
Any way of signing for Secure Boot?

Hebgbs

New member
Apr 25, 2019
Here's the scene: someone has a PC with Secure Boot, and Windows is installed on it. Typical story: someone may not first have to disable Secure Boot to install the system, but when it is turned on there's a Secure Boot violation if a message like that is prompted and it boots into Windows instead. To access the system, one must first turn off Secure Boot.

That's stupid.
Ubuntu has a shim module for that, Fedora was the first I believe, and if it wasn't it was probably Arch. So here's my question: what does a user need to do, exactly, in order to sign their system and make it so a valuable anti-tamper feature remains enabled? It's a bad look for Linux when you have to tell somebody a thing called Secure Boot needs to be disabled ("Disabling security? What do you mean?!") and it'd be nice to have that feature so people using it don't think they're missing out on something that could be, in certain contexts and use cases, a valuable motherboard feature.
 

derpOmattic

Pop!_Muse
Trusted User
Founding Member
Nov 23, 2018
"It's a bad look for Linux when you have to tell somebody a thing called Secure Boot needs to be disabled"
Proprietary security tools are hardly secure! I think any Linux distro allowing code signed by Microsoft and partners for the sake of ease is making a mistake. Microsoft has been at war with Linux for decades, calling it a "cancer" and spending billions to destroy it. Personally, that is one of the things that attracts me to Pop!_OS, and to be clear I'd trust Pop's full-disk-encryption before I'd trust anything from Microsoft! I personally hope System76 never get the Microsoft & Partners signed secure boot shim. Even if they did, I'd disable it anyway, along with a host of other manufacturers' bloatware, crapware and spyware. Every large manufacturer has been caught out illegally spying on users by some hidden BIOS "security feature" sending data home.

Having said that, if you are going to use Windows or dual boot with Windows, maybe you should use that "feature" because Windows exists as a broken, unsecured OS held together with bandaids. Microsoft has foreseen its demise and is the reason they're investing heavily in open-source and Linux technologies now. Linux and the Linux kernel currently do not share the overwhelming amount of vulnerabilities that is present in Windows. I would actually recommend to your friend, if they are security conscious, that Windows itself should not be trusted or used. Trying to "shim" one of Microsoft's bandaids into Linux to make Linux more secure is insane in my opinion.

Most manufacturers are making machines to suit Windows and therefore come with secure boot. However, there are some manufacturers that are using different and much more secure verification tools, like Libreboot https://libreboot.org/ and coreboot https://www.coreboot.org/, which the NSA are investing in heavily because they don't trust secure boot!

That is my opinion, a strong one perhaps, but I'm not alone in not trusting Microsoft to verify my security for me. From Apple's T2 security chip documentation regarding secure boot we read:

"NOTE: There is currently no trust provided for the Microsoft Corporation UEFI CA 2011, which would allow verification of code signed by Microsoft partners. This UEFI CA is commonly used to verify the authenticity of bootloaders for other operating systems such as Linux variants."
Another reason why secure boot is pretty useless anyway is the prevalence of NVIDIA drivers;

"The NVIDIA driver isn't compatible with secure boot since it isn't signed by Microsoft. What's happening on other distributions is that installing the NVIDIA driver disables secure boot in your EFI from the OS."
...Michael Murphy - System76 desktop developer.

Also, Pop!_OS uses systemd-boot instead of Grub like almost all other distros;

"Also, since we use systemd-boot, and Canonical does not have a signed variant of systemd-boot from Microsoft, secure boot isn't possible at the moment."
Grub has been extremely lacking in security and has only very recently received any kind of security upgrade, so the much more modern systemd-boot and kernelstub was a fantastic choice as far as security is concerned.

In the words of security researcher Joanna Rutkowska from Qubes OS and Invisible Things Lab, It is always a matter of trust because there is no such thing as a secure computer. Your decision will always come down to who you are willing to trust for security, and my money is on System76 and Pop!_OS. I have zero trust in anything Microsoft has its business in.

Not to mention secure boot has been cracked, and all it really amounts to is Microsoft controlling a monopoly by controlling the ability of millions of machines to not boot anything but Windows, well unless you use the compromising shim and pay them a lot of money for it! System76 on the other hand sell machines that you can put whatever operating system you want to use with no issue.

"That's stupid."
It is my opinion that trusting Microsoft to keep your data safe and secure is ... not smart.
 

TeamLinux01

New member
May 5, 2019
If the system isn't going to use the Microsoft signed shim, I still think it would be nice if the system was signed by System76 and be able to add their keys to the trusted boot list.

There are many problems and security concerns with UEFI in general and I personally wonder how well Secure Boot protects the boot chain.

I personally disabled Secure Boot on my Galago Pro and Alienware Alpha.

I am looking forward to System76's coreboot rollouts on their machines.
 
