With secure boot disabled, is there long term vulnerability to malicious code (on 14.10 and 15.04/Win multiboot setups)?

Your question is built upon the false premise that there are such things as "safe" and "unsafe" practices. There aren't. There are only relative measures of safety -- practice A may be more safe than practice B, but calling practice A "safe" is misleading at best.

With that in mind, Secure Boot, as the name implies, was designed to increase safety. We could debate how effective it is at doing this, but even if you're very skeptical of it, activating Secure Boot is unlikely to decrease safety, and there are at least theoretical benefits to activating it.

Ubuntu supports Secure Boot, in the sense that Ubuntu ships with a signed Shim program so that the OS can boot with Secure Boot enabled. As doug notes, Ubuntu's GRUB will boot an unsigned kernel, but that's only one possible menace to security -- a computer with Secure Boot disabled will boot any old EFI binary, even one that doesn't rely on GRUB or the Linux kernel in any way. Such a binary could be malicious, so if somebody were to install on your computer, as part of the boot process, a program that writes a megabyte of random data to random sectors on your disk with every boot, you'd be in trouble. Such a program need not rely on GRUB or a Linux kernel; it could be a standalone EFI application. Secure Boot would stand at least a good chance of blocking such a malicious program.

The change to GRUB being discussed for 16.04 will make Ubuntu work a bit more like Fedora -- with that change, Ubuntu's GRUB will launch only signed Linux kernels, not unsigned kernels. This should not make it any harder to launch Ubuntu unless you're using your own locally-compiled kernels, since Ubuntu already ships with signed kernels. In either case, with Secure Boot enabled, you need to use Shim to launch GRUB, and Ubuntu ships with a suitable Shim binary. This change, like Secure Boot, will increase safety, but will not make Ubuntu "safe" in any absolute sense.

As a practical matter, I don't know how common EFI pre-boot malware is. Such tools certainly exist for BIOS, and I've heard of demonstration programs for EFI, but I don't know if they're common "in the wild." Even if they're uncommon today, though, they could become common tomorrow, so protecting yourself makes sense. This protection takes many forms, no one of which is adequate by itself. Secure Boot can be part of that protection, as can virus scanners, firewalls, good account security practices, etc.

If you install Ubuntu properly on a system with a functioning Secure Boot system, you shouldn't even notice that Secure Boot is active -- at least, not unless or until you want to do something like compile your own kernel or use a boot program other than GRUB. Your comment that you had to adjust your "BIOS" (really EFI) settings to enable BIOS/CSM/legacy support suggests you either have a broken EFI or you did things the hard way. (There are still a lot of pages that give very bad EFI installation advice.) My own Web page on Secure Boot provides background information and practical advice on how to use it (or how to disable it). You may also want to read my page on EFI-mode Linux installations and Adam Williamson's blog post on how EFI works for more background information on EFI-mode booting generally. With a proper understanding, EFI-mode booting with Secure Boot active is not hard to handle.

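The answer's point that firmware with Secure Boot off will run any EFI binary can be checked on a running system. This is an added example, not part of the original answer: it reads the firmware's SecureBoot variable through efivarfs and reports which `.efi` files under the EFI System Partition carry no embedded signature at all. The `/boot/efi` mount point and the function names are assumptions, and a present signature is not a valid one (a tool such as `sbverify` checks validity).

```python
import struct
from pathlib import Path

# Global SecureBoot variable as exposed by efivarfs on Linux.
SB_VAR = "/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"

def secure_boot_state(var_path=SB_VAR):
    """Return 'enabled', 'disabled' or 'unknown' (BIOS/CSM boot, no efivarfs)."""
    try:
        raw = Path(var_path).read_bytes()
    except OSError:
        return "unknown"
    # efivarfs prepends 4 attribute bytes; the value is the byte after them.
    if len(raw) < 5:
        return "unknown"
    return "enabled" if raw[4] == 1 else "disabled"

def has_signature(pe):
    """True if a PE/COFF image has a non-empty certificate table (entry 4)."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not a PE image")
    (pe_off,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE header")
    opt = pe_off + 24                      # skip "PE\0\0" + 20-byte COFF header
    (magic,) = struct.unpack_from("<H", pe, opt)
    dirs = opt + {0x10B: 96, 0x20B: 112}[magic]   # PE32 / PE32+ directory offset
    (count,) = struct.unpack_from("<I", pe, dirs - 4)
    if count < 5:
        return False
    _offset, size = struct.unpack_from("<II", pe, dirs + 4 * 8)
    return size != 0

def audit_esp(esp_dir="/boot/efi"):
    """Map each *.efi file under esp_dir to 'signed', 'unsigned' or 'not-pe'."""
    report = {}
    for path in sorted(Path(esp_dir).rglob("*")):
        if path.is_file() and path.suffix.lower() == ".efi":
            try:
                signed = has_signature(path.read_bytes())
                report[str(path)] = "signed" if signed else "unsigned"
            except (ValueError, KeyError, struct.error):
                report[str(path)] = "not-pe"
    return report

if __name__ == "__main__":
    print("Secure Boot:", secure_boot_state())
    for name, status in audit_esp().items():
        print(f"{status:9} {name}")
```

The ESP is typically readable only by root, so run the script with root privileges to get a complete listing.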

Author by

Flag Bear

Updated on September 18, 2022

Comments

  • Flag Bear
    Flag Bear over 1 year

    In a nutshell: is it really a good safe idea to leave Secure Boot disabled?

    I have two laptops with Linux Mint, Xubuntu, Ubuntu 14&5, Win 10 and Win 8.1 between them. Grub 2 works fine with /, /boot and /home partitions. All this took many reinstalls and fiddling in BIOS, with legacy boot enabled (but UEFI staying on priority) on the Lenovo.

    I love my set up even though at times I need to go back into BIOS as Windows keeps reasserting itself as the priority boot.

    My question relates to the growing menace of malware, hacker exploits and the advent of new forms of attack such as rootkit and ransomware.

    I groan to think of opening cans of worms by re-enabling Secure Boot. But - perhaps it is worthwhile as a preventive measure to start experimenting and see if I can boot in Secure Boot ON mode now, before the next wave of malware starts taking advantage of those of us who have turned Secure Boot off. Is it time to start armoring up and requiring signed OS's to boot or is it still safe to leave it off and take my chances with the exploits which seem to be proliferating around the world?

    Note: both use the same MS compliant BIOS, Insyde or something like that, on HP 2000 Pentium 4 GB RAM; the other is a Lenovo 5080 i3 4 GB RAM (yes, I will be upgrading memory ASAP :-))

  • Flag Bear
    Flag Bear over 8 years
    Your extensive articles are quite useful, and actually I noticed somewhere you mentioned a hypothetical prospect of some kind of malicious code exploiting secure boot off, so with all the news of hacking last year it got me to thinking.
  • Flag Bear
    Flag Bear over 8 years
    Yes, I noticed you have a strong preference for not enabling CSM/Legacy, but I needed it on my Lenovo to boot from DVD, although I do not have it activated on my HP.