Bootloader

A bootloader is a low-level program that initializes hardware and loads the operating system kernel during the system startup process.

What is a bootloader?

A bootloader is the first software component executed when a computer or device powers on. Its primary role is to:

  1. Initialize essential hardware components
  2. Locate the operating system
  3. Load the OS kernel into memory
  4. Transfer control to the operating system

Because it runs before the operating system, the bootloader operates in a highly privileged and trusted position.

Why the bootloader matters

The bootloader is security-critical because:

  • It defines what software is allowed to start
  • It establishes the chain of trust during system boot
  • It executes before most security controls are active
  • If compromised, it can enable stealthy, persistent attacks

A malicious or modified bootloader can completely undermine system integrity.

Common bootloader types

Bootloaders vary by platform and architecture:

1) BIOS / Legacy bootloaders

  • Used on older systems
  • Limited security features
  • Vulnerable to boot-time attacks

2) UEFI bootloaders

  • Modern standard on PCs and servers
  • Support Secure Boot, signed binaries, and measured boot
  • More complex, but significantly more secure when properly configured

3) Multi-stage bootloaders

  • Split into several phases (stage 1, stage 2, etc.)
  • Common in Linux and embedded systems

4) Embedded and mobile bootloaders

  • Used in IoT devices, routers, smartphones
  • Often vendor-specific and rarely updated

Bootloader and Secure Boot

Secure Boot is a security mechanism that ensures only cryptographically signed bootloaders and kernels are allowed to run.

When Secure Boot is enabled:

  • Firmware verifies the bootloader signature
  • The bootloader verifies the OS kernel
  • Any unsigned or modified component is blocked

Disabling Secure Boot increases flexibility but also significantly increases risk.

Bootloader as an attack vector

Attackers may target the bootloader to:

  • Install bootkits (a form of rootkit)
  • Persist across OS reinstalls
  • Hide malware from the operating system
  • Bypass endpoint security tools

Bootloader compromise is often seen in:

  • Advanced persistent threats (APTs)
  • Firmware-level attacks
  • High-value or targeted intrusions

Bootloader vs firmware vs kernel

These components are closely related but distinct:

  • Firmware (BIOS/UEFI): hardware initialization layer
  • Bootloader: loads and hands off to the OS
  • Kernel: core of the operating system

A compromise at any lower level affects everything above it.

Indicators of bootloader compromise

Detection is difficult, but possible warning signs include:

  • Secure Boot disabled unexpectedly
  • Boot integrity or TPM measurement failures
  • Abnormal boot behavior or unexplained early crashes
  • OS reinstallations failing to remove malicious behavior
  • Firmware or bootloader hashes not matching known-good values

How to secure the bootloader

Best practices include:

  • Enabling Secure Boot and TPM-based attestation
  • Locking firmware settings with strong passwords
  • Applying firmware and BIOS/UEFI updates regularly
  • Monitoring boot integrity measurements
  • Reinstalling systems from trusted media after suspected compromise

In high-security environments, boot integrity is treated as non-negotiable.
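An added illustration, not part of the original glossary entry, of the measurement failures and hash mismatches listed under the indicators above and the monitoring practice listed here: a stdlib-only Python model of measured boot, in which each stage is hashed and extended into a TPM-style PCR and the result is compared with a known-good baseline. The stage names and image bytes are constructed placeholders, not real firmware.

```python
import hashlib

PCR_SIZE = 32  # a SHA-256 PCR bank holds 32-byte values

def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: a PCR is only ever folded forward, never set."""
    return hashlib.sha256(pcr + measurement).digest()

def measure_boot(components):
    """Hash each boot stage in boot order and extend it into one PCR.
    Returns the final PCR and an event log of (stage, digest hex)."""
    pcr = bytes(PCR_SIZE)  # PCRs read as all zeros after platform reset
    event_log = []
    for stage, image in components:
        digest = hashlib.sha256(image).digest()
        event_log.append((stage, digest.hex()))
        pcr = pcr_extend(pcr, digest)
    return pcr, event_log

def check_boot_integrity(pcr, event_log, known_good_pcr, known_good_log):
    """Return (True, None) if the PCR matches the baseline, else
    (False, stage) naming the first stage whose digest differs."""
    if pcr == known_good_pcr:
        return True, None
    for (stage, digest), (_, good_digest) in zip(event_log, known_good_log):
        if digest != good_digest:
            return False, stage
    return False, "unknown"  # every paired stage matched: a stage was added or dropped

# Constructed stand-ins for real boot images (not real firmware bytes).
GOOD_CHAIN = [
    ("firmware", b"constructed uefi firmware image"),
    ("bootloader", b"constructed signed bootloader image"),
    ("kernel", b"constructed kernel image"),
]
KNOWN_GOOD_PCR, KNOWN_GOOD_LOG = measure_boot(GOOD_CHAIN)

# Same chain, but the bootloader image no longer matches the baseline.
MODIFIED_CHAIN = [
    ("firmware", b"constructed uefi firmware image"),
    ("bootloader", b"constructed signed bootloader image (modified)"),
    ("kernel", b"constructed kernel image"),
]

if __name__ == "__main__":
    pcr, log = measure_boot(MODIFIED_CHAIN)
    print(check_boot_integrity(pcr, log, KNOWN_GOOD_PCR, KNOWN_GOOD_LOG))
```

Because extend is order-dependent, the same stages booted in a different order also produce a PCR that no longer matches the baseline, which is why monitoring the final measurement catches more than a per-file hash check does.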

Common misconceptions

  • "The bootloader is part of the operating system"
  • "Antivirus can always detect bootloader malware"
  • "Reinstalling the OS fixes boot-level compromises"
  • "Only nation-states attack bootloaders"