Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Since buying this new computer I have left Secure Boot on.
Ubuntu, Fedora and a few others have signed shims.
But Arch among others do not, so its a pain working with Secure Boot. In fact I just don't install them because I don't understand Moky or whatever it is.
My question is anyone else have Secure Boot turned off and have Windows installed on a partition. I have no desire to use a VB.
Right now is the first time I turned it off, and Windows 10 boots up okay, just concerned about security.
I've read that hackers have a work around regarding Secure Boot.
Nothing Inspired really. I have a 2013 laptop, which came with windoze 8 and was an absolute PITA over secure boot. Windows booted, but linux at the time was still at the "Sh%&@! What is this?…" stage with UEFI development and there was some alpha stuff out there where you got lost in the instructions. My solution was to buy an ssd, junk the windows 8 which had committed Hari-Kari trying to update to 8.1, partition the ssd with fdisk because my bios defaulted to UEFI with a gpt disk and go. I think there's a 2TB limit on MBR, but that doesn't freak me. I kept the windows disk for a few years but never went back.
UEFI reminds me of bluetooth. Both are supposed to be ultra-secure, and both provide massive difficulties for users. And as they are stationary sitting ducks for hackers, you can bet they have found ways in.
UEFI is a good preventative for windows boot viruses, but it's a long time since I did much with windows except run it in a vm.
Since buying this new computer I have left Secure Boot on.
Ubuntu, Fedora and a few others have signed shims.
But Arch among others do not, so its a pain working with Secure Boot. In fact I just don't install them because I don't understand Moky or whatever it is.
My question is anyone else have Secure Boot turned off and have Windows installed on a partition. I have no desire to use a VB.
Right now is the first time I turned it off, and Windows 10 boots up okay, just concerned about security.
I've read that hackers have a work around regarding Secure Boot.
Any thoughts on the subject?
Honestly. Long term it is way better to only run GNU/Linux from your boot and then run Windows10 or whatever version in a virtual machine.
I ran multi boot for many years, first windows with second boot linux, then linux with second boot windows. Then I just skipped Windows alltogether. Whenever I use Windows I use it in a virtual machine. It works the same as a regular boot, sometimes faster, and sometimes slower. I rarely use Windows.
Anyways, as I said, it's probably well worth skipping the multi boot period and just jump in the water and only run GNU/Linux and have Windows in virtual machine if needed.
Can't run Windows in VB. Need the hardware to run certain programs. VB won't work. I keep hearing the same advice about VB. If I didn't need the hardware, which VB doesn't work, I wouldn't use Windows.
I have secure boot turned off on all my machines. It's only useful if an attacker has physical access to your machine, and at that point, IMO, it's already too late even if you DO have secure boot turned on. So since I like to distro-hop and several distro's don't (or didn't) supply signed shims by default, secure boot is off and I've never run into issues.
IMO, encrypted /home > secure boot. Though neither is unbeatable.
I have secure boot turned off on all my machines. It's only useful if an attacker has physical access to your machine, and at that point, IMO, it's already too late even if you DO have secure boot turned on. So since I like to distro-hop and several distro's don't (or didn't) supply signed shims by default, secure boot is off and I've never run into issues.
IMO, encrypted /home > secure boot. Though neither is unbeatable.
Do you also have Windows installed? Thanks for the thought though.
Right now is the first time I turned it off, and Windows 10 boots up okay, just concerned about security.
As far as I know, Secure Boot just protects you from malware modifying the kernel. But malware can already do all sorts of bad things without modifying the kernel, so I don't think there is a huge security advantage to Secure Boot.
As far as I know, Secure Boot just protects you from malware modifying the kernel. But malware can already do all sorts of bad things without modifying the kernel, so I don't think there is a huge security advantage to Secure Boot.
Thanks. I never even thought about turning it off, until now. I don't use Windows much of browsing just some hardware related stuff. Just curious why Ubuntu, debian , Fedora and the like have spent the time effort and money to pay to get Windows okay on signed kernel, if not needed.
I have secure boot turned off on all my machines. It's only useful if an attacker has physical access to your machine, and at that point, IMO, it's already too late even if you DO have secure boot turned on. So since I like to distro-hop and several distro's don't (or didn't) supply signed shims by default, secure boot is off and I've never run into issues.
IMO, encrypted /home > secure boot. Though neither is unbeatable.
I guess also, the less you use Windows the smaller the attack surface is. My personal experience is that the less you use Windows, the better it holds up in the long run. Less errors, less problems etc. It's one of the main differences with GNU/Linux and Windows in my book, over time GNU/Linux is stable and remain the same (or whatever you change it to) while Windows tends to live its own life and do its own thing which is often very bad over time.
I think if you only use Windows for a very few things and rarely, the risk of using the system is quite low in general. It's the daily use it can't handle well. What I mean to say is that you don't have such a big need for things like secure boot then. You can also partly secure Windows from physical attacks by securing your Grub and Bios boot with a password.
Apart from physical access, I'm not aware of an attack vector attacking /boot That's root:root anyhow. To do anything from boot you'd surely need some way of seeing the peripherals, which is hardly achievable without root access. If you have root, I imagine you'd have better things to do with your time .
The big day of this was back in the 90s when every system read and acted on the MBR, and you had viruses like form, cih, or ping-pong (which was actually pretty harmless). CIH overwrote the system bios on April 26th, and that was nasty. I got it through my kids on irc, and one year I deleted 175 copies between 2 machines on April 23rd! That's what got me into Linux.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.