secure boot

Calle

secure boot

Post by Calle »

I am, like a lot of other people, concerned about privacy; it almost became an obsession at some point.

I know free software does not support secure boot[1]. Should I be concerned about this? Is it supported by some packages?

[1]https://fsfe.org/campaigns/generalpurpo ... is.en.html
Last edited by LockBot on Wed Dec 28, 2022 7:16 am, edited 2 times in total.
Reason: Topic automatically closed 6 months after creation. New replies are no longer allowed.
xenopeek

Re: secure boot

Post by xenopeek »

Out of the box, Linux Mint does not yet work with secure boot. You can disable secure boot in your computer's UEFI, which you can access as you start your computer. Your computer manual will have more information for doing that. Computers that come preloaded with Windows 8 will have secure boot enabled by default; older computers are unlikely to have secure boot enabled (or have it at all).
srs5694

Re: secure boot

Post by srs5694 »

There are definitely open source programs, and entire Linux distributions, that do support Secure Boot. The two individual programs available at the moment are:
  • Shim -- This program was developed by Matthew Garrett at Red Hat and is currently used by Ubuntu 12.10 and Fedora 18 (although Ubuntu's version is older and less flexible). Shim works by doing its own Secure Boot checks using cryptographic signatures, similar to the way secure Web sites work. EFI boot loaders, and often kernels, must be signed with a cryptographic key in order to be booted.
  • PreBootloader -- This program was written by James Bottomley of the Linux Foundation. AFAIK, it's not currently used by any Linux distribution. It works by enabling the end user to manually add CRCs of binaries to a "whitelist" of programs that are approved. This is simpler for an individual to do than the signing used by shim, but it requires the end user to take that action once for each binary, unlike shim, which can be configured in a way that requires no special actions on the part of the user.
As a practical matter, it's best for a Linux distribution, such as Mint, to include one or the other program in its package set. In this capacity, shim makes more sense but it takes more effort by the developers to set it up, and it works best if the developer is willing to shell out $100 for the right to get a custom-signed version of shim. PreBootloader is easier for a cash-strapped mini-distribution to use, and it's also likely to be easier for an individual to use with a distribution that doesn't support Secure Boot "out of the box." In such a case, it's necessary to temporarily disable Secure Boot in order to install Linux and either shim or PreBootloader. Once everything is installed, you can then re-enable Secure Boot.

In the long run, Secure Boot is likely to be nothing more than an annoying bump in the road for Linux; distributions are already beginning to include Secure Boot support (although Mint doesn't yet do so), and with a good implementation, you might not even realize that you're using Secure Boot unless you need to do something advanced like compile your own kernel. As the tools mature, Secure Boot will become more transparent even to such advanced operations.
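
One way to confirm the firmware state after re-enabling Secure Boot as described in the post above; this is an added example, not part of the thread or any poster's code. It reads the standard UEFI `SecureBoot` and `SetupMode` variables through Linux efivarfs; the function names and the sample files it writes are constructed for illustration.

```python
import struct
import tempfile
from pathlib import Path

# GUID of the EFI global variable namespace (UEFI specification).
EFI_GLOBAL = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS = Path("/sys/firmware/efi/efivars")


def read_flag(efivars: Path, name: str):
    """Return the one-byte value of a global EFI variable, or None if absent.

    efivarfs files start with a 4-byte little-endian attribute word;
    the variable's data follows it.
    """
    path = efivars / f"{name}-{EFI_GLOBAL}"
    try:
        raw = path.read_bytes()
    except (FileNotFoundError, NotADirectoryError):
        return None
    if len(raw) < 5:
        raise ValueError(f"{path}: truncated variable ({len(raw)} bytes)")
    _attributes, value = struct.unpack_from("<IB", raw)
    return value


def secure_boot_state(efivars: Path = EFIVARS) -> str:
    if not efivars.is_dir():
        return "no-uefi"          # legacy BIOS boot or efivarfs not mounted
    secure = read_flag(efivars, "SecureBoot")
    if secure is None:
        return "unsupported"      # UEFI firmware without Secure Boot
    if read_flag(efivars, "SetupMode") == 1:
        return "setup-mode"       # no platform key enrolled, nothing enforced
    return "enabled" if secure == 1 else "disabled"


def make_sample(directory: Path, secure: int, setup: int) -> Path:
    """Write constructed sample variables (attributes 0x06 + one data byte)."""
    for name, value in (("SecureBoot", secure), ("SetupMode", setup)):
        (directory / f"{name}-{EFI_GLOBAL}").write_bytes(struct.pack("<IB", 6, value))
    return directory


if __name__ == "__main__":
    print("this machine:", secure_boot_state())
    with tempfile.TemporaryDirectory() as tmp:
        print("constructed sample:", secure_boot_state(make_sample(Path(tmp), 1, 0)))
```

A result of `setup-mode` means the firmware has no platform key enrolled, so nothing is being enforced even if the setup screen shows Secure Boot as switched on.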