Secure Boot is a security feature defined in the UEFI (Unified Extensible Firmware Interface) standard, designed to ensure that a device boots using only software trusted by the Original Equipment Manufacturer (OEM). It works by maintaining a cryptographically signed list of authorized binaries that can run during the boot process. When the system starts up, its firmware verifies the digital signatures of all boot software components, including the boot manager, kernel, and drivers. If the signatures are valid and trusted, the device boots normally; if not, the boot process is blocked to prevent unauthorized or malicious code from running early in the startup sequence.

Secure Boot improves the security of the pre-boot environment by preventing tampering and unauthorized software execution, reducing attack surface that other security solutions, such as system encryption, cannot cover. It typically requires hardware support for UEFI version 2.3.1 or later and pre-installed cryptographic keys in the firmware's signature database.

Operating systems such as Windows and Linux distributions support Secure Boot, often using signed boot loaders or small signed loaders (such as the Microsoft-signed "shim" used by Debian) to maintain trust in the boot chain. Secure Boot can be enabled or disabled through BIOS/UEFI firmware settings, and enabling it often requires the system to use GPT partitioning and boot in UEFI mode. Some setups allow the use of custom keys for tighter control, and Secure Boot may be combined with other security measures such as full disk encryption and a TPM (Trusted Platform Module) for enhanced protection.

In summary, Secure Boot is a crucial mechanism for ensuring the integrity and trustworthiness of the software environment from the moment a PC powers on, protecting against rootkits and other low-level malware that could compromise the system before the operating system loads.
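
To make the signature database described above concrete, the following Python example, added here and not part of the original text, parses the `EFI_SIGNATURE_LIST` layout that the UEFI specification uses for that database and runs a hash-only allow check against it. Assumptions: the owner GUID, loader bytes and certificate bytes are constructed sample data, a flat SHA-256 of the file stands in for the Authenticode PE digest that real firmware computes, and certificate-chain verification is not modelled.

```python
import hashlib
import struct
import uuid

# Signature type GUIDs from the UEFI specification.
EFI_CERT_SHA256 = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509 = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
TYPE_NAMES = {EFI_CERT_SHA256: "sha256", EFI_CERT_X509: "x509"}
HEADER = struct.Struct("<16sIII")  # SignatureType, ListSize, HeaderSize, SignatureSize

def parse_signature_lists(blob):
    """Return (type, owner GUID, data) for every entry in concatenated EFI_SIGNATURE_LISTs."""
    entries, offset = [], 0
    while offset < len(blob):
        if len(blob) - offset < HEADER.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        raw_type, list_size, hdr_size, sig_size = HEADER.unpack_from(blob, offset)
        body_start = offset + HEADER.size + hdr_size
        body_end = offset + list_size
        if (sig_size <= 16 or not body_start <= body_end <= len(blob)
                or (body_end - body_start) % sig_size):
            raise ValueError("inconsistent EFI_SIGNATURE_LIST sizes")
        kind = TYPE_NAMES.get(uuid.UUID(bytes_le=raw_type), "other")
        for pos in range(body_start, body_end, sig_size):
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])  # SignatureOwner GUID
            entries.append((kind, owner, blob[pos + 16:pos + sig_size]))
        offset = body_end
    return entries

def hash_allowed(image, db_blob):
    """Hash-only check: is SHA-256(image) listed in db? (Simplified stand-in digest.)"""
    digest = hashlib.sha256(image).digest()
    return any(k == "sha256" and d == digest for k, _, d in parse_signature_lists(db_blob))

def build_list(sig_type, owner, items):
    """Serialize one EFI_SIGNATURE_LIST; used only to construct the sample below."""
    body = b"".join(owner.bytes_le + item for item in items)
    return HEADER.pack(sig_type.bytes_le, HEADER.size + len(body), 0, 16 + len(items[0])) + body

# Constructed sample data: placeholder owner GUID, fake loader bytes, dummy certificate.
OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")
TRUSTED_LOADER = b"constructed trusted boot loader image"
SAMPLE_DB = (build_list(EFI_CERT_SHA256, OWNER, [hashlib.sha256(TRUSTED_LOADER).digest()])
             + build_list(EFI_CERT_X509, OWNER, [b"\x30\x82constructed-dummy-cert"]))

if __name__ == "__main__":
    for kind, owner, data in parse_signature_lists(SAMPLE_DB):
        print(kind, owner, len(data), "bytes")
    print(hash_allowed(TRUSTED_LOADER, SAMPLE_DB), hash_allowed(TRUSTED_LOADER + b"!", SAMPLE_DB))
```

On Linux, the same parser can be applied to the `db` variable exposed through efivarfs after skipping the 4-byte attribute prefix that efivarfs places before the variable data.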