[SOLVED] Me and this "secure boot" do not get along, at all.
My most recent computer had this SECURE BOOT nonsense. It seems to me that maybe the Windows-people might like it; in my Linux-worldview, I hate this crap!
I would just like to get rid of this nonsense PERMANENTLY.
Question: Is there any way possible to just RIP this nonsense from the computer, and just use the computer freely?
My last version of Windows was version 3.1
I started using Linux in 1995, when there was all this hype of Windows 95, and I was thinking that if I EVER use Windows, I would be buying in to Bill Gates' wet-dream!
So, please, is it possible to irrevocably get rid of this secure boot crap?
Since I keep a computer for YEARS, as I just change the things that need to be replaced, in the future is there ANY way to buy a computer system WITHOUT Secure Boot?
Since I become 60 Years Old near the end of 2024, I guess I can be "lucky" and die before my computer screams and dies, in about ten years.
Thank you for answering my question, and have yourself a wonderful day!
{PS: I had a stroke in 2011, and am "Brain-damaged"}
I believe you have two options (maybe 3). Any new x64 hardware that Windows will run on will come with a UEFI BIOS.
So, option 1 is to turn on Legacy mode in the BIOS. There are lots of hits online on how to do that. Install a Linux system in Legacy mode. Legacy mode operates as the old BIOSes you are familiar with. Been there, done it, it works. I upgraded the system board on my desktop to a new UEFI BIOS, and kept my old legacy installed hard drive. Enabled legacy mode, and ran it for over a year, just like before.
Option 2. Look for a used older high end system board, with only legacy BIOS. Replace the system board. The reason for 'high end' is simple. There are 10 year old boards that still give you decent performance. I have an Alienware (Dell) 4 core processor system that I put an SSD in, and it is still nice and snappy.
Well, here is option 3. Some of the latest single board ARM boards are at the point they will run a Linux system, once installed, very nicely. There is no 'Secure Boot windblows infection'. Be forewarned, it takes some new skill to install and set one up. The install process differs from a typical Linux install. I would suggest you look at this link https://sarpi.penthux.net/ and look through the install process. It's well documented, and gives you a running Slackware system. There are other distros available for ARM boards.
Quote:
So, please, is it possible to irrevocably get rid of this secure boot crap?
No.
Secure Boot is enforced by the UEFI BIOS, which in turn is cryptographically signed and verified by the motherboard chipset.
The idea is to create a chain of trust from UEFI via the bootloader all the way into the OS.
This is designed to protect the customer against unauthorized tampering by outsiders. And just to be clear, the "customer" is the OS vendor and the media industry, and the "outsider" in this scenario would be you.
Quote:
Originally Posted by kevinbenko
Since I keep a computer for YEARS, as I just change the things that need to be replaced, in the future is there ANY way to buy a computer system WITHOUT Secure Boot.
Intel have committed themselves to making UEFI-only systems. AMD systems with CSM (Compatibility Support Module) support are still available, although many OEMs (like Lenovo) use custom BIOSes without CSM.
On all of my machines (so far) that have a secure mode you can enter the hardware/BIOS settings and turn it off.
UEFI support is a separate setting, and changing one does not change the other.
That said, these are HP and DELL models that are somewhat old. YMMV
Since you are not double booting Windows 11, you don't need secure boot. How you get rid of it depends on how you installed Debian. If it was installed without secure boot, you can just reboot into the BIOS and disable secure boot support. But it's more likely that you have Debian with the secure boot shim. Removing it is then more complicated, but it can be done — see the Debian Wiki for how to find out your situation (section 5) and how to remove an enabled secure boot (section 7.10).
If this is a new install, reinstalling with Secure Boot off in the BIOS might be the simpler solution. Many computers will still allow a Legacy install as suggested above. Take a look at the options available to you in your BIOS. If you posted specific information on the computer, someone here may be familiar with it and be able to give more specific instructions.
I would make a record of the installed package list and settings in text files in my home folder, then make two or three backups of the home folder, change the BIOS and reinstall from scratch. Then restore the home folder, restore the settings manually, and install any missing packages.
I rarely mess around with making major changes in place that I must clean up after because they break the install. A fresh install is just way too fast and easy for me, and avoids no END of problems.
UEFI machines can have one of the following "classes", which were used to help ease the transition to UEFI. Intel has ended Legacy BIOS in 2020.
Class 0: Legacy BIOS
Class 1: UEFI in CSM-only mode (i.e. no UEFI booting)
Class 2: UEFI with CSM
Class 3: UEFI without CSM
Class 3+: UEFI with Secure Boot Enabled
OK, I was messing with my computer with the whole UEFI/Secure-boot nonsense.
I noticed that I am already in "Legacy Mode".
But it still {urinates} me off that I have to disable it.
This is all about how the Microsoft-based computer is inherently flawed.
When it existed, I was a developer for Sun Microsystems. The brain-damage I suffered in 2011 really ruined my life. Now I am perpetually a "newbie".
Hell... I wrote my own VPN pre-stroke.
{laugh} I have a half-brother, my blood-clotting disorder is genetic, I have tried to get him to be tested. But he hasn't.... {sigh} I did try.
Anyway, thank you and the Linux Questions community for giving me answers. This community is a blessing to the "newbies".
Disabling secure boot in UEFI BIOS is not permanent. Don't let your CMOS battery voltage get too low. It will most likely cause corruption and/or need to reset CMOS. Any time BIOS is corrupted and/or reset, whether intentional or not, risk is high that secure boot gets re-enabled. It's happened here a bunch of times. Some PCs used little and plugged in only when in use are capable of wasting a 2032 CMOS battery in less than a year.
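Since the firmware setting can flip back after a CMOS reset, it helps to check from the running system which boot mode is actually in effect. The script below is an added example, not part of any post in this thread; it reads the standard UEFI `SecureBoot` and `SetupMode` variables through efivarfs, and the function names and state labels are made up for illustration.

```shell
#!/bin/sh
# Added example: report how this Linux system was booted.
# GUID of the UEFI global variable namespace (defined by the UEFI spec).
EFI_GLOBAL=8be4df61-93ca-11d2-aa0d-00e098032b8c

# efivar_byte FILE: print the first data byte of an efivarfs file.
# efivarfs prefixes every variable with a 4-byte attribute field,
# so the value of a one-byte variable sits at offset 4.
efivar_byte() {
    [ -r "$1" ] || return 1
    od -An -tu1 -j4 -N1 "$1" 2>/dev/null | tr -d ' \n'
}

# boot_state [FWDIR]: classify the boot mode.
# FWDIR defaults to /sys/firmware; it is a parameter only so the
# logic can be exercised against a constructed directory tree.
boot_state() {
    fw=${1:-/sys/firmware}
    vars="$fw/efi/efivars"

    # No /sys/firmware/efi at all: the kernel was started through
    # legacy BIOS or the CSM, so Secure Boot is not in play.
    if [ ! -d "$fw/efi" ]; then
        echo "legacy-bios-or-csm"
        return 0
    fi

    sb=$(efivar_byte "$vars/SecureBoot-$EFI_GLOBAL") || sb=
    sm=$(efivar_byte "$vars/SetupMode-$EFI_GLOBAL") || sm=

    case "$sb:$sm" in
        1:*) echo "uefi-secure-boot-on" ;;   # firmware is verifying signatures
        0:1) echo "uefi-setup-mode" ;;       # no platform key enrolled
        0:*) echo "uefi-secure-boot-off" ;;  # keys present, enforcement disabled
        *)   echo "uefi-state-unknown" ;;    # efivarfs not mounted or unreadable
    esac
}

boot_state "$@"
```

Run it after any firmware reset or battery change; a result of `uefi-secure-boot-on` on a machine you set up with Secure Boot disabled means the firmware settings were restored to defaults.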
As I am an "old fart" I might just "up and die". BUT if I do live long enough to have to buy another computer, what do I look for to make certain that I DO NOT buy a damnable UEFI/secure boot based computer?
I guess I am done with this question, and will call it SOLVED.
We can just blame Microsoft-nonsense for messing up everyone's computers.
Assuming that you are looking for a desktop PC in the future, I would search for a new one which is supplied without an OS, such as this example: https://www.newegg.com/p/1VK-0003-1R0J1
I am not familiar with the US market, but I am sure that Newegg is not the only supplier of such items.
I was able to purchase the HP Z420 Work Station that I'm currently writing this post on right now from unfortunately I think that I couldn't find the company's web site from which I purchased my HP Z420 Work Station through may shut down operations.
Yeah, the LAST time I got a system from New Egg was 2013.
Even worse, though, in 2020 I did the STUPIDEST thing I could do: buying a system at {shudder} Best Buy.
{Friends don't let friends buy anything from Best Buy}
The next system I get I will have my "Computer Guy" build it with my specifications.
{for example a pair of two PS2 ports, one for keyboard and one for mouse,
at least three 4TB hard drives and 1 15TB backup drive,
and NO STUPID SSD drives!}
Quote:
Yeah, the LAST time I got a system from New Egg was 2013.
Even worse, though, in 2020 I did the STUPIDEST thing I could do: buying a system at {shudder} Best Buy.
{Friends don't let friends buy anything from Best Buy}
To be fair, it is not just Best Buy. I have, in the last 40 years, only twice walked into a store offering computer equipment or systems where I did not know more about the device and technology than the sales staff and manager. The trick is to know exactly what you want, exactly why, and not believe what the sales staff says if their only source of information is what the manager told them because he read it in a magazine.
Quote:
The next system I get I will have my "Computer Guy" build it with my specifications.
{for example a pair of two PS2 ports, one for keyboard and one for mouse,
at least three 4TB hard drives and 1 15TB backup drive,
and NO STUPID SSD drives!}
I liked those PS2 ports, but USB (USB 3C in particular, and USB4 when available) has SO many advantages! And what is your issue with SSD drives? They save power, run quiet, are faster (depending upon the bus behind them), and look like they will last longer than rotational drives.
As for backups, if your data is worth it I would build a NAS and station it in another room and use it for a BURP backup server. I might back that up to a portable drive or offsite storage. The thing is if your local machine goes up in smoke and takes all internal drives with it, you want the backup data somewhere else: out of danger.
If your data is not worth that, one or two portable drives that you store offsite when they are not in use is an affordable option.
Quote:
Everybody, have yourself a fantastic day!
You have a fine day as well. I have not lived in North Dakota since '97. I hope all is well there.