Does anybody know how to install Pop!_OS and re-enable secure boot? I have instructions, but don't understand.
18 hours ago, IdidAthing said:
I'm worried if I got malware and I had Secure Boot off it could infect my motherboard.
What UEFI Secure Boot protects is the part of the boot process that comes after loading your motherboard's firmware. It ensures the integrity of the UEFI images your motherboard hands the system over to after you select a boot device. Those UEFI images are typically a piece of software called a bootloader, but they can also be an operating system kernel that boots directly, without using a bootloader. Those files mentioned in the instructions you linked, e.g., loader.efi and systemd-bootx64.efi, are UEFI images.
Turning on UEFI Secure Boot just means that your motherboard will refuse to boot UEFI images which are not cryptographically signed by some trusted key. The idea is that whatever party (e.g., Microsoft, Red Hat, Canonical) builds your bootloader and operating system kernel marks it with a secure seal which says ‘I made this, and this is how I intended to make it’. If an attacker tries to modify or replace your bootloader, they'll be unable to reproduce that seal (cryptographic signature) because they don't have your OS creator's keys, and so the motherboard will say ‘wait a minute, this is unsigned!’ and refuse to boot the bootloader that has been tampered with by the attacker. Similarly, when you enable secure boot on most Linux distributions, the kernel then enforces the same kind of signing for all kernel modules, so the operating system will, for example, refuse to load unsigned drivers.
systemd-bootx64.efi is the bootable UEFI image for systemd-boot, which is the bootloader Pop!_OS uses to load Linux. Systemd-boot is the program that presents you with a boot menu so you can choose whether to boot in failsafe mode or whatever. Your motherboard loads it, then it loads the Linux kernel. The mucking about these instructions have you do with this file is something that lets you sign those files yourself.
All of that is to say: Secure Boot is about ensuring the integrity of the lowest-level parts of your operating system, not your motherboard itself. It doesn't protect your motherboard, and in fact if your motherboard were infected with malware, that malware could probably covertly disable or bypass your Secure Boot configuration.
On 10/24/2021 at 10:56 AM, IdidAthing said:
I've only ever used Linux from the GUI, I don't really know stuff about non-Windows file systems and boot partitions.
If Secure Boot is important to you but you're still kinda getting your feet wet with the command line and you're not comfortable following written instructions using the terminal, you should consider using a Linux distribution that supports Secure Boot natively. Boot systems can be tricky, and when they're misconfigured it really sucks, because then you can't boot your damn system.
Fedora and openSUSE both support Secure Boot out of the box. Maybe give each a try and go with whatever you think looks the best or has the most active forums (or whatever— both are good).
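Added example, not part of the original posts: a small Python check for whether a UEFI image such as systemd-bootx64.efi carries an embedded signature at all, by reading the Certificate Table entry of its PE header. It only reports presence; it does not validate the signature or tell you whether the firmware trusts the signer. The function names and the sample header bytes are constructed for this illustration.

```python
import struct
import sys

SECURITY_DIR = 4  # index of the Certificate Table in the PE data directories

def signature_table(image: bytes):
    """Return (file_offset, size) of the embedded signature table, or None."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not a PE/COFF image")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE header")
    opt = pe_off + 24                       # optional header follows the COFF header
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    dirs = opt + (112 if magic == 0x20B else 96)   # PE32+ vs PE32 layout
    (count,) = struct.unpack_from("<I", image, dirs - 4)
    if count <= SECURITY_DIR:
        return None
    offset, size = struct.unpack_from("<II", image, dirs + 8 * SECURITY_DIR)
    if offset == 0 or size == 0:
        return None                         # no signature attached at all
    if offset + size > len(image):
        raise ValueError("certificate table runs past end of file")
    return offset, size

def describe(image: bytes) -> str:
    entry = signature_table(image)
    if entry is None:
        return "unsigned"
    length, _rev, cert_type = struct.unpack_from("<IHH", image, entry[0])
    kind = "PKCS#7 SignedData" if cert_type == 0x0002 else f"type {cert_type:#06x}"
    return f"signature present ({kind}, {length} bytes)"

def constructed_image(signed: bool) -> bytes:
    """Build a minimal PE32+ header for the demo; not a bootable image."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    opt = struct.pack("<H", 0x20B) + bytes(106) + struct.pack("<I", 16)
    cert = (struct.pack("<IHH", 16, 0x0200, 0x0002) + bytes(8)) if signed else b""
    table = [(0, 0)] * 16
    if signed:
        table[SECURITY_DIR] = (0x40 + 24 + len(opt) + 128, len(cert))
    dirs = b"".join(struct.pack("<II", *e) for e in table)
    return dos + coff + opt + dirs + cert

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else constructed_image(True)
    print(describe(data))
```

Pass the path of an .efi file as the first argument to inspect a real image; with no argument it runs on the constructed sample.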