Secure boot

This could be a messy subject, I'm not sure yet.

Now I know not all computers support secure boot. I have a couple of old BIOS systems that do not.
I also know that not all distro's support secure boot either. But it seems most of the mainstream ones do.

On my computers that support secure boot, I leave it turned on. Yes, sometimes it adds a few seconds to the boot up.
But it's supposedly safer.

I guess the idea is, the applications that get run at boot up are signed by something similar to an ssh key.
That vendor guarantees, that no malicious software/malware will get loaded by the boot up applications.

However, it doesn't protect you once the OS is loaded.

Anyway, back to the question. For those of you that have computers that support secure boot, do you leave it enabled?
If not, why not?

I've heard it cause Linux not to boot, but from my experience, it's only the distro's that don't support it.

the number of distributions that can take secure boot is rising, but at this stage there are many more that dont.

Though some Distro's support secure boot It can cause problems with some wifi/bluetooth adaptors, So if your having problems with those I suggest you turn off secure boot.

I recently read some drivers can cause secure boot not to work. I wasn't aware of this.

Apparently Arch and Manjaro, have some un-signed libraries that keep them from booting
with secure boot, if Nvidia drivers are installed.

I suppose that would be a legitimate reason if it's true.
But I've used Nvidia drivers with secure boot on at least 4 different distro's.

But I know fedora/redhat (most clones), Ubuntu, openSuSE, all do.
I haven't used Mint in a while, so I'm not sure about that one.

Brickwizard said:

the number of distributions that can take secure boot is rising, but at this stage there are many more that dont.

Click to expand...

I would have guessed most do, but you are probably right.
Still, even if there are 200 distro's out there, I wonder if you remove the 4 big players,
what percentage of Linux users, use the other 180 distros?
That's a topic for another thread.

I don't use it because this is just a gimmick. It was broken from the beginning and nothing changed.
There was a discussion about secure boot after boothole incident where it was concluded that secure boot by design never will be really secure.
Most secure Linux distro: Qubes by default is not using secure boot.

I have both types of computers some with secure boot and some without.

The secure boot computers can be frustrating when trying to install Linux on them although a few changes in bios usually gives positive results.

If I install using secure boot I leave it enabled and it hasn't caused any problems yet.

I believe most if not all of the Linux distros I use have secure boot of some type.

When it comes to workstations, I only have it enabled on my laptop since Silverblue supports secureboot. On my desktop I don't have it enable since it's still in development and there is a disclaimer that you could end up with an unbootable system.

Outside of that I would like to see that it actually improves security because there are so many topics on the internet about secure boot that say that makes the boot process of your system more secure and topics where they say it makes the boot process of your system less secure as well as your running system less secure.

As I don't run any windows,So I consider it to be superfluous, and just disable it as a matter of course.

I disable secure boot on all my machines But I never boot Windows anyway. only Linux of one sort or another.

dos2unix said:

Anyway, back to the question. For those of you that have computers that support secure boot, do you leave it enabled?
If not, why not?

Click to expand...

Yes. I see that it is a good system to prevent the installation of malware in the kernel space by means of a tampered module. It is recognised widely as a good contribution by Microsoft that has nothing to do with Windows, but with the security of any and all kernels.

For what is worth:

kc1di said:

But I never boot Windows anyway. only Linux of one sort or another.

Click to expand...

But it's for Linux also. Many vendors have signed boot shims.