Secure Boot actually doesn’t have anything to do with security. That’s just a marketing ploy.
Secure Boot is a feature of the UEFI firmware as per the UEFI specification, which is drawn up by a committee that includes Microsoft. Their influence on the UEFI committee is enormous — for instance, UEFI executables are in the same binary format as Microsoft Windows itself, and the UEFI shell uses the same command syntax as the Windows command line.
The true purpose of Secure Boot was simply to allow Microsoft to seize control of the x86-64 and aarch64 platforms, given that unlike Microsoft’s historical rival Apple, Microsoft did not produce any hardware of its own. So it was Bill Gates’ intent to, by way of Secure Boot, force the x86-64 or aarch64 platform into becoming Windows machines and cut off the “competition” from GNU/Linux and other operating systems.
Security-wise, Secure Boot has already been bypassed several times at hacking contests. So it’s not actually secure, and the Free Software Foundation prefers referring to it as “Restricted Boot”. Because that’s what it is and has always been all about — it’s another anti-competitive measure from Microsoft, and it’s intended to support the corporate proprietary software industry while cutting out the Free & Open Source Software movement.
There is nothing to gain from having Secure Boot enabled, and all the more to lose from it, because it’s a lot of unnecessary trouble to get it to work properly in any distribution. Some distributions like Ubuntu and RedHat have yielded to the scaremongering tactics from Microsoft’s lawyers, but there is no technical nor any legal need to have Secure Boot enabled, and especially not since it’s Microsoft that’s constantly breaking the law on account of copyrights, patent infringements, et al.
That’s quite the bashing you’ve given Microsoft – not that I disagree. However, you did omit mentioning that the underpinning fat32 filesystem of every ESP (aka EFI System Partition) is/was also a proprietary Microsoft format.
True, that. And I could have said even more, such as the fact that the only authority that hands out Secure Boot certificates/keys is Microsoft, and that one therefore has to buy a key from them.
On the other hand, the ESP on Apple-branded computers is not vfat but hfsplus. In other words, Apple is the only computer manufacturer with a UEFI that allows for a non-Microsoft ESP filesystem format. But then again, Apple’s macOS is also an officially branded UNIX®, even though it’s the least UNIX-like of all UNIX-family operating systems — its filesystems aren’t even case-sensitive.
Yes, but Apple have had their own share of like-minded misgivings; for example the 32bit boot (on a 64bit platform), effectively preventing multiboot functionality; in the early days of UEFI; clear cut artificial manipulation.
While I respect your opinion I can’t agree that your post is a solution of OP’s question in any way. It just explains your point of view on the nature of Secure Boot and solves no problem and rather tries to persuade everyone there’s no problem at all. Still, you’re sure free to think this way, no objections, let’s just get to the point where we actually suggest a solution right.
In short, @JohnnyKarate should probably just disable SB in UEFI settings and that’s it. Since he only uses Manjaro. And intends to use Linux only. And never ever ever would download and use a cool “Rescue boot CD” from some questionable / hijacked source. And would never ever boot from random USB sticks put in his PC. If so, he’d probably better to disable SB for good.
Another option would be enrolling MOK or signing Manjaro’s bootloader with own key like described here. I also happen to have my own write-up on how to achieve “Verified Boot” on Manjaro using god damned Secure Boot and TPM – these diabolic pieces of M$ crap every “true” (c) Linux user should curse and ditch (and write about it proudly), of course.
Seems like a enormous amount of work for no useful return.
@ Aragorn is correct, Secure Boot has nothing to do with Security, even though both it and the TPM chip, which it depends on, were marketed as such. It is about control of the hardware, by one company… and they nearly succeeded.
Again, this topic is not about someone’s opinion – right or wrong – about the nature of Secure Boot.
You can happily think of it whatever you want – why using this thread for this?
How come? The issue discussed it this thread is a perfect example of a security mechanism triggered by the UEFI considering some random unsinged unverified and untrusted Linux distro (Manjaro) being a threat according to current UEFI settings. Change settings – and you can set Windows or anything else considered untrusted (forbidden to boot on your machine), except your distro of choice.
This is why company-backed distros like Ubuntu, Fedora and openSUSE done that for their users. I doubt they are dumb enough to ditch the vast amount of their userbase saying something that @Aragorn says. Probably a matter of business, but could be a better awareness?
Yeah, he’s so right. No software in this world has ever been pwned, only Secure Boot, sure it is not actually secure right. RSA is safe, SHA1 is too aha… Only SB was bypassed, nobody done anything about that since… Jokes aside! Seriously, M$ wants our hardware!
OK here’s how you can understand how SB is a security actor: disable it (or, you did it already right) and boot from a USB stick with some known EFI malware / rootkit / etc thingie on it.
Or better follow e.g. CodeRush to get better idea on UEFI security.
Heck, I wasn’t going to argue on this but congrats you made me do it. Now I’d better leave the above sarcastic sentences here and leave this topic too as I’ve already done my suggestions to OP’s issue.
No, just sufficient control of x86-64 and aarch64 so as to maintain their Monopoly on the Desktop.
You are no longer actually arguing the point. Just making sarcastic comments
I’ve disable it, have had it disabled on every computer I’ve owned, since it was introduced, because I understood it’s true purpose,long before it was introduced.
…not going to make the next move. Let me guess. You never faced a situation where SB prevents you from booting something malicious? Availability bias and prejudice?
Microsoft, and other players, would have you believe it is.
If you are the only user, and you’re not likely to attempt booting with a foreign and untested boot cd/dvd/usb or OS, then there is no security risk in leaving Secure Boot disabled.
This is not an opinion; it’s simply true. Subscribing to any other school of thought is paramount to drinking the Kool-Aid.
MSI mainboards had an effectively broken UEFI implementation throughout a wide range of their product line. While I don’t have the specifics readily available, your preferred search engine should reveal something about it.
This is purely for the sake of interest, not intended to either add or subtract from your comment.
In fact, the comments from @Aragorn were moreover an historical account of the emergence of Secure Boot, rather than being simply one-man’s-take on the topic; albeit presented in a highly opiniated fashion.
Your general anti-anyone’s-opinion-but-thine-own theme begins to quickly become tiresome.
There is a technical term for this – false positive – a condition that Security industries seem to actively exploit as a part of ongoing marketing strategy.
Yes, that was an opinion; based on non-reactive observation.
If you don’t like it, I do have others.
My suggestion is to change your moniker; openminded, you clearly are not. I, like other readers of your comments, could probably think of more apt terms; but, I digress.
I got a similar feeling when I read posts of people like you. Feels like I’m talking to conspiracy theory believers or never grown up kids accusing corporations whenever they can. Time goes by, nobody took over bootloaders as you guys feared of, users are even allowed to enroll whatever keys they want, but you still say what you used to say more than 10 years ago – “scary M$ wants to take over the platform”. I remember when it started very well. I remember viruses destroying BIOS. And I’m glad M$ tries to hunt down nasty !@#$ trying to brick chips or encrypt user’s disks. You want me change my moniker lol, but I have a better idea: what about changing your CD since it’s stuck in your CD changer and been playing the same track over and over for >10 years already.
You still haven’t booted a malicious thingie with SB off (or on, it would be even better – I don’t want any harm done to your PC), so your suggestions are neglected and denied as moot.
Damn, what a comedy. Well, I had enough. Sorry for offence if you felt any – it was not intended.
And I’m glad M$ does commit to Linux kernel – without them, Linux would never be as usable as it is now. This is what open-minded-ness is, not what you think of it.
The invention of Secure Boot - more correctly labelled as Restricted Boot is generally perceived as a hostile takeover attempt - simply because it fits into the narrative.
While I don’t like anything forced onto me - the narrative that Microsoft is using it to lock out other use and proprietise the x86 architecture is most likely wrong.
Yes - there is valid reasons to restrict boot
Yes - FAT32 is used - but the fact that FAT16 works equally well - is taking the air out of that argument - so there is that.
Yes - Microsoft initiated a method of restriction
Yes - After all their systems is used billions computer systems
Yes - They require a restricted loader to protect the operating system
Yes - Microsoft created the initial certificate
Yes - they created a system which you needed to cough up a fee - but that is more likely due to prevent malicious parties from getting a certificate for they malicious loaders.
As per forum rules
bashing of other operating systems
or ridiculing them is frowned upon.
I have emphasised the phrase or any other operating systems is prohibited so you understand it includes Microsoft Windows.
Respect Other Distributions and Operating Systems
Discussion of the pros and cons of other GNU/Linux distributions and operating systems is allowed. Maligning other GNU/Linux distributions, or any other operating systems is prohibited. The entire Manjaro team is happy to volunteer their time and energy to provide you with the Manjaro Linux distribution, documentation and forums.
Kindly show respect toward the developers and volunteers of other distributions and operating systems as well.
Views, experiences and opinions are always welcome, but unproductive slander is not.
– Forum Rules - Manjaro
Availability bias and prejudice?
