Secure Boot is a UEFI firmware mechanism that verifies during startup whether the bootloader and OS kernel are signed with trusted keys. Unsigned or tampered software is prevented from loading. This protects the boot chain against rootkits and bootkits that install themselves before the operating system. Secure Boot is available on most modern systems and should be enabled. In an ISMS it is part of endpoint-security measures. Make sure custom kernel modules or Linux distributions are correctly signed to avoid compatibility issues.