
UEFI, Secure Boot, TPM 2.0

What's the difference between UEFI and Secure Boot?
Also, is it necessary to enable Secure Boot and TPM 2.0 on Linux, like on Windows? Or am I fine without?
Also, if I do need this stuff enabled, how would I go about doing that? I know Windows automatically configures it, but afaik Linux doesn't.

Here is my PCPartPicker list: https://pcpartpicker.com/user/Hanouzz/saved/xP4s8d

If it helps anyone's answer, just so y'all know, I will be using Void Linux.


UEFI is the successor to BIOS, basically the computer's firmware (Unified Extensible Firmware Interface).

Secure Boot is one specific BIOS/UEFI feature that only allows the computer to boot if the operating system's boot loader is signed by a valid (Microsoft) key.

It is a somewhat controversial feature on Linux, because it was developed by MS and they are the ones who have to sign the boot loader, which they don't do for open source implementations.

TPM (Trusted Platform Module) is a hardware module that is used to securely store credentials/encryption keys in a way that should make them unrecoverable by an unauthorized third party.

It is needed for features such as Bitlocker, to store the encryption keys used when you encrypt your disk.

Remember to either quote or @mention others, so they are notified of your reply


Secure Boot needs to be disabled for Void Linux and TPM 2.0 is not required.

Asus Zephyrus Duo 2023:

CPU: 7945HX

GPU: 4090M

OS: BazziteOS


52 minutes ago, Eigenvektor said:

UEFI is the successor to BIOS, basically the computer's firmware (Unified Extensible Firmware Interface).

Secure Boot is one specific BIOS/UEFI feature that only allows the computer to boot if the operating system's boot loader is signed by a valid (Microsoft) key.

It is a somewhat controversial feature on Linux, because it was developed by MS and they are the ones who have to sign the boot loader, which they don't do for open source implementations.

TPM (Trusted Platform Module) is a hardware module that is used to securely store credentials/encryption keys in a way that should make them unrecoverable by an unauthorized third party.

It is needed for features such as Bitlocker, to store the encryption keys used when you encrypt your disk.

Alrighty. So is it difficult to enable TPM 2.0 on Linux, or do I just have to enable it in the BIOS/UEFI?


3 minutes ago, CosmicEmotion said:

Secure Boot needs to be disabled for Void Linux and TPM 2.0 is not required.

hmm alright. Def won't use secure boot, might still be nice to use TPM 2.0 tho


19 minutes ago, hanouzz said:

hmm alright. Def won't use secure boot, might still be nice to use TPM 2.0 tho

You can enable it in BIOS and it should work just fine.

Asus Zephyrus Duo 2023:

CPU: 7945HX

GPU: 4090M

OS: BazziteOS


3 hours ago, hanouzz said:

Alrighty. So is it difficult to enable TPM 2.0 on Linux, or do I just have to enable it in the BIOS/UEFI?

Both Secure Boot and TPM 2.0 are enabled/disabled in BIOS/UEFI. Without workarounds Windows 11 requires both of them to be enabled, or it refuses to install. Likewise some anti-cheat software (e.g. Vanguard) requires Secure Boot to be enabled on Win 11. So if you want to dual boot Windows and you want to play certain multiplayer games, you may have to enable it.

Some Linux distributions (e.g. Ubuntu) should support Secure Boot out of the box. Basically they include a small binary (shim) that is signed by Microsoft. That binary is responsible for loading the actual boot loader, like grub. You can get it working for other distributions (for example the Arch instructions), but it's not necessarily simple.

TPM 2.0 on the other hand shouldn't be an issue. Whether any Linux software actually makes use of it to store credentials is another question.

It's not without its pitfalls though. For example if you use full disk encryption (e.g. Bitlocker on Windows) and the TPM gets wiped by a broken BIOS update or your hardware has a defect, the encryption keys and therefore your encrypted data may become unrecoverable. That is why a recovery key for Bitlocker is an absolute must.

Remember to either quote or @mention others, so they are notified of your reply
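A way to confirm from the Linux side what the firmware switches actually did, as an added example rather than anything posted in this thread: it reads the SecureBoot/SetupMode UEFI variables and the TPM version from sysfs (the efivarfs layout and the `tpm_version_major` attribute, Linux 5.6+, are assumptions) and takes an optional root prefix so it can also be run against a constructed tree.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: efivarfs is mounted and exposes
# the SecureBoot/SetupMode variables, and the kernel (5.6+) exposes
# /sys/class/tpm/tpm0/tpm_version_major. Every function takes an optional root
# prefix so the same code can be exercised against a constructed directory tree.

EFI_GLOBAL_GUID=8be4df61-93ca-11d2-aa0d-00e098032b8c

# efivarfs files are 4 attribute bytes followed by the variable data; SecureBoot and
# SetupMode are a single byte each. Prints that byte in decimal, or "missing".
efivar_byte() {
    f="$1/sys/firmware/efi/efivars/$2-$EFI_GLOBAL_GUID"
    [ -r "$f" ] || { echo missing; return 0; }
    v=$(od -An -tu1 -j4 -N1 "$f" 2>/dev/null | tr -d ' \n')
    echo "${v:-missing}"
}

# Prints one of: not-uefi | setup-mode | enabled | disabled | unknown
# (setup-mode means no Platform Key is enrolled, so nothing is enforced even if
# the SecureBoot byte happens to read 1).
secure_boot_state() {
    root=${1:-}
    [ -d "$root/sys/firmware/efi" ] || { echo not-uefi; return 0; }
    [ "$(efivar_byte "$root" SetupMode)" = 1 ] && { echo setup-mode; return 0; }
    case "$(efivar_byte "$root" SecureBoot)" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# Prints one of: none | tpm2 | tpm1 | unknown
tpm_state() {
    root=${1:-}
    d="$root/sys/class/tpm/tpm0"
    [ -d "$d" ] || { echo none; return 0; }
    case "$(cat "$d/tpm_version_major" 2>/dev/null)" in
        2) echo tpm2 ;;
        1) echo tpm1 ;;
        *) echo unknown ;;
    esac
}

report() {
    echo "Secure Boot: $(secure_boot_state "$1")"
    echo "TPM:         $(tpm_state "$1")"
}

report "${1:-}"
```

If the TPM reports tpm2 and you later bind a LUKS keyslot to it, keep a passphrase or recovery keyslot as well, for the same reason the post gives for Bitlocker.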

