How to disable Secure Boot


How to Disable Secure Boot from EFI Firmware Setup in KVM

Secure Boot is a firmware-level security feature that allows only trusted bootloaders and operating system components to start during the boot process. In some server or virtual machine maintenance scenarios, Secure Boot may need to be disabled temporarily.

This guide explains how to disable Secure Boot from the EFI Firmware Setup using a KVM console.

When Should Secure Boot Be Disabled?

Secure Boot should only be disabled when required. Common scenarios include installing an operating system that does not support Secure Boot, booting from a rescue ISO, loading unsigned kernel modules, troubleshooting boot issues, or performing low-level maintenance.

Security Note:

Secure Boot helps protect the boot process from unauthorized bootloaders and firmware-level threats. Re-enable Secure Boot after maintenance if your security policy requires it.

Prerequisites

Before proceeding, ensure that you have:

KVM console access to the server or virtual machine.

Permission to reboot the system.

Access to the EFI firmware setup menu.

An approved maintenance window for production systems.

Step 1: Open the KVM Console and Reboot

Open the server or virtual machine through the KVM console and reboot the system.

During startup, press F2 before the bootloader starts.

If the boot selection menu appears, select EFI Firmware Setup and press Enter.

Step 2: Enter EFI Firmware Setup

After selecting EFI Firmware Setup, the firmware configuration screen opens.

From the main menu, select Device Manager and press Enter.

Step 3: Open Secure Boot Configuration

Inside Device Manager, select Secure Boot Configuration and press Enter.

Step 4: Check Current Secure Boot State

The Secure Boot Configuration screen shows the current Secure Boot state.

If Attempt Secure Boot is checked, Secure Boot is currently enabled or configured to be attempted during boot.

Step 5: Disable Attempt Secure Boot

Select Attempt Secure Boot.

Press the Spacebar to remove the checkbox.

The value changes from checked to unchecked.

After changing the setting, the firmware displays the following message:

Configuration changed, please reset the platform to take effect!

Press Enter to continue.

Step 6: Save the Configuration

After disabling Attempt Secure Boot, press F10 to save the configuration.

A confirmation message appears:

Save configuration changes?

Press Y to confirm, N or ESC to ignore.

Press Y to confirm and save the changes.

Step 7: Return to the Main Menu

Press Esc twice to return to the main EFI firmware menu.

Step 8: Reset the Platform

From the main menu, select Reset and press Enter.

The server or virtual machine will reboot. Secure Boot will be disabled after the platform reset.

Validation from Linux
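
One way to confirm the new state from the running Linux system, as an added example that is not part of the original article: the script reads the standard UEFI `SecureBoot` variable through efivarfs and reports `disabled` once the steps above have taken effect. The function names `secure_boot_state` and `make_sample` are hypothetical helpers, and the sample files they build are constructed for offline testing.

```shell
#!/bin/sh
# Added example: report the Secure Boot state from the SecureBoot EFI variable.
# The GUID is the UEFI global-variable GUID. The efivarfs file holds 4 bytes
# of variable attributes followed by 1 data byte (1 = enabled, 0 = disabled).
SB_VAR_DEFAULT=/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c

# secure_boot_state [FILE] -> prints enabled | disabled | not-uefi | unknown
# FILE defaults to the live variable; pass another path to inspect a copy.
secure_boot_state() {
    var=${1:-$SB_VAR_DEFAULT}
    # Without /sys/firmware/efi the system booted in legacy BIOS mode,
    # so Secure Boot does not apply at all.
    if [ "$var" = "$SB_VAR_DEFAULT" ] && [ ! -d /sys/firmware/efi ]; then
        echo not-uefi
        return 0
    fi
    # Variable missing or unreadable (efivarfs not mounted, no permission).
    [ -r "$var" ] || { echo unknown; return 0; }
    # Skip the 4 attribute bytes and decode the single data byte.
    # A truncated file yields an empty value and falls through to unknown.
    byte=$(od -An -tu1 -j4 -N1 "$var" 2>/dev/null | tr -d ' \n')
    case $byte in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# make_sample FILE VALUE: write a constructed 5-byte variable image
# (attributes 0x00000006 + data byte VALUE, where VALUE is 0 or 1).
make_sample() {
    printf '\006\000\000\000' > "$1"
    printf "\\00$2" >> "$1"
}

# Report the state of the system this script runs on.
echo "Secure Boot: $(secure_boot_state)"
```

Where the `mokutil` package is installed, `mokutil --sb-state` reports the same state.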
