How much security is provided by secure boot?

When booting the OS, when we press F2 on start up, the bios screen comes up. Here, we have the option of enabling secure boot. I am given to understand that now the firmware verifies the signature of the bootloader which in turn verifies the signature of the kernel. In turn, the kernel verifies the signature of some other modules. If the verification fails at any point, the boot process is aborted. Now, with regard to all this, I have a few questions:

1) If the system boots properly when secure boot is enabled, can we assume that kernel is genuine as its signature has been verified?

2) What about other programs or commands which are run from the shell, like 'apt', 'rm', 'shasum', 'sudo', etc. Can we assume that the signatures for these are also verified and hence they are also genuine?


Only the software involved in the boot process is checked by secure boot.

  • The bootloader (Ubuntu uses grub in UEFI mode) and the kernel are checked; they should match a signature. I think also kernel drivers are checked, and unsigned drivers will be blacklisted, which might exclude some proprietary drivers for graphics and wifi.

  • Other software is not checked by the secure boot feature. This includes regular application programs, both command line (text mode) programs and graphics mode (GUI) programs , but also drivers for software, that are not kernel drivers and other help programs that can run in the background.

Secure boot is not enough to keep you safe. You must use other methods to avoid malware. Install programs from the Ubuntu repositories and maybe from well-known PPAs, but avoid programs from any random website (unless you have the source code and understand it). Remember that also websites and document files can be infected by malware.