LinuxQuestions.org


Ulysses_ 05-30-2017 02:57 AM

If you disable Secure Boot, is UEFI still more secure than BIOS boot?
 
Got a system with Secure Boot enabled by default and just discovered there is a way to disable Secure Boot in the settings, which is needed to install some distros. Paradoxically, some security-oriented ones like Tails need Secure Boot to be disabled. In any distro there is always the possibility that the system gets infected or pwned temporarily or even permanently depending on what you do with it.

If Secure Boot is disabled, how does UEFI compare to BIOS in terms of security and security only? Just as bad?

smallpond 05-30-2017 05:45 AM

Only thing that comes to mind is that BIOS settings can't be modified by software without special tools from the vendor. UEFI variables can be.
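
Because UEFI variables are reachable from the running OS, a defender can read the Secure Boot state there and compare it against a baseline. The following is an added example, not part of the original post: it parses the Linux efivarfs layout (a 4-byte little-endian attribute mask followed by the variable data) for the `SecureBoot` and `SetupMode` variables. The path and GUID are the standard efivarfs and EFI global-variable values; the sample bytes and function names are constructed for illustration.

```python
import struct
from pathlib import Path

EFIVARS = Path("/sys/firmware/efi/efivars")
GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"  # EFI_GLOBAL_VARIABLE

ATTR_FLAGS = {
    0x01: "NON_VOLATILE",
    0x02: "BOOTSERVICE_ACCESS",
    0x04: "RUNTIME_ACCESS",
    0x10: "AUTHENTICATED_WRITE_ACCESS",
    0x20: "TIME_BASED_AUTHENTICATED_WRITE_ACCESS",
    0x40: "APPEND_WRITE",
}

# Constructed sample contents (not captured from a real machine).
SAMPLE = {"SecureBoot": b"\x06\x00\x00\x00\x01", "SetupMode": b"\x06\x00\x00\x00\x00"}

def parse_efivar(raw):
    """Split an efivarfs file into (attribute names, data bytes)."""
    if len(raw) < 4:
        raise ValueError("efivarfs entry shorter than its 4-byte attribute header")
    (attrs,) = struct.unpack("<I", raw[:4])
    return [n for bit, n in ATTR_FLAGS.items() if attrs & bit], raw[4:]

def boot_state(read_var):
    """Summarise Secure Boot state; read_var(name) returns raw bytes or None."""
    state = {}
    for name in ("SecureBoot", "SetupMode"):
        raw = read_var(name)
        data = parse_efivar(raw)[1] if raw is not None else b""
        state[name] = bool(data[0]) if data else None  # None: variable absent
    # Enforcing only when Secure Boot is on and the platform is not in setup mode.
    state["enforcing"] = state["SecureBoot"] is True and state["SetupMode"] is False
    return state

def read_from_efivarfs(name):
    """Read one global UEFI variable from the live system, or None if missing."""
    try:
        return (EFIVARS / f"{name}-{GLOBAL_GUID}").read_bytes()
    except OSError:
        return None

if __name__ == "__main__":
    live = EFIVARS.is_dir()  # directory is absent on a legacy BIOS boot
    reader = read_from_efivarfs if live else SAMPLE.get
    print("live" if live else "sample", boot_state(reader))
```

Recording this output at provisioning time and alerting when `enforcing` changes gives a simple check on whether the setting has been flipped.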

sundialsvcs 05-30-2017 06:47 AM

The concept behind "secure boot" is simply that a rogue night-operator can't easily reboot your hardware with nothing more than a USB-stick of his own making. But UEFI also assumes that the rogue night-op can't reach the firmware settings either.

In reality, the firmware of most systems has been reverse-engineered to the point where the settings necessary to disable (and then, re-enable) UEFI are well known, and the switch can be flipped (so to speak) without ever touching the firmware screens.

But it was such a nice idea . . . :rolleyes:

Ulysses_ 05-30-2017 08:14 AM

So an install of Ubuntu plus the necessary software can flip the switch for Secure Boot with an assembler instruction?

Would that instruction be a write to memory or an output to an I/O port?

cwizardone 05-30-2017 10:08 AM

Quote:

Originally Posted by Ulysses_ (Post 5716831)
EDIT: Someone please fix the title, it's Secure Boot, not Secure Mode......

As the original author of the thread you should be able to go into advanced edit and change the title. It depends on how long it has been since you started the thread.


All times are GMT -5.