I’ve seen people advocating for both options, but since I’m still new to Linux I’m not sure what to do. I’m currently installing Mint on my laptop to try it out, and I’m not sure if I should enable secure boot or not.
Simply: Do the protections against someone taking your computer and installing a malicious program before/as your OS, or a program that has attained root on your machine and installs itself before/as your OS, matter enough to you to justify the increased risk of being locked out of your machine and the effort to set it up and understand it.
If you don’t understand and don’t want to put in the effort to, then my advice would be to leave it off. Its simple, and the likelihood it saves you is probably very miniscule.
As always, the answer is “depends”. It shouldn’t hurt unless you’re dual-booting windows (they used it last year as a weapon in their “mess up grub” game), but, Imo, it’s worth the trouble if:
- your data is also encrypted – otherwise one just removes the HDD/SSD and reads what they need;
- you provision your own keys – to not depend on Microsoft signing shims for you;
- you delete the already provisioned keys – Microsoft signed a few vulnerable things, like one kaspersky’s (iirc) live CD with grub not locked down, so one can boot up literally anything anyway;
- you lock down grub or whatever bootloader you’re using – otherwise you become that vulnerable live cd;
- you password lock the uefi – otherwise one can simply disable the secureboot;
- your vendor’s implementation isn’t terribly buggy – iirc, some MSI laptops would just ignore all the discrepancies.
So, a lot of ifs, and a necessity to store the uefi password somewhere safe, as those may be a pita to reset.
As for standalone stuff – idk, it might protect you from malware injecting itself into the bootloader or something, but given there’s likely no chain of trust (I.e. the bootloader doesn’t check what it bootloads), it can move in on some later step.
Short answer: off
Long answer: If you won’t use your system for gaming (or anything requiring third-party drivers) and trust Microsoft to not fuck up and will also encrypt your disc, then Secure Boot makes you safer. Otherwise it just causes trouble.
Secure boot has always caused me headaches in the past.
If you want the extra security, go for it. If you don’t care, turn it off.
I use Linux Mint and I disabled it because it was blocking the nvidia driver from initiating. I’m sure I could fix it, but can’t be arsed to.
Yeah not sure how it works on Mint, on OpenSUSE after reboot it asks if you want to enroll the new keys into it. If you miss the timer you will boot and driver will bork
With the open kernel modules you don’t have to do that anymore
Secure boot is a good thing. It’s a security feature. You want it on whenever possible, unless it’s a huge trouble (like if you have to start manually signing your own keys and adding them to the bios).
Edit: added the word manually
If you do, then also choose full-disk encryption. It doesn’t make sense to close a small hole only to leave the big one gaping wide open. And yet on Linux FDE is mostly off by default, even in today’s era of encryption, even on laptops. Personally I don’t understand it.
Once you’re encrypted, then Secure Boot (if you even have the option of it) mitigates against the “evil maid attack”. To get access to your encrypted computer, the attacker will need physical access to it twice: first to swap out the bootloader, then to harvest the password you unsuspectingly passed to their freshly installed malware.
For most targets (i.e. you, probably), this would all be far too much trouble. But technically it closes a loophole: it means that you can go to Russia as a spy or a journalist and not have to carry your laptop on your person at all times.
Its main purpose is to prevent malware from booting. In my experience its main purpose seems to be preventing me from booting things I want like ventoy flash drives, nvidia drivers, and Linux distros that don’t support it. Same goes for tpm module. Its main purpose seemed to be the switch keeping win 10 from upgrading. I turned them both off and haven’t felt the strong need to turn them back on yet.
That said, and my bad computing habits aside, you probably should turn them ON. I’m not sure they will do all that much realistically speaking, but if it isn’t getting in your way (and it shouldn’t), then ON isn’t a bad default state to be in.
I was looking for an official documentation entry on this matter to share with OP, ideally something centralized like Fedora’s RPM Fusion or the comprehensive Arch Wiki. While I found various user-created resources, I was surprised not to locate a centralized official documentation page addressing this topic. I’m quite familiar with Linux Mint’s user-friendly approach, so perhaps I’ve overlooked something? I’d be genuinely delighted if someone could point me to such a resource, as it would be tremendously helpful not just for OP but for the community as a whole.
Debian has a good page on it and how their set up works:
https://wiki.debian.org/SecureBoot
Edit: Ubuntu is derived from Debian and then Mint from Ubuntu, but they may have their own differing approachsnto secure boot.
I turn it off during OS install then turn it on after usually. If you want to run VMs sometimed youll have to sign your own keys and annoying stuff like that but you can always just go into BIOS and turn it off anytime anyway.
It’s a layer of security. Keep it on when you can. If you have issues doing something, then turn it off (and see if you can turn it back on afterward).
If your linux OS supports secure boot then it does help improve security.
The differing opinions on it are often because it can cause issues in some set ups and in a default set up its only a marginal security gain.
It will add a layer of security at boot by preventing 3rd party unauthenticated processes / software from running and creates a secure boot chain from your BIOS up to the OS. But the default set up also means other authenticated OSes like Windows can be run, so its not as secure as it could be.
To really secure it you could create your own keys and then only your OS could boot. But as a linux newbie thats likely way more than you need and there are risks if you fuck up, to the point of accidentally locking you out of your own machine
So your choice is really just the default set up being on or off. On is a bit more secure but if you experience any issues then turn it off and don’t worry about it.
If you want extra security turn it on or you want windows or any game (looking at you vanguard)to shutup about security boot being off
The only problem with security boot if you care about this is that it’s managed by Microsoft(most of the time)If you’re not actually going to be engaging in securing anything with it, just leave it off to avoid issues.
Linux supports secure boot so if a distro supports it it’s worth using it.
Linux can use a key signed by Microsoft in a preboot loader and then itself perform its own key authentications for all other processes and software (a shim), forming a secure chain from the BIOS up during boot. You dont have to play with creating your own keys.
So if your OS supports secure boot it is worth using it for added security at boot. Its far from perfect in this set up (as there are plenty of windows OS that also have permission to boot) but it is better than a free for all without it even if the risk is low for most desktop users.
You can go further and generate your own keys and use secure boot and TPM together to lock down the system further but you dont have to to get some benefits from secure boot.
That’s not the question though. This is an average user installing Mint. They’re probably not enrolling disk encryption with TPM values or SB certs, they’re literally asking if it’s going to help them by default, and the answer is no. Now, if they were asking how they could increase system security with Secure Boot, I’d answer differently.
deleted by creator
Lol, explain how? Are you using TPM values to actually secure anything? If not, then it’s literally doing nothing for you.
Tpm is for crypto and secure generation and storage of values for use in encryption generally. Secureboot is just firmware verification of loaded binaries from boot on out, they’re 2 different pieces and are not really relevant to each other, unless you’re like me and have a fully customized bootloader with keys in TPM and an EFI module with support for the TPM and unlocking your boot drive.
You are quite mistaken. TPM is used as a key pair, and not just generation.
Let give you a specific example: built a hardware platform for a company, and they wanted to make sure that the storage and device were secure on their own, as well as being separated to prevent somebody pulling it apart to try and channel attack all the different things.
On install, the encrypted disk generates a signature. TPm has its own clean keys set to verify that it’s paired at various levels with various pieces of onboard hardware. Then you pair a bootloader combination of those signatures to generate a three-part signature to make sure that what is in TPM matches both the onboard signatures of what is hardwired in, along with the key generated by the new encrypted volume on the drive.
Anyone takes that drive out, it’s mostly useless, because it can’t boot without the signatures verified by TPM, and they’ll never be able to match the combination of the other 15 keys stored there for the hardwired components.
That’s how it’s intended for use. Not just for signature generation and verification. It’s more of a key/value store than anything, like a physical hardware token device.
Its not doing nothing. Linux uses a Microsoft provided key for initial BIOS authentication and then has its own tree of keys that it uses for security. So it does have the benefits of locking out malicious code/processes even in a default set up.
Using your own secure boot and TPM keys is certainly more secure, but it doesnt follow that secure boot with the default set up is doing nothing to help secure your system at boot.
No idea where you got this understanding from, but it’s not accurate. In your example, if a distro has signed binaries, then it will work to verify code loaded during the boot process to help to verify system integrity. As OP asked about Mint, yes it technically does have signed pre boot and boot signed modules.
No, this will not prevent all code/processes that aren’t signed from running. That’s a ludicrous statement. It will prevent unsigned kernel modules from being loaded (see Nvidia’s MOK process), and it will prevent a disk from being hit with sideload attacks perhaps (it should be encrypted anyway), but it absolutely does not prevent a user from running unsigned code, or even using root privs to run harmful code (like running random scripts from GitHub).
So at the end of the day does it help a standard user with security? I would argue no. As I said elsewhere, if this question were about HOW to improve security with SB, I’d have a different answer, but that’s not the question OP asked.
You don’t know what you are talking about
@ArchmageAzor secure boot is very low on your priorities. Start with FDE (full disk encryption). This should be the default in all Linux distros
