Hi, after a long long time I am building a new computer. My last one was sometime in 2011 - 2012 and used the old BIOS. I only use Linux. In fact there isn't a Windows computer in my house.
I am just wondering if it's worth it to mess around getting Secure Boot working, or just use legacy mode.
Hi @Jim.B,
I think you’d be able to disable it in BIOS/UEFI if the mainboard’s not Windows-only.
I have a Gigabyte with it disabled, and I don’t need to use legacy mode.
As I understand it, Secure Boot merely ties a drive to a machine, making it so the drive can’t be transplanted to different machine and still boot.
Again, as I understand it, the drive can still be read while transplanted in another machine, just not booted from.
So security theater, not actual security.
I’m happy to be corrected, but that’s how I understand it now.
There may also be some Windows licensing thing going on, to enforce their one licen$e for each machine policy. Just dressing up revenue enforcement as a security feature.
In any event, it’s just fine to disable it and forget about it. If you want real security, look into other measures, like encryption.
You don’t need to use legacy BIOS support in order to not use Secure Boot. Any decent UEFI allows you to disable Secure Boot.
My computer here is from a shop-built series that was sold without a preinstalled Windows. It boots in native UEFI mode, but Secure Boot is off.
As for whether there is any value in enabling Secure Boot, the answer is a short and sweet “no”.
It isn’t even secure — it has already been compromised several times — and a more appropriate name for it (as used by the Free Software Foundation) would be “Restricted Boot”. Because that’s exactly what it is, i.e. a way to restrict your computer to the booting of operating systems that have been signed with a key supplied (for a small fee) by Microsoft.
It was actually more insidious than that. It was introduced under the reign of Steve Ballmer, and was intended to prevent people from installing GNU/Linux on a machine that comes preinstalled with Windows.
Revenue enforcement, then.
Ah. The chair smasher…
Well, Ubuntu got a key as a Secure Boot shim for their version of grub, so that their users didn’t have to pay. And Canonical could certainly afford the few hundred USD to cover their entire distribution.
I believe RedHat did a similar thing, and the RedHat-sponsored kernel developers were even looking for a way to include the Microsoft key in the kernel itself. But that didn’t go quite as they were hoping. It resulted in one of Linus Torvalds’ (in)famous tirades, and the RedHat guys had to eat crow.
Eaten plenty in my time. Best if roasted on an open flame and served with hot sauce.
I think you should do a little reading.
Thanks. So it seems I have aspects of Secure Boot mentally cross-linked with TPM?
I just saw some info yesterday that Secure Boot on/off is no longer a requirement with some newer mainboard vendors. (I wasn’t even aware of it.)
I would inform myself (by downloading the MB manual PDF) before you buy a new PC whether your new mainboard allows you to disable Secure Boot or not. It’s possible that your UEFI doesn’t even have this option to control it.
Microsoft is trying to destroy Linux; they just do it slowly with shady tactics.
I recommend staying away from TPM 2.0 and Secure Boot as far as possible.
That seems about right (if you add encryption).
I imagine you’re thinking of Windows using BitLocker and the TPM to encrypt filesystems. If you move the drive to another computer, the keys are still stored in the TPM of the old computer, so you shouldn’t have any access.
You may still be able to access it using the recovery password - I assume there’s no way of using the password for booting - which would explain why you can’t boot but you can access the files.
Secure Boot is a method to ensure the integrity of the operating system’s initial component(s).
No more and no less - and Secure Boot is worth nothing if the system is not encrypted.
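For anyone who wants to verify what their own firmware is actually doing rather than guess from the manual, here is an added example (not posted by anyone in this thread) that reads the UEFI `SecureBoot` and `SetupMode` variables that the Linux kernel exposes under `/sys/firmware/efi/efivars/`; it assumes a Linux system with efivarfs mounted, and the `boot_state` classification names are my own.

```python
"""Report the UEFI Secure Boot state of a Linux system from efivarfs.

Each file under /sys/firmware/efi/efivars/ starts with a 4-byte
little-endian attribute mask followed by the variable's payload. For
SecureBoot and SetupMode the payload is one byte: 1 = on, 0 = off.
(`mokutil --sb-state` reports the same thing; this shows the raw format.)
"""
import struct
from pathlib import Path
from typing import Optional, Tuple

EFIVARS = Path("/sys/firmware/efi/efivars")
# EFI_GLOBAL_VARIABLE GUID, used by both SecureBoot and SetupMode.
GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"


def parse_efivar(raw: bytes) -> Tuple[int, bytes]:
    """Split an efivarfs record into (attribute mask, payload)."""
    if len(raw) < 4:
        raise ValueError("efivar record shorter than its 4-byte header")
    (attrs,) = struct.unpack("<I", raw[:4])
    return attrs, raw[4:]


def boot_state(secure_boot: Optional[bytes], setup_mode: Optional[bytes]) -> str:
    """Classify the firmware from raw SecureBoot / SetupMode records.

    "legacy-or-no-efi": no EFI variables at all (CSM / legacy BIOS boot)
    "disabled":         UEFI boot, Secure Boot switched off
    "setup-mode":       Secure Boot on but firmware in key-enrolment mode,
                        so signatures are not actually enforced
    "enforcing":        Secure Boot on and enforcing signatures
    """
    if secure_boot is None:
        return "legacy-or-no-efi"
    _, sb = parse_efivar(secure_boot)
    if sb[:1] != b"\x01":
        return "disabled"
    if setup_mode is not None:
        _, sm = parse_efivar(setup_mode)
        if sm[:1] == b"\x01":
            return "setup-mode"
    return "enforcing"


def read_var(name: str) -> Optional[bytes]:
    """Read one global EFI variable, or None if absent / not readable."""
    try:
        return (EFIVARS / f"{name}-{GLOBAL_GUID}").read_bytes()
    except (FileNotFoundError, NotADirectoryError, PermissionError):
        return None


if __name__ == "__main__":
    print(boot_state(read_var("SecureBoot"), read_var("SetupMode")))
```

The setup-mode case is the one worth knowing about: the firmware menu may say Secure Boot is on while nothing is being checked until the platform key is enrolled.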
Thanks, I looked into it, and disabling it is an option for the motherboard. It is a new computer made with mostly new components (reusing an RX 570 8 GB for now), but is older tech. I went with an AM4 build. My budget was limited, and it will likely run rings around my best current computer (OptiPlex 5040).
That’s what I figured, but it didn’t hurt to ask. It may be helpful in the virus-laden world of Windows where you’re getting software from all over. For a Linux user downloading software from a repository, not so much.