Legacy KVM / Xen installations
- Legacy Linux systems
- Old RHEL / CentOS / SLES versions
- Special appliances
- Custom-built images
- Industrial / OT systems
- Production PCs
- Edge devices
- Machine controllers with UEFI
- Offline or isolated systems
- No patch access
- No firmware updates
🟡 Lower impact
- Windows 10 / 11
- Windows Server 2016+
- Current Linux distributions
➡️ Certificates are usually updated automatically.
7. Why are hypervisors particularly critical?
Hypervisors:
- often run for 5–10 years
- are rarely reinstalled
- form the foundation of many virtual machines
➡️ A single affected hypervisor can impact dozens of VMs.
8. Can Secure-Boot certificates be installed afterwards?
Firmware / BIOS / UEFI
- ❌ On older systems, usually not possible
- Secure Boot keys (PK, KEK, db, dbx) are part of the firmware
- Keys are provided by the hardware/firmware vendor
- Without a supported key update mechanism, they are not replaceable
Conclusion:
Secure Boot cannot usually be retrofitted or repaired on old hardware.
Virtual Machines
- ✅ Yes, on the VM level
- Each VM has its own virtual UEFI
- VM Secure Boot is independent of host Secure Boot, if supported by the hypervisor
Requirements:
- VM firmware = UEFI
- Secure Boot enabled in the VM
- Supported hypervisor (e.g. ESXi ≥ 6.x)
Operating Systems (easiest and recommended path)
Windows
- Windows 10 / 11
- Windows Server 2016+
➡️ Secure-Boot-relevant certificates are maintained automatically via Windows Update.
Modern Linux distributions
These use a signed “shim” bootloader:
- RHEL 7+
- SLES 12+
- Ubuntu 18.04+
➡️ Regular OS updates (shim + kernel) are sufficient.
Legacy Linux versions
- RHEL 6
- CentOS 6
- Old special-purpose distributions
❌ Not patchable for Secure Boot
➡️ Reinstallation or Secure Boot must be disabled.
9. Special case: VMware ESXi
ESXi 5.x
- ❌ No Secure Boot in the modern sense
- Boots via legacy BIOS or UEFI without Secure-Boot enforcement
- ❌ No Secure-Boot certificate validation during host boot
Important clarification:
With ESXi 5.x, boot failures due to expired Secure-Boot certificates do not occur,
because Secure Boot is technically not active.
The real risks are:
- End of Life (no security patches)
- Known vulnerabilities remain unpatched
- No modern platform security features
- Compliance only possible with documented exceptions
Possible actions:
- Continued operation with formal risk acceptance
- Isolation / hardening
- Planned migration
Newer ESXi versions
| ESXi Version | Secure Boot Capability |
|---|---|
| ESXi 7 / 8 | ✅ Full (host & VM, hardware-dependent) |
| ESXi 6.7 | 🟡 Limited |
| ESXi ≤ 6.0 | ❌ Practically unusable |
➡️ From ESXi 6.5 onward, Secure Boot becomes relevant, including certificate and key management topics.
10. Is Secure Boot mandatory everywhere?
No – not retroactively.
Audit-safe rule of thumb
| Situation | Secure Boot |
|---|---|
| New system | ✅ Required |
| New installation | ✅ Required |
| Major upgrade | ✅ Required |
| New hardware | ✅ Required |
| Unchanged legacy system | ❌ Not required |
| Isolated legacy system | ❌ With documentation |
➡️ “New” is the decisive trigger, not the system’s age.
11. Recommended actions
Short term
- Identify systems using Secure Boot
- Capture versions and risks
- Establish transparency
Medium term
- Upgrade to supported platforms
- Use modern images and firmware
- Establish Secure Boot as a standard
Exception cases
- Disable Secure Boot
- Document and accept the risk
- Define a transition or migration plan
12. Key message
- Secure Boot is a standard for new platforms
- Legacy systems are handled risk-based
- Not everything can be retrofitted
- Migration is the only sustainable long-term solution
13. Key takeaways
Secure Boot only protects the layer on which it is enabled.
Where Secure Boot is not active, Secure-Boot certificates cannot block booting.
Secure Boot is a target state – not a retroactive requirement.