Many devices now enforce verified/trusted/secure boot, which according to Wikipedia "will only allow signed software to run on the device." Platforms that support this feature include Android, iOS, Windows, and Chrome OS.

From what I understand, secure boot verifies everything in the boot process using a chain of trust based on cryptographic signatures, and thus prevents a compromised system from booting. However, since this feature is only triggered on system startup, it does nothing to secure the device after the boot process is complete, before the next reboot.

If this is the case, would periodically rebooting secure-boot-enabled devices (e.g. Chromebooks, Surface Pros, iPhones, Nexus/Pixel phones) improve the security of the device?


1 Answer


Periodic rebooting does very little to improve device security in general.

Secure boot is designed to protect your system from attacks that target the boot process, e.g. the part of a computer's uptime where the operating system can't yet protect the system, because it's not loaded yet.

Once the operating system is loaded and running, it becomes the OS's job to protect the system. So... secure boot protects you from someone sneaking into your home and hiding a software keylogger somewhere deep in the boot process. But it can't protect you from attacks that target a security hole in an application or the operating system itself. If, for example, you visit a website that infects your browser with malware, which then installs itself in the system without being detected, this malware will still be there when you reboot. Secure boot can't protect you against this.

There are only three cases in which periodic reboot would improve security:

  1. When your computer gets infected with transient malware which only runs in memory and doesn't install itself into the system. A reboot would wipe such malware from your system.
  2. If you have a system that runs entirely from write-protected media and provides only ram drive storage. In that case, rebooting will also wipe the malware.
  3. When your computer gets infected with malware which tries to install itself into the computer's boot-process - secure boot should detect this malware, and the sooner you reboot, the sooner you know.

I'm not sure whether malware which attacks firmware (e.g. military-grade cyber-weapons which attack the BIOS or hard drive firmware etc.) would be in any way affected by secure boot. I'm thinking that malware which could alter a computer's firmware would be undetectable and could disable secure boot altogether if it wanted to. Maybe someone can comment?

Out of Band
  • "Secure Boot" generally encompasses protection of the firmware and low-level OS components of a device, so that (as you said) in theory a bad actor can't modify them without causing a boot error/failure. Of course, sometimes an attacker--especially a sophisticated attacker, with lots of resources--can discover flaws or problems that can allow even robust security layers to be bypassed. See the answers to a question in the same area I asked a while back: http://security.stackexchange.com/questions/102554/how-do-rootkits-other-low-level-malware-still-manage-to-load-on-systems-protec?rq=1 – mostlyinformed Nov 23 '16 at 12:20
  • Also, while implementations of Secure Boot generally only deal with protection against changing firmware and some OS components, the basic concept behind it--a trusted root of components checks the signatures of a next set of components before letting them load, which then check the signatures of a next set, and so on--could be extended all the way up to user-land programs & scripts. Actually, today if you pair Secure Boot with very aggressive use of application whitelisting & lockdown of drivers, you actually can try to get to something that would look a bit like that Holy Grail. (Good luck.) – mostlyinformed Nov 23 '16 at 12:56
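
The chain-of-trust idea discussed in the answer and comments above, as an added example that is not part of the original posts. It is a simplified model that pins SHA-256 digests in place of real signatures; the stage names, the `userdata` store and all sample bytes are constructed for illustration.

```python
import hashlib

def image(stage):
    # Bytes covered by the check: the stage's code plus the digest it pins for the next stage.
    return stage["code"] + stage["next"].encode()

def seal(stages):
    """Pin each stage's digest into its predecessor (last stage first).
    Returns the root digest, which a real device keeps in immutable storage."""
    nxt = ""
    for stage in reversed(stages):
        stage["next"] = nxt
        nxt = hashlib.sha256(image(stage)).hexdigest()
    return nxt

def verified_boot(rom_digest, stages):
    """Walk the chain. Returns (True, None), or (False, name of the first failing stage)."""
    expected = rom_digest
    for stage in stages:
        if hashlib.sha256(image(stage)).hexdigest() != expected:
            return False, stage["name"]
        expected = stage["next"]
    return True, None

def demo():
    # Constructed sample boot images, in boot order.
    disk = [{"name": "bootloader", "code": b"BL v1"},
            {"name": "kernel", "code": b"KERNEL v1"},
            {"name": "system", "code": b"SYSTEM v1"}]
    userdata = {"browser_profile": b"clean"}   # writable storage outside the chain
    rom = seal(disk)
    results = {"clean": verified_boot(rom, disk)}

    # Malware persisted outside the verified stages: the boot check never looks at it.
    userdata["browser_profile"] = b"clean + persisted malware"
    results["userland_infected"] = verified_boot(rom, disk)

    # A verified stage modified on disk: caught at the next boot, not before.
    disk[1]["code"] = b"KERNEL v1 + bootkit"
    results["kernel_tampered"] = verified_boot(rom, disk)

    # Re-pinning the bootloader to match the modified kernel only moves the
    # failure one stage earlier, because the root digest cannot be rewritten.
    disk[0]["next"] = hashlib.sha256(image(disk[1])).hexdigest()
    results["repinned"] = verified_boot(rom, disk)
    return results

if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, outcome)
```
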