this post was submitted on 20 Jul 2025
131 points (99.2% liked)


Linux users who have Secure Boot enabled on their systems knowingly or unknowingly rely on a key from Microsoft that is set to expire in September. After that point, Microsoft will no longer use that key to sign the shim first-stage UEFI bootloader that is used by Linux distributions to boot the kernel with Secure Boot. But the replacement key, which has been available since 2023, may not be installed on many systems; worse yet, it may require the hardware vendor to issue an update for the system firmware, which may or may not happen. It seems that the vast majority of systems will not be lost in the shuffle, but it may require extra work from distributors and users.
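An added example, not from the post or the article it quotes: one way to see which certificates in the firmware's Secure Boot `db` lapse before a given date, by parsing the text that `mokutil --db` prints. The certificate names and dates in the sample are constructed, and the OpenSSL-style layout of the dump is an assumption.

```python
import re
import shutil
import subprocess
from datetime import datetime, timezone

# Constructed sample in the OpenSSL text layout that `mokutil --db` is assumed to print.
SAMPLE_DB = """\
[key 1]
Certificate:
    Data:
        Validity
            Not Before: Jun  1 00:00:00 2011 GMT
            Not After : Sep  1 00:00:00 2025 GMT
        Subject: C=XX, O=Example Corp, CN=Example UEFI CA 2011
[key 2]
Certificate:
    Data:
        Validity
            Not Before: Jun  1 00:00:00 2023 GMT
            Not After : Jun  1 00:00:00 2038 GMT
        Subject: C = XX, O = Example Corp, CN = Example UEFI CA 2023
"""

def parse_certs(text):
    """Return [(subject_cn, not_after)] for each certificate in the dump."""
    certs = []
    for block in re.split(r"^\[key \d+\]\s*$", text, flags=re.M)[1:]:
        cn = re.search(r"Subject:.*?CN\s*=\s*([^,\n]+)", block)
        na = re.search(r"Not After\s*:\s*(.+?)\s+GMT", block)
        if cn and na:
            # Collapse the double space OpenSSL uses for single-digit days.
            stamp = " ".join(na.group(1).split())
            when = datetime.strptime(stamp, "%b %d %H:%M:%S %Y")
            certs.append((cn.group(1).strip(), when.replace(tzinfo=timezone.utc)))
    return certs

def report(certs, cutoff):
    """Split certificate names into those lapsing before `cutoff` and the rest."""
    expiring = [cn for cn, na in certs if na < cutoff]
    remaining = [cn for cn, na in certs if na >= cutoff]
    return expiring, remaining

if __name__ == "__main__":
    # Use the live firmware db when mokutil is installed, else the sample.
    live = shutil.which("mokutil")
    text = (subprocess.run(["mokutil", "--db"], capture_output=True, text=True).stdout
            if live else SAMPLE_DB)
    cutoff = datetime(2026, 1, 1, tzinfo=timezone.utc)  # constructed cutoff date
    expiring, remaining = report(parse_certs(text), cutoff)
    print("lapse before cutoff:", expiring or "none")
    print("valid past cutoff:  ", remaining or "none (db update needed first)")
```

If the second list is empty on a real machine, the replacement certificate has not been enrolled and a db or firmware update is needed before newer signed bootloaders will verify.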

[–] deadcatbounce@reddthat.com 25 points 2 weeks ago (2 children)

Being beholden to Microsoft doesn't sound like something anyone needs.

Until that ends I'm doing my best to avoid secure boot. I don't want to.

[–] data1701d@startrek.website 16 points 2 weeks ago (2 children)

You can self-sign and self-enroll secure boot keys. Can’t say it’s an easy process, though - I had a lot of misery with it on my Surface Go 1st Gen. Might be better on my Thinkpad.

[–] deadcatbounce@reddthat.com 1 points 2 weeks ago* (last edited 2 weeks ago) (1 children)

I thought it was a Microsoft centric thing in that the certificate authority was either Microsoft or signed by Microsoft?

Maybe I need to read about it more? Can you direct me to the general area?

[–] WhyJiffie@sh.itjust.works 9 points 2 weeks ago (1 children)

Microsoft's keys are pre-installed to all motherboards, so boot binaries signed by Microsoft are trusted by default. afaik Microsoft keys often can't be removed, but not because it's not possible, but because it can brick devices. you can create your own MOK or Machine Owner Keys and set up your linux system to sign your bootloader and kernel with it, but that is in addition to Microsoft keys.

https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot

[–] deadcatbounce@reddthat.com 1 points 2 weeks ago* (last edited 2 weeks ago)

Thank-you. Recently rebuilt my Arch Rescue build and saw that section in doing the UKI dance.

I don't mind the Microsoft keys being there at all. I just don't think tying myself to them is particularly clever.

From your final part. I think I need to go back and reread it. Thank-you again.

[–] HaraldvonBlauzahn@feddit.org 3 points 2 weeks ago* (last edited 2 weeks ago) (1 children)
[–] deadcatbounce@reddthat.com 2 points 2 weeks ago

Oh. Thank-you. I'll read through.

[–] Max_P@lemmy.max-p.me 23 points 2 weeks ago (14 children)

As commenters on the LWN thread said, I doubt that many firmwares even bother to check anyway. My motherboard happens to have had a bug where you can corrupt the RTC and end up in 2031 if you overclock it wrong. I didn't use secure boot then though so I don't know if it would have still booted Windows. But I imagine it would.

That said, I've always just enrolled my own keys. I know some other distros that make you enroll their keys as well like Bazzite. At least that way you don't depend on Microsoft's keys and shim or anything, clean proper secure boot straight into UKI.

[–] HaraldvonBlauzahn@feddit.org 4 points 2 weeks ago* (last edited 2 weeks ago)

> As commenters on the LWN thread said, I doubt that many firmwares even bother to check anyway. My motherboard happens to have had a bug where you can corrupt the RTC and end up in 2031 if you overclock it wrong.

Seems it compares the expiration date of the UEFI key with the signature date of the bootloader / OS keys. (See the comments on the LWN article, some are far more knowledgeable than I am.) So, no, it does not require a working on-board clock to lock you out if you are not extremely careful and fully understand each part.

[–] HaraldvonBlauzahn@feddit.org 1 points 2 weeks ago (1 children)

> That said, I've always just enrolled my own keys.

That is far more complex than a firmware update and also depends on a correct implementation of the spec in the BIOS - which, given the experiences with ACPI for Linux, is not at all something one can rely on.

[–] Max_P@lemmy.max-p.me 1 points 2 weeks ago (1 children)

It has nothing to do with ACPI whatsoever. And firmwares this broken are the exception not the rule.

[–] HaraldvonBlauzahn@feddit.org 2 points 2 weeks ago* (last edited 2 weeks ago)

ACPI, especially as it was at the beginning, is a good example that formally having a spec does not guarantee interoperability: You might get running Linux on some Laptop, but this does not guarantee that essential things like power management work.

[–] xia@lemmy.sdf.org 17 points 2 weeks ago (1 children)

So... microsoft has positioned itself between common users and Linux... and as an authority of sorts.

[–] HaraldvonBlauzahn@feddit.org 9 points 2 weeks ago* (last edited 2 weeks ago) (1 children)

The details are complex; it has humorously been called "security by security".

Hobby Linux users could, as far as I understand, simply disable UEFI secure boot (after weighing carefully what secure boot provides to them, and what it does not provide). Otherwise, they'll need a firmware upgrade before any upgrade to a new OS / bootloader chain.

Small companies which use old laptops with Windows might be bitten hard by this because they can become locked out of their hardware with no way to update it, or even make a backup!

[–] HaraldvonBlauzahn@feddit.org 7 points 2 weeks ago* (last edited 2 weeks ago)

And by the way, Intel motherboards which are running your Linux system may contain a copy of Minix - yes, the Minix from the historic Tanenbaum vs. Torvalds debate - which runs below the OS in the system management mode engine and is controlled by the vendor, which can e.g. update firmware via the network. SMM is normally not visible by the user but it can cause problems e.g. for real-time applications because it has higher privileges than the kernel and can interrupt all of the kernel at any time.

[–] eugenia@lemmy.ml 7 points 2 weeks ago (1 children)

I think this already bites people, it has started, it's not in September but now?: https://x.com/rogerioperdiz/status/1946873449537798582

[–] Tenderizer78@lemmy.ml 12 points 2 weeks ago* (last edited 2 weeks ago) (1 children)

I just tried to distro-hop and found my BIOS had been locked with a password. Assuming I didn't set a password that I subsequently forgot (and that isn't one of the many I have memorized), I figured this might have something to do with the age of the laptop (I have a HP 4540s). If certificate expiration is already affecting people then this might be it.

EDIT: I just forgot I set a password, and it took me 2 days to realize that I was stupid enough to have set the password that I used for everything when I was 12 years old.

[–] drspod@lemmy.ml 3 points 2 weeks ago (2 children)

How did you bypass the password?

[–] SteveTech@programming.dev 4 points 2 weeks ago

Not OP, but BIOSes often give you a specific error code after a few wrong password attempts. You can put the code in here to recover the password: https://bios-pw.org/

[–] Tenderizer78@lemmy.ml 2 points 2 weeks ago

I didn't. And apparently you can't without trying to short-circuit the motherboard. I just assumed, and assumed wrong.

[–] Technus@lemmy.zip 5 points 2 weeks ago (2 children)

For a home desktop that's never left unattended with anyone untrustworthy, I don't see that Secure Boot is worth the effort in setting up.

Given that you have to re-sign the boot image every time you upgrade, any malware already running with root privileges on the machine could easily slip itself into the new signed image.

The best security is not running untrusted software to begin with.

[–] SheeEttin@lemmy.zip 6 points 2 weeks ago (2 children)

If secure boot is off, and you run malware on your pc, it can change the boot process to escalate privileges.

This probably requires root or admin in the first place, but if they can install a malware loader, they can establish persistence so that even if you remove the os-level components, they'll be reinstalled on reboot.

[–] Technus@lemmy.zip 1 points 2 weeks ago

Yeah, but the malware can just wait for a system upgrade where you sign a new boot image and slip itself in then.

It works for Windows because theoretically only Microsoft would have the signing key and it's not just sitting on disk somewhere. But then you're just trusting Microsoft, and also subject to vendor lock-in.

[–] HaraldvonBlauzahn@feddit.org 1 points 2 weeks ago* (last edited 2 weeks ago)

> If secure boot is off, and you run malware on your pc, it can change the boot process to escalate privileges.

This is technically correct, but on a desktop system, malware executing in user space is normally already game over. It can exfiltrate and send your passwords or ssh private keys, change browser certificates or browser software, add user systemd sessions or crontab entries and can generally e.g. do everything a banking trojan would like to do.

[–] Decker108@lemmy.ml 3 points 2 weeks ago

Funny how Microsoft does this just before the October EOL deadline for Windows 10, when a whole bunch of hardware is being forcibly obsoleted...