Making Linux Secure Boot compatible with InsydeH20 BIOS
Hello! I have installed Debian Stable on an Acer Aspire in UEFI mode. The OS is working fine, so I am a bit unsure whether this subforum, or rather the Security subforum would be the best to post this. But anyway:
I am trying to make my Linux compatible with Secure Boot. In order to make that happen, I intend to follow this guide. There, I am told to enter "Setup Mode" in the UEFI firmware, i.e. I probably have to delete the UEFI Platform Key.
Since there is no information given on how to do this, I looked into my BIOS, which happens to be InsydeH20 Rev. 5.0. The attached image shows what the Security tab looks like here. Indeed there are UEFI settings, but they are blacked-out. It's impossible to access them.
What can I do now? Is there a way around having to flash a new BIOS?
As far as I know, there are only two processor manufacturers you can buy from: Intel and AMD. Both have their underlying management engines, Intel ME and PSP, which make neither fully secure. I am aware of that.
In case you are saying Intel Ivybridge, i.e. the i3/5/7 processors, are free of the 20 security bugs, then that's great, since I own one. If not, then that's certainly tough luck.
Why not use UEFI at all?
I don't understand your last sentence. Why is Secure Boot useless on Intel, but not on AMD? And how does the standard installation of a Linux based OS improve security? And how is it relevant, considering the fact I am using Debian currently?
Just to clarify, I do know total security is not achievable. I am merely trying to make the vector of attacks smaller.
Last edited by MrLinuxUser12; 06-02-2018 at 09:38 AM.
You might have to disable TPM. I think the insyde20 options are protected by it. You probably then need to save the setup to get access to the insyde settings.
I've given disabling TPM a try. It didn't work, even after having tried to clear TPM and setting further passwords for user and HDD. So unfortunately, it doesn't seem to have to do with this, since the options remain blacked-out.
"have to delete the UEFI Platform Key" Don't do that yet.
Only a few distros have been made to boot to secure boot by an agreement with suppliers. There are a few web pages that tell how to take a working secure boot and use it.
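Whether the firmware is already in Setup Mode (no Platform Key enrolled) can be read from the running Linux system before any key is touched. The following is an added example, not part of any post in this thread; it assumes efivarfs is mounted at `/sys/firmware/efi/efivars`, and the function names are illustrative.

```python
import os
import tempfile

# GUID of the UEFI global variable namespace (EFI_GLOBAL_VARIABLE).
EFI_GLOBAL = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS = "/sys/firmware/efi/efivars"  # assumed efivarfs mount point

def read_flag(name, base=EFIVARS):
    """Return a one-byte UEFI variable as int, or None if it is absent."""
    # efivarfs prefixes each variable with a 4-byte attribute field,
    # so the value itself starts at offset 4.
    path = os.path.join(base, f"{name}-{EFI_GLOBAL}")
    try:
        with open(path, "rb") as fh:
            raw = fh.read()
    except FileNotFoundError:
        return None
    if len(raw) < 5:
        raise ValueError(f"{name}: expected 4 attribute bytes plus data, got {len(raw)}")
    return raw[4]

def secure_boot_state(base=EFIVARS):
    """Classify the firmware state from the SetupMode and SecureBoot variables."""
    if not os.path.isdir(base):
        return "not booted via UEFI (or efivarfs not mounted)"
    setup, secure = read_flag("SetupMode", base), read_flag("SecureBoot", base)
    if setup is None or secure is None:
        return "unknown: SetupMode/SecureBoot variable missing"
    if setup == 1:
        return "setup mode: no Platform Key enrolled, keys can be written"
    if secure == 1:
        return "user mode: Platform Key enrolled, Secure Boot enforcing"
    return "user mode: Platform Key enrolled, Secure Boot disabled"

def constructed_efivars(setup, secure):
    """Build a fake efivarfs directory (constructed sample data) for a dry run."""
    base = tempfile.mkdtemp()
    for name, value in (("SetupMode", setup), ("SecureBoot", secure)):
        with open(os.path.join(base, f"{name}-{EFI_GLOBAL}"), "wb") as fh:
            fh.write(bytes([0x06, 0, 0, 0, value]))  # attributes + 1-byte value
    return base

if __name__ == "__main__":
    print("this machine:", secure_boot_state())
    print("constructed :", secure_boot_state(constructed_efivars(1, 0)))
```

If this reports user mode, the Platform Key is still enrolled and the firmware will not accept new keys from the OS without the setup-menu options discussed above.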