Does TPM mess with Linux?

[Edward78]

I have Linux on a 2nd drive if I turn TPM on it will be fine right?

[BlueChinchillaEatingDorito]

27 minutes ago, Edward78 said:

I have Linux on a 2nd drive if I turn TPM on it will be fine right?

In theory, no if it was disabled when Linux was installed. 

[Biohazard777]

2 minutes ago, Edward78 said:

I have Linux on a 2nd drive if I turn TPM on it will be fine right?

You can turn on TPM.
Secure boot on the other hand will depend on your Linux distro... For example, Ubuntu will work with secure boot out of the box, but if you are on Arch you will have to mess around with manual signing... hence why I didn't bother with secure boot on my dual boot system, I have TPM enabled, secure boot disabled:

And TPM works fine:

 

[Edward78]

4 minutes ago, BlueChinchillaEatingDorito said:

In theory, no if it was disabled when Linux was installed. 

Hmmm'

[Eigenvektor]

Enabling TPM shouldn't mess with anything, it just provides secure storage for keys. Secure boot is the one that could prevent you from booting, since it requires a signed bootloader.

[BlueChinchillaEatingDorito]

Just now, Edward78 said:

Hmmm'

If it was the other way around, where Linux might have utilized it to store encryption keys, then you would have a problem if you disable it. The same thing would happen in Windows if you had BitLocker enabled with the TPM chip. 

[Edward78]

Just now, Eigenvektor said:

Enabling TPM shouldn't mess with anything, it just provides secure storage for keys. Secure boot is the one that could prevent you from booting, since it requires a signed bootloader.

Even if Linux is on another drive?

[Eigenvektor]

Just now, Edward78 said:

Even if Linux is on another drive?

Doesn't matter which drive Linux is on. Secure boot means the UEFI will refuse to run a boot loader that isn't signed with a trusted key. And since that isn't usually the case, it'll refuse to boot into Linux. If you use Grub as the boot loader to load both Windows and Linux, then you'll have a problem booting at all.

[Edward78]

Just now, Eigenvektor said:

Doesn't matter which drive Linux is on. Secure boot means the UEFI will refuse to run a boot loader that isn't signed with a trusted key. And since that isn't usually the case, it'll refuse to boot into Linux. If you use Grub as the boot loader to load both Windows and Linux, then you'll have a problem booting at all.

I know Solus has a issue with it, wonder if Manjaro does?

[Eigenvektor]

Just now, Edward78 said:

I know Solus has a issue with it, wonder if Manjaro does?

Afaik Ubuntu is about the only exception, because they got Microsoft to sign their boot loaders. https://forum.manjaro.org/t/is-it-possible-to-enable-secure-boot/16156

[Edward78]

15 minutes ago, Eigenvektor said:

Afaik Ubuntu is about the only exception, because they got Microsoft to sign their boot loaders. https://forum.manjaro.org/t/is-it-possible-to-enable-secure-boot/16156

Man, I love rolling releases, crap. Hmmm, seems like this would be wrong somehow, not allowing most other OSs to boot up.

[RONOTHAN##]

59 minutes ago, Eigenvektor said:

Afaik Ubuntu is about the only exception, because they got Microsoft to sign their boot loaders. https://forum.manjaro.org/t/is-it-possible-to-enable-secure-boot/16156

Fedora and OpenSUSE also work with it out of the box. 

 

But yeah, enabling TPM shouldn't affect anything. Enabling secure boot might affect some things. Going from enabled to disabled on either one can cause issues.

[RONOTHAN##]

48 minutes ago, Edward78 said:

Man, I love rolling releases, crap. Hmmm, seems like this would be wrong somehow, not allowing most other OSs to boot up.

You can get arch-based stuff to work with a little bit of elbow grease, but usually it's not worth the effort.

 

If you do want to use secure boot and have a rolling release distro, try out OpenSUSE Tumbleweed. It's a bit behind Arch in package version, but it's very stable for a rolling model and is a very pleasant distro to use. Plus it supports secure boot out of the box

[Guest]

6 hours ago, Eigenvektor said:

Afaik Ubuntu is about the only exception, because they got Microsoft to sign their boot loaders. https://forum.manjaro.org/t/is-it-possible-to-enable-secure-boot/16156

Ubuntu uses a signed shim loader, that any Distro should be capable of shipping.

Ubuntu, Fedora, and OpenSuSe used to all ship this shim by default, not sure if that is still the case.

The shim for Arch in the AUR still pulls from the Fedora Project.

 

For Manjaro you can follow this guide from the Arch Wiki.

https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot#shim

 

I Dual boot Windows 11 and Arch with this shim.

[Edward78]

5 hours ago, Nayr438 said:

Ubuntu uses a signed shim loader, that any Distro should be capable of shipping.

Ubuntu, Fedora, and OpenSuSe used to all ship this shim by default, not sure if that is still the case.

The shim for Arch in the AUR still pulls from the Fedora Project.

 

For Manjaro you can follow this guide from the Arch Wiki.

https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot#shim

 

I Dual boot Windows 11 and Arch with this shim.

Woah that link makes me a little scared. Maybe I should try tumbleweed if it supports it by defaulr.

[Eigenvektor]

6 minutes ago, Edward78 said:

Woah that link makes me a little sdcared. Maybe I should try tumbleweed if it supports it by defaulr.

Alternatively you could leave secure boot disabled. Windows 11 should still work. I think it requires a PC that supports secure boot, but doesn't require for it to be enabled.

[Edward78]

1 minute ago, Eigenvektor said:

Alternatively you could leave secure boot disabled. Windows 11 should still work. I think it requires a PC that supports secure boot, but doesn't require for it to be enabled.

Cool ok, kind of odd though.

[Matthew Miller]

16 hours ago, Nayr438 said:

Ubuntu uses a signed shim loader, that any Distro should be capable of shipping.

Ubuntu, Fedora, and OpenSuSe used to all ship this shim by default, not sure if that is still the case.

The shim for Arch in the AUR still pulls from the Fedora Project.

 

For Manjaro you can follow this guide from the Arch Wiki.

https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot#shim

 

I Dual boot Windows 11 and Arch with this shim.

shim is a solution devised and created by Matthew Garrett working on Fedora for Red Hat, and made open source so that everyone can benefit.