Jump to content

Is there actually any use for secure boot?

18358414
 Share
Posted

Recently I was having some issues installing NVidia drivers and the resulting fix was to disable UEFI secure boot.  Surprisingly, disabling secure boot was very easy to do in the bios leading me to wonder why it's even used to begin with.

 

Secure boot is supposed to prevent 'untrusted' software from running on the machine, but if you can just disable it in the bios with a few clicks then is there really any point to it at all?

If I have to explain every detail, I won't talk to you.  If you answer a question with what can be found through 10 seconds of googling, you've contributed nothing, as I assure you I've already considered it.

 

What a world we would be living in if I had to post several paragraphs every time I ask a question.

Link to comment
Share on other sites
Link to post
Share on other sites
Posted
1 minute ago, 7he404guy said:

Recently I was having some issues installing NVidia drivers and the resulting fix was to disable UEFI secure boot.  Surprisingly, disabling secure boot was very easy to do in the bios leading me to wonder why it's even used to begin with.

 

Secure boot is supposed to prevent 'untrusted' software from running on the machine, but if you can just disable it in the bios with a few clicks then is there really any point to it at all?

Secure boot is made to stop any non-microsoft software to boot from USB key.

 

It's a safety.

 

You can put a password on the BIOS to avoid people going in and turn it off. 

CPU: Intel i7 6700K 4.5 ghz / CPU Cooler: Corsair H100i V2 / Board: Asus Z170-A / GPU: Asus Rog Strix GTX 1070 8GB / RAM: Corsair Vengeance LPX 16GB DDR4 3000 mhz / SSD: Samsung 850 Evo 500 GB / PSU: Corsair RMx 850w / Case: Fractal Design Define S / Keyboard: Corsair MX Silent / Mouse: Logitech G403 / Monitor: Dell 27" TN 1ms 1440p/144hz Gsync

Link to comment
Share on other sites
Link to post
Share on other sites
Posted

You can't disable it on a system where UEFI settings are behind an administrator password and you can't disable it remotely, someone who's hacked your system can't make it boot their compromised OS.

Link to comment
Share on other sites
Link to post
Share on other sites
Posted

I used secure boot for all my Linux distos. I am security paranoid, which is why I used Linux in the first place. I had some first hand experiences witnessing how easily it is to break into others system.

 

i used lvm encryptions to encrypt all my Linux partitions, use a password to lock down my bios, and secure boot to prevent booting from another OS.

Sudo make me a sandwich 

Link to comment
Share on other sites
Link to post
Share on other sites
Posted
25 minutes ago, gbergeron said:

Secure boot is made to stop any non-microsoft software to boot from USB key.

 

It's a safety.

 

You can put a password on the BIOS to avoid people going in and turn it off. 

Hilariously, you can actually set it to stop windows boot and trust boot from Linux systems as well. Although that is quite pointless because anyone can download the Linux source code and insert malicious codes into it. Best practice is just lock down third party boot in the bios and set a password to restrict bios access.

Sudo make me a sandwich 

Link to comment
Share on other sites
Link to post
Share on other sites
Posted
30 minutes ago, wasab said:

I used secure boot for all my Linux distos. I am security paranoid, which is why I used Linux in the first place. I had some first hand experiences witnessing how easily it is to break into others system.

 

i used lvm encryptions to encrypt all my Linux partitions, use a password to lock down my bios, and secure boot to prevent booting from another OS.

I thought LVM was so you can shrink/enlarge volumes more easily?

 

[edit] - nevermind I know what you mean now  https://security.stackexchange.com/questions/39080/ubuntu-lvm-encryption

Please quote my post, or put @paddy-stone if you want me to respond to you.

Spoiler
  • PCs:- 
  • Main PC build  https://uk.pcpartpicker.com/list/2K6Q7X
  • ASUS x53e  - i7 2670QM / Sony BD writer x8 / Win 10, Elemetary OS, Ubuntu/ Samsung 830 SSD
  • Lenovo G50 - 8Gb RAM - Samsung 860 Evo 250GB SSD - DVD writer
  •  
  • Displays:-
  • Philips 55 OLED 754 model
  • Panasonic 55" 4k TV
  • LG 29" Ultrawide
  • Philips 24" 1080p monitor as backup
  •  
  • Storage/NAS/Servers:-
  • ESXI/test build  https://uk.pcpartpicker.com/list/4wyR9G
  • Main Server https://uk.pcpartpicker.com/list/3Qftyk
  • Backup server - HP Proliant Gen 8 4 bay NAS running FreeNAS ZFS striped 3x3TiB WD reds
  • HP ProLiant G6 Server SE316M1 Twin Hex Core Intel Xeon E5645 2.40GHz 48GB RAM
  •  
  • Gaming/Tablets etc:-
  • Xbox One S 500GB + 2TB HDD
  • PS4
  • Nvidia Shield TV
  • Xiaomi/Pocafone F2 pro 8GB/256GB
  • Xiaomi Redmi Note 4

 

  • Unused Hardware currently :-
  • 4670K MSI mobo 16GB ram
  • i7 6700K  b250 mobo
  • Zotac GTX 1060 6GB Amp! edition
  • Zotac GTX 1050 mini

 

 

Link to comment
Share on other sites
Link to post
Share on other sites
Posted

I think secure boot has it's uses in situation where a potentially malicious user (schools students?) has access to a computer, or if the computer is on the go and it can not be guaranteed it is under the eyes of the owner all the time (and a malicious user might have time to boot some other OS).

 

Granted, if a user has physical access, he can do whatever with the computer provided he/she has enough time. But secure boot makes it more difficult, and often non-feasible to boot another OS. But if it is the data that needs (malicious read) protection, encryption is a way better protection (and a separate thing from secure boot).

 

But then again, on computers without secure boot, you could lock down BIOS with a password, and set it to boot only from a single source / hard disk (which is good enough for schools etc.).

 

I guess secure boot could allow booting from some other media which has boot entries signed with trusted keys?

 

TL;DR: it certainly has some uses, but a home user usually has little. Some conspiracy theorists say it was invented by Microsoft to prevent booting Linux, but I think that is mostly baloney ?

Link to comment
Share on other sites
Link to post
Share on other sites
Posted
1 hour ago, Wild Penquin said:

I think secure boot has it's uses in situation where a potentially malicious user (schools students?) has access to a computer, or if the computer is on the go and it can not be guaranteed it is under the eyes of the owner all the time (and a malicious user might have time to boot some other OS).

 

Granted, if a user has physical access, he can do whatever with the computer provided he/she has enough time. But secure boot makes it more difficult, and often non-feasible to boot another OS. But if it is the data that needs (malicious read) protection, encryption is a way better protection (and a separate thing from secure boot).

 

But then again, on computers without secure boot, you could lock down BIOS with a password, and set it to boot only from a single source / hard disk (which is good enough for schools etc.).

 

I guess secure boot could allow booting from some other media which has boot entries signed with trusted keys?

 

TL;DR: it certainly has some uses, but a home user usually has little. Some conspiracy theorists say it was invented by Microsoft to prevent booting Linux, but I think that is mostly baloney ?

I think the bigger problem is not about preventing boot but rather what happens if someone simply takes your hard drive out of your computer, plug it into his own computer, mount it on whatever operating system he uses? Lo and behold, all your bios protection, secure boot, and user login password are completely bypass.

 

Bottom line, you gotta encrypt your drive. Else if your computer is stolen, all your privacy and data go out the window 

 

 

Sudo make me a sandwich 

Link to comment
Share on other sites
Link to post
Share on other sites
Posted

it is a 'safety feature' by microshit basically to stop the computer from booting to anything that isnt a UEFI version of windows, which basically means you cant run old windows or linux. it is required to be part of all computers that ship with windows preinstalled as part of the contracts with microshit, and for the contracts for windows 10, there doesent actually have to be a way for the end user to disable the 'feature' but the only reason why you still can disable it is because no manufacturer wants to be the first to deny people the right to install windows on their machines. 

Sadness is the one true emotion, and happiness, well, that's just a lie, sadness is all many of us feel, and is all we need to feel, because having it any other way, would just be wrong, why be happy when you can just be miserable like myself. 

Link to comment
Share on other sites
Link to post
Share on other sites
Posted (edited)

@wasab Agreed, that's why I mentioned encryption

 

@Shoe_Eater Now that you put it that way .... I don't think it is that far fetched that implementing secure boot could not have some motivations aiming at some kind of monopoly on the OS market. Granted, it can be easily disabled currently on most computers. But, that does not necessarily need to be so in the future! "Embrace, Extend, Extinquish" as someone said at M$; and in this case they are at Embrace or Extend -stage, slowly moving to Extinquish (I certainly hope that is not the future)....

Edited by Wild Penquin
spurious negative
Link to comment
Share on other sites
Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing Linux, macOS and Everything Not-Windows

×