Secure Boot
- Thread starter meetdilip
- Start date
- Status
If you boot a secure boot enabled os , i.e. win 10/11 or Linux mint or Ubuntu it's best to leave the setting enabled . Some os ( older Linux versions ) do not support secure boot . Hence the option in bios to leave it off for these os to boot and run successfully .
dvader
Galvanizer
On a personal system you can disable it. Secure boot restricts system boot from random bootable drives, only a signed EFI binary will be booted if enabled. You can however add a custom key and sign all your EFI binaries with it but that's extra work for no gain on a personal system. DC servers on the other hand enforce secure boot without fail.
If you're on Arch, you can automate it.
GitHub - andreyv/sbupdate: Generate and sign kernel images for UEFI Secure Boot on Arch Linux
Generate and sign kernel images for UEFI Secure Boot on Arch Linux - GitHub - andreyv/sbupdate: Generate and sign kernel images for UEFI Secure Boot on Arch Linux
github.com
dvader
Galvanizer
Not using Arch. Thanks
he/she is just excited to share.Yup, good to know you are learning about Arch/Use Arch. However, you can automate this in any Linux distro (BSDs and Windows too for that matter) it's a simple signing process.
With security, one needs to think what one is securing against. Which threat are you protecting against? Typical threats to secure against are :
1. Loss of hardware : secure boot doedn't protect against it, theft can still happen.
2. Data becoming unavailable to oneself : someone can overwrite the disk drives by taking out of PC case/laptop. Secure boot doesn't help.
3. Data being read by unauthorised persons : disk encryption helps with it, not secure boot.
4. Install a Trojan in your regular OS: this can be prevented by disk encryption. Secure boot doesn't help particularly with it.
4a. A Trojan, completely replacing our original OS, but pretending to be the original OS: the criminal needs to be extremely smart and familiar to the victim to pull it off. And again, decide not doesn't help because it would include replacement of hardware.
5. Unauthorised use of resources e.g. network : a thief can abuse our home network by bringing in their own laptop, so secure boot doesn't help much.
1. Loss of hardware : secure boot doedn't protect against it, theft can still happen.
2. Data becoming unavailable to oneself : someone can overwrite the disk drives by taking out of PC case/laptop. Secure boot doesn't help.
3. Data being read by unauthorised persons : disk encryption helps with it, not secure boot.
4. Install a Trojan in your regular OS: this can be prevented by disk encryption. Secure boot doesn't help particularly with it.
4a. A Trojan, completely replacing our original OS, but pretending to be the original OS: the criminal needs to be extremely smart and familiar to the victim to pull it off. And again, decide not doesn't help because it would include replacement of hardware.
5. Unauthorised use of resources e.g. network : a thief can abuse our home network by bringing in their own laptop, so secure boot doesn't help much.
It's official: BlackLotus malware can bypass secure boot
The myth 'is now a reality'
BlackLotus, a UEFI bootkit that's sold on hacking forums for about $5,000, can now bypass Secure Boot, making it the first known malware to run on Windows systems even with the firmware security feature enabled.
Secure Boot is supposed to prevent devices from running unauthorized software on Microsoft machines. But by targeting UEFI the BlackLotus malware loads before anything else in the booting process, including the operating system and any security tools that could stop it.
- Status