
So I just watched Chris Titus reaction video about LTT "Linux challenge" and I'm confused... He said several times, if you disable secure boot you can't load into windows anymore... Does that make any sense? Like it would erase some "keys"...

 

Isn't that what TPM is for?  

But either way, I really want to install Linux on my laptop, no dual booting no virtual machine no live usb, just plain install Linux on a new 4TB drive... And I definitely want TPM and secure boot off, but I also want to be able to just go back to my w11 install (which is on an entirely different not connected drive as mentioned) if I don't like Linux or there are issues I can't resolve... 

 

So will this work? (my w11 is *not* encrypted btw, but even then I don't understand how that would be an issue even though I can see how windows may just delete encryption keys when you switch off TPM or secure boot)

 

Did Titus just make a pretty huge mistake or what?  That would be pretty funny ... But leaves me confused... I'd really hate not being able to go back to my win 11 install...

The direction tells you... the direction

-Scott Manley, 2021

 

 

https://linustechtips.com/topic/1633404-sooooo-secure-boot-w11linux/

24 minutes ago, Mark Kaine said:

Isn't that what TPM is for?

From my understanding Secure boot is supposed to verify the boot loaders and stop rootkits and malicious code that can run at startup. Whereas TPM is more for security purposes of the OS, such as disk encryption and such.

 

 

29 minutes ago, Mark Kaine said:

I'd really hate not being able to go back to my win 11 install...

I've heard of Windows updates breaking dual booting in the past. So....... how well it will work really depends on Microslop.

I just want to sit back and watch the world burn. 


1 hour ago, Mark Kaine said:

So I just watched Chris Titus reaction video about LTT "Linux challenge" and I'm confused... He said several times, if you disable secure boot you can't load into windows anymore... Does that make any sense? Like it would erase some "keys"...

 

Isn't that what TPM is for?  

But either way, I really want to install Linux on my laptop, no dual booting no virtual machine no live usb, just plain install Linux on a new 4TB drive... And I definitely want TPM and secure boot off, but I also want to be able to just go back to my w11 install (which is on an entirely different not connected drive as mentioned) if I don't like Linux or there are issues I can't resolve... 

 

So will this work? (my w11 is *not* encrypted btw, but even then I don't understand how that would be an issue even though I can see how windows may just delete encryption keys when you switch off TPM or secure boot)

 

Did Titus just make a pretty huge mistake or what?  That would be pretty funny ... But leaves me confused... I'd really hate not being able to go back to my win 11 install...

I just tried this a few days ago. I dual boot my home pc, and my Ubuntu was being really finicky with NVidia drivers and secure boot, so I turned it off. I thought for sure that windows won't boot, but it does. It does not break anything in windows. It just wakes up like nothing happened. I do think that you should keep TPM on though. For me, personally, it has not caused any problems in linux. Besides, I am 99% sure that windows will not boot without TPM.


1 hour ago, Donut417 said:

I've heard of Windows updates breaking dual booting in the past. So....... how well it will work really depends on Microslop

Yeah but I don't want to dual boot for that reason, and while he wasn't entirely clear about that, he mentioned it several times that turning this off will make windows not boot anymore...

 

I really kinda think he meant tpm (in which case that would only be true if encryption was enabled, otherwise it shouldn't do anything to my understanding)

 

 

12 minutes ago, GT710 Connoisseur said:

I just tried this a few days ago. I dual boot my home pc, and my Ubuntu was being really finicky with NVidia drivers and secure boot, so I turned it off. I thought for sure that windows won't boot, but it does. It does not break anything in windows. It just wakes up like nothing happened. I do think that you should keep TPM on though. For me, personally, it has not caused any problems in linux. Besides, I am 99% sure that windows will not boot without TPM.

 

I had that idea to just leave both on, even before it was mentioned in this way but I really don't want to lol, I'm not sure about TPM either it's definitely off on my win 10 install. 🤔

 

And yeap, exactly it's actually recommended to turn secure boot off, but still the situation is rather unclear (as it's also worth noting actually both "features" are mainly designed around preventing people from installing different OS's... all that security nonsense is just ms gaslighting everyone, I think that's not a conspiracy theory, it's pretty well known actually - not saying it's the only purpose but the main purpose for sure, it's why everyone hated it when these things got introduced 👀)


2 minutes ago, Mark Kaine said:

Yeah but I don't want to dual boot for that reason, and while he wasn't entirely clear about that, he mentioned it several times that turning this off will make windows not boot anymore...

 

I really kinda think he meant tpm (in which case that would only be true if encryption was enabled, otherwise it shouldn't do anything to my understanding)

 

 

 

I had that idea to just leave both on, even before it was mentioned in this way but I really don't want to lol, I'm not sure about TPM either it's definitely off on my win 10 install. 🤔

 

And yeap, exactly it's actually recommended to turn secure boot off, but still the situation is rather unclear (as it's also worth noting actually both "features" are mainly designed around people not installing different OS's... all that security nonsense is just ms gaslighting everyone, I think that's not a conspiracy theory, it's pretty well known actually - not saying it's the only purpose but the main purpose for sure, it's why everyone hated it when these things got introduced 👀)

I still think you should turn just secure boot off, as TPM does not interfere with anything.


4 hours ago, Mark Kaine said:

He said several times, if you disable secure boot you can't load into windows anymore... Does that make any sense? Like it would erase some "keys"...

Secure Boot verifies that the system's boot loader is signed with a valid (Microsoft issued) certificate. Disabling it should not erase anything. He seems to be confusing it with TPM. TPM is a chip that's designed to securely store credentials, such as Bitlocker encryption keys.

 

My system is dual boot (Manjaro/W11). I have Secure Boot disabled, which works just fine. Windows 11 does not require it to be enabled. It requires a system that is Secure Boot capable, but it doesn't actually need to be turned on (see System Requirements). However, some multiplayer titles such as Battlefield 6 may require you to enable it, or they will refuse to start.

 

If I recall correctly, I just enabled TPM, then updated from Windows 10 to Windows 11 and that was it. My Linux installation kept working as before. I did try enabling Secure Boot at one point, but (obviously) that blocked me from booting back into my system since Manjaro does not have a signed boot loader. I simply disabled it again and my system booted as before.

Remember to either quote or @mention others, so they are notified of your reply


6 hours ago, GT710 Connoisseur said:

my Ubuntu was being really finicky with NVidia drivers and secure boot

I'm surprised, this should just work. Secure boot and Mint work fine for me, four computers here in the house run secure boot and nVidia. You should be able to just use the drivers Ubuntu supplies and it should just work. Now if you download them from nvidia it's more work.

 

 


7 hours ago, Mark Kaine said:

And yeap, exactly it's actually recommended to turn secure boot off, but still the situation is rather unclear (as it's also worth noting actually both "features" are mainly designed around preventing people from installing different OS's... all that security nonsense is just ms gaslighting everyone, I think that's not a conspiracy theory, it's pretty well known actually

Not really.
Secureboot is there to ensure only binaries that are signed get loaded, you can enroll your own key and sign your own binaries.
TPM is mostly used for storing cryptographic keys which can be used for unlocking bitlocker or luks for instance. It has some other features such as rng as well.

Both of these can be combined for additional security by binding keys in the TPM to PCR values which require the machine to be in a specific state, so if you bind to PCR7 and then the SecureBoot state changes from On to Off that key is invalidated.

 

If a system itself prevents you from modifying the secureboot state or enrolling keys that's a different issue.
Some hardware also depends on Microsoft's certificate, but again that's a different issue.

Depending on the device you may be able to remove Microsoft's keys altogether.

The only reason people recommend disabling secureboot for linux is because most distros just don't support it ootb.

Major distributions like RedHat, Ubuntu, and SUSE use a shim signed by Microsoft's Third Party CA for ease of use, though some devices in the enterprise/business space don't ship with Microsoft's Third Party keys or disable them by default.


8 hours ago, GT710 Connoisseur said:

I still think you should turn just secure boot off, as TPM does not interfere with anything.

 

5 hours ago, Eigenvektor said:

Secure Boot verifies that the system's boot loader is signed with a valid (Microsoft issued) certificate. Disabling it should not erase anything. He seems to be confusing it with TPM. TPM is a chip that's designed to securely store credentials, such as Bitlocker encryption keys.

 

My system is dual boot (Manjaro/W11). I have Secure Boot disabled, which works just fine. Windows 11 does not require it to be enabled. It requires a system that is Secure Boot capable, but it doesn't actually need to be turned on (see System Requirements). However, some multiplayer titles such as Battlefield 6 may require you to enable it, or they will refuse to start.

 

If I recall correctly, I just enabled TPM, then updated from Windows 10 to Windows 11 and that was it. My Linux installation kept working as before. I did try enabling Secure Boot at one point, but (obviously) that blocked me from booting back into my system since Manjaro does not have a signed boot loader. I simply disabled it again and my system booted as before.

Yeah that's what I was thinking, I mean he did improvise the whole thing, but that's a pretty big mistake to make and really scared me, and I still don't trust my w11 install to not f up after I install Linux (and again I don't plan on dual booting for now)

 

As for TPM I thought I have this off on win 10, I definitely did on my previous motherboard, but they apparently sneak this in as a default setting now...

 


 

I guess I'll leave it on though because I really want to be able to get back to my w11 install or maybe even dual boot eventually 👀)

 

 

5 hours ago, Eigenvektor said:

simply disabled it again and my system booted as before.

Yeah but the question is what does it do when it was previously turned on during the w11 installation... But yes, I think this should do nothing... but then why is it there...  sus, it could definitely say something "oh we're sorry the secure boot keys are not verified/signed, because we deleted them!" ... which will probably happen in June anyways because they "expire" then 🤷


16 minutes ago, Nayr438 said:

Not really.
Secureboot is there to ensure only binaries that are signed get loaded, you can enroll your own key and sign your own binaries.
TPM is mostly used for storing cryptographic keys which can be used for unlocking bitlocker or luks for instance. It has some other features such as rng as well.

Both of these can be combined for additional security by binding keys in the TPM to PCR values which require the machine to be in a specific state, so if you bind to PCR7 and then the SecureBoot state changes from On to Off that key is invalidated.

 

If a system itself prevents you from modifying the secureboot state or enrolling keys that's a different issue.
Some hardware also depends on Microsoft's certificate, but again that's a different issue.

Depending on the device you may be able to remove Microsoft's keys altogether.

The only reason people recommend disabling secureboot for linux is because most distros just don't support it ootb.

Major distributions like RedHat, Ubuntu, and SUSE use a shim signed by Microsoft's Third Party CA for ease of use, though some devices in the enterprise/business space don't ship with Microsoft's Third Party keys or disable them by default.

Yeah as said, it's mostly to lock you into their ecosystem, the "security" features are mostly nefarious, just like the HVCI thing (which only caused issues on my laptop) kernel level anti cheat and who knows how many backdoors... I know because that's exactly what's preventing me (and probably millions of others) from installing Linux, it's not "Linux may suck" it's "will my windows stuff still work, even though I *disconnected* the drive..." >.<


1 hour ago, Mark Kaine said:

Yeah that's what I was thinking, I mean he did improvise the whole thing, but that's a pretty big mistake to make and really scared me, and I still don't trust my w11 install to not f up after I install Linux (and again I don't plan on dual booting for now)

So you'll be physically swapping back and forth between separate drives? Could always just toggle the UEFI options at that point.

 

1 hour ago, Mark Kaine said:

As for TPM I thought I have this off on win 10, I definitely did on my previous motherboard, but they apparently sneak this in as a default setting now...

On my motherboard it was auto-enabled at some point by a BIOS update. Which makes some sense, since it's a requirement for Windows 11. They simply wanted to make it easier for people to upgrade to Windows 11.

 

1 hour ago, Mark Kaine said:

Yeah but the question is what does it do when it was previously turned on during the w11 installation... But yes, I think this should do nothing... but then why is it there...  sus, it could definitely say something "oh we're sorry the secure boot keys are not verified/signed, because we deleted them!" ... which will probably happen in June anyways because they "expire" then 🤷

Secure Boot doesn't do anything other than check the boot loader's cryptographic signature against a public key stored in UEFI. If the check fails, it prevents your system from booting, that's it. It shouldn't affect anything once the system is running. Disabling it again shouldn't do anything other than skip this check at boot time.

 

~edit: https://superuser.com/questions/1689067/can-disabling-secure-boot-affect-windows

 

The primary reason it's there is to prevent malware from modifying your boot loader. As a side effect it also stops Linux boot loaders that aren't officially signed by Microsoft and/or don't use a shim signed by Microsoft.

 

Some multiplayer games want it enabled because some low level cheats rely on modified boot loaders. Those effectively run the whole system in a virtual environment to make it harder for anti-cheat software to detect them, since they're then executed on a layer the game code/kernel-level anti-cheat can't access.

 

The public key stored in the UEFI is set to expire (as is normal for any kind of certificate/private key based stuff). It'll simply be replaced with a renewed version.


1 hour ago, Eigenvektor said:

Secure Boot doesn't do anything other than check the boot loader's cryptographic signature against a public key stored in UEFI. If the check fails, it prevents your system from booting, that's it. It shouldn't affect anything once the system is running. Disabling it again shouldn't do anything other than skip this check at boot time.

 

~edit: https://superuser.com/questions/1689067/can-disabling-secure-boot-affect-windows

Going back to PCR and TPM, this may trip up bitlocker/device encryption if it's being used.
 

Quote

BitLocker and its related technologies depend on specific PCR configurations. Additionally, specific change in PCRs can cause a device or computer to enter BitLocker recovery mode.

https://learn.microsoft.com/en-us/troubleshoot/windows-client/windows-security/decode-measured-boot-logs-to-track-pcr-changes

 

Quote

By default, BitLocker provides integrity protection for Secure Boot by utilizing the TPM PCR[7] measurement.

https://learn.microsoft.com/en-us/windows/security/operating-system-security/data-protection/bitlocker/countermeasures

https://support.microsoft.com/en-us/windows/device-encryption-in-windows-cf7e2b6f-3e70-4882-9532-18633605b7df

 

PCR7 contains the secure boot policy hash.

 

With that said, this shouldn't prevent Windows from working, it just may ask for a recovery key. Re-enabling Secure Boot may also allow it to continue to work as normal, however.

I can't confirm this, this is just Microsoft's documentation on the matter. I also don't know if this extends to anything else, bitlocker was just what came to mind.

 

2 hours ago, Eigenvektor said:

It shouldn't affect anything once the system is running. Disabling it again shouldn't do anything other than skip this check at boot time.

This is technically wrong as anything utilizing TPM with a key attached to PCR7 would be affected by this change, this can extend beyond the OS itself.

 

It is possible that in a lot of scenarios changing the state of Secure Boot won't have an effect on the system outside of checking whether things are signed or not, I am just pointing out that it can.
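The PCR7 binding discussed in this post and in the earlier reply about binding TPM keys to PCR values, as an added example (not code from any poster or from Microsoft's documentation): a simplified Python model of a key sealed to PCR7, showing what happens when Secure Boot is toggled or a key is added. The `ToyTPM` class, the variable contents and the keys are constructed for illustration; a real PCR7 records further events and real sealing uses TPM 2.0 policy sessions.

```python
import hashlib
import hmac

# Constructed sample values; none of these are real keys or certificates.
RECOVERY_KEY = b"constructed-recovery-key"
VOLUME_KEY = b"constructed-volume-key"
DEFAULT_VARS = {
    "PK": [b"constructed-oem-platform-key"],
    "KEK": [b"constructed-kek"],
    "db": [b"constructed-microsoft-ca"],
    "dbx": [],
}


def extend(pcr: bytes, event: bytes) -> bytes:
    """PCR extend: new = SHA256(old || SHA256(event)); a PCR is never written directly."""
    return hashlib.sha256(pcr + hashlib.sha256(event).digest()).digest()


def measure_pcr7(secure_boot_on: bool, variables: dict) -> bytes:
    """Simplified PCR7: the SecureBoot flag, then PK, KEK, db and dbx contents in order."""
    pcr = bytes(32)  # PCRs reset to zero on every boot
    pcr = extend(pcr, b"SecureBoot\x00" + (b"\x01" if secure_boot_on else b"\x00"))
    for name in ("PK", "KEK", "db", "dbx"):
        pcr = extend(pcr, name.encode() + b"\x00" + b"".join(variables[name]))
    return pcr


class ToyTPM:
    """Hypothetical stand-in for a TPM: keeps sealed secrets across boots."""

    def __init__(self):
        self.pcr7 = bytes(32)
        self._sealed = {}

    def boot(self, secure_boot_on: bool, variables: dict) -> None:
        self.pcr7 = measure_pcr7(secure_boot_on, variables)

    def seal(self, name: str, secret: bytes) -> None:
        # The policy records the PCR7 value the machine must be in to unseal.
        self._sealed[name] = (self.pcr7, secret)

    def unseal(self, name: str):
        policy, secret = self._sealed[name]
        # The secret is still stored; it is only withheld while PCR7 differs.
        return secret if hmac.compare_digest(policy, self.pcr7) else None


def unlock(tpm: ToyTPM, recovery_key: bytes = None) -> str:
    """Return which protector opened the volume: 'tpm', 'recovery' or 'locked'."""
    if tpm.unseal("volume-key") == VOLUME_KEY:
        return "tpm"
    if recovery_key is not None and hmac.compare_digest(recovery_key, RECOVERY_KEY):
        return "recovery"
    return "locked"


def run_scenario() -> dict:
    tpm = ToyTPM()
    tpm.boot(True, DEFAULT_VARS)
    tpm.seal("volume-key", VOLUME_KEY)  # encryption enabled with Secure Boot on

    results = {}
    tpm.boot(True, DEFAULT_VARS)
    results["unchanged"] = unlock(tpm)
    tpm.boot(False, DEFAULT_VARS)  # Secure Boot toggled off in firmware setup
    results["secure boot off"] = unlock(tpm)
    results["secure boot off + recovery key"] = unlock(tpm, RECOVERY_KEY)
    tpm.boot(True, DEFAULT_VARS)  # toggled back on, keys untouched
    results["secure boot on again"] = unlock(tpm)
    own_key = dict(DEFAULT_VARS, db=DEFAULT_VARS["db"] + [b"constructed-own-key"])
    tpm.boot(True, own_key)  # a key added to db also changes PCR7
    results["key added to db"] = unlock(tpm)
    return results


if __name__ == "__main__":
    for state, outcome in run_scenario().items():
        print(f"{state:32} -> {outcome}")
```

An unencrypted Windows install has nothing sealed to PCR7, so none of these branches apply to it.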


1 hour ago, Nayr438 said:

Going back to PCR and TPM, this may trip up bitlocker/device encryption if it's being used.
 

https://learn.microsoft.com/en-us/troubleshoot/windows-client/windows-security/decode-measured-boot-logs-to-track-pcr-changes

 

https://learn.microsoft.com/en-us/windows/security/operating-system-security/data-protection/bitlocker/countermeasures

https://support.microsoft.com/en-us/windows/device-encryption-in-windows-cf7e2b6f-3e70-4882-9532-18633605b7df

 

PCR7 contains the secure boot policy hash.

 

With that said, this shouldn't prevent Windows from working, it just may ask for a recovery key. Re-enabling Secure Boot may also allow it to continue to work as normal, however.

I can't confirm this, this is just Microsoft's documentation on the matter. I also don't know if this extends to anything else, bitlocker was just what came to mind.

 

This is technically wrong as anything utilizing TPM with a key attached to PCR7 would be affected by this change, this can extend beyond the OS itself.

 

It is possible that in a lot of scenarios changing the state of Secure Boot won't have an effect on the system outside of checking whether things are signed or not, I am just pointing out that it can.

Yeah I get that and maybe that's what Chris meant... so as long as I don't have encryption on I should be fine right?

 

Also what happens if I turn TPM and secure boot off now... will windows still boot and how reversible is that?

 

Because I think I should try that instead of getting a nice "surprise" later... 

 

It really kinda sucks that I can't see that laptop working well without all the Asus crap also (so the laptop is being taken hostage twice, potentially, one by ms and two by asus lol...)

 

(I mean you should see it, it runs hot as hell, never drops a beat, no overheating... I bet that's just Asus overriding all normal protections... hence I'm not sure how well Linux will handle all of that, besides the usual issues like nVidia drivers etc >.< ) 


Disabling the TPM shouldn't delete the keys as far as I am aware, just make it inaccessible.
So long as the keys remain in the TPM and the hash for whatever PCR values it's attached to remain the same you should be able to just re-enable them without issue.
If something changes and the TPM keys can't be unlocked then they will have to be re-enrolled so it just depends on the software, for windows bitlocker it will just ask for a recovery key in the event it happens, to my understanding.

 

I can't comment much on Windows as I am not that familiar with Windows.

 

There is really no reason to disable TPM, it's a secure place to handle keys and some software going forward may depend on it more.
Secure Boot should be used whenever possible, it can help prevent malicious software from taking over early boot and if you use encryption it gives a good value to bind a key to. If you want to go Linux consider enrolling your own keys and signing your own binaries. sbctl is probably the easiest method to do this.

Windows and Linux can both take advantage of these security mechanisms, there is nothing nefarious with these and they don't impact performance.


On 3/8/2026 at 5:43 PM, Lurking said:

this the video:

And no, I don't know how he thinks secure boot disabling will nuke Windows.

I only watched the part relevant to this thread but I don't think he understands how Secure Boot works at all.

Just to clear up any misinformation on that part.

  • Linux and applications on top of it can definitely take advantage of Secure Boot in the same ways Windows does.
  • It definitely doesn't reach out to a server, the whole Secure Boot Process is handled locally.
  • You don't have to use the shim signed by Microsoft, it's a convenience thing.
  • Changing the Secure Boot state should not wipe existing keys.
  • In the event Secure Boot keys are wiped, Microsoft's will likely always be enrolled.
    • Windows is the dominant OS on the Desktop so it makes sense to ship Microsoft's keys.
  • You do not have to wipe pre-existing keys to install new keys.
  • Changing the Secure Boot state does not make pre-existing drives or partitions inaccessible.
    • It may prevent bitlocker or luks from being automatically unlocked as I have mentioned previously but these can still both be unlocked with either a recovery key or password, it can also be re-enrolled into the tpm if needed afterwards.

7 minutes ago, Nayr438 said:

but I don't think he understands how Secure Boot works at all.

And this is why I don't run "debloating scripts" from him or anyone else. 

 

I give him the benefit of the doubt and assume he mixed something up and meant to say something else. 

No signature

 


Just this weekend I went back to running linux Mint on my main workstation. It had secure boot enabled since I was running win11.
I had forgotten about it, during the install it made me create a password for Secure boot. I just rolled with it, and after install on the first boot it prompted me to import the keys.

I had no idea what the process was, never bothered to read the documentation or a how-to ahead of time.
Just randomly clicked thru all the options until I got prompted for the password I made during install. It gave me a successful response and boom. I'm in my desktop and everything's working. I probably should go back and figure out what the right way is, but it's getting foolproof enough to fumble your way thru it. Which is great.

Work Station:: Cooler Master Storm Trooper // i7-3930K @ 3.9 GHz // Asus Sabertooth X79 // Corsair Vengeance 16GB (4X4GB) 1600 MHz // Cooler Master 1200W Gold // Xonar Essence STX // Radeon HD 6970 // Avermedia HD Live Gamer Pro

 

Gaming Rig:: Cooler Master Scout // i7-2700k @ 4.0GHz // MSI Z68 // G-Skill Ripjaw 16GB (4X4EB) 1066MHz // Antec 750W Bronze // Creative Sound Blaster X-Fi HD // EVGA GTX 670


On 3/9/2026 at 2:31 AM, Agons said:

Just this weekend I went back to running linux Mint on my main workstation. It had secure boot enabled since I was running win11.
I had forgotten about it, during the install it made me create a password for Secure boot. I just rolled with it, and after install on the first boot it prompted me to import the keys.

I had no idea what the process was, never bothered to read the documentation or a how-to ahead of time.
Just randomly clicked thru all the options until I got prompted for the password I made during install. It gave me a successful response and boom. I'm in my desktop and everything's working. I probably should go back and figure out what the right way is, but it's getting foolproof enough to fumble your way thru it. Which is great.

... the problem/question is what happens if you go back to windows? (Since you seemingly just replaced the windows keys with linux keys...)

 

Unless I'm misunderstanding what you meant.

 

On 3/9/2026 at 12:37 AM, Lurking said:

I give him the benefit of the doubt and assume he mixed something up and meant to say something else. 

That's what I'm thinking, he might have mixed things up... Like yes, if you have windows bitlocker enabled and then let linux overwrite, delete or otherwise touch those keys I don't think windows will boot anymore... 👀

 

 

On other hand why would windows lock itself down like that without ever giving the user a password?

 

(only reason I could think of is: user didn't create a Microsoft account and therefore is getting screwed (yes, that would be me))

Ie. Windows is just scummy, no two ways around it! 😡


4 hours ago, Mark Kaine said:

... the problem/question is what happens if you go back to windows? (Since you seemingly just replaced the windows keys with linux keys...)

They likely enrolled keys/hashes with MOK manager which doesn't affect secure boot keys. It still boots with a shim signed by Microsoft but it adds additional keys and hashes to a MOK database which is enforced by the shim.

 

So the keys for UEFI Secure Boot in this instance are entirely untouched.

This has less configuration on the user's end if any and prevents the hash on PCR7 from changing as any additions or deletions are considered a Secure Boot state change.

 

Even if they did enroll new Secure Boot keys they likely wouldn't delete Microsoft's keys for the following reason.

Quote

Warning

Replacing the platform keys with your own can end up bricking hardware on some machines, including laptops, making it impossible to get into the firmware settings to rectify the situation. This is due to the fact that some device (e.g GPU) firmware (OpROMs), that get executed during boot, are signed using Microsoft 3rd Party UEFI CA certificate or vendor certificates. This is the case in many Lenovo Thinkpad X, P and T series laptops which uses the Lenovo CA certificate to sign UEFI applications and firmware.

https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot#Using_your_own_keys

 

Not all devices are like this but it's enough of a concern that it should never be default behavior to remove any default keys.

 

4 hours ago, Mark Kaine said:

On other hand why would windows lock itself down like that without ever giving the user a password?

 

(only reason I could think of is: user didn't create a Microsoft account and therefore is getting screwed (yes, that would be me))

It should have been presented when Bitlocker was set up, if not then yes it is available via your Microsoft Account.

https://support.microsoft.com/en-us/windows/find-your-bitlocker-recovery-key-6b71ad27-0b89-ea08-f143-056f5ab347d6

 


43 minutes ago, Nayr438 said:

It should have been presented when Bitlocker was set up

Windows home version, I never set this up and it doesn't have it AFAIK, it did however in fact have some kind of encryption enabled by default (thanks Asus?) which I turned off immediately though and it again didn't ask for or show any kind of key or password.

 

43 minutes ago, Nayr438 said:

if not then yes it is available via your Microsoft Account.

I don't have one... 🤣😏👀

 

 

So basically I can't turn off secure boot or tpm even when my choice of linux doesn't support it?

 

That doesn't really make sense, does it? 

 

In any case I hope Asus will honor the warranty after windows bricked itself? 🤔


15 hours ago, Mark Kaine said:

Windows home version, I never set this up and it doesn't have it AFAIK, it did however in fact have some kind of encryption enabled by default (thanks Asus?) which I turned off immediately though and it again didn't ask for or show any kind of key or password.

Not just Asus, most OEMs enabled device encryption by default because "security". That is the basic version of Bitlocker.

 

Should've no problem turning off Secure Boot after you've disabled Device Encryption.

15 hours ago, Mark Kaine said:

In any case I hope Asus will honor the warranty after windows bricked itself?

Of course. Sue them if they refused to reinstall/reimage your laptop OS. 

| Intel i7-3770@4.2Ghz | Asus Z77-V | Zotac 980 Ti Amp! Omega | DDR3 1800mhz 4GB x4 | 300GB Intel DC S3500 SSD | 512GB Plextor M5 Pro | 2x 1TB WD Blue HDD |
 | Enermax NAXN82+ 650W 80Plus Bronze | Fiio E07K | Grado SR80i | Cooler Master XB HAF EVO | Logitech G27 | Logitech G600 | CM Storm Quickfire TK | DualShock 4 |


On 3/8/2026 at 1:56 PM, Eigenvektor said:

So you'll be physically swapping back and forth between separate drives? Could always just toggle the UEFI options at that point.

YES, but what UEFI options and will that delete the Windows/boot/ransom keys?

 

 

On 3/8/2026 at 4:24 PM, Nayr438 said:

Going back to PCR and TPM, this may trip up bitlocker/device encryption if it's being used.

Again, no encryption is used currently.

 

On 3/13/2026 at 1:41 PM, xAcid9 said:

Should've no problem turning off Secure Boot after you've disabled Device Encryption.

So guys... I'm still not sure my current windows install will still work if I disable secure boot...  I thought "eh, I'm just gonna try it and turn it off ...". But then I was presented with


 

There's at least minimum 15 different "keys" stored, most of them from MICROSOFT (unsurprisingly) 😭

 

So I could try the "export Secure Boot variables" , but I'm not sure how that works... Export to a USB stick or what?  (If I click on it it gives me two "file system numbers thingies" ... and nothing else, very cryptic... )


4 hours ago, Mark Kaine said:

So guys... I'm still not sure my current windows install will still work if I disable secure boot...  I thought "eh, I'm just gonna try it and turn it off ...". But then I was presented with

Try checking the Boot tab, not Security.
IIRC, on some Asus boards the option is called OS Type, change it to Other OS.

Don't remove any keys or disable TPM. 
