this post was submitted on 07 Jul 2025
590 points (100.0% liked)
linuxmemes
26122 readers
329 users here now
Hint: :q!
Sister communities:
Community rules (click to expand)
1. Follow the site-wide rules
- Instance-wide TOS: https://legal.lemmy.world/tos/
- Lemmy code of conduct: https://join-lemmy.org/docs/code_of_conduct.html
2. Be civil
- Understand the difference between a joke and an insult.
- Do not harrass or attack users for any reason. This includes using blanket terms, like "every user of thing".
- Don't get baited into back-and-forth insults. We are not animals.
- Leave remarks of "peasantry" to the PCMR community. If you dislike an OS/service/application, attack the thing you dislike, not the individuals who use it. Some people may not have a choice.
- Bigotry will not be tolerated.
3. Post Linux-related content
- Including Unix and BSD.
- Non-Linux content is acceptable as long as it makes a reference to Linux. For example, the poorly made mockery of
sudoin Windows. - No porn, no politics, no trolling or ragebaiting.
4. No recent reposts
- Everybody uses Arch btw, can't quit Vim, <loves/tolerates/hates> systemd, and wants to interject for a moment. You can stop now.
5. π¬π§ Language/ΡΠ·ΡΠΊ/Sprache
- This is primarily an English-speaking community. π¬π§π¦πΊπΊπΈ
- Comments written in other languages are allowed.
- The substance of a post should be comprehensible for people who only speak English.
- Titles and post bodies written in other languages will be allowed, but only as long as the above rule is observed.
6. (NEW!) Regarding public figures
We all have our opinions, and certain public figures can be divisive. Keep in mind that this is a community for memes and light-hearted fun, not for airing grievances or leveling accusations. - Keep discussions polite and free of disparagement.
- We are never in possession of all of the facts. Defamatory comments will not be tolerated.
- Discussions that get too heated will be locked and offending comments removed. Β
Please report posts and comments that break these rules!
Important: never execute code or follow advice that you don't understand or can't verify, especially here. The word of the day is credibility. This is a meme community -- even the most helpful comments might just be shitposts that can damage your system. Be aware, be smart, don't remove France.
founded 2 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
Does "Secure Boot" actually benefit the end user in any way what so ever? Genuine question
For you? No. For most people? Nope, not even close.
However, it mitigates certain threat vectors both on Windows and Linux, especially when paired with a TPM and disk encryption. Basically, you can no longer (terms and conditions apply) physically unscrew the storage and inject malware and then pop it back in. Nor can you just read data off the drive.
The threat vector is basically βour employees keep leaving their laptops unattended in publicβ.
(Does LUKS with a password mitigate most of this? Yes. But normal people canβt be trusted with passwords and need the TPM to do it for them. And that basically requires SecureBoot to do properly.)
With LUKS, your boot/efi partition is still unencrypted. So someone could install a malicious bootloader, and you probably wouldn't know and would enter your password. With secure boot, the malicious bootloader won't boot because it has no valid signature.
Exactly. The malware can do whatever, but as long as the TPM measurements donβt add up the drive will remain encrypted. Given stringent enough TPM measurements and config you can probably boot signed malware without yielding access to the encrypted data.
In my view, SecureBoot is just icing on the cake that is measured boot via TPM. Nice icing though.
Thatβs only one use of secure boot. Itβs also supposed to prevent UEFI level rootkits, which is a much more important feature for most people.
True. Personally, Iβm hoping for easier use of SecureBoot, TPM and encryption on Linux overall. People are complaining about BitLocker, but try doing the same on Linux. All the bits and pieces are there, but integrating everything and having it keep working through kernel upgrades isnβt fun at all.
Well yes, assuming that:
With this you can make your laptop very tamper resistant. It will be basically impossible to tamper with the bootloader while the laptop is off. (e.g install keylogger to get disk-encryption password).
What they can do, is wipe the bios, which will remove your custom keys and will not boot your computer with secure boot enabled.
Something like a supply-side attack is still possible however. (e.g. tricking you into installing a malicious bootloader while the PC is booted)
Always use security in multiple layers, and to think about what you are securing yourself from.
It prevents rootkit malware that loads before the OS and therefore is very difficult to detect. If enabled, it tells your machine to only load the OS if it's signed by a trusted key and hasn't been tampered with.
Yes, as long as you get the option to disable it. And use custom keys.
It's uh, more secure.
I enrolled custom keys and bricked my motherboard π
Same. Should've listened to securebootctl telling me the key was malformed.
My keys were fine, I'd used them on a previous system. My best guess is boot failed because GPU firmware wasn't signed with my keys, only Microsoft's keys. And of course, I can't just CMOS clear, and I don't have an iGPU. It's crazy that an OS can brick my motherboard; I'd be a lot more forgiving if a BIOS option bricked it, but exposing a "brick me" option in efivars for any ring 0 software to press??
OpROMs?
It's so secure that the first thing under Wikipedia's entry for Secure boot is Secure boot criticism
Yes this is a real, I'm not joking.
It's not the first thing, it's in the middle.
Click the link, you'll see it is indeed the first heading under Criticism
What's the first thing under the "Secure boot" section? The section that it automatically scrolls to when clicking my link?
....
....
...
...
...
And finally
It's right there under the header
You can set it to run only specifically signed binaries on boot.
Specifically signed by anyone with a key - which, considering multiple where leaked over time - is everyone.