Is it safe to disable Secure Boot?

Solution 1

Secure boot forces both Windows and Ubuntu to require that all system level drivers are "signed", proving that they are approved as authentic software. The idea is fairly good, and on Windows, Microsoft signs most of the drivers.

However, on Ubuntu, the user may require special drivers for their wireless card, video card, or specialty hardware. These drivers are normally unsigned, as they can come from a number of different sources. If secure boot is enabled, and the drivers are not signed, these drivers will not load. In order for them to load, each driver must be "signed". This process of signing the drivers is not extremely difficult, but it can be a hassle... especially if you change/update the driver, or change/update the kernel software that is a part of Ubuntu. Each change will require that you re-sign the driver.

So, imagine this... your system is running fine... you have secure boot enabled... your drivers are all properly signed... and you use Ubuntu's Software Updater and it installs a new kernel... or you install a new driver... and you reboot the system only to find that your wireless card may no longer work, your video card doesn't display properly, or your specialty hardware no longer works. Now you must recompile and re-sign all of the modules again. Not fun.

On my own system, I use 5 custom DKMS driver modules that would require re-signing after every Ubuntu kernel update. Oh my.

Short story... disable secure boot and be happy. Windows won't care, and Ubuntu will survive software updates and driver installs with less work on your part.

Solution 2

Yes, no, maybe so. This is really quite an opinionated question and not really about Ubuntu. Nevertheless, I will do my best to answer in an impartial way, so I don't start arguments and can allow you to make your own decision.

Secure Boot is a feature in Windows 8+ laptops that only allows an operating system to boot if it is signed by Microsoft. It's kind of like how Apple only allows apps and firmware that are officially signed to be installed to an iDevice. This feature can usually be turned off, but not always, which can cause issues with Linux.

The point of Secure Boot is to prevent things like rootkits and other malware from hijacking your boot process for nefarious purposes. This is where you might want to consider whether or not you should keep Secure Boot on. If you visit a lot of shady websites, without using anything like AdBlocker or Privacy Badger, then you may want to consider keeping it on, or, as zwets suggested, signing the NVIDIA module yourself. Of course, if your browsing is normal and safe, then Secure Boot is usually alright turned off.

It can also depend on your paranoia level. If you're someone who would rather not have internet, because of how insecure that has the potential to be, then you should probably keep Secure Boot enabled. If you're someone like me, who uses the same password for multiple sites, then turn it off.

There isn't much that's very special about Secure Boot. (It honestly seems like it wouldn't be all that difficult for a rootkit to bypass it.) But it really depends on how you feel about security.

Solution 3

Whether it is safe to turn off Secure Boot depends on your security requirements. However, rather than turning off Secure Boot, you could also sign the kernel module.

Here is a concise description of how to do that: https://askubuntu.com/a/768310/134479
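
The signing step this answer points to, written out as an added example (not from the original post or the linked answer): it signs the still-unsigned modules under /lib/modules/$KVER/updates/dkms with the kernel's sign-file helper, at the headers path given in the comments on this page. The MOK key and certificate file names are assumptions, and the certificate is assumed to be already enrolled with mokutil.

```shell
#!/bin/sh
# Added example: sign every unsigned DKMS module for one kernel so it loads with Secure Boot on.
# Assumptions (not from the page): MOK key/cert file names, and that the cert is
# already enrolled, e.g. with `mokutil --import MOK.der` followed by a reboot.

# The kernel marks signed modules with a 28-byte trailer: "~Module signature appended~\n".
module_is_signed() {
    [ "$(tail -c 28 "$1" | tr -d '\000\n')" = "~Module signature appended~" ]
}

# sign_dkms_modules KVER KEY CERT
# Prints the number of modules it signed; exits non-zero on the first failure.
# MODDIR and SIGN_FILE may be preset to override the default paths (e.g. for a dry run).
sign_dkms_modules() (
    kver=$1 key=$2 cert=$3
    moddir=${MODDIR:-/lib/modules/$kver/updates/dkms}
    # KVER must be the full release (e.g. ending in -generic) for this path to exist.
    sign_file=${SIGN_FILE:-/usr/src/linux-headers-$kver/scripts/sign-file}
    [ -x "$sign_file" ] || { echo "no sign-file at $sign_file" >&2; exit 2; }
    [ -r "$key" ] && [ -r "$cert" ] || { echo "key or cert unreadable" >&2; exit 2; }
    signed=0
    for mod in "$moddir"/*.ko; do
        [ -e "$mod" ] || continue            # glob matched nothing
        module_is_signed "$mod" && continue  # idempotent: skip modules already signed
        "$sign_file" sha256 "$key" "$cert" "$mod" || exit 1
        module_is_signed "$mod" || { echo "unsigned after signing: $mod" >&2; exit 1; }
        signed=$((signed + 1))
    done
    echo "$signed"
)

# Typical call after a kernel update (run as root; key paths are placeholders):
#   sign_dkms_modules "$(uname -r)" /root/MOK.priv /root/MOK.der
if [ "$#" -eq 3 ]; then sign_dkms_modules "$@"; fi
```

Keep the private key readable by root only: anyone who can read it can sign a module that your firmware-trusted boot chain will accept.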

Author: VihanAgarwal

Updated on September 18, 2022

Comments

  • VihanAgarwal over 1 year

    I just wanted to know if it is safe for me to disable secure boot for the purpose of installing the latest Nvidia Graphics Driver.

    I am running Windows 10 alongside Ubuntu 16.04 on an Acer Aspire V Nitro. They each have their own partition on the same HDD.

  • VihanAgarwal over 7 years
    This is really helpful! I do have adblock, but I visit a ton of websites with loads of adware and malware and would rather sign my package. That being said, I went over the link you posted by zwets but it wasn't specific. Could you guide me a little on how I can sign the module?
  • VihanAgarwal over 7 years
    Thanks for the input! I did read some places that after disabling secure boot some people were unable to boot Windows back! To what extent is this true? Furthermore, by disabling secure boot how probable is it that my computer gets a virus?
  • Boris Hamanov over 7 years
    I've used Windows 8, 8.1, and 10 with secure boot disabled, with no difficulty. I can't speak to others' experiences. Virus? If you have a good virus protection program, and you don't go clicking on email or web page links that try to install malware, you're probably fine. My opinion.
  • Csabi Vidó over 7 years
    Thanks for the heads up. However, I am unable to find sign-file in my linux-headers/script directory, apt-file search sign-file only returns results for kernel version up to 4.4.0-28. I found the .c file which I guess I have to compile, but my attempt with sudo make --directory=/usr/src/linux-headers-4.4.0-45/scripts/ sign-file was too clumsy (and probably ugly because of sudo make). How does one build the sign-file tool with current packages and how can the OP (he is asking in another comment) sign the Nvidia driver? Note that an updated post was published on gorka.eguileor.com.
  • zwets over 7 years
    @LiveWireBT this one had me baffled! I have no sign-file in /usr/src/linux-headers-4.4.0-45/scripts either, and yet the script I use works. Huh?! The devil is in the details: the script is in /usr/src/linux-headers-4.4.0-45-generic/scripts. I.e. to sign the modules in /lib/modules/$KVER/updates/dkms, use /usr/src/linux-headers-$KVER/scripts/sign-file.
  • Gabriel Staples over 3 years
    Thanks. Moral of the story is: just disable Secure Boot. I'm installing Ubuntu 20.04 on a new system and saw something about Secure Boot while going through the install. It confused me so I Googled and came upon this Q&A. Rebooting to BIOS/UEFI settings now to disable Secure Boot before doing the install. Sounds like it'll save me a ton of hassle in the long run. Thanks.