Disable secure boot

meetdilip

What is your opinion about disabling Secure Boot? I have been repeatedly advised to turn it off because it is causing issues with dual boot Linux.

Does Secure Boot actually secure anything? Or is it only a method to make dual boot horrible? Thanks.
 
If you are in an enterprise environment where there is a possibility of data theft by booting your computer from a Live operating system USB, then yes, Secure Boot does make a difference. If you are a home user who does not have sensitive information on the computer, then no. It does not help.
 
I'd also like to point out that a majority of Gigabyte motherboards and a few from MSI get bricked if you mess with Secure Boot settings. I personally experienced the same on a Gigabyte mbd and found dozens of cases on Reddit.
 
With Secure Boot enabled, your firmware verifies the bootloader programs against pre-loaded keys before letting them proceed. This basically means that any other blob (the Linux bootloader, for instance) that doesn't match these keys (initially set by the manufacturer and almost always including keys from Microsoft, that enable you to boot Windows) would be unable to boot your machine.

And while this is designed to protect your hardware against malicious bootloading programs, chances are that you are fairly unlikely to run into such scenarios. And if you keep your data encrypted (which you absolutely must, if you are in a position to even consider Secure Boot seriously), chances are quite slim that your data is at risk - unless of course you are a target of a state-sponsored actor or a formidable business rival.

Depending on your firmware, there are ways to add your own keys and dual boot Linux with Secure Boot enabled. This usually is not worth the pain - and needless to say, the risk of corrupting existing keys in your firmware.

Please also see:
 
You can use Ubuntu; it supports Secure Boot. On Ubuntu, all pre-built binaries intended to be loaded as part of the boot process, with the exception of the initrd image, are signed by Canonical's UEFI certificate, which itself is implicitly trusted by being embedded in the shim loader, itself signed by Microsoft. Ubuntu Secure boot docs.
 