Which feature helps protect the boot process by loading only signed firmware and components?

Secure Boot protects the boot process by establishing a trusted path that only loads signed firmware and components. It uses hardware-backed keys stored in the firmware to verify digital signatures on the bootloader, kernel, and other essential elements. If every piece is signed and matches a trusted key, the system boots normally; if any item is unsigned or tampered with, the boot is halted, preventing malware (like rootkits) from loading before the operating system starts. This creates a chain of trust from the very first code that runs to the OS. In contrast, disk encryption protects data at rest, not the integrity of what runs during boot; firmware updates can introduce new code but don’t enforce the signature checks; automatic rollback helps revert to a previous version but doesn’t ensure boot-time validation.