Hello! I have installed Debian Stable on an Acer Aspire in UEFI mode. The OS is working fine, so I am a bit unsure whether this subforum, or rather the Security subforum would be the best to post this. But anyway:

I am trying to make my Linux compatible with Secure Boot. In order to make that happen, I intend to follow this guide. There, I am told to enter "Setup Mode" in the UEFI firmware, i.e. I probably have to delete the UEFI Platform Key.
Since there is no information given on how to do this, I looked into my BIOS, which happens to be InsydeH20 Rev. 5.0. The attached image shows how the Security tab looks like here. Indeed there are UEFI settings, but they are blacked-out. It's impossible to access them.

What can I do now? Is there a way around having to flash a new BIOS?

Attached Thumbnails

 

On my computer I have installed Opensuse Leap 15.0 and Kubuntu 18.04 in UEFI mode without secure boot.
Secure boot comes from Microsoft.

Of course it does. Still, even though it is proprietary, it makes sense to use this security feature in my book.

if you want security you need to use something else as an intel processor, uefi, secure boot

a good starting point is a cpu without known 20 cpu security bugs (e.g. intel ivybridge), no uefi, and a decent way to setup your box.

secure boot brings exactly nothing on intel boxes, nothing when you don'T use proper setup, e.g. standard installations of many linux isos these days.

Can you elaborate further?

As far as I know, there are only two processor manifacturers you can buy from. Intel and AMD. Both have their underlying management engines, Intel ME and PSP, which make neither fully secure. I am aware of that.
In case you are saying Intel Ivybridge, i.e. the i3/5/7 processors, are free of the 20 security bugs, then that's great, since I own one. If not, then that's certainly tough luck.

Why not use UEFI at all?

I don't understand your last sentence. Why is Secure Boot useless on Intel, but not on AMD? And how does the standard installation of a Linux based OS improve security? And how is it relevant, considering the fact I am using Debian currently?

Just to clarify, I do know total security is not achievable. I am merely trying to make the vector of attacks smaller.

You might have to disable TPM. I think the insyde20 options are protected by it. You probably then need to save the setup to get access to the insyde settings.

Hello!

I've given disabling TPM a try. It didn't work, even after having tried to clear TPM and setting further passwords for user and HDD. So unfortunately, it doesn't seem to have to do with this, since the options remain blacked-out.

"have to delete the UEFI Platform Key" Don't do that yet.

Only a few distros have been made to boot to secure boot by an agreement with suppliers. There are a few web pages that tell how to take a working secure boot and use it.



When using debian go to their web site first. https://wiki.debian.org/SecureBoot https://wiki.debian.org/UEFI

Not sure you have much value in making it secure boot.