I always make this one BIOS change on all my PC builds


There are countless security measures baked into your motherboard's software that help keep your entire PC safe from harm. One of these features is called Secure Boot, and it's something that can prove invaluable or troublesome depending on what the device is and how you plan to use it. Unfortunately, Secure Boot can get in the way of trying to install certain software on your system and can often interfere where it's not wanted. That's why I always disable it on all my systems.

What is Secure Boot?

It's a great feature ... for less tech-savvy users

Secure Boot is designed to add yet another layer of protection to your PC, only allowing digitally signed and trusted software and components to run during the boot stage. This prevents malicious or unauthorized software from tampering with the system before the operating system loads, which is handy as personal computers have been warring against viruses and other malware for decades. Although most malicious software will infect an operating system from other sources, thanks to the Internet, it's still possible to have your PC infected at the boot stage.

With Secure Boot enabled, the motherboard firmware checks the digital signature embedded in an EFI program before executing it. If the signature is missing, doesn't match, or is blacklisted, the program will not run. The EFI bootloader must continue to boot in a "secure manner," and the operating system should be inherently safe for the entire process to complete. This feature was first introduced on PCs running Windows 8 in 2012 and caused issues with other operating systems, namely Linux distros. Since then, some distros have added support for Secure Boot.

It's now possible to boot, install, and launch Ubuntu with Secure Boot enabled within the UEFI BIOS, although other distros, such as Arch Linux, will encounter issues even booting into a live environment. Then there are drivers and other unsigned software that may not run with Secure Boot enabled. It's handy for helping secure a system that could otherwise be infected at a low level, which could cause irreversible damage, but Secure Boot can also be a real pain in the rear end when you wish to run something not signed by Microsoft or one of its partners.

Most of the binaries loaded by Ubuntu are signed by Canonical's UEFI certificate, which is implicitly trusted by being embedded in the shim loader, signed by Microsoft. A shim binary signed by Microsoft and a grub binary signed by Canonical are provided in the Ubuntu main archive. But even with Secure Boot enabled, you can encounter problems with malicious code elsewhere within the OS.


I always disable Secure Boot

It simply gets in the way


I don't view Secure Boot as some evil attempt by Microsoft to maintain as much control over the PC market as possible. It's more of a security feature that can be more problematic than useful, especially on a system where the user is at least tech-savvy enough to install and run an operating system that's not some version of Windows. Like anti-virus software, it's better suited to those who cannot be trusted not to visit dodgy websites or download and install software from untrusted sources. I believe Secure Boot to be a great idea, just poorly executed.

I have often switched between Linux distros on my primary rig, and having Secure Boot enabled would make this more of a pain simply because I would have to ensure everything is signed before moving through the install process. And even then, any software I want to install on top of the distro would have to be signed. I could manually achieve this and get everything to work, but it takes up too much time and isn't something I particularly wish to do. I'd love to see us reach a point where Secure Boot is more useful without getting in the way of everything.

Should you disable Secure Boot? That depends on what you use the system for and what you plan to install as an OS. If you're running Windows or the OS that comes with your hardware, I recommend leaving it on. If a Linux distro you plan to use supports Secure Boot, leave it on. For everything else, it may be worth disabling Secure Boot to give you more freedom in what you can run on the PC. Just remember that Secure Boot is a useful addition to your motherboard's security arsenal and can protect the low-level parts of your system from infection.
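Before changing the setting either way, it helps to confirm what state the firmware is actually in. The script below is an added example, not part of the original article: it reads the UEFI `SecureBoot` and `SetupMode` variables that Linux exposes through efivarfs. It assumes the usual mount point `/sys/firmware/efi/efivars`; the function names and the state labels it prints are chosen here for illustration.

```shell
#!/bin/sh
# Added example: report the Secure Boot state from UEFI variables on Linux.
# GUID of the EFI global variable namespace (defined by the UEFI specification).
EFI_GLOBAL=8be4df61-93ca-11d2-aa0d-00e098032b2c

# An efivarfs file is 4 bytes of attributes followed by the variable data.
# SecureBoot and SetupMode each hold one data byte: 0 or 1.
efi_flag() {  # usage: efi_flag <efivars-dir> <name>; prints 0/1, fails if unreadable
    f="$1/$2-$EFI_GLOBAL"
    [ -r "$f" ] || return 1
    v=$(od -An -tu1 -j4 -N1 "$f" 2>/dev/null | tr -d ' \n')
    [ -n "$v" ] || return 1
    printf '%s\n' "$v"
}

secure_boot_state() {  # usage: secure_boot_state [efivars-dir]
    dir=${1:-/sys/firmware/efi/efivars}
    # No efivars directory: booted in legacy BIOS mode, or efivarfs not mounted.
    [ -d "$dir" ] || { echo "legacy-bios-or-no-efivars"; return 0; }
    sb=$(efi_flag "$dir" SecureBoot) || { echo "unknown"; return 0; }
    setup=$(efi_flag "$dir" SetupMode) || setup=0
    if [ "$setup" = 1 ]; then
        echo "setup-mode"   # no Platform Key enrolled, so signatures are not enforced
    elif [ "$sb" = 1 ]; then
        echo "enabled"
    else
        echo "disabled"
    fi
}

# Constructed sample input: writes fake variables so the parser runs on any machine.
make_sample() {  # usage: make_sample <dir> <secureboot 0|1> <setupmode 0|1>
    mkdir -p "$1"
    printf "\\006\\000\\000\\000\\00$2" > "$1/SecureBoot-$EFI_GLOBAL"
    printf "\\006\\000\\000\\000\\00$3" > "$1/SetupMode-$EFI_GLOBAL"
}

tmp=$(mktemp -d)
make_sample "$tmp" 1 0
echo "constructed sample: $(secure_boot_state "$tmp")"
echo "this machine:       $(secure_boot_state)"
rm -rf "$tmp"
```

A result of `setup-mode` deserves attention on a machine that is supposed to be protected: the firmware accepts new keys without authentication in that state, so Secure Boot is not enforcing anything even if the setup screen shows it as switched on.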
