
What Is Secure Boot and What Do Shim Files Have to Do With It?

25.06.2025, 18:01

If you’ve ever tried installing Linux and run into weird boot errors — especially when Secure Boot is involved — you’re not alone. In this article, we’ll break down what Secure Boot actually is, what shim files are, and why they sometimes get in the way of booting Linux — in simple terms, without diving too deep into technical jargon.

Secure Boot is meant to protect you — but it’s not always convenient

Secure Boot was designed with one goal in mind: to prevent malware from loading before your operating system starts. The idea sounds great — if the software trying to boot isn’t digitally signed, your system won’t allow it.

Sounds like solid protection? It is. But things get tricky when Linux enters the picture.

Take Ubuntu 21.04, for example — it had a release where updated shim files didn’t play well with some system firmware. The result? The system simply refused to boot. Users had to either find a patch or roll back to older shim files to get things working again.

What is Secure Boot, in plain English?

Imagine your computer is a fortress, and there’s a gatekeeper checking everyone's ID at the door.
Secure Boot is that gatekeeper. It only lets in software that’s been verified and “signed.”

It’s part of UEFI — the modern replacement for the old BIOS — and it runs right when you turn on your PC. It checks if anything shady is trying to sneak in before your OS starts.

If the software isn’t signed, it doesn’t get through. That helps block boot-level malware and hidden viruses.

How does Secure Boot work?

Secure Boot uses a chain of trust and a few types of keys to decide what’s allowed:
— PK (Platform Key) – the master key, installed by the device maker (like Dell or HP)
— KEK (Key Exchange Key) – acts as a middleman, verifying if other keys can be trusted
— DB (Allowed Database) – a list of approved digital signatures
— DBX (Forbidden Database) – a blacklist of signatures that should be blocked

When Secure Boot is enabled, every file trying to run is checked against these lists. Only trusted ones make it through.

So, what are shim files for?

Linux distros often don’t come with signatures that Secure Boot recognizes. That’s where shim files come in.

A shim is like a translator between Secure Boot and Linux. It’s a small bootloader that is signed by Microsoft, so it passes Secure Boot checks. From there, shim takes over and verifies the actual Linux bootloader (like GRUB). If everything looks good, it hands off control.

In short, shim builds a bridge between UEFI security and Linux — allowing you to boot your distro even with Secure Boot turned on.

Why does Secure Boot matter?

Secure Boot protects your system from some of the nastiest kinds of malware — rootkits and bootkits. These sneak in before your operating system loads and can be almost impossible to detect.

With Secure Boot enabled:
— Those threats get blocked early
— Unsigned or tampered software can’t affect the boot process
— You’ll know right away if something’s off

When should you disable Secure Boot?

There are times when Secure Boot becomes more of a hassle than a help:
— You’re installing a distro that doesn’t support Secure Boot. Some distros aren’t signed, so they just won’t boot.
— You’re using custom drivers or bootloaders. These may fail Secure Boot checks.

Disabling Secure Boot removes a layer of protection — but gives you more flexibility. Just proceed with caution.

Which Linux distros support Secure Boot?

The good news: most major distros support Secure Boot out of the box and include signed shim files and bootloaders.

Some examples:
— Ubuntu
— Fedora
— openSUSE / SUSE
— Zorin OS
— Linux Mint
— Debian
— Red Hat

That’s not a full list — check your distro’s website for details.

If your distro doesn’t support it, don’t worry. You can always disable Secure Boot in the BIOS or manually enroll your own bootloader (though that takes a bit more technical know-how).

How to disable Secure Boot (and whether you should)

If you’ve decided to turn it off:
1. Reboot your PC
2. Enter BIOS/UEFI (usually by pressing F2, F10, or Del during startup)
3. Find the Secure Boot option (usually under Boot or Security settings)
4. Set it to Disabled
5. Save changes and restart

Keep in mind: turning off Secure Boot makes your system more vulnerable. Make sure to keep your system up to date and use antivirus protection — especially if you regularly plug in USB drives or run software from unknown sources.