What does "Disable secure boot" do to our PCs?

mrchow19910319

I am currently using a laptop that has a R95900HX processor + an RTX 3080.

Just a couple of hours ago, I added one more NVMe drive and installed Mint 21 on it.

At 1st I had this screen flickering every time I boot up the machine, at the login manager I would have to log in at least 3 times just to see the desktop environment, also the system will jump back to the login state randomly and especially after I open the file manager...

Then when I installed the latest Nvidia driver, version 520-open, it says because of secure boot I had to Enroll MOK then key in some password I just set. (check the pic below)

But after reboot inside the menu my keyboard does not work at all, so I could not key in anything.

So I just straight up hard rebooted, went into the BIOS and disabled secure boot.

Then things seemed fine now.

Is it okay to leave it as it is???

If it is not broken, let's fix till it is. 


Secure boot basically just checks whether your boot loader is signed with a cryptographic key. If it isn't, then it refuses to boot.

Remember to either quote or @mention others, so they are notified of your reply


Just now, Eigenvektor said:

Secure boot basically just checks whether your boot loader is signed with a cryptographic key. If it isn't, then it refuses to boot.

Basically means it checks whether there's a hacker who's trying to pretend to be me and use a USB to try to unlock my PC, is it?

If it is not broken, let's fix till it is. 


1 minute ago, Eigenvektor said:

Secure boot basically just checks whether your boot loader is signed with a cryptographic key. If it isn't, then it refuses to boot.

So leaving it off does not ruin anything if my laptop is not stolen, right?

If it is not broken, let's fix till it is. 


1 minute ago, mrchow19910319 said:

So leaving it off does not ruin anything if my laptop is not stolen, right?

It is primarily supposed to protect you against boot level malware. It does not protect you against theft or people trying to guess your password. It's still possible to boot from USB, provided the USB stick contains a boot loader that is properly signed.

For example when Microsoft creates a boot loader for Windows, they sign it with their cryptographic key. When you start up your PC, your UEFI BIOS checks whether the boot loader is signed and whether the company who created the signature is trusted. If that's not the case, then it'll refuse to boot. So if e.g. a virus modifies the boot loader, it'll no longer match the signature, the UEFI will detect that it's been tampered with and refuse to boot. That's all there is to it, really.

If I stole your computer, I could simply place your disks into my own computer, boot up my own OS and read everything on your disks. Secure boot would not protect against that in any way. You'd need full disk encryption to protect against that.

Remember to either quote or @mention others, so they are notified of your reply


5 minutes ago, Eigenvektor said:

It is primarily supposed to protect you against boot level malware. It does not protect you against theft or people trying to guess your password. It's still possible to boot from USB, provided the USB stick contains a boot loader that is properly signed.

For example when Microsoft creates a boot loader for Windows, they sign it with their cryptographic key. When you start up your PC, your UEFI BIOS checks whether the boot loader is signed and whether the company who created the signature is trusted. If that's not the case, then it'll refuse to boot. So if e.g. a virus modifies the boot loader, it'll no longer match the signature, the UEFI will detect that it's been tampered with and refuse to boot. That's all there is to it, really.

If I stole your computer, I could simply place your disks into my own computer, boot up my own OS and read everything on your disks. Secure boot would not protect against that in any way. You'd need full disk encryption to protect against that.

I see. Thanks. In order to dual boot Linux I would just disable it for now...

If it is not broken, let's fix till it is. 


1 minute ago, mrchow19910319 said:

I see. Thanks. In order to dual boot Linux I would just disable it for now...

Yeah, it can be an issue with Linux, when the distribution you're using doesn't have a signed boot loader. There are ways to get it to work, here's an example from Debian:

https://wiki.debian.org/SecureBoot

Remember to either quote or @mention others, so they are notified of your reply


2 minutes ago, ImorallySourcedElectrons said:

Keep in mind, if you go as far as disabling UEFI, some other features might also stop working (e.g., resizable bar comes to mind).

OP is talking about disabling Secure Boot, not disabling UEFI altogether.

Remember to either quote or @mention others, so they are notified of your reply
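The difference between "Secure Boot disabled" and "UEFI disabled" discussed in this thread can be checked from a running Linux system. The script below is an added example, not something posted by a participant: it reads the standard `SecureBoot` and `SetupMode` UEFI variables from efivarfs. The function names `efi_byte` and `boot_state` and the four state labels are this example's own.

```shell
#!/bin/sh
# Added example: report firmware boot mode and Secure Boot state from efivarfs.
# Each efivarfs file is 4 bytes of attributes followed by the variable data.
# EFI_GLOBAL is the GUID of the UEFI global variable namespace.
EFI_GLOBAL=8be4df61-93ca-11d2-aa0d-00e098032b8c

# Print the first data byte (file offset 4) of a UEFI variable,
# or nothing if the variable does not exist.
efi_byte() {
    [ -r "$1" ] || return 0
    od -An -tu1 -j4 -N1 "$1" | tr -d ' \n'
}

# boot_state [DIR] prints one of:
#   legacy-or-no-efivars  not booted via UEFI (or efivarfs is not mounted)
#   setup-mode            UEFI, no Platform Key enrolled, nothing is enforced
#   secure-boot-on        UEFI, boot loader signatures are being verified
#   secure-boot-off       UEFI, Secure Boot switched off in firmware setup
boot_state() {
    dir=${1:-/sys/firmware/efi/efivars}
    if [ ! -d "$dir" ]; then
        echo legacy-or-no-efivars
        return 0
    fi
    sb=$(efi_byte "$dir/SecureBoot-$EFI_GLOBAL")
    setup=$(efi_byte "$dir/SetupMode-$EFI_GLOBAL")
    if [ "$setup" = 1 ]; then
        echo setup-mode
    elif [ "$sb" = 1 ]; then
        echo secure-boot-on
    else
        echo secure-boot-off
    fi
}

# With no argument this inspects the live system.
boot_state "$@"
```

On distributions that ship it, `mokutil --sb-state` reports the same Secure Boot state.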


51 minutes ago, mrchow19910319 said:

I see. Thanks. In order to dual boot Linux I would just disable it for now...

You're running Mint 21 (Previous versions did too)? It will work fine with secure boot enabled. There really wasn't a reason to disable it. The machine I'm typing this on has Mint 21 (my primary OS) and Windows 11 (for gaming).

You create a key, reboot, enroll that key (type in the password you created), done deal.


1 hour ago, Eigenvektor said:

OP is talking about disabling Secure Boot, not disabling UEFI altogether.

Hence the "if you go as far"... I've had to deal with folks who disabled UEFI entirely and then complained that multiple features didn't work anymore.


Unless you have a good reason to, you should not enable Secure Boot on anything but Windows 11.

Enterprise systems should enable Secure Boot because they are running Windows, but only after the OS has been imaged. Part of the tools you get with Dell systems installs the OS image and sets the BIOS to SecureBoot after the OS has finished being image restored. I'm sure similar processes exist for HP and Lenovo systems.

That said, Secure Boot complicates password recovery tools, and if you don't do things correctly when you install the OS, there is no "booting from the install disk" to fix it.


On 11/13/2022 at 11:54 AM, mrchow19910319 said:

Basically means it checks whether there's a hacker who's trying to pretend to be me and use a USB to try to unlock my PC, is it?

No, it's checking that you're running a "trusted" operating system, i.e. Windows. Irrelevant for personal use.

Don't ask to ask, just ask... please 🤨

sudo chmod -R 000 /*


On 11/13/2022 at 8:15 PM, OhioYJ said:

You're running Mint 21 (Previous versions did too)? It will work fine with secure boot enabled. There really wasn't a reason to disable it. The machine I'm typing this on has Mint 21 (my primary OS) and Windows 11 (for gaming).

You create a key, reboot, enroll that key (type in the password you created), done deal.

The reason I disabled it is because when I try to key in the key, my laptop's keyboard does not respond, nor does the mouse. So I just disabled it altogether.

Also, I switched from Mint to Xubuntu, I need to use snapd as a service. I'm still learning.

Also also, having a 2560x1600 monitor is kind of a pain point for using Linux, it does not let me scale my resolution/UI. Uhhhh.

If it is not broken, let's fix till it is. 


58 minutes ago, mrchow19910319 said:

The reason I disabled it is because when I try to key in the key, my laptop's keyboard does not respond, nor does the mouse. So I just disabled it altogether.

Also, I switched from Mint to Xubuntu, I need to use snapd as a service. I'm still learning.

Also also, having a 2560x1600 monitor is kind of a pain point for using Linux, it does not let me scale my resolution/UI. Uhhhh.

There is a scale option on Mint? Did you try the proprietary option rather than the open one? I don't know about the keyboard thing, my keyboard just works for entering the password. Perhaps someone using a laptop has run into this. Would be kind of annoying to have to use an external (USB) keyboard for that.
