The manufacturer puts a key on the chip in your computer. Currently controlled by microsoft. The software you boot is checked against these keys and if they don’t check out, it will refuse to boot. In theory this means you can’t modify the software that is booting. Only microsoft can sign approved code. This includes malware sneakily loading together with the operating system, embeding itself on a low level, with all permissions.
I think it’s important to add some nuance to what you said. While it’s true that computers ship with Microsoft keys. One can remove them and install their own. I run all my machines with self signed bootloaders/kernels and it works great!
The manufacturer puts a key on the chip in your computer. Currently controlled by microsoft. The software you boot is checked against these keys and if they don’t check out, it will refuse to boot. In theory this means you can’t modify the software that is booting. Only microsoft can sign approved code. This includes malware sneakily loading together with the operating system, embeding itself on a low level, with all permissions.
Thanks for the explanation, I should have added a /s, I always turn mine off before wiping winblows
I think it’s important to add some nuance to what you said. While it’s true that computers ship with Microsoft keys. One can remove them and install their own. I run all my machines with self signed bootloaders/kernels and it works great!