LinuxQuestions.org
Latest LQ Deal: Latest LQ Deals
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 08-08-2019, 12:43 PM   #1
verndog
Member
 
Registered: Oct 2007
Posts: 162

Rep: Reputation: 24
Secure Boot on or off ?


Since buying this new computer I have left Secure Boot on.
Ubuntu, Fedora and a few others have signed shims.

But Arch among others do not, so its a pain working with Secure Boot. In fact I just don't install them because I don't understand Moky or whatever it is.

My question is anyone else have Secure Boot turned off and have Windows installed on a partition. I have no desire to use a VB.

Right now is the first time I turned it off, and Windows 10 boots up okay, just concerned about security.

I've read that hackers have a work around regarding Secure Boot.

Any thoughts on the subject?
 
Old 08-09-2019, 06:37 AM   #2
business_kid
LQ Guru
 
Registered: Jan 2006
Location: Ireland
Distribution: Slackware & Android
Posts: 10,599

Rep: Reputation: 1179Reputation: 1179Reputation: 1179Reputation: 1179Reputation: 1179Reputation: 1179Reputation: 1179Reputation: 1179Reputation: 1179
Nothing Inspired really. I have a 2013 laptop, which came with windoze 8 and was an absolute PITA over secure boot. Windows booted, but linux at the time was still at the "Sh%&@! What is this?" stage with UEFI development and there was some alpha stuff out there where you got lost in the instructions. My solution was to buy an ssd, junk the windows 8 which had committed Hari-Kari trying to update to 8.1, partition the ssd with fdisk because my bios defaulted to UEFI with a gpt disk and go. I think there's a 2TB limit on MBR, but that doesn't freak me. I kept the windows disk for a few years but never went back.

UEFI reminds me of bluetooth. Both are supposed to be ultra-secure, and both provide massive difficulties for users. And as they are stationary sitting ducks for hackers, you can bet they have found ways in.

UEFI is a good preventative for windows boot viruses, but it's a long time since I did much with windows except run it in a vm.
 
Old 08-09-2019, 11:57 AM   #3
verndog
Member
 
Registered: Oct 2007
Posts: 162

Original Poster
Rep: Reputation: 24
Secure Boot and UEFI are completely different things.
If you have GPT drives you need an esp installed.

My question was on Secure Boot only. I have Windows installed on a partition along with several Linuxes.
 
Old 08-09-2019, 12:17 PM   #4
zeebra
Member
 
Registered: Dec 2011
Distribution: Mageia, Slackware
Posts: 831
Blog Entries: 7

Rep: Reputation: 204Reputation: 204Reputation: 204
Quote:
Originally Posted by verndog View Post
Since buying this new computer I have left Secure Boot on.
Ubuntu, Fedora and a few others have signed shims.

But Arch among others do not, so its a pain working with Secure Boot. In fact I just don't install them because I don't understand Moky or whatever it is.

My question is anyone else have Secure Boot turned off and have Windows installed on a partition. I have no desire to use a VB.

Right now is the first time I turned it off, and Windows 10 boots up okay, just concerned about security.

I've read that hackers have a work around regarding Secure Boot.

Any thoughts on the subject?
Honestly. Long term it is way better to only run GNU/Linux from your boot and then run Windows10 or whatever version in a virtual machine.

I ran multi boot for many years, first windows with second boot linux, then linux with second boot windows. Then I just skipped Windows alltogether. Whenever I use Windows I use it in a virtual machine. It works the same as a regular boot, sometimes faster, and sometimes slower. I rarely use Windows.

Anyways, as I said, it's probably well worth skipping the multi boot period and just jump in the water and only run GNU/Linux and have Windows in virtual machine if needed.
 
Old 08-09-2019, 04:26 PM   #5
verndog
Member
 
Registered: Oct 2007
Posts: 162

Original Poster
Rep: Reputation: 24
Can't run Windows in VB. Need the hardware to run certain programs. VB won't work. I keep hearing the same advice about VB. If I didn't need the hardware, which VB doesn't work, I wouldn't use Windows.
 
Old 08-09-2019, 04:33 PM   #6
Timothy Miller
Moderator
 
Registered: Feb 2003
Location: Arizona, USA
Distribution: Debian, KDE Neon, Arch, Void
Posts: 3,161

Rep: Reputation: 980Reputation: 980Reputation: 980Reputation: 980Reputation: 980Reputation: 980Reputation: 980Reputation: 980
I have secure boot turned off on all my machines. It's only useful if an attacker has physical access to your machine, and at that point, IMO, it's already too late even if you DO have secure boot turned on. So since I like to distro-hop and several distro's don't (or didn't) supply signed shims by default, secure boot is off and I've never run into issues.

IMO, encrypted /home > secure boot. Though neither is unbeatable.
 
Old 08-09-2019, 08:15 PM   #7
verndog
Member
 
Registered: Oct 2007
Posts: 162

Original Poster
Rep: Reputation: 24
Quote:
Originally Posted by Timothy Miller View Post
I have secure boot turned off on all my machines. It's only useful if an attacker has physical access to your machine, and at that point, IMO, it's already too late even if you DO have secure boot turned on. So since I like to distro-hop and several distro's don't (or didn't) supply signed shims by default, secure boot is off and I've never run into issues.

IMO, encrypted /home > secure boot. Though neither is unbeatable.
Do you also have Windows installed? Thanks for the thought though.
 
Old 08-09-2019, 08:27 PM   #8
Timothy Miller
Moderator
 
Registered: Feb 2003
Location: Arizona, USA
Distribution: Debian, KDE Neon, Arch, Void
Posts: 3,161

Rep: Reputation: 980Reputation: 980Reputation: 980Reputation: 980Reputation: 980Reputation: 980Reputation: 980Reputation: 980
On one system, yes. Most of my systems are linux only. But I do have Windows 10 dual booting with Debian 10 (was 9 when it was installed).
 
Old 08-09-2019, 09:43 PM   #9
ntubski
Senior Member
 
Registered: Nov 2005
Distribution: Debian, Arch
Posts: 3,511

Rep: Reputation: 1813Reputation: 1813Reputation: 1813Reputation: 1813Reputation: 1813Reputation: 1813Reputation: 1813Reputation: 1813Reputation: 1813Reputation: 1813Reputation: 1813
Quote:
Originally Posted by verndog View Post
Right now is the first time I turned it off, and Windows 10 boots up okay, just concerned about security.
As far as I know, Secure Boot just protects you from malware modifying the kernel. But malware can already do all sorts of bad things without modifying the kernel, so I don't think there is a huge security advantage to Secure Boot.
 
Old 08-09-2019, 11:28 PM   #10
verndog
Member
 
Registered: Oct 2007
Posts: 162

Original Poster
Rep: Reputation: 24
Quote:
Originally Posted by ntubski View Post
As far as I know, Secure Boot just protects you from malware modifying the kernel. But malware can already do all sorts of bad things without modifying the kernel, so I don't think there is a huge security advantage to Secure Boot.
Thanks. I never even thought about turning it off, until now. I don't use Windows much of browsing just some hardware related stuff. Just curious why Ubuntu, debian , Fedora and the like have spent the time effort and money to pay to get Windows okay on signed kernel, if not needed.
 
Old 08-10-2019, 02:59 AM   #11
zeebra
Member
 
Registered: Dec 2011
Distribution: Mageia, Slackware
Posts: 831
Blog Entries: 7

Rep: Reputation: 204Reputation: 204Reputation: 204
Quote:
Originally Posted by Timothy Miller View Post
I have secure boot turned off on all my machines. It's only useful if an attacker has physical access to your machine, and at that point, IMO, it's already too late even if you DO have secure boot turned on. So since I like to distro-hop and several distro's don't (or didn't) supply signed shims by default, secure boot is off and I've never run into issues.

IMO, encrypted /home > secure boot. Though neither is unbeatable.
I guess also, the less you use Windows the smaller the attack surface is. My personal experience is that the less you use Windows, the better it holds up in the long run. Less errors, less problems etc. It's one of the main differences with GNU/Linux and Windows in my book, over time GNU/Linux is stable and remain the same (or whatever you change it to) while Windows tends to live its own life and do its own thing which is often very bad over time.

I think if you only use Windows for a very few things and rarely, the risk of using the system is quite low in general. It's the daily use it can't handle well. What I mean to say is that you don't have such a big need for things like secure boot then. You can also partly secure Windows from physical attacks by securing your Grub and Bios boot with a password.
 
Old 08-10-2019, 05:22 AM   #12
business_kid
LQ Guru
 
Registered: Jan 2006
Location: Ireland
Distribution: Slackware & Android
Posts: 10,599

Rep: Reputation: 1179Reputation: 1179Reputation: 1179Reputation: 1179Reputation: 1179Reputation: 1179Reputation: 1179Reputation: 1179Reputation: 1179
Apart from physical access, I'm not aware of an attack vector attacking /boot That's root:root anyhow. To do anything from boot you'd surely need some way of seeing the peripherals, which is hardly achievable without root access. If you have root, I imagine you'd have better things to do with your time .

The big day of this was back in the 90s when every system read and acted on the MBR, and you had viruses like form, cih, or ping-pong (which was actually pretty harmless). CIH overwrote the system bios on April 26th, and that was nasty. I got it through my kids on irc, and one year I deleted 175 copies between 2 machines on April 23rd! That's what got me into Linux.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
LXer: OpenPOWER secure and trusted boot part 2 - Protecting system firmware with OpenPOWER secure boot LXer Syndicated Linux News 0 06-09-2017 01:04 AM
If you disable Secure Boot, is UEFI still more secure than BIOS boot? Ulysses_ Linux - Security 4 05-30-2017 10:08 AM
Secure network boot, Secure NFS alternative? Lop3 Linux - Security 1 07-21-2015 11:55 AM
disabling secure boot when secure boot is not an option in BIOS? chexmix Slackware 10 05-28-2015 06:13 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 06:44 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration