Should I have it on or off? at present I have it off.
On 3/21/26 3:02 PM, Axel wrote:
Should I have it on or off? at present I have it off.
I have found it's less problematic with it off.
This (not being the de facto answer) gives you a bit of background if
you're interested in reading. https://www.siberoloji.com/managing-secure-boot-with-cinnamon-desktop-on-linux-mint/
Short answer is: Turn it off. The article explains it can be done
but I have 4 systems booting and I sometimes replace one with a new
one and I just don't want to fight who signs and who doesn't.
On Sun, 22 Mar 2026 06:02:52 +1100, Axel wrote:
Should I have it on or off? at present I have it off.
Leave it off. It doesn't do anything for Linux and if you need to
reinstall or want to try another distro you'll probably need to turn it
off again.
On Sun, 22 Mar 2026 06:02:52 +1100, Axel wrote:
Should I have it on or off? at present I have it off.
Depends on whom you're having it off with. ;)
Seriously, the official recommendation from the likes of Microsoft,
and even some Linux folks, is to have it enabled. But I like to apply
the principle that weak security is worse than no security at all,
because it lulls you into believing you're secure when you're not. And
"secure boot" most certainly falls into the category of "weak security".
On Sat, 3/21/2026 3:02 PM, Axel wrote:
Should I have it on or off? at present I have it off.
See "Secure Boot", about 30% down the page.
https://en.wikipedia.org/wiki/UEFI
Examples of security features:
Secure Boot:
    A secure enclave CPU "measures" the boot process and checks
    the signing of the UEFI boot files. It "attests" that the
    boot files have not been modified. The BIOS has a certificate
    chain, and items can be "revoked" when stored in there so they
    are no longer trusted as certificates.

Not Secure Boot:
    Whatever you boot with is implicitly trusted and is not measured.
    A boot kit which has taken over the boot materials can then be
    a persistent threat, living on the machine.

Automatic authentication:
    When you don't have to enter your password at Linux startup,
    this gives the visitor to your household access to your home
    directory and your email inbox. It does not give elevation,
    as a "sudo" command still requires typing in a password.

Entry authentication:
    Having to enter a password right after the OS boots ensures
    that getting access to your home directory requires knowing a secret.
    Using "sudo" still requires typing the password too.
*******
As for device implementations, there can be a 14 pin or a 20 pin header
for manual insertion of a device. The device can sit on SPI or LPC
(in other words, more than one bus type is supported).

The BIOS also can have a firmware implementation of TPM. The processor
must have a secure enclave, as part of that firmware. A TPM physical chip
has a secure enclave, which is how older processors could have a root of
trust. Newer processors have a core which does nothing but function as a
secure enclave. On Intel this might be "TXT". On AMD, there are the regular
x86 cores, but there is one ARM core inside the AMD processor, which is
not intended for, say, running a smartphone in there; that core is used
to make a TPM via BIOS firmware. One laptop with a particular AMD
processor has a Pluton prototype inside it, which sank like a rock
from a public relations point of view. The processor likely has at
least one ARM core plus the Pluton (in case the Pluton sank like a rock).
In Windows, it's easy to check your TPM status. There are two lines in
the interface:

    Status
    Attestation   Ready   <== some sort of TPM is present, plus code that
                              interfaces with the results
    Storage       Ready   <== presumably holds a BitLocker key or similar
My Dell Optiplex 780 claims to have a TPM, but Attestation is not ready
and the machine does not Secure Boot. It might be a TPM 1.4 module,
soldered to the motherboard. The storage is likely Ready (as storing
a key is pretty easy).

A motherboard that supported TPM 1.4 is unlikely to receive a BIOS update
to make it TPM 2.0 ready, nor is it likely the manufacturer will make
a TPM 2.0 module for it. If they do make a TPM module, they would then
be on the hook for issuing a new motherboard BIOS file (which is not
going to happen). This is how perfectly good motherboards get frozen out
of this nonsense.
The topic is migraine-inducing, just like the maintenance web page
for Intel Management Engine and all its versions. You really, as a human,
could not read to the end of that filth. I had to stop. The TPM topic
is just as bad, as virtually every discussion thread is incomplete;
the people who know what they're doing are not writing 100 page
missives to help anyone. If you knew everything about it, you
could likely exploit it and beat the crap out of it. That's why we
have boot kits out there.

Some keys, via db/dbx, may already have been revoked. And Microsoft
is in the process of installing PCA 2023 and eventually revoking
PCA 2011 (which means some older Linux DVDs, if started in Secure Boot
mode on a 2026 laptop, will not boot -- DVDs which depend on PCA 2011
will eventually expire for 2026 laptops). Since PCA 2011 is expiring
in July, officially its days are numbered anyway, but there is a claim
that some boot processes do not trust nor check the time clock
(as a user could just dial the clock back to "make" PCA 2011 work).
I informed people a couple of years ago, that they should
enjoy the opportunity to buy UEFI/CSM motherboards and
computers, as 2026 was coming, and the plan was to have
only UEFI and no CSM any more. A machine with both, can boot
Knoppix 5.3, if you use "noacpi" on the boot line. A 2026 laptop
is unlikely to boot Knoppix 5.3 (as a test of the flexibility
of boot). I don't know if a 2026 laptop has a Secure Boot ON/OFF
or not. It might be Secure Boot only, raising the possibility
of bricking it.
Paul
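An added example, not code from Paul or anyone else in this thread, to make the db/dbx and "PCA 2011 vs 2023" part of the post concrete. Paul's "PCA 2011" actually covers two different Microsoft CAs: the Windows Production PCA 2011, which signs the Windows boot manager, and the Microsoft Corporation UEFI CA 2011, which signs third-party shims such as the ones on Linux install media; their replacements are Windows UEFI CA 2023 and Microsoft UEFI CA 2023. Whether an older Linux DVD still boots with Secure Boot on therefore depends on which of those CAs the firmware's db still holds, and on whether a hash in dbx (or an SBAT revocation) blocks that particular shim. The script below parses the EFI_SIGNATURE_LIST chain that db and dbx are made of, and reports which signers are present. It assumes the list layout from the UEFI specification and the 4-byte attribute prefix that /sys/firmware/efi/efivars adds; the sample "certificates" are constructed placeholders that only carry the CN strings, and identifying a CA by searching for that string inside the DER bytes is a heuristic, not an ASN.1 parse.

```python
"""Walk UEFI Secure Boot signature databases (db / dbx) and report which
signers they contain.  Added example for this thread, not any poster's code.
Assumes the EFI_SIGNATURE_LIST layout from the UEFI spec."""
import struct
import uuid

# Signature-type GUIDs from the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
# SignatureOwner GUID Microsoft uses on its db/dbx entries.
MS_OWNER = uuid.UUID("77fa9abd-0359-4d32-bd60-28f4e78f784b")

# CN strings found inside the DER of the well-known Microsoft CAs.  Matching
# them as substrings of the certificate bytes is a heuristic, not ASN.1 parsing.
KNOWN_CA_NAMES = [
    b"Microsoft Corporation UEFI CA 2011",   # signs third-party shims (Linux)
    b"Microsoft UEFI CA 2023",               # its 2023 successor
    b"Windows Production PCA 2011",          # signs the Windows boot manager
    b"Windows UEFI CA 2023",                 # its 2023 successor
]

def parse_signature_lists(blob, strip_efivars_attrs=False):
    """Return [(sig_type, owner, data), ...] for every entry in a chain of
    EFI_SIGNATURE_LISTs.  Pass strip_efivars_attrs=True for data read from
    /sys/firmware/efi/efivars, whose first 4 bytes are variable attributes."""
    if strip_efivars_attrs:
        blob = blob[4:]
    entries, off = [], 0
    while off + 28 <= len(blob):
        type_bytes = blob[off:off + 16]
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        end = off + list_size
        if list_size < 28 or end > len(blob) or sig_size < 16:
            raise ValueError(f"corrupt EFI_SIGNATURE_LIST at offset {off}")
        sig_type = uuid.UUID(bytes_le=type_bytes)   # EFI GUIDs are mixed-endian
        pos = off + 28 + hdr_size
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            entries.append((sig_type, owner, blob[pos + 16:pos + sig_size]))
            pos += sig_size
        off = end
    if off != len(blob):
        raise ValueError("trailing bytes after the last signature list")
    return entries

def summarize(entries):
    """Classify entries: recognised X.509 CAs, unrecognised certs, SHA-256 hashes."""
    summary = {"x509_known": [], "x509_unknown": 0, "sha256_hashes": [], "other": 0}
    for sig_type, _owner, data in entries:
        if sig_type == EFI_CERT_X509_GUID:
            names = [n.decode() for n in KNOWN_CA_NAMES if n in data]
            summary["x509_known"].extend(names)
            summary["x509_unknown"] += 0 if names else 1
        elif sig_type == EFI_CERT_SHA256_GUID:
            summary["sha256_hashes"].append(data.hex())
        else:
            summary["other"] += 1
    return summary

def boot_policy_hint(db_summary):
    """Which signer generations db still trusts.  Judged from db alone: a hash
    in dbx or an SBAT revocation can still block one specific shim binary."""
    known = set(db_summary["x509_known"])
    return {
        "third_party_2011_shim_trusted": "Microsoft Corporation UEFI CA 2011" in known,
        "third_party_2023_shim_trusted": "Microsoft UEFI CA 2023" in known,
        "windows_2011_bootmgr_trusted": "Windows Production PCA 2011" in known,
        "windows_2023_bootmgr_trusted": "Windows UEFI CA 2023" in known,
    }

def build_signature_list(sig_type, entries):
    """Serialise one EFI_SIGNATURE_LIST (all entries must have equal length)."""
    sig_size = 16 + len(entries[0][1])
    body = b"".join(owner.bytes_le + data for owner, data in entries)
    return sig_type.bytes_le + struct.pack("<III", 28 + len(body), 0, sig_size) + body

def constructed_sample_db():
    """Constructed stand-in for db: NOT real certificates, only DER-looking
    bytes carrying the CN strings a real certificate would contain."""
    fake_2011 = b"\x30\x82\x05\x00" + b"Microsoft Corporation UEFI CA 2011" + b"\x00" * 8
    fake_2023 = b"\x30\x82\x05\x00" + b"Microsoft UEFI CA 2023" + b"\x00" * 8
    return (build_signature_list(EFI_CERT_X509_GUID, [(MS_OWNER, fake_2011)])
            + build_signature_list(EFI_CERT_X509_GUID, [(MS_OWNER, fake_2023)]))

def constructed_sample_dbx():
    """Constructed stand-in for dbx: two made-up revoked-binary hashes."""
    hashes = [bytes([0xA0 + i]) * 32 for i in (1, 2)]
    return build_signature_list(EFI_CERT_SHA256_GUID, [(MS_OWNER, h) for h in hashes])

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:   # e.g. /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f
        with open(sys.argv[1], "rb") as f:
            entries = parse_signature_lists(f.read(), strip_efivars_attrs=True)
    else:
        entries = parse_signature_lists(constructed_sample_db() + constructed_sample_dbx())
    db = summarize(entries)
    print(db["x509_known"], db["x509_unknown"], len(db["sha256_hashes"]), boot_policy_hint(db))
```

On a Linux box with Secure Boot firmware, point it at the db or dbx file under /sys/firmware/efi/efivars (the GUID suffix is the same for both variables); `mokutil --db` and `mokutil --dbx` print the same lists in readable form, and `mokutil --sb-state` shows whether Secure Boot is currently enforcing. If the 2011 third-party CA is absent from db, or the shim on your install media has its hash in dbx, that media will not start with Secure Boot on, which is the practical version of Paul's PCA 2011 warning.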
Thanks for that. I'll just leave it off. Computing was much simpler before all this crap.
On Mon, 3/23/2026 3:10 PM, Axel wrote:
Thanks for that. I'll just leave it off. Computing was much simpler before all this crap.
You never know what the future holds.
1) A person standing in your room can bypass lots of the "trivial security".

2) Having a BIOS level password will slow them down. Consumer machines,
   20 seconds to bypass. Business machines, maybe 5-10 minutes to fit a
   programming clip to the 2KB password chip and flash the null image
   into it. For the "merely curious", a BIOS password will keep them out
   for a good while, before they get to boot their LiveDVD with sudo.

3) Given your security posture in the room is typically poor (I know mine is),
   you want a disaster recovery plan. That's what backups are for. The disk
   storing the backups should be offline when the machine is being operated
   normally.
It is up to you to decide how quickly you need to tip the machine
upright again (assuming there isn't a persistent pest onboard). It can be
almost impossible to tip a room upright, with the right pest onboard.
That's why, in an "emergency situation", don't be surprised that
the modern machines aren't coming back up.
I've probably told the story about the guy who got wiped out by ransomware.
He posted a question: "my Excel files have .osirus extensions added to them".
That was Osirus ransomware, which encrypted data files such as .xlsx and .docx
and so on. It goes for the high value files first.

The OP in that case didn't have backups. He had OS CD/DVD install media in
the room, but he didn't know which license key went with which machine.

It took around three months before he dropped in one day and said the room
was more or less upright again, sans whatever data loss from the lost files.
He had a small business, and I think he closed up shop. He no longer
drops into USENET, as he is "functionally retired".
Even your backups can be ruined. Some ransomware hides for a month, to give
time to discover and monitor your backup pattern. Maybe it takes a chance
and ruins every backup image you made. Then when the "red dialog" appears
on your screen, your Disaster Recovery Plan is already ruined.
For people without a profile, they have little to worry about in terms
of "focused campaigns". But if someone "wants to drop the big one",
that will be a test of everyone's Disaster Recovery Plan.

Remember that most malware today is reversible or "clean-able".
It doesn't have to be. Wipers like Sality still exist, and BleepingComputer
would "tell you to reinstall" if such is detected. It seems a lot of
these pests have worm capability, or at least they are armed with
exploits which a lot of people have not patched up for. Like, say you
had SMB1 enabled on a machine, how "worm-able" are you? I don't know.
Couldn't give an estimate.

Rather than being worried about your Secure Boot setting, I would
advise some more general principles about running a computer room.
"Bring your umbrella, because it looks like rain." Consider what
you'd do in an emergency.
Paul