Security Practices

Secure Boot

Secure boot is a firmware verification process that ensures only cryptographically signed and authorized code runs on a device when it starts up. In the context of hardware wallets, secure boot prevents tampered or malicious firmware from executing.

How It Works

When a device with secure boot powers on, the first code that executes is a bootloader stored in read-only memory. This bootloader contains the manufacturer's public key and uses it to verify the cryptographic signature of the firmware before allowing it to run. If the signature doesn't match — because the firmware was modified, replaced, or corrupted — the device refuses to boot or displays a warning.

This creates a chain of trust from the hardware up through the software. The bootloader trusts the manufacturer's key, the manufacturer signs only vetted firmware, and the user trusts that the verification process is sound. Some hardware wallets like the Coldcard display a visual indicator (specific words or icons) during boot that changes if the firmware is modified, giving users a human-verifiable check.

Secure boot is not without controversy. If only the manufacturer can sign firmware, it creates a gatekeeper. Some argue this conflicts with the open-source ethos — you should be able to run your own firmware. The Coldcard addresses this by allowing users to verify the firmware hash themselves while still maintaining secure boot integrity. The ideal approach combines secure boot for tamper detection with open-source firmware that anyone can audit and, if needed, compile and sign themselves.
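As an added illustration, not code from this page or from any wallet vendor, the following Go program models the check described in the two sections above: a bootloader object holding the manufacturer's public key verifies the signature over a firmware image before the firmware is allowed to "run", refuses any image that fails, and reports the SHA-256 of the accepted firmware so a user can compare it against a value the vendor publishes. The image layout, the Ed25519 key pair (generated at run time here, where a real device would have the public key burned into ROM), and every function name are assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// Image layout (constructed for this example, not any real wallet's format):
//   magic (4 bytes) | body length (4 bytes, big-endian) | firmware body | Ed25519 signature (64 bytes)
// The signature covers magic, length and body, so none of them can be altered unnoticed.
var imageMagic = []byte("FWv1")

var (
	ErrMalformed    = errors.New("firmware image malformed")
	ErrBadSignature = errors.New("firmware signature does not verify: refusing to boot")
)

// SignFirmware is the manufacturer-side step: only vetted firmware bodies get signed.
func SignFirmware(priv ed25519.PrivateKey, body []byte) []byte {
	var lenBuf [4]byte
	binary.BigEndian.PutUint32(lenBuf[:], uint32(len(body)))
	signed := append(append(append([]byte{}, imageMagic...), lenBuf[:]...), body...)
	return append(signed, ed25519.Sign(priv, signed)...)
}

// Bootloader stands in for the read-only boot code; the key is the only trust anchor.
type Bootloader struct {
	ManufacturerKey ed25519.PublicKey
}

// Verify parses the image, checks the signature and returns the firmware body plus its hash.
// Any parse failure or signature mismatch is a refusal to boot.
func (b Bootloader) Verify(image []byte) (body []byte, hash [32]byte, err error) {
	hdr := len(imageMagic) + 4
	if len(image) < hdr+ed25519.SignatureSize || !bytes.Equal(image[:len(imageMagic)], imageMagic) {
		return nil, hash, ErrMalformed
	}
	n := binary.BigEndian.Uint32(image[len(imageMagic):hdr])
	// Length check in uint64 so a hostile length field cannot overflow the index arithmetic below.
	if uint64(len(image)) != uint64(hdr)+uint64(n)+ed25519.SignatureSize {
		return nil, hash, ErrMalformed
	}
	signed := image[:hdr+int(n)]
	sig := image[hdr+int(n):]
	if !ed25519.Verify(b.ManufacturerKey, signed, sig) {
		return nil, hash, ErrBadSignature
	}
	body = signed[hdr:]
	hash = sha256.Sum256(body)
	return body, hash, nil
}

// Boot returns the line the device would show: the firmware hash for a human check, or the refusal.
func Boot(b Bootloader, image []byte) (string, error) {
	_, h, err := b.Verify(image)
	if err != nil {
		return "", err
	}
	return "firmware OK, sha256 " + hex.EncodeToString(h[:]), nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // demo key pair; a real device ships only pub, in ROM
	bl := Bootloader{ManufacturerKey: pub}
	firmware := []byte("constructed firmware body for the demo")

	fmt.Println(Boot(bl, SignFirmware(priv, firmware)))

	// Tamper with one bit of the firmware body after signing: the bootloader must refuse it.
	tampered := append([]byte(nil), SignFirmware(priv, firmware)...)
	tampered[len(imageMagic)+4] ^= 0x01
	_, err := Boot(bl, tampered)
	fmt.Println("tampered image:", err)

	// Firmware signed by someone other than the manufacturer is refused the same way.
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, err = Boot(bl, SignFirmware(otherPriv, firmware))
	fmt.Println("foreign signature:", err)
}
```

The hash printed on the success path is the piece a user can act on: it only means something if it is compared against a value obtained through a channel independent of the device, which is the role the visual indicator and the user-verifiable firmware hash play in the text above.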

Key Points

  • Verifies firmware integrity at every boot using cryptographic signatures
  • Prevents tampered or malicious firmware from executing on hardware wallets
  • Creates a chain of trust from hardware bootloader through running software
  • Some devices provide visual indicators that change if firmware is modified
  • Best when combined with open-source firmware for independent community auditing