Wiki source code of UEFI Secure Boot

Last modified by Sabrina V. on 2026/02/02 10:18
Hide last authors
jklein 3.1 1 and verifies its signature using the distribution certificates embedded in the Shim package.
2
3 {{aagon.floatingbox/}}
4
5 For systems with UEFI firmware and Secure Boot activated, the PXE boot process differs fundamentally from classic legacy boot via BIOS. UEFI uses a modern architecture model based on 64-bit operation, modular expandability and cryptographic verification. While legacy boot loads arbitrary code without integrity checks, Secure Boot enforces a continuous chain of trust that extends from the firmware starter to the kernel. Each component must be digitally signed in order to be executed.
6 To boot a system with Secure Boot activated via PXE, a boot file signed by Microsoft is required. This file, known as the Shim bootloader, is provided by the respective Linux distribution and forms the bridge between the UEFI firmware and the actual bootloader (usually GRUB).
7 Since the Shim bootloader is signed by Microsoft, it is classified as trustworthy by the firmware. The Shim package also contains certificates for the respective distribution, which are used to verify the subsequent components (such as GRUB, the kernel and the initramfs). It is crucial that the certificate chain remains unchanged throughout the entire boot process so that each component is only loaded from an authorized source.
8
9
10 = PXE boot process in UEFI mode =
11
12 The process typically proceeds as follows:
13
14 1. **UEFI firmware initialisation**
15 The firmware initialises hardware components and checks whether Secure Boot is active. It then starts the network stack for PXE boot.
16 1. **DHCP request and boot file assignment**
17 The PXE client sends a DHCP request and receives the IP address, boot server (TFTP/HTTP) and the name of the boot file to be loaded, typically ##bootx64.efi##.
18 1. **Shim start (Microsoft signed)**
19 The firmware loads ##bootx64.efi## (the Shim bootloader). Since this is signed by Microsoft, it is accepted as trustworthy.
20 1. **GRUB boot (Distribution signed)**
21 The Shim bootloader loads ##grubx64.efi## and verifies its signature using the distribution certificates embedded in the Shim package.
22 1. **Kernel and initramfs start**
23 GRUB loads the kernel (##vmlinuz##) and the initramfsd (##initrd.img##). Both must be signed, otherwise Secure Boot will deny access to the boot process.
24 1. **System start and key verification**
25 Only when all signatures are valid will the kernel be executed and the operating system booted.
26
27 This architecture ensures that only verified and signed components are executed during the entire boot process.
28
29 = Preparation of the boot files =
30
31 For PXE booting under Secure Boot, you need the following files, which are provided by the respective distribution:
32
33 * ##bootx64.efi## – Shim bootloader (Microsoft signed, from the shim-signed package)
34 * ##grubx64.efi## – GRUB EFI bootloader (distribution signed)
35 * ##vmlinuz## – Linux kernel (signed)
36 * ##initrd.img## – Initial RAM disk (signed)
37
38 These files are usually stored in the ##/tftpboot/## directory or a subfolder such as ##/tftpboot/uefi/## and deployed via DHCP/TFTP.
39
40 Example structure
41
42 {{code language="bash"}}
43 /tftpboot/
44 ├── bootx64.efi
45 ├── grubx64.efi
46 ├── grub.cfg
47 ├── myDistro
48 ├──── vmlinuz
49 └──── initrd.img
50 {{/code}}
51
52 {{aagon.warnungsbox}}
53 If you have multiple distributions, please note that Shim and GRUB must always be used as a matching pair. Each distribution comes with its own set of certificates. Mixing different versions will therefore lead to signature errors and boot failures.
54 {{/aagon.warnungsbox}}
55
56 = GRUB configuration file =
57
58 Unlike legacy boot, UEFI Secure Boot uses a GRUB configuration instead of PXELINUX files.
59 This configuration is usually stored in a file called ##grub.cfg##, which is loaded by ##grubx64.efi##.
60
61 Example structure of the GRUB configuration directory
62
63 {{code language="bash"}}
64 /tftpboot/
65 └── grub.cfg
66 {{/code}}
67
68 {{aagon.infobox}}
69 Note: Some GRUB implementations expect the ##grub.cfg## file to be located in the following location: ##tftpboot/grub/grub.cfg##
70 {{/aagon.infobox}}
71
72
73
74 **Important GRUB parameters:**
75
76 * **set timeout: **Sets the timeout in seconds before the default entry is started
77 * **menuentry: **Defines a boot entry in the menu
78 * **linuxefi: **Loads the kernel (EFI-specific command)
79 * **initrdefi**: Loads the initramfs (EFI-specific command)
80 * **set root:** Defines the root file system or TFTP path
81
82
83
84 = Example configuration (standard variant) =
85
86 A simple GRUB configuration file for PXE boot with Secure Boot may look as follows:
87
88 {{code language="ba"}}
89 set default=0
90 set timeout=5
91 set color_normal=white/black
92 set menu_color_highlight=black/light-gray
93
94 menuentry "Boot from local disk" {
95 exit
96 }
97
98 menuentry "Rescue System (Secure Boot)" {
99 linuxefi /myDistro/vmlinuz root=/dev/ram0 rw
100 initrdefi /myDistro/initrd.img
101 }
102 {{/code}}
103
104 This configuration offers two menu options:
105
106 1. Start the rescue or installation system via kernel and initramfs
107 1. Local boot process via ‘exit’ (transfers control to firmware)
108
109 If you now start from this configuration, you will see the following screen and the boot will start automatically from the local disk after 5 seconds.
110
111 [[UEFI Boot screen>>image:UEFI Boot_Bootscreen.png||alt="UEFI Boot Screen"]]
112
113
114
115 = Note on Secure Boot in ACMP =
116
117 The PXE boot system in ACMP supports Legacy BIOS, UEFI Boot and UEFI with Secure Boot.
118
119 However, functionality may be limited when Secure Boot is activated. For maximum compatibility, it is recommended to use a distribution with officially signed boot loaders (Shim + GRUB) or to disable Secure Boot.
120
121
© Aagon GmbH 2026
Besuchen Sie unsere Aagon-Community