Jump to content

Sooooo, secure boot? (w11/Linux)

Mark Kaine
 Share
Posted
On 3/7/2026 at 6:50 PM, Donut417 said:

From my understanding Secure boot is suppose verify the boot loaders and stop rootkits and malicious code that can run at startup. Where as TPM is more for security purposes of the OS, such as disk encryption and such. 

 

That's exactly what Secure Boot is for.

On 3/7/2026 at 6:20 PM, Mark Kaine said:

Did Titus just made a pretty huge mistake or what? 

I wouldn't fault him personally if he said to disable Secure Boot when installing Linux. It's a 15 year old kneejerk anti-Microsoft thing that's persisted in Linux discussions since Secure Boot was first standardized. Has to do with how Microsoft owns a lot of the Secure Boot infrastructure, and how Linux only argued with each other instead of building their own Secure Boot infrastructure to compete.

If you're trying to install Linux, I know that most of the mainstream OSes (Ubuntu, Fedora, RHEL, SUSE) should support it out of the box. Anything Arch based is where you'd run into some issues. Nvidia GPUs can cause even more issues than that, but they're really fixed in Ubuntu specifically now.

But yeah, don't turn it off. It's old, outdated, and frankly stupid advice.

lttstore.com

Link to post
Share on other sites
Posted
  • Author
17 hours ago, dabockster said:

That's exactly what Secure Boot is for.

I wouldn't fault him personally if he said to disable Secure Boot when installing Linux. It's a 15 year old kneejerk anti-Microsoft thing that's persisted in Linux discussions since Secure Boot was first standardized. Has to do with how Microsoft owns a lot of the Secure Boot infrastructure, and how Linux only argued with each other instead of building their own Secure Boot infrastructure to compete.

If you're trying to install Linux, I know that most of the mainstream OSes (Ubuntu, Fedora, RHEL, SUSE) should support it out of the box. Anything Arch based is where you'd run into some issues. Nvidia GPUs can cause even more issues than that, but they're really fixed in Ubuntu specifically now.

But yeah, don't turn it off. It's old, outdated, and frankly stupid advice.

That's what Microsoft would say...

 

Seems really not adequate advice, when I for example want to install CachyOS (which I do... it's either that or bazzite)?

 

Secure Boot and CSM must be disabled in the BIOS/UEFI settings when installing in UEFI mode.

 

https://wiki.cachyos.org/installation/installation_on_root/

 

 

Additionally, I do NOT want secure boot on even in windows... it's only on rn because I'm unsure how to disable it and as said don't want to lose access to my current windows install (that has all Asus apps and drivers etc installed and runs *perfectly fine*...)

 

So I'm kinda guessing it's all just fearmongering and secure boot *can* be turned off without losing access to your system (as long no encryption is used) but yeah... I wish I knew for sure...

 

Step-by-Step Instructions
  • Access UEFI/BIOS Settings:
    • Navigate to Settings > System > Recovery.
    • Next to Advanced startup, click Restart now.
    • Select Troubleshoot > Advanced options > UEFI Firmware Settings.
    • Alternative: Turn off the computer, turn it on, and immediately press the manufacturer's BIOS key (F10, F2, F12, etc.) repeatedly.
  • Disable Secure Boot:
    • Navigate to the Boot or Security tab using arrow keys.
    • Find the Secure Boot option and select it.
    • Change the setting to Disabled.
    • Note: If you cannot change the setting, you may need to set a BIOS password first or switch to "Custom" mode to clear keys.
  • Save and Exit:
    • Press F10 to save changes and exit.
    • Select "Yes" to confirm. The computer will restart.
  • Verify Status:
    • In Windows, press Win + R, type msinfo32, and press Enter.
    • Check the "Secure Boot State" item to confirm it is now "Off". 
 
Important Considerations
  • Security Risk: Disabling Secure Boot reduces system security, making it easier for rootkits or unauthorized bootloaders to infect the system.
  • Alternative Support: Some systems may require you to enable "Legacy Support" or "CSM" (Compatibility Support Module) to fully disable UEFI security features.
  • Reactivation: If you need to re-enable it later, follow the same steps and select "Enabled". 

 

So yeah, it's all designed to take a system hostage and to make it as hard as possible to install an alternative OS, and that's exactly why people recommend to turn this off... it would seem! 

 

 

The direction tells you... the direction

-Scott Manley, 2021

 

 

Link to post
Share on other sites
  • 1 month later...
Posted
On 3/24/2026 at 11:55 PM, dabockster said:

That's exactly what Secure Boot is for.

I wouldn't fault him personally if he said to disable Secure Boot when installing Linux. It's a 15 year old kneejerk anti-Microsoft thing that's persisted in Linux discussions since Secure Boot was first standardized. Has to do with how Microsoft owns a lot of the Secure Boot infrastructure, and how Linux only argued with each other instead of building their own Secure Boot infrastructure to compete.

If you're trying to install Linux, I know that most of the mainstream OSes (Ubuntu, Fedora, RHEL, SUSE) should support it out of the box. Anything Arch based is where you'd run into some issues. Nvidia GPUs can cause even more issues than that, but they're really fixed in Ubuntu specifically now.

But yeah, don't turn it off. It's old, outdated, and frankly stupid advice.

Fedora has the commands listed on their wiki to enable an Nvidia GPU with secure boot.  Just a few extra steps that you do once.

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing Operating Systems

×