Secure Boot configuration
Secure Boot is implemented in the BIOS and does not require special hardware. Secure Boot ensures that each component launched during the boot process is digitally signed and that the signature is validated against a set of trusted certificates embedded in the UEFI BIOS. This validation covers the following components in the boot process:
UEFI drivers loaded from PCIe cards
UEFI drivers loaded from mass storage devices
Preboot UEFI shell applications
OS UEFI boot loaders
When Secure Boot is enabled, only firmware components and operating systems with boot loaders that have an appropriate digital signature can be executed during the boot process. Only operating systems that support Secure Boot and have a UEFI boot loader signed with one of the authorized keys can boot.
Users can customize the certificates embedded in the UEFI BIOS by adding or removing their own certificates.