Linux Secure Boot

What is Linux Secure Boot?

Linux Secure Boot is a Hyper-V feature that Microsoft introduced in Windows 10 and Windows Server 2016. The feature allows specific Linux distributions to boot properly when running in Hyper-V generation 2 virtual machines.

The introduction of Linux Secure Boot addressed a Hyper-V issue that prevented non-Windows operating systems (OSes) from booting in virtual machines, if those VMs ran on computers that used the Unified Extensible Firmware Interface. The UEFI standard defines a firmware specification that includes support for Secure Boot.

The term Linux Secure Boot is sometimes used in a more general sense when referring to a Linux OS that supports UEFI Secure Boot. In this context, Linux Secure Boot is simply a feature in a Linux OS that makes it possible to use Secure Boot on a UEFI-based computer. However, even if a Linux distribution can use Secure Boot, the OS will not necessarily run in a Hyper-V generation 2 VM. Hyper-V supports only specific Linux distributions.

The role of Secure Boot in system startup

All computers rely on a boot loader that hands control from the computer's firmware to the OS each time the computer starts. Prior to the introduction of Secure Boot, boot loaders provided a common attack vector for mechanisms such as rootkits, which bypass the boot loader and launch malware that starts the OS in a compromised state. Infections from such attacks are difficult to isolate and remove with traditional antimalware tools.

To better protect the boot loading process, industry experts developed the Secure Boot feature as part of the UEFI specification. On a computer configured with UEFI firmware, Secure Boot verifies the boot loader before handing over control to the OS. In this way, Secure Boot ensures that only approved OSes can run on a UEFI-based computer.

Secure Boot checks the cryptographic signature in the operating system's bootloader to see if it matches a registered key in the UEFI firmware. If a match is found, the boot process proceeds. If Secure Boot cannot verify the boot loader, the system will generate an error and the boot process will halt. Most of today's computers are configured with UEFI firmware.

Secure Boot on Windows computers

All Windows OSes require the use of Secure Boot, including Windows 10 and 11, as well as Windows Server 2016 and later. Before the introduction of Secure Boot, users could install any OS on their computers as long as the system's hardware met the requirements for the particular OS.

The move toward Secure Boot started in 2011. At the time, Microsoft required Secure Boot to be enabled on all systems certified to run Windows 8. The firmware also had to contain the correct Microsoft cryptographic key, which prevented the installation of nonapproved OSes, including many versions of Linux.

To get around this restriction, administrators had to disable Secure Boot before installing a Linux OS, or they had to operate Secure Boot in a custom mode, which permitted additional OS keys to be added to the firmware.

Linux Secure Boot in Hyper-V

Microsoft introduced Secure Boot for Hyper-V generation 2 VMs in Windows Server 2012 R2. However, the VMs were limited to Windows OSes. Secure Boot was not an option for VMs that ran a Linux OS.

Microsoft added the Linux Secure Boot feature to Hyper-V in Windows 10 and Windows Server 2016. The feature continues to be supported in Windows Server 2019, Windows Server 2022, Hyper-V Server 2016 and Microsoft Hyper-V Server 2019.

Administrators can use a Linux distribution in a Hyper-V VM as long as the digital signature of the distribution's boot loader corresponds with a cryptographic key in the UEFI firmware. Currently, the following Linux versions can use Secure Boot in Hyper-V generation 2 VMs:

• CentOS 7.0 and later.
• Debian 7.0 and later.
• Fedora version 18 and later.
• OpenSUSE version 12.3 and later.
• Oracle Linux 7.0 and later.
• Red Hat Enterprise Linux (RHEL) 7.0 and later.
• SUSE Linux Enterprise Server (SLES) 12 and later.
• Ubuntu 16.04 and later.

To take advantage of the Linux Secure Boot feature, administrators must use a generation 2 Hyper-V VM. They must also ensure that the Secure Boot feature is enabled on the VM and that the VM is configured to use the Microsoft UEFI certificate authority template before starting the VM.

Administrators can manage VM configurations with Hyper-V Manager, Virtual Machine Manager or an elevated Windows PowerShell session.

Disabling Secure Boot

The Hyper-V Secure Boot feature supports only specific Linux versions. For other versions, administrators might find it necessary to disable the Secure Boot feature for the target VM.

Before taking this step, however, they should consider the potential security implications of running a mission-critical server without the protection of Secure Boot. Before disabling Secure Boot, administrators should check with the system manufacturer for firmware upgrades that might provide adequate compatibility with Secure Boot.

Virtual environments can contain many vulnerabilities for attackers to exploit. See what to keep in mind when securing virtual environments. Also, follow these steps to optimize Hyper-V performance.