| Started by | Axel <none@not.here> |
|---|---|
| First post | 2026-03-22 06:02 +1100 |
| Last post | 2026-03-25 10:37 +1100 |
| Articles | 13 — 5 participants |
Secure boot Axel <none@not.here> - 2026-03-22 06:02 +1100
Re: Secure boot "Alan K." <alan@invalid.com> - 2026-03-21 15:35 -0400
Re: Secure boot Axel <none@not.here> - 2026-03-22 17:23 +1100
Re: Secure boot Axel <none@not.here> - 2026-03-24 06:48 +1100
Re: Secure boot rbowman <bowman@montana.com> - 2026-03-24 01:14 +0000
Re: Secure boot rbowman <bowman@montana.com> - 2026-03-22 04:05 +0000
Re: Secure boot Axel <none@not.here> - 2026-03-22 17:23 +1100
Re: Secure boot Lawrence D’Oliveiro <ldo@nz.invalid> - 2026-03-22 05:18 +0000
Re: Secure boot Axel <none@not.here> - 2026-03-22 17:25 +1100
Re: Secure boot Paul <nospam@needed.invalid> - 2026-03-22 02:03 -0400
Re: Secure boot Axel <none@not.here> - 2026-03-24 06:10 +1100
Re: Secure boot Paul <nospam@needed.invalid> - 2026-03-23 17:02 -0400
Re: Secure boot Axel <none@not.here> - 2026-03-25 10:37 +1100
| From | Axel <none@not.here> |
|---|---|
| Date | 2026-03-22 06:02 +1100 |
| Subject | Secure boot |
| Message-ID | <n288asF4krmU1@mid.individual.net> |
Should I have it on or off? At present I have it off.
--
Linux Mint 22.3
| From | "Alan K." <alan@invalid.com> |
|---|---|
| Date | 2026-03-21 15:35 -0400 |
| Message-ID | <10pmruj$2n3a8$1@dont-email.me> |
| In reply to | #47096 |
On 3/21/26 3:02 PM, Axel wrote:
>
> Should I have it on or off? at present I have it off.
>
I have found it's less problematic with it off.
This (not being the de facto answer) gives you a bit of background if you're interested in reading.
https://www.siberoloji.com/managing-secure-boot-with-cinnamon-desktop-on-linux-mint/
Short answer is: Turn it off. The article explains it can be done but I have 4 systems
booting and I sometimes replace one with a new one and I just don't want to fight who
signs and who doesn't.
--
Linux Mint 22.3, Mozilla Thunderbird 140.8.1esr, Mozilla Firefox 148.0.2
Alan K.
| From | Axel <none@not.here> |
|---|---|
| Date | 2026-03-22 17:23 +1100 |
| Message-ID | <n29g7cFadb6U4@mid.individual.net> |
| In reply to | #47099 |
Alan K. wrote:
> On 3/21/26 3:02 PM, Axel wrote:
>>
>> Should I have it on or off? at present I have it off.
>>
> I have found it's less problematic with it off.
>
> This (not being the de facto answer) gives you a bit of background if
> you're interested in reading.
> https://www.siberoloji.com/managing-secure-boot-with-cinnamon-desktop-on-linux-mint/
>
> Short answer is: Turn it off. The article explains it can be done
> but I have 4 systems booting and I sometimes replace one with a new
> one and I just don't want to fight who signs and who doesn't.
>
thanks for that
--
Linux Mint 22.3
| From | Axel <none@not.here> |
|---|---|
| Date | 2026-03-24 06:48 +1100 |
| Message-ID | <n2djovFts8qU2@mid.individual.net> |
| In reply to | #47099 |
Alan K. wrote:
> On 3/21/26 3:02 PM, Axel wrote:
>>
>> Should I have it on or off? at present I have it off.
>>
> I have found it's less problematic with it off.
>
> This (not being the de facto answer) gives you a bit of background if
> you're interested in reading.
> https://www.siberoloji.com/managing-secure-boot-with-cinnamon-desktop-on-linux-mint/
>
would it be different with other distros?
>
> Short answer is: Turn it off. The article explains it can be done
> but I have 4 systems booting and I sometimes replace one with a new
> one and I just don't want to fight who signs and who doesn't.
>
--
Linux Mint 22.3
| From | rbowman <bowman@montana.com> |
|---|---|
| Date | 2026-03-24 01:14 +0000 |
| Message-ID | <n2e6s0F2j0cU2@mid.individual.net> |
| In reply to | #47110 |
On Tue, 24 Mar 2026 06:48:47 +1100, Axel wrote:
> Alan K. wrote:
>> On 3/21/26 3:02 PM, Axel wrote:
>>>
>>> Should I have it on or off? at present I have it off.
>>>
>> I have found it's less problematic with it off.
>>
>> This (not being the de facto answer) gives you a bit of background if
>> you're interested in reading.
>> https://www.siberoloji.com/managing-secure-boot-with-cinnamon-desktop-on-linux-mint/
>>
>>
> would it be different with other distros?
Some distros are signed, some aren't. With secure boot turned off you don't have to wonder.
| From | rbowman <bowman@montana.com> |
|---|---|
| Date | 2026-03-22 04:05 +0000 |
| Message-ID | <n29851F9ctuU1@mid.individual.net> |
| In reply to | #47096 |
On Sun, 22 Mar 2026 06:02:52 +1100, Axel wrote:
> Should I have it on or off? at present I have it off.
Leave it off. It doesn't do anything for Linux and if you need to reinstall or want to try another distro you'll probably need to turn it off again.
| From | Axel <none@not.here> |
|---|---|
| Date | 2026-03-22 17:23 +1100 |
| Message-ID | <n29g7tFadb6U5@mid.individual.net> |
| In reply to | #47100 |
rbowman wrote:
> On Sun, 22 Mar 2026 06:02:52 +1100, Axel wrote:
>
>> Should I have it on or off? at present I have it off.
> Leave it off. It doesn't do anything for Linux and if you need to
> reinstall or want to try another distro you'll probably need to turn it
> off again.
thanks
--
Linux Mint 22.3
| From | Lawrence D’Oliveiro <ldo@nz.invalid> |
|---|---|
| Date | 2026-03-22 05:18 +0000 |
| Message-ID | <10pnu35$317ft$3@dont-email.me> |
| In reply to | #47096 |
On Sun, 22 Mar 2026 06:02:52 +1100, Axel wrote:
> Should I have it on or off? at present I have it off.
Depends on whom you’re having it off with. ;)

Seriously, the official recommendation from the likes of Microsoft, and even some Linux folks, is to have it enabled. But I like to apply the principle that weak security is worse than no security at all, because it lulls you into believing you’re secure when you’re not. And “secure boot” most certainly falls into the category of “weak security”.
| From | Axel <none@not.here> |
|---|---|
| Date | 2026-03-22 17:25 +1100 |
| Message-ID | <n29gaaFadb6U6@mid.individual.net> |
| In reply to | #47101 |
Lawrence D’Oliveiro wrote:
> On Sun, 22 Mar 2026 06:02:52 +1100, Axel wrote:
>
>> Should I have it on or off? at present I have it off.
> Depends on whom you’re having it off with. ;)
LOL
>
> Seriously, the official recommendation from the likes of Microsoft,
> and even some Linux folks, is to have it enabled. But I like to apply
> the principle that weak security is worse than no security at all,
> because it lulls you into believing you’re secure when you’re not. And
> “secure boot” most certainly falls into the category of “weak
> security”.
--
Linux Mint 22.3
| From | Paul <nospam@needed.invalid> |
|---|---|
| Date | 2026-03-22 02:03 -0400 |
| Message-ID | <10po0oh$329mt$1@dont-email.me> |
| In reply to | #47096 |
On Sat, 3/21/2026 3:02 PM, Axel wrote:
>
> Should I have it on or off? at present I have it off.
>
See "Secure Boot", about 30% down the page.
https://en.wikipedia.org/wiki/UEFI
Examples of security features.

| Feature | What it does |
|---|---|
| Secure Boot | A secure enclave CPU "measures" the boot process and checks the signing of the UEFI Boot Files. It "attests" that the boot files have not been modified. The BIOS has a certificate chain, and items can be "revoked" when stored in there so they are no longer trusted as certificates. |
| Not Secure Boot | Whatever you boot with is implicitly trusted and is not measured. A Boot Kit which has taken over the boot materials can then be a persistent threat, living on the machine. |
| Automatic authentication | When you don't have to enter your password at Linux startup, this gives the visitor to your household access to your home directory and your email Inbox. It does not give elevation, as a "sudo" command still requires typing in a password. |
| Entry Authentication | Having to enter a password right after the OS boots ensures that getting access to your home directory requires knowing a secret. Using "sudo" still requires typing the password too. |
*******
As for device implementations, there can be a 14 pin or a 20 pin header
for manual insertion of a device. The device can sit on SPI or LPC
(in other words, more than one bus type is supported).
The BIOS also can have a firmware implementation of TPM. The processor
must have a secure enclave, as part of that firmware. A TPM physical chip has
a secure enclave, which is how older processors could have a root of trust.
Newer processors have a core which does nothing but function as a secure
enclave. On Intel this might be "TXT". On AMD, there are the regular x86
cores, but there is one ARM core inside the AMD processor, which is not
intended for, say, running a smartphone in there, that core is used
to make a TPM via BIOS firmware. One laptop with a particular AMD
processor, has a Pluton prototype inside it, which sank like a rock
from a public relations point of view. The processor likely has at
least one ARM core plus the Pluton (in case the Pluton sank like a rock).
In Windows, it's easy to check your TPM status. There are two lines in
the interface.
Status

Attestation   Ready   <=== both some sort of TPM is present, plus code that interfaces with the results
Storage       Ready   <=== presumably, holds a BitLocker key or similar
My Dell Optiplex 780 claims to have a TPM, but Attestation is not ready
and the machine does not Secure Boot. It might be a TPM 1.4 module, soldered
to the motherboard. The storage is likely Ready (as storing a key is pretty easy).
A motherboard that supported TPM 1.4, is unlikely to receive a BIOS update
to make it TPM 2.0 ready, nor is it likely the manufacturer will make
a TPM 2.0 module for it. If they do make a TPM module, they would then
be on the hook for issuing a new motherboard BIOS file (which is not
going to happen). This is how perfectly good motherboards get frozen out
of this nonsense.
The topic is migraine-inducing, just like the maintenance web page
for Intel Management Engine and all its versions. You really as a human,
could not read to the end of that filth. I had to stop. The TPM topic
is just as bad, as virtually every discussion thread is incomplete,
the people who know what they're doing, are not writing 100 page
missives to help anyone. If you knew everything about it, you
could likely exploit it and beat the crap out of it. That's why we
have Boot Kits out there. Some keys, via db/dbx may already
have been revoked. And Microsoft is in the process of installing
PCA 2023 and eventually, revoking PCA 2011 (which means some older
Linux DVDs, if started in Secure Boot mode on a 2026 laptop,
will not boot -- DVDs which depend on PCA 2011 will eventually
expire for 2026 laptops). Since PCA 2011 is expiring in July,
officially its days are numbered anyway, but there is a claim
that some boot processes do not trust nor check the time clock
(as a user could just dial the clock back to "make" PCA 2011 work).
I informed people a couple of years ago, that they should
enjoy the opportunity to buy UEFI/CSM motherboards and
computers, as 2026 was coming, and the plan was to have
only UEFI and no CSM any more. A machine with both, can boot
Knoppix 5.3, if you use "noacpi" on the boot line. A 2026 laptop
is unlikely to boot Knoppix 5.3 (as a test of the flexibility
of boot). I don't know if a 2026 laptop has a Secure Boot ON/OFF
or not. It might be Secure Boot only, raising the possibility
of bricking it.
Paul
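Paul's table is the useful part: with Secure Boot on, the firmware checks each boot file's signature against the certificates in db and refuses anything listed in dbx (which is where the PCA 2011 revocation he mentions lands). As an added example, not code from this thread or from Linux Mint, here is a Python script that reads the SecureBoot, db and dbx variables from efivarfs and walks their EFI_SIGNATURE_LIST structures, so you can see what your own firmware trusts and revokes instead of guessing. The GUIDs are the ones the UEFI specification defines; the efivarfs path is the standard Linux one, and the entries it is tested with are constructed.

```python
import struct
import uuid
from pathlib import Path

EFIVARS = Path("/sys/firmware/efi/efivars")  # Linux exposes UEFI variables here
EFI_GLOBAL_VARIABLE_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"  # owns SecureBoot
EFI_IMAGE_SECURITY_DATABASE_GUID = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"  # owns db, dbx
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
SIG_TYPE_NAMES = {EFI_CERT_X509_GUID: "x509", EFI_CERT_SHA256_GUID: "sha256"}
# EFI_SIGNATURE_LIST header: SignatureType, SignatureListSize, SignatureHeaderSize, SignatureSize
SIG_LIST_HEADER = struct.Struct("<16sIII")

def strip_efivar_attrs(raw: bytes) -> bytes:
    """efivarfs prepends a 4-byte attributes word to every variable's data."""
    if len(raw) < 4:
        raise ValueError("efivar file shorter than its attribute prefix")
    return raw[4:]

def secure_boot_enabled(secure_boot_var: bytes) -> bool:
    """SecureBoot is one byte: 1 = firmware is enforcing signatures, 0 = off or setup mode."""
    return len(secure_boot_var) == 1 and secure_boot_var[0] == 1

def parse_signature_lists(data: bytes) -> list:
    """Walk the EFI_SIGNATURE_LIST chain of db/dbx into (type, owner_guid, payload) tuples.

    x509 payloads are DER certificates; sha256 payloads are 32-byte Authenticode
    digests of revoked PE images (not flat file hashes).
    """
    entries, off = [], 0
    while off < len(data):
        if len(data) - off < SIG_LIST_HEADER.size:
            raise ValueError(f"truncated signature list header at offset {off}")
        raw_type, list_size, hdr_size, sig_size = SIG_LIST_HEADER.unpack_from(data, off)
        end = off + list_size
        if list_size < SIG_LIST_HEADER.size or sig_size < 16 or end > len(data):
            raise ValueError(f"malformed signature list at offset {off}")
        sig_type = uuid.UUID(bytes_le=raw_type)
        type_name = SIG_TYPE_NAMES.get(sig_type, str(sig_type))
        pos = off + SIG_LIST_HEADER.size + hdr_size  # skip the optional SignatureHeader
        while pos + sig_size <= end:  # each EFI_SIGNATURE_DATA = SignatureOwner GUID + payload
            owner = uuid.UUID(bytes_le=data[pos:pos + 16])
            entries.append((type_name, owner, data[pos + 16:pos + sig_size]))
            pos += sig_size
        off = end
    return entries

def build_signature_list(sig_type: uuid.UUID, owner: uuid.UUID, payloads: list) -> bytes:
    """Serialise one EFI_SIGNATURE_LIST (all payloads in a list share one length)."""
    body = b"".join(owner.bytes_le + p for p in payloads)
    header = SIG_LIST_HEADER.pack(sig_type.bytes_le, SIG_LIST_HEADER.size + len(body), 0, 16 + len(payloads[0]))
    return header + body

def digest_revoked(dbx_entries: list, authenticode_sha256: bytes) -> bool:
    """True if this Authenticode SHA-256 digest is blocked by a dbx sha256 entry."""
    return any(t == "sha256" and p == authenticode_sha256 for t, _, p in dbx_entries)

def summarize(entries: list) -> dict:
    """Count entries per signature type, e.g. {'x509': 2, 'sha256': 3}."""
    counts = {}
    for type_name, _, _ in entries:
        counts[type_name] = counts.get(type_name, 0) + 1
    return counts

def read_efivar(name: str, guid: str) -> bytes:
    """Read a live variable from efivarfs (needs an EFI-booted Linux system)."""
    return strip_efivar_attrs((EFIVARS / f"{name}-{guid}").read_bytes())

if __name__ == "__main__":
    print("Secure Boot enforcing:", secure_boot_enabled(read_efivar("SecureBoot", EFI_GLOBAL_VARIABLE_GUID)))
    for var in ("db", "dbx"):
        print(var, summarize(parse_signature_lists(read_efivar(var, EFI_IMAGE_SECURITY_DATABASE_GUID))))
```

On a Mint box with Secure Boot off the first line prints False and the db/dbx counts tell you how many certificates and revoked digests the firmware would consult if you turned it on.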
| From | Axel <none@not.here> |
|---|---|
| Date | 2026-03-24 06:10 +1100 |
| Message-ID | <n2dhgmFts8qU1@mid.individual.net> |
| In reply to | #47102 |
Paul wrote:
> On Sat, 3/21/2026 3:02 PM, Axel wrote:
>> Should I have it on or off? at present I have it off.
>>
> See "Secure Boot", about 30% down the page.
>
> https://en.wikipedia.org/wiki/UEFI
>
> Examples of security features.
>
> Secure Boot      A secure enclave CPU, "measures" the boot process and checks
>                  the signing of the UEFI Boot Files. It "attests" that the
>                  boot files have not been modified. The BIOS has a certificate
>                  chain, and items can be "revoked" when stored in there so they
>                  are no longer trusted as certificates.
>
> Not Secure Boot  Whatever you boot with, is implicitly trusted and is not measured.
>                  A Boot Kit which has taken over the boot materials, can then be
>                  a persistent threat, living on the machine.
>
> Automatic        When you don't have to enter your password at Linux startup,
> authentication   this gives the visitor to your household, access to your home
>                  directory and your email Inbox. It does not give elevation
>                  as a "sudo" command still requires typing in a password.
>
> Entry            Having to enter a password right after the OS boots, ensures
> Authentication   that getting access to your home directory, requires knowing a secret.
>                  Using "sudo" still requires typing the password too.
>
> *******
>
> As for device implementations, there can be a 14 pin or a 20 pin header
> for manual insertion of a device. The device can sit on SPI or LPC
> (in other words, more than one bus type is supported).
>
> The BIOS also can have a firmware implementation of TPM. The processor
> must have a secure enclave, as part of that firmware. A TPM physical chip has
> a secure enclave, which is how older processors could have a root of trust.
> Newer processors have a core which does nothing but function as a secure
> enclave. On Intel this might be "TXT". On AMD, there are the regular x86
> cores, but there is one ARM core inside the AMD processor, which is not
> intended for, say, running a smartphone in there, that core is used
> to make a TPM via BIOS firmware. One laptop with a particular AMD
> processor, has a Pluton prototype inside it, which sank like a rock
> from a public relations point of view. The processor likely has at
> least one ARM core plus the Pluton (in case the Pluton sank like a rock).
>
> In Windows, it's easy to check your TPM status. There are two lines in
> the interface.
>
> Status
>
> Attestation   Ready   <=== both some sort of TPM is present, plus code that
>                            interfaces with the results
>
> Storage       Ready   <=== presumably, holds a BitLocker key or similar
>
> My Dell Optiplex 780 claims to have a TPM, but Attestation is not ready
> and the machine does not Secure Boot. It might be a TPM 1.4 module, soldered
> to the motherboard. The storage is likely Ready (as storing a key is pretty easy).
>
> A motherboard that supported TPM 1.4, is unlikely to receive a BIOS update
> to make it TPM 2.0 ready, nor is it likely the manufacturer will make
> a TPM 2.0 module for it. If they do make a TPM module, they would then
> be on the hook for issuing a new motherboard BIOS file (which is not
> going to happen). This is how perfectly good motherboards get frozen out
> of this nonsense.
>
> The topic is migraine-inducing, just like the maintenance web page
> for Intel Management Engine and all its versions. You really as a human,
> could not read to the end of that filth. I had to stop. The TPM topic
> is just as bad, as virtually every discussion thread is incomplete,
> the people who know what they're doing, are not writing 100 page
> missives to help anyone. If you knew everything about it, you
> could likely exploit it and beat the crap out of it. That's why we
> have Boot Kits out there. Some keys, via db/dbx may already
> have been revoked. And Microsoft is in the process of installing
> PCA 2023 and eventually, revoking PCA 2011 (which means some older
> Linux DVDs, if started in Secure Boot mode on a 2026 laptop,
> will not boot -- DVDs which depend on PCA 2011 will eventually
> expire for 2026 laptops). Since PCA 2011 is expiring in July,
> officially its days are numbered anyway, but there is a claim
> that some boot processes do not trust nor check the time clock
> (as a user could just dial the clock back to "make" PCA 2011 work).
>
> I informed people a couple of years ago, that they should
> enjoy the opportunity to buy UEFI/CSM motherboards and
> computers, as 2026 was coming, and the plan was to have
> only UEFI and no CSM any more. A machine with both, can boot
> Knoppix 5.3, if you use "noacpi" on the boot line. A 2026 laptop
> is unlikely to boot Knoppix 5.3 (as a test of the flexibility
> of boot). I don't know if a 2026 laptop has a Secure Boot ON/OFF
> or not. It might be Secure Boot only, raising the possibility
> of bricking it.
thanks for that. I'll just leave it off. Computing was much simpler before all this crap.
>
> Paul
--
Linux Mint 22.3
| From | Paul <nospam@needed.invalid> |
|---|---|
| Date | 2026-03-23 17:02 -0400 |
| Message-ID | <10ps9oh$g98u$1@dont-email.me> |
| In reply to | #47109 |
On Mon, 3/23/2026 3:10 PM, Axel wrote:
>
> thanks for that. I'll just leave it off. computing was much simpler before all this crap.

You never know what the future holds.

1) A person standing in your room, can bypass lots of the "trivial security".

2) Having a BIOS level password, will slow them down. Consumer machines, 20 seconds to bypass. Business machines, maybe 5-10 minutes to fit a programming clip to the 2KB password chip and flash the null image into it. For the "merely curious", a BIOS password will keep them out for a good while, before they get to boot their LiveDVD with sudo.

3) Given your security posture in the room is typically poor (I know mine is), you want a disaster recovery plan. That's what backups are for. The disk storing the backups, should be offline when the machine is being operated normally. It is up to you to decide how quickly you need to tip the machine upright again (assuming there isn't a persistent pest onboard). It can be almost impossible to tip a room upright, with the right pest onboard. That's why, in an "emergency situation", don't be surprised that the modern machines aren't coming back up.

I've probably told the story about the guy who got wiped out by ransomware. He posted a question "my Excel files have .osirus extensions added to them". That was Osirus Ransomware, which encrypted data files such as .xlsx and .docx and so on. It goes for the high value files, first.

The OP in that case, didn't have backups. He had OS CD/DVD install media in the room, but he didn't know which license key went with which machine.

It took around three months, before he dropped in one day, and said the room was more or less upright again. Sans whatever data loss from the lost files. He had a small business, and I think he closed up shop. He no longer drops into USENET, as he is "functionally retired".

Even your backups can be ruined. Some ransomware hides for a month, to give time to discover and monitor your backup pattern. Maybe it takes a chance and ruins every backup image you made. Then when the "red dialog" appears on your screen, your Disaster Recovery Plan is already ruined.

For people without a profile, they have little to worry about in terms of "focused campaigns". But if someone "wants to drop the big one", that will be a test of everyone's Disaster Recovery Plan.

Remember, that most malwares today, are reversible or "clean-able". They don't have to be. Wipers like Sality still exist, and BleepingComputer would "tell you to reinstall" if such is detected. It seems a lot of these pests have worm capability, or at least, they are armed with exploits which a lot of people have not patched up for. Like, say you had SMB1 enabled on a machine, how "worm-able" are you? I don't know. Couldn't give an estimate.

Rather than being worried about your Secure Boot setting, I would advise some more general principles about running a computer room. "Bring your umbrella, because it looks like rain." Consider what you'd do in an emergency.

Paul
| From | Axel <none@not.here> |
|---|---|
| Date | 2026-03-25 10:37 +1100 |
| Message-ID | <n2glheFe99qU3@mid.individual.net> |
| In reply to | #47111 |
Paul wrote:
> On Mon, 3/23/2026 3:10 PM, Axel wrote:
>
>> thanks for that. I'll just leave it off. computing was much simpler before all this crap.
> You never know what the future holds.
>
> 1) A person standing in your room, can bypass lots of the "trivial security".
> 2) Having a BIOS level password, will slow them down. Consumer machines, 20 seconds to bypass.
> Business machines, maybe 5-10 minutes to fit a programming clip to the 2KB password chip
> and flash the null image into it. For the "merely curious", a BIOS password will keep
> them out for a good while, before they get to boot their LiveDVD with sudo.
>
> 3) Given your security posture in the room is typically poor (I know mine is),
> you want a disaster recovery plan. That's what backups are for. The disk
> storing the backups, should be offline when the machine is being operated
> normally.
I have the timeshift disk and the files disk permanently in the machine for convenience. Guess I should remove them and connect them only via USB as necessary.
> It is up to you to decide how quickly you need to tip the machine
> upright again (assuming there isn't a persistent pest onboard). It can be
> almost impossible to tip a room upright, with the right pest onboard.
> That's why, in an "emergency situation", don't be surprised that
> the modern machines aren't coming back up.
>
> I've probably told the story about the guy who got wiped out by ransomware.
> He posted a question "my Excel files have .osirus extensions added to them".
> That was Osirus Ransomware, which encrypted data files such as .xlsx and .docx
> and so on. It goes for the high value files, first.
Was he using Linux? And wouldn't he have had to click on some file he shouldn't have to install the ransomware?
>
> The OP in that case, didn't have backups. He had OS CD/DVD install media in the room, but
> he didn't know which license key went with which machine.
>
> It took around three months, before he dropped in one day, and said the room
> was more or less upright again. Sans whatever data loss from the lost files.
> He had a small business, and I think he closed up shop. He no longer
> drops into USENET, as he is "functionally retired".
>
> Even your backups can be ruined. Some ransomware hides for a month, to give
> time to discover and monitor your backup pattern. Maybe it takes a chance
> and ruins every backup image you made. Then when the "red dialog" appears
> on your screen, your Disaster Recovery Plan is already ruined.
In that case wouldn't even backups to a USB hard drive be corrupted?
>
> For people without a profile, they have little to worry about in terms
> of "focused campaigns". But if someone "wants to drop the big one",
> that will be a test of everyone's Disaster Recovery Plan.
>
> Remember, that most malwares today, are reversible or "clean-able".
> They don't have to be. Wipers like Sality still exist, and BleepingComputer
> would "tell you to reinstall" if such is detected. It seems a lot of
> these pests have worm capability, or at least, they are armed with
> exploits which a lot of people have not patched up for. Like, say you
> had SMB1 enabled on a machine, how "worm-able" are you? I don't know.
> Couldn't give an estimate.
>
> Rather than being worried about your Secure Boot setting, I would
> advise some more general principles about running a computer room.
> "Bring your umbrella, because it looks like rain." Consider what
> you'd do in an emergency.
I have Timeshift, Backup Tool saves, and regular Foxclone images and the files disk copies.
>
> Paul
--
Linux Mint 22.3