Implications of disabling secure boot

Implications of disabling secure boot

Hi, I am curious about the implications of disabling secure boot on a dual boot Manjaro/Windows.Since Manjaro is not supporting secure boot, i was wondering if i am leaving my computer vulnerable to rootkits. As i understand the secure boot protects my computer against rootkit execution outside of the os at a deeper level wich may be hard to detect from the os (I may be wrong here).

Should i be concern about it?

I am aware there is a way to do it with shim package from the aur repo, which i am not willing to use since i am not experienced enough to inspect the package files.

Since i still need Windows for various reasons, should i just look for a distro that supports secure boot: Debian, Ubuntu, Fedora?

That’s one way…

https://wiki.archlinux.org/index.php/Unified_Extensible_Firmware_Interface/Secure_Boot

The installed files come from Fedora…

TBH…if you’re not willing to put in the time it will require for you to set up your system, then yes, a different distro that does it for you would be your better choice.

Follow this guide in order to have Secure Boot in Manjaro:
https://wiki.gentoo.org/wiki/User:Sakaki/Sakaki's_EFI_Install_Guide/Configuring_Secure_Boot

You might want to combine it with AUR’s sbupdate tool, to make the whole process of updating and signing kernels and bootloaders easier.

I am not willing to get this package from the aur for various reasons.

The fact that the package can change maintainers any time without warning and possibly shift to a malicious maintainer makes me unable to trust the aur for that kind of packages. (as arch stated it happened before). I am not willing to start signing package every time i update a kernel or when virtual box update (especially on a rolling distro) kinda a big waste of time. Over configuring is why i left Arch in the first place. The main reason i create this post is to know the implications of disabling it.

How compromising is it to the windows partition and is it really necessary?
Is it worth it to set up the shim packages and signing the kernel?
How often does it break the system?
Is it a concern if i only boot linux and remove windows completly? etc…
(Maybe i did not expressed myself clearly.)

Btw your last comment was kinda rude, a quick dismissal.

Thank you i’l take a look at it.

I’m afraid you’ve got that wrong. First of all, a rootkit is not an intrusion on your system, but a way for an intruder to hide the fact that they already have access on your system. So in order for an attacker to install a rootkit on your system, the attacker must already have root access on your system.

Secondly, the real reason as to why Secure Boot became part of the UEFI specification is that Microsoft is on the UEFI committee, and it was under Steve Ballmer’s leadership of Microsoft that they pushed the Secure Boot feature into the UEFI specification, the reason being that Apple sells computers with an operating system, while Microsoft only sold operating systems and software, but the x86 architecture is an open platform.

Secure Boot was intended to make x86 a Microsoft-controlled platform, because Microsoft is the authority that hands out the Secure Boot keys. So its intent was simply to prevent computers from being able to boot anything other than the Windows version that came installed on them from the factory.

As an actual security precaution, Secure Boot is useless.

2 Likes

It’s never too late to learn something new:

1 Like

It’s the most expected feature out of Manjaro for me, it’s useful. I’d like the distro to be more PRO less gaming/teens eventually, so I care about all boot features.
As i was checking bluetooth, booting behaviour recently, i’ve collected the status of boot features:

  • Fedora - Secure Boot except Nvidia (manual signing), Grub snapshots not available
  • OpenSuse - SecureBoot with Nvidia, TrustedBoot, GrubLock, Grub snapshots, Grub zstd (they got it all, simply)
  • Ubuntu and first derivatives - SecureBoot with Nvidia, Grub snapshots not available
  • Manjaro, Pclinuxos, Mx linux, PopOs, Arch, EndeavorOs, ArcoLinux - not yet, but Grub snapshots possible
1 Like

Thank you, it was an interesting read.

As I understand, secure boot can be useful to protect or reduce the attack vector on the pre boot of the machine (Rootkit/ Bootkit), which would be left vulnerable without the secure boot feature. But it is still a mystery to me to which extent it is true as I’m not really knowledgeable about cyber security.

If I switch to a linux only machine, should I even bother with this since the attacks are more or less present ? (not that they are not present)

Also, I am aware about the the following distro that support it from safer repo than manjaro

Ubuntu, Fedora, Debian, openSUSE, FreeBSD

Still not sure but I heard that Linux Mint has a signed boot loader (grub), I might be wrong about that one.

It would be sad to me to ditch manjaro as I used it for a good while (kde), and really loved it.

If I care about keeping good practice on my end should I switch to a safer distro (for my case)? Or is it the uefi forum just trying to push their own features (as it is rare that a group say hey our products are useless :p).

Same for me with it would be a no brainer for me. Functions and good practices comes first for me. I’m lucky i’m on amd, no worries about my drivers.