HeadlinesBriefing.com

UEFI Secure Boot Bypassed Through Signed Bootloader Exploits

Hacker News: Front Page

A security researcher has demonstrated how UEFI Secure Boot can be circumvented using signed bootloaders, undermining the technology designed to prevent bootkits and unauthorized code execution. The technique exploits the fact that most motherboards only include Microsoft's trusted keys, forcing bootable software vendors to obtain Microsoft signatures for their bootloaders. This process involves code audits and justification for signing with globally trusted keys.

To create a universal bootable recovery drive that works without disabling Secure Boot, two main approaches exist: modifying GRUB with internal EFI loaders that bypass signature verification, or creating a custom pre-loader that hooks the UEFI file verification functions. The second method proves preferable because software started through it can in turn load and start other software, whereas the first method cannot execute arbitrary files. The researcher developed the Super UEFIinSecureBoot Disk by modifying PreLoader and GRUB2 components.

The breakthrough came when examining Kaspersky Rescue Disk 18, which uses a signed bootloader that allows module loading through the insmod command. By modifying the chainloader module to self-load EFI files into memory without using UEFI LoadImage/StartImage functions, the researcher created the Silent UEFIinSecureBoot Disk. This approach ports PE header parsing code from shim or PreLoader to GRUB, enabling execution of untrusted code while maintaining Secure Boot's enabled state. The technique demonstrates how signed bootloaders can be abused beyond their intended purposes, raising questions about the effectiveness of Secure Boot's current implementation.