[SOLVED] Should I enable secure boot

ticojohn
Posts: 1284
Joined: 2009-08-29 18:10
Location: Costa Rica
Has thanked: 21 times
Been thanked: 44 times

[SOLVED] Should I enable secure boot

#1 Post by ticojohn »

When I first installed Debian (Stretch) on my Intel NUC I had to disable Secure Boot because the secure boot shim was not yet available. Having read a number of articles about the security benefits of using secure boot, along with some negative issues, I am wondering if I should now enable secure boot. If so, what are the steps that I need to follow? Hopefully it is very straightforward. Currently running Debian 11 amd64.

I was trying to do a forum search and was unable to find anything. The search function is either temporarily not working or there are so many entries that it is taking a long time to bring up the search results (search for secure boot over 2 minutes and no results shown).

EDIT: I thought I put this in General Questions but it ended up in Beginners Questions. Go figure.
EDIT 2: I am booting in EFI mode, just not secure boot.
Last edited by ticojohn on 2022-10-03 19:28, edited 1 time in total.
I am not irrational, I'm just quantum probabilistic.

p.H
Global Moderator
Posts: 3049
Joined: 2017-09-17 07:12
Has thanked: 5 times
Been thanked: 132 times

Re: Should I enable secure boot

#2 Post by p.H »

If you want to enable secure boot, make sure that
- shim-signed and grub-efi-amd64-signed are installed before installing GRUB;
- if you have a locally built kernel image or modules (nvidia, virtualbox, r8168...), you signed them and registered the signature in the secure boot infrastructure.
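
Added example, not from the thread and not Debian's own tooling: a POSIX shell script that acts on the two points above. It reads the Secure Boot state straight from efivarfs (the same two variables mokutil --sb-state reports), checks that shim-signed and grub-efi-amd64-signed are actually installed, and shows the Machine Owner Key (MOK) route for signing a locally built module so shim trusts it. The key file names MOK.priv and MOK.der, the certificate subject, and the efivars directory argument used for testing are assumptions; the real tools (openssl, mokutil, kmodsign, modinfo) are called as documented.

```shell
# Added example for p.H's checklist; not code from the thread or from Debian.
EFI_GLOBAL_GUID=8be4df61-93ca-11d2-aa0d-00e098032b8c

# efivarfs exposes each UEFI variable as a file: a 4-byte attribute word
# followed by the value. Print the single value byte of a boolean variable
# (SecureBoot, SetupMode), or "absent" when the variable does not exist
# (legacy BIOS boot, or firmware without Secure Boot support).
efi_bool() {
    varfile="$1/$2-$EFI_GLOBAL_GUID"
    [ -r "$varfile" ] || { echo absent; return 0; }
    byte=$(od -An -tu1 -j4 -N1 "$varfile" | tr -d ' ')
    echo "${byte:-absent}"
}

# Same classification mokutil --sb-state makes: signatures are enforced only
# when SecureBoot=1 and the firmware is not in SetupMode (SetupMode=0).
# Argument is the efivars directory (assumed default: the live one).
secureboot_state() {
    dir="${1:-/sys/firmware/efi/efivars}"
    sb=$(efi_bool "$dir" SecureBoot)
    sm=$(efi_bool "$dir" SetupMode)
    case "$sb:$sm" in
        absent:*) echo unsupported ;;
        1:0)      echo enforcing ;;
        1:*)      echo setup-mode ;;
        *)        echo disabled ;;
    esac
}

# Succeed only when both signed boot-chain packages are in state "installed";
# a missing package produces no "installed" line, so count them.
signed_chain_installed() {
    n=$(dpkg-query -W -f='${db:Status-Status}\n' shim-signed grub-efi-amd64-signed 2>/dev/null \
        | grep -cx installed)
    [ "$n" -eq 2 ]
}

# One-time setup (assumed file names): create a MOK and queue it for
# enrolment. mokutil asks for a password now; MokManager asks for it again
# at the next reboot, and only then is the key trusted by shim.
mok_create_and_enroll() {
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Local Debian module signing key" \
        -keyout MOK.priv -outform DER -out MOK.der
    mokutil --import MOK.der
}

# Sign one module (e.g. nvidia.ko, vboxdrv.ko, r8168.ko) with the enrolled
# MOK. kmodsign comes from the sbsigntool package; the kernel's own
# scripts/sign-file in linux-kbuild-* does the same job.
sign_module() {
    kmodsign sha256 MOK.priv MOK.der "$1"
    modinfo -F signer "$1"   # prints the CN once a signature is attached
}
```

Run secureboot_state first: if it prints "disabled" or "setup-mode", the firmware is not checking anything yet, whatever packages are installed. Every DKMS rebuild after a kernel update produces a fresh unsigned module, so sign_module has to be re-run (or dkms configured to sign with the same key) or the module will be refused once Secure Boot is enforcing.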

cynwulf

Re: Should I enable secure boot

#3 Post by cynwulf »

Are you asking "should I enable secure boot" and want opinions?

Or are you asking how to enable secureboot?

You can refer to the Debian wiki, but unfortunately it contains a Microsoft apologist opinion piece from someone with a clear agenda, which should be removed: https://wiki.debian.org/SecureBoot#What ... oot_NOT.3F

My alternative view to that expressed in the Debian wiki is as follows.

Secureboot is absolutely a device of Microsoft and its x86 OEM "partners" to control the x86 boot process - excluding Linux et al from the desktop market - which has been a success. WSL/WSL2 are the latest machinations of this very same strategy to ensure that Windows remains the main OS.

Secureboot was developed during the era of Steve "Linux is a cancer" Ballmer and was orchestrated to coincide with the Windows 8 release. You can actually forget all of the apologist rhetoric on that basis and assume that it was conceived with malicious intent.

Secureboot is passed off as "security", by many apologists, even many Linux users (especially those in Red Hat or Canonical circles, and especially those mouthpieces on the corporate payroll), whereas it's faux security at best. If someone has physical access to your machine, to boot a different OS (we need examples of where anyone has carried out such an attack - we also need to question why Microsoft focused on such an obscure vector, rather than its infamous malware problem and poor security record over all), it's already game over. What secure boot "secures" is the installation of an insecure Windows OS, in preference to its replacement with a secure one. The intent of secureboot was lock in.

It certainly has nothing to do with servers in data centres and some hypothetical "evil maid attack" - Secureboot was developed and primarily targeted at ordinary x86 laptop/desktop PCs and tablets running Windows 8 (now known as "Windows 10/11") - this has only been watered down over time, as MS have to avoid the gaze of lawyers at home and the EU, etc, elsewhere. A change of strategy does not mean that the goals have changed.

The UEFI Forum (responsible for Secureboot) is a "collaborative" body made up of several "Big Tech" corporations - in some contexts, this is what amounts to a "cartel". It is made up of Microsoft, Apple, AMD, Intel, ARM, major x86 OEMs and the BIOS vendors. There are several sets of major competitors in that mix - here all are involved in an "alliance" which collaborates to develop new means of locking down the x86 PC hardware platform to suit proprietary OS - particularly Microsoft - and exclude alternatives.

Microsoft has secret, "exclusionary" deals with these OEMs, to ensure that their hardware is never sold without preinstalled Windows. Fact. That means no sales of bare ("NO OS") machines. This has been the case for decades and virtually nothing has changed.

ticojohn
Posts: 1284
Joined: 2009-08-29 18:10
Location: Costa Rica
Has thanked: 21 times
Been thanked: 44 times

Re: Should I enable secure boot

#4 Post by ticojohn »

cynwulf wrote: 2022-10-03 10:30
Are you asking "should I enable secure boot" and want opinions?

Or are you asking how to enable secureboot?

Hey @cynwulf, I appreciate the rant. :lol: I am aware of all the MS issues, but it was kind of fun reading your views.
Yes, I was basically looking for legitimate reasons for either enabling secure boot, or not. Unfortunately I didn't see any technical issues addressed that might help me with a logical reason for going through the process of enabling secure boot.

If secure boot is not necessary for security purposes, then it is not worth my time to go through the process.

cynwulf

Re: Should I enable secure boot

#5 Post by cynwulf »

Always ready to oblige with a good rant.

You can certainly enable Secureboot and go through the needed steps to boot a Linux kernel with it enabled - but the most you might get from that would be some "feelgood" security vibes...

p.H
Global Moderator
Posts: 3049
Joined: 2017-09-17 07:12
Has thanked: 5 times
Been thanked: 132 times

Re: Should I enable secure boot

#6 Post by p.H »

What you theoretically get from secure boot (modulo vulnerabilities in these elements):

- the UEFI firmware will only execute a boot loader with a trusted signature (usually from Microsoft)
- the boot loader will only boot a kernel with a trusted signature (usually from the distributor)
- the kernel will only load kernel modules with a trusted signature (usually from the distributor)

and that's about it. Secure boot will not protect against any threat not based on tampering with any of these elements. You can still load any boot loader config file, any initramfs, run any userland program...
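
Added example, not from the thread and not Debian's own tooling, to make the three links of the chain above observable from a running system. The module-signature link is what the kernel calls lockdown in "integrity" mode, which Debian's signed kernels switch on when the firmware reports Secure Boot; the script reads that mode from securityfs and lists the loaded modules that carry the unsigned ("E") taint in /proc/modules, which is exactly the set that will be refused once the chain is enforced. The sample /proc/modules lines are constructed for the example; the file-path arguments exist only so the parsers can be run against test files.

```shell
# Added example for the trust chain p.H describes; not code from the thread.

# Kernel lockdown mode as exposed by securityfs. The line reads e.g.
# "none [integrity] confidentiality"; the bracketed word is the active mode.
# "integrity" is the mode in which unsigned modules are refused.
lockdown_mode() {
    f="${1:-/sys/kernel/security/lockdown}"
    [ -r "$f" ] || { echo absent; return 0; }
    sed -n 's/.*\[\([a-z]*\)\].*/\1/p' "$f"
}

# Loaded modules whose taint flags include E (unsigned). In /proc/modules the
# taint letters, when present, are the last field in parentheses, e.g. "(OE)";
# an untainted module's last field is its load address instead.
unsigned_modules() {
    f="${1:-/proc/modules}"
    awk '$NF ~ /^\(.*E.*\)$/ { print $1 }' "$f"
}

# Signers of an EFI binary (shim, grub) from its Authenticode signature;
# sbverify comes from sbsigntool. Argument: path under /boot/efi.
efi_signers() {
    sbverify --list "$1"
}

# Constructed sample in /proc/modules format: three out-of-tree, unsigned
# modules of the kind p.H names, plus one in-tree signed module.
SAMPLE_PROC_MODULES='nvidia 39108608 0 - Live 0x0000000000000000 (POE)
vboxdrv 606208 0 vboxnetadp,vboxnetflt, Live 0x0000000000000000 (OE)
r8168 262144 0 - Live 0x0000000000000000 (OE)
ext4 925696 1 - Live 0x0000000000000000'

# Summary a practitioner would check before flipping Secure Boot on:
# the lockdown mode, and which currently loaded modules would stop loading.
secureboot_readiness() {
    echo "lockdown: $(lockdown_mode "$1")"
    echo "unsigned modules that would be refused:"
    unsigned_modules "$2" | sed 's/^/  /'
}
```

What the script does not check is just as telling: nothing here can inspect grub.cfg, the initramfs, or anything in userland, because none of those carry a signature the chain verifies. Those parts stay as editable under Secure Boot as they are without it.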

ticojohn
Posts: 1284
Joined: 2009-08-29 18:10
Location: Costa Rica
Has thanked: 21 times
Been thanked: 44 times

Re: Should I enable secure boot

#7 Post by ticojohn »

Thanks for the feedback from @cynwulf and @p.H . You have both made it pretty clear that enabling secure boot on my Debian machine would be a fairly useless endeavor. I kind of thought that, but having read a number of articles I just wanted to be sure I wasn't missing something. Actually, I did miss something. Most of the articles were MS centric. I should have known. :oops:
