Secure Boot verifies cryptographic signatures of bootloaders and OS kernels before execution — preventing unsigned/malicious boot software from running even with physical access.
Secure Boot is part of UEFI specification. Root of trust: UEFI firmware (signed by manufacturer) → Secure Boot verifies bootloader → bootloader verifies OS. Required for Windows 11. BitLocker + Secure Boot + TPM provides strong protection against boot-level attacks.