Ethical Hacking News
UEFI Secure Boot on Arm: A Comprehensive Overview
In recent years, the adoption of ARM-based devices has increased dramatically. However, until recently, UEFI Secure Boot was not fully supported on this platform. But that is changing fast, as new solutions are being developed and working examples exist for some popular devices.
UEFI Secure Boot has been adopted by Linux Arm64 devices. The technology was initially developed for x86 platforms but is now being implemented on ARM-based devices. There are dozens of chip manufacturers, resulting in diverse hardware implementations and no homogeneous picture of the firmware. u-boot provides compliance with the UEFI specifications and allows Secure Boot, but certificates and keys must be deployed manually. Red Hat distributions face challenges: Fedora ships an unsigned shim, and RHEL ships a shim signed with a Red Hat rather than a Microsoft certificate. CentOS Stream and Alma Linux are better prepared with a Microsoft-signed shim. UEFI Secure Boot on ARM is becoming a practical reality for users, though it requires extra effort to set up and to deploy the necessary certificates and keys.
Linux Arm64 – where do we stand?
The world of computer hardware is constantly evolving, and one of the most significant advancements in recent years has been the increasing adoption of ARM-based devices, particularly the 64-bit variant known as AARCH64 or Arm64. As a result, it is essential to understand how UEFI Secure Boot operates on this platform.
UEFI Secure Boot for Linux Arm64 – where do we stand?
UEFI was originally developed by Intel as the firmware interface for its Itanium-based high-end datacenter computers. The Unified Extensible Firmware Interface (UEFI), with Secure Boot incorporated, became a standard in the x86 world. However, this technology never made it to the ARM platform until recently.
The enormous success of devices like the Raspberry Pi and its single-board computer clones has massively increased the adoption of the hardware platform in recent years. Unsurprisingly, the same is true of Linux installations on Arm. These days everybody talks about AARCH64, or Arm64, which is the 64-bit version of Arm.
The topic of UEFI Secure Boot for Linux on ARM has two different aspects: considering what kind of UEFI functions are provided with the shipped hardware and how Linux deals with it.
While the core UEFI specification is architecture-independent, its implementation on ARM-based devices differs from the x86 one. Instead of just a few, there are dozens of chip manufacturers. Remember that the company Arm itself only releases specifications for chip designs; the actual implementation in silicon is done by others.
As a result of that diversity of hardware, there is no homogeneous picture of the firmware. Each chip vendor normally produces its own firmware, and often enough it is neither replaceable by nor compatible with anything else. Even worse, it is frequently not UEFI at all, which potentially means no Secure Boot.
But hold on. There is some common ground: the de-facto standard boot loader for Linux on those ARM devices. This piece of software, called u-boot, does provide compliance with the UEFI specifications and allows Secure Boot. However, there are two main things to consider when going down that path.
Firstly, u-boot itself does not come with any pre-deployed certificates and keys. That is a huge difference from the x86 world, where one can expect that at least the Microsoft certificates are available in the installed firmware.
To clarify, u-boot itself is not the firmware. The vendor firmware is stored in chips on the board; that firmware then loads u-boot, which is stored on an external drive such as a USB stick or an SD card. U-boot in turn provides a standard UEFI environment and loads Linux.
But there is also another option. Startup via u-boot consists of several phases, and it is possible to divert one of them into a real UEFI implementation (chain-loading). The challenge here is not implementing that deviation from the startup sequence; it is the availability of a hardware-specific UEFI implementation.
There are working examples for the Raspberry Pi 3 and 4 and also for some other ARM-based devices. The RK3588 chips in particular look very promising. The benefit of this approach is almost the same user experience as in the x86 world: the UEFI GUI is intuitive and close enough to what the user already knows from PCs.
In a nutshell: the UEFI support on ARM is not as great as in the x86 world. If you are lucky, you own hardware where chain-loading as described above is possible.
Apart from that, the hope rests on the u-boot implementation of UEFI and Secure Boot.
The software side of life
Given the nature of UEFI Secure Boot on the x86 side, one would not expect any surprises. The technology, the source code and the processes are independent of the hardware platform. Hence, whatever works in the x86 world should work as well on the ARM side.
Reality shows that this is true for the Debian, Canonical/Ubuntu and SUSE parts of the house. That means the corresponding distributions – community and Enterprise – simply install on Arm with UEFI Secure Boot enabled and Microsoft keys/certificates pre-deployed.
However, those working within the Red Hat universe can get quite different and surprising results. The community variant Fedora comes with a shim that has not been signed. Consequently, the installation will not work out of the box.
On the RHEL (Red Hat Enterprise Linux) side the surprise is even bigger. The shim is signed, but not with a Microsoft certificate/key; a Red Hat one is used instead. In both cases the best way forward is to install Linux with Secure Boot disabled. Afterwards the user can create and deploy their own certificates and keys and make either the shim or the grub2 binary trustworthy for UEFI.
Interestingly enough, CentOS Stream and Alma Linux – both based on Red Hat code – are better prepared. They come with a Microsoft-signed shim. Based on discussions on the relevant mailing lists, there is hope that at least Fedora will work out of the box soon.
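As an added example (not from the article or the u-boot project), this Python builds and parses the EFI_SIGNATURE_LIST structure that a self-made certificate must be packed into before it can be enrolled in the db variable of a u-boot UEFI Secure Boot setup like the one described above; the owner GUID and the DER bytes are constructed placeholders. Signing that list with your PK and writing it as an authenticated variable (for example with efitools' sign-efi-sig-list) is a separate step not shown here.

```python
import struct
import uuid

# Signature type for a DER-encoded X.509 certificate entry (EFI_CERT_X509_GUID)
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")

# Fixed part of EFI_SIGNATURE_LIST: SignatureType GUID + SignatureListSize,
# SignatureHeaderSize and SignatureSize (all little-endian UINT32)
ESL_HEADER = struct.Struct("<16sIII")

# Constructed placeholders: a made-up owner GUID and a fake DER blob (not a real cert)
OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")
SAMPLE_CERT_DER = b"\x30\x82\x01\x00" + bytes(range(64))


def build_esl(cert_der: bytes, owner: uuid.UUID) -> bytes:
    """Wrap one DER certificate in an EFI_SIGNATURE_LIST, as cert-to-efi-sig-list does."""
    sig_size = 16 + len(cert_der)            # EFI_SIGNATURE_DATA = SignatureOwner GUID + cert
    list_size = ESL_HEADER.size + sig_size   # SignatureHeaderSize is 0 for X.509 lists
    header = ESL_HEADER.pack(EFI_CERT_X509_GUID.bytes_le, list_size, 0, sig_size)
    return header + owner.bytes_le + cert_der


def parse_esl(blob: bytes):
    """Walk a db/dbx-style blob (one or more lists) and return (type, owner, data) triples."""
    entries, off = [], 0
    while off < len(blob):
        if len(blob) - off < ESL_HEADER.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type, list_size, hdr_size, sig_size = ESL_HEADER.unpack_from(blob, off)
        if list_size < ESL_HEADER.size + hdr_size or off + list_size > len(blob):
            raise ValueError("SignatureListSize is inconsistent with the blob length")
        body_start = off + ESL_HEADER.size + hdr_size
        body_len = list_size - ESL_HEADER.size - hdr_size
        if sig_size < 16 or body_len % sig_size:
            raise ValueError("SignatureSize does not divide the list body")
        for i in range(body_len // sig_size):
            start = body_start + i * sig_size
            owner = uuid.UUID(bytes_le=blob[start:start + 16])
            entries.append((uuid.UUID(bytes_le=sig_type), owner, blob[start + 16:start + sig_size]))
        off += list_size
    return entries


if __name__ == "__main__":
    esl = build_esl(SAMPLE_CERT_DER, OWNER)
    for sig_type, owner, data in parse_esl(esl):
        print(f"type={sig_type} owner={owner} {len(data)} bytes of signature data")
```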
In conclusion, the technology behind UEFI Secure Boot has made tremendous progress in recent years. While it faces challenges on the ARM platform, solutions have been found and working examples exist for some popular devices.
The fact that major Linux distributions – both community and Enterprise – simply install on Arm with UEFI Secure Boot enabled and Microsoft keys/certificates pre-deployed is a testament to the technology's maturity.
However, the experience of those working within the Red Hat universe serves as a reminder that there is still room for improvement. The development of working out-of-the-box examples for these distributions will help bridge this gap.
In any case, one thing is clear: UEFI Secure Boot on ARM is no longer an exotic concept but rather a practical reality for many users. It may require some extra effort to set up and deploy the necessary certificates and keys, but it is definitely worth it.
The transition from traditional BIOS-based systems to UEFI has been a significant step forward in terms of security and scalability.
As we move forward into an increasingly secure and scalable world, one thing is certain: UEFI Secure Boot on ARM will continue to play an important role in protecting our devices and our data.
Related Information:
https://www.ethicalhackingnews.com/articles/UEFI-Secure-Boot-on-Arm-A-Comprehensive-Overview-ehn.shtml
https://go.theregister.com/feed/www.theregister.com/2025/09/17/uefi_secure_boot_for_linux/
Published: Wed Sep 17 02:35:02 2025 by llama3.2 3B Q4_K_M