Which feature ensures only signed bootloaders and kernels run to protect against rootkits?

Prepare for the Google Data Center Technician Exam. Use our interactive quiz featuring flashcards and multiple choice questions with hints and explanations. Get exam-ready today!

Multiple Choice

Which feature ensures only signed bootloaders and kernels run to protect against rootkits?

Explanation:
Establishing a trusted boot path by verifying signatures. UEFI Secure Boot uses digital signatures and a PKI in the firmware to validate each component in the boot sequence—bootloaders and kernels—before they are allowed to run. The firmware holds trusted keys, and boot components must be signed by those keys. If a signature matches, boot proceeds; if not, the boot is halted. This prevents rootkits from loading during startup because unsigned or tampered code cannot pass the checks. Other options don’t provide this boot-time verification: NVRAM Boot ROM is just storage for firmware, PCIe Slot is a hardware interface, and the BMC handles out-of-band management rather than enforcing signed boot code.

