Use UEFI Secure Boot NOW! 

I think that secure boot is cool but it sucks that it's a pain to set up if you're using Linux unless your distro specifically supports it

There are a few things I don't like about Secure Boot. For people that use/need hibernation support, that is gone with secure boot. There are patches to use a TPM to sign the image but it will be a pain. Microsoft basically owns the entire Secure Boot space, even the Shim loader has to be signed by Microsoft. (Although I think some UEFI installations allow you to remove factory keys) But the biggest issue is probably that it's benefits are questionable. The Shim loads a OS that is signed by a user installed key (MOK). The key can be installed via a command from the OS, so there is actually not much from stopping malware from adding the attackers key to the MOK storage region (since the OS can install a mok, the storage region is not locked down). Afaik this was already done by the BlackLotus bootkit where part of it's installation process involved adding the attackers MOK to NvRam so that the shim would load that Bootkit. It should also be mentioned that UEFI doesn't really authenticate hardware, there are also a ton of other things like Measured boot via a TPM which doesn't really have much to do with Secure Boot. The Hardware/Firmware image authentication is usually done by things like Intels Boot Guard which is a another layer down, preventing the CPU from initializing if the firmware itself isn't signed. This is actually bad in my opinion because it prevents users from installing open source firmware like coreboot or edk2 based firmware. There is currently no solution to run open source firmware if Boot Guard is enabled which is why manufacturers like System76, StarLabs, Purism don't use it.

I just wanted to say that Secure boot has been mandatory on all my laptops for the past 2 years, secure boot + a password to your bios = good luck on doing whatever on my laptop if you steal it I use Arch btw

I enabled secure boot on my system. It's a dual boot of Windows 11 and KDE Neon, both work with secure boot, altough I did have to run 'dpkg-reconfigure nvidia-dkms', because I have an Nvidia GPU. Then I could reboot and enroll the key for it, so that the nvidia driver would boot successfully. I also had to enroll a key for HackBGRT, because I modified the Windows boot logo.

Secure boot is great but what are the chance you get infected with a rootkit

You have some good points but I think you (vastly) overestimate Secure Boot's actual efficiency, and understimate how easy it is to bypass. Realistically, considering I will myself make a lot of modifiications to my boot code and how trivial the process of enrolling new keys is anyway, I can't see Secure Boot reducing my attack surface enough to justify the pain of managing it in a responsible way. Especially since your solution is to advice people to force-inject the signature everytime you need to, which would eventually lead the unaware user to validating malicious code himself anyway just to get their computer to boot. At least you need to explain that signing your own kernel builds without proper and educated review of the modifications made totally undermines its point, before leaving people to tinker with a wrongful feeling of security ^^"

Could we see a tutorial of how to enable Secure Boot with Arch Linux?

Secure boot is a headache because I couldn't get arch installed with it enabled (wouldn't even boot from usb) the reason? idk but disabling secure boot fixed it, I also don't have tpm 2, not even in software mode because my mb just doesn't have it, while they are meant as security measures they're most of the time just an awful waste of time (either you work by default or be opt in), the best security measure is not being a dumbass on the internet. I recommend disabling secure boot because unlike your video says it's still a problem to this day if you're not using windows and some distros (most that aren't ubuntu and fedora) require manual implementation from the user.

I will say this. Setting up Secureboot can be a nightmare. I have setup Fedora + Nvidia proprietary drivers + secureboot in the past, and at least at that point, the process with mokutils etc wasn't documented properly at all. I had to stitch together a few guides for much older Fedora versions and other guides to make it work. These days I've got a Framework laptop with an Archbased distro, and I can just use 'sbctl' to manage secureboot. Its SO MUCH EASIER than mokutil was. Just not sure if this would work on any Laptop. I think this goes into what you were talking about. The framework as great Linux Support, and it's UEFI supports setting the platform keys (? Or one of these, the one that has Microsoft keys by default). But still that setup, while at least nicely documented, wasn't without issues. I set this up with other stuff, and then realized that my docking station and ethernet adapter were not working. Turns out you better install the Microsoft keys too if you want support of much of these things, after I did that on a hunch, they suddenly started working again.

Great job! Thank you!

Hey Trafotin...what are your thoughts on the recent changes to the RedHat universe? Think we can trust RHEL/IBM to keep putting out a good Fedora DE??

Hey thanks for the contribution! That's something that i really wanted to do for my Linux. And after some study of the scripts. Which is the execution order for the scripts? Because I can't find it on the GitLab repo. Thanks.

Great job yet again Mr Matt but what Game Emulators do you use on your Linux Pcs Hope you can make a video about them sometime in the future

I dual boot windows 11 and Fedora 37 (I haven’t upgraded to 38 yet). On Fedora I haven’t installed any extra drivers (for WiFi). So can I turn on Secure Boot and expect no issues?

I also enable TPM as well.

You had some pretty crazy opinions but I don't remember what they were. I did subscribe because you made pretty good videos though.

I don't think that an OS interacts with hardware through BIOS. The only role of BIOS is to do POST operation and then hand over the control of HW to OS.

As a archlinux user, secure boot is a bit hard 1 of 2 reboot or shutdown it possible that your system don't boot at all with a great led on while boot on my motherboard. so yes i want to know how it possible to add mok key to bios for every OS that i use on my computer depend on my need it's really annoying because i use esxi vmware for server case, archlinux for more day to day workload and finally an tailOS to do some osint stuff and forensics and also truenas to move like 1Tb of data oven networking while keep a great speed. one general script that work for all could be good in my case as this 3 OS work completly diffetrent even in their file system and syscall.

Thanks

I have been using secure boot with Garuda Linux and I have had no issues.

Hey Trafotin will be making a short video of your recent live video " fedora silverblue and distrobox"

I use MBR boot (no uefi and no efi) if possible.

Good video.

I like how you are making that "villager noise" after sentence.. cute.. anyways I struggle making secure boot to work after I modified my vbios on my amd card *sadge*

If turned on, I cannot install debian, so I turned it off

Hello, thank for your video you gain a new subscriber and do you know how do add secure boot for kali and parrot Linux I need them but i need to disable secure boot so is there to add for kali and parrot Linux?

People are told to disable secure boot because secure boot is simply an annoying obstacle to work around. The security benefits are slim to none on a system that isn't completely locked down like these freakish modern windows kernels are.

Secure boot doesn’t run with arch based os but ubuntu can run with secure boot

Thank you for this video. I've struggled to get Linux users to understand why secure boot is important and that distros that say to disable it are unsafe.

Understood. The channel is backed by Microsoft

Hell no, Arch, most Linux distros and the BSDs does not come with secure boot enabled by default or supported at all.

Not if you use Linux, secure boot can and will cause problems. Better way just update BIOS and have at least setup if not admin password for uefi/BIOS.

It makes sense in one way but its also a lame solution in another. It's good if you use a normie operating system where its just a product and what you get is what you get. But making it so i have to do stupid script bs in order to install third party kernel stuff or even modify my own kernels is stupid. This is a constant game of manufacturers trying to add encryption to every process of computing. Its defence by locking everything down. In a way its kind of lazy. This is why Apple are "ahead" in this space. Their philosophy is to lock down their devices as much as possible. So much of this security shit is smokescreen for taking power away from the user.

Great info! But hackers can hack into my computer if they really want to. I make sure that I don't have anything SUPER important or SUPER private. So hack away..I think they will get bored very soon. Or maybe not..they might find some of my downloaded movies entertaining. No system is hack proof. Hope that you don't get hacked. But if you assume that you will get hacked, then you should keep the important stuff offline and off the internet.

No

This is a really important vid for Linux newcomers like myself. Thank you. How well does Debian handle self-signed secure boot keys? Ubuntu sounds like the convenient option

Nightmare nightmare nightmare

Garuda Linux does not have secure boot

Mostly I did not understand anything , only a little bit on the last part of your video... So , generally is good to have UEFI and Secure Boot enabled, this I understood. Regarding UEFI this I think is depending on your hardware. If you have an old laptop/PC , you don't have UEFI and Secure Boot .... If it is newer hardware , is good to have CSM option in BIOS disabled and Secure Boot enabled. If you install only Windows 10/11 on your computer, ENABLE ! Secure Boot and DISABLE ! CSM on BIOS. Then install Windows and .... finish with / can forget about Secure Boot ... The problems appear when you DUAL BOOT , Windows 10 and Linux on an UEFI with Secure Boot ENABLED ! computer , and on the same SSD / HDD ( Windows 10 + Q4OS Linux my case ...) Maybe you can do some videos in this regard .... on a REAL computer, not on a VM ..... I like your "hmmm"-s after a sentence .... Kind of original 🙂

Microsoft shill 🤓🤓

Good video. Why are Linux and Windows so far behind Mac and mobile devices? How could Linux and Windows improve so that they are not so far behind Mac and mobile devices?

This RU-vid video could never be more wrong. Windows has been shown numerous times to have countless more vulnerabilities than Linux despite having secure boot enabled making it the most useless piece of security device on your system. If signing your drivers using boot keys is the only way to get your gpu to work, then all that takes is malware to go inside and replicate that making that entire concept useless. It's all about practicing hygiene when surfing the web and not trusting corporations to do everything for us. And yes I mean not entrusting Microsoft to automatically install updates. But if we don't do that, they block admin privileges because "it's for your own safety." It is merely just to get out of responsibility while trying to control how we operate our devices. Not only that, people that don't have TPM enabled have reported performance improvements and less headaches when installing distros. Telling Linux users that secure boot have security benefits is like telling others that spaghetti can cure cancer. There's always going to be that one person to fall for it. But in the end, it's just snake oil. Btw If Linux is playing catch up, why are people switching to it from Windows?

WTF is "Thrid-party operating systems like Linux" xddd like why microsoft's bullshit should be the "first party"

My WiFi driver doesn't work with secure boot, so there's not much I can do.

metaverse avatars are fucking creepy

Great job yet again Mr Matt but what Game Emulators do you use on your Linux Pcs Hope you can make a video about them sometime in the future