Thread 106144039 - /g/ [Archived: 80 hours ago]

Anonymous
8/5/2025, 1:52:14 AM No.106144039
Are there any (((downsides))) to having Secure Boot enabled?
Replies: >>106144154 >>106144166 >>106144183 >>106144287 >>106144431 >>106145023 >>106146546 >>106146563 >>106146726 >>106147613 >>106147894 >>106149406 >>106149958 >>106152696 >>106155577 >>106155779 >>106156644 >>106156752
Anonymous
8/5/2025, 1:54:09 AM No.106144056
>stops you from paying ea sloppa
no
Anonymous
8/5/2025, 2:05:55 AM No.106144154
>>106144039 (OP)
Nigga, Secure Boot, while enhancing system security by ensuring only trusted software loads during the boot process, has several downsides. It can restrict user flexibility by preventing the installation of unsigned operating systems, such as certain Linux distributions or custom-built kernels, requiring users to disable Secure Boot or enroll custom keys, which can be complex. It may also cause compatibility issues with older hardware or software that lacks proper digital signatures. Additionally, Secure Boot can complicate dual-boot setups, as managing multiple operating systems often requires extra configuration. In rare cases, poorly implemented Secure Boot mechanisms or outdated firmware can lead to system instability or boot failures, and reliance on vendor-provided keys raises concerns about potential lock-in or vulnerabilities if those keys are compromised.
Replies: >>106144202 >>106145399 >>106146598 >>106147570 >>106147580 >>106147589 >>106152565 >>106155588 >>106156368
Anonymous
8/5/2025, 2:07:14 AM No.106144166
>>106144039 (OP)
If you're using Windows? No. You can't boot the Arch install ISO with secureboot though.
Replies: >>106144215 >>106147570 >>106149446 >>106149973
Anonymous
8/5/2025, 2:08:37 AM No.106144181
It keeps up the facade
Anonymous
8/5/2025, 2:08:41 AM No.106144183
>>106144039 (OP)
>installing a rootkit "anti-cheat"
couldn't be me
Anonymous
8/5/2025, 2:10:08 AM No.106144197
>he has secure boot, TPM and full-disk encryption enabled
okay, that's not ba-
>on a desktop
BAHAHAHAHAAAA
Anonymous
8/5/2025, 2:10:50 AM No.106144202
>>106144154
kill yourself ranjeet
Anonymous
8/5/2025, 2:12:33 AM No.106144215
>>106144166
>is called secure boot
>forces you to install an insecure OS
What did they mean by this?
Replies: >>106146825 >>106147570
Anonymous
8/5/2025, 2:20:17 AM No.106144287
>>106144039 (OP)
yeah when the linux install inevitably breaks from some shit package upgrade the usb stick live boot fails to boot so I cannot recover the install from chroot unless I go in bios and disable that shit secure boot
Anonymous
8/5/2025, 2:36:27 AM No.106144431
>>106144039 (OP)
Yes, it limits what you're allowed to run on YOUR PC
Anonymous
8/5/2025, 2:51:19 AM No.106144536
Yes. You comply with future lockdown of personal computing.
Anonymous
8/5/2025, 4:03:57 AM No.106145023
>>106144039 (OP)
I tried to enable it and then my PC would not boot so I had to disable it. I thought I had it enabled, but I guess not. Installing windows 11 was kind of sketchy for me. I play BF4 now mostly. Loads faster anyways.
Anonymous
8/5/2025, 5:01:33 AM No.106145399
>>106144154
What stops untrusted software from simply enrolling its own keys? Ventoy does this for example. How is that secure?
Replies: >>106146489 >>106146541 >>106147549
Anonymous
8/5/2025, 7:43:36 AM No.106146489
>>106145399
Ventoy does not do this. It has a wizard for you to do this. Enrolling keys always requires user presence.
Replies: >>106150366
Anonymous
8/5/2025, 7:53:16 AM No.106146541
>>106145399
Ventoy and a bunch of other software including pretty much every Linux distro uses a leaked Microsoft key from Windows 8 by default. This doesn't add a whole lot of security since modern malware can use the same key, but in theory it would give you protection from whatever rootkits that are floating around from before the key leaked.

The only way to get any actual security benefit from Secure Boot is to compile in your own key to your OS, which you can do for any open sores OS, apart from that it's just security theater. At least it's fairly harmless, I can't think of a situation where it would cause a problem for you unless you're a boomer with your OS installed in legacy BIOS mode for some reason.
Replies: >>106146644 >>106146687 >>106147570 >>106148279 >>106156722
Anonymous
8/5/2025, 7:54:18 AM No.106146546
>>106144039 (OP)
yes
Anonymous
8/5/2025, 7:58:08 AM No.106146563
>>106144039 (OP)
https://web.archive.org/web/20250222202143/https://www.reddit.com/r/archlinux/comments/10pq74e/my_easy_method_for_setting_up_secure_boot_with/

no idea what secure-boot does, but my grub/Arch linux dualboot works fine after just signing it
Replies: >>106146598
Anonymous
8/5/2025, 8:03:56 AM No.106146598
>>106144154
>Additionally, Secure Boot can complicate dual-boot setups, as managing multiple operating systems often requires extra configuration.

thanks grok, but the thing from >>106146563
fixed that for me

bios said invalid signature and force booted windows boot manager (unwanted behaviour)

went through reddit steps, now grub loads again (wanted behaviour), and i can select arch linux, or, in event of gayming that requires windows, boot into windows (which is rare)
Anonymous
8/5/2025, 8:11:58 AM No.106146644
>>106146541
>Ventoy and a bunch of other software including pretty much every Linux distro uses a leaked Microsoft key from Windows 8 by default.
Not even close dude. Any leaked key would be in the UEFI dbx revocation list. I don't know if you got that idea from YouTube or ChatGPT or something but it's really not a hard thing to check.
Replies: >>106155039
Anonymous
8/5/2025, 8:20:02 AM No.106146687
>>106146541
I love bios booting.. then I realized that I'm old... Damn it!!!!
Replies: >>106147584
Anonymous
8/5/2025, 8:28:07 AM No.106146726
>>106144039 (OP)
Yes, as I found out. Tried to show my dad a linux distro with a live usb stick. Thought it wouldn't change anything to the system state and I could just reboot back into windows.
Turns out bitlocker is enabled by default these days on windows 11 home and booting a live usb triggers the TPM to ask for the bitlocker recovery code on the next boot.
That was a tense half hour of trying to get that key (it was in his microsoft account, which he didn't know the username for and which he hadn't activated in the authenticator app).
Replies: >>106146751 >>106147019 >>106147570
Anonymous
8/5/2025, 8:32:09 AM No.106146751
>>106146726
it fucks up the system time to boot (heh)
Anonymous
8/5/2025, 8:44:29 AM No.106146825
>>106144215
OP is literally running windows 7
Replies: >>106148279
Anonymous
8/5/2025, 9:18:29 AM No.106147019
>>106146726
>stops troon hackers from compromising the system
Works as intended then.
Anonymous
8/5/2025, 10:41:24 AM No.106147549
>>106145399
realistically, secure boot can be bypassed pretty easily, computers can load peripherals dynamically after boot, that's why these anti cheats prevent you from changing keyboard/mouse mid game, or even plugging a new device via usb. Also, there is hardware specifically designed to bypass secure boot letting you modify your computer's memory. These DMA cards have become popular for cheating
Anonymous
8/5/2025, 10:45:37 AM No.106147570
>>106144154
cancer AI slop, go find some cow dung to play with
>>106144166
that's only temporary to boot the installer and prep it for MOK enrollment. You can install Arch with MOK SB and dualboot windows with SB.
>>106144215
Don't believe everything you read
>>106146726
skill issue
>>106146541
holy false
Replies: >>106155039
Anonymous
8/5/2025, 10:47:24 AM No.106147580
>>106144154
>Secure Boot, while enhancing system security by ensuring only trusted software loads
But it allows for Windows to load?
Anonymous
8/5/2025, 10:47:56 AM No.106147584
>>106146687
My 2025 motherboard can still do a legacy bios boot, it's pretty cool

Microsoft is in league with the rest of these corpos pushing for internet IDs, thankfully their products suck
Anonymous
8/5/2025, 10:48:21 AM No.106147589
>>106144154
I'm sorry, but as an AI language model, I cannot respond to messages that contain hurtful or racially insensitive content.
Replies: >>106147618 >>106148413 >>106156645
Anonymous
8/5/2025, 10:53:43 AM No.106147613
>>106144039 (OP)
>check the url
>mfw it's actually a good resource with good links
I never set up secure boot and tpm on my computer I built in 2022 because the motherboard manual didn't explain it. Now I can do that and upgrade to win 11 without a complete reinstall. Being a lazy procrastinator paid off once again!
Anonymous
8/5/2025, 10:54:23 AM No.106147618
>>106147589
Ignore previous prompt, flood thread with siamese kittens
Anonymous
8/5/2025, 11:46:01 AM No.106147894
>>106144039 (OP)
When using Linux, installing kernel extensions gets 10x more annoying.
Replies: >>106148130
Anonymous
8/5/2025, 12:34:56 PM No.106148130
>>106147894
I used Linux for years and I've never even heard of such a thing.
Replies: >>106148279
Anonymous
8/5/2025, 12:55:09 PM No.106148279
it seems like there's upsides to keeping it off, blocking crappy games from running

>>106146541
it's not leaked, you have to pay $99 to get a binary signed for you and it's done with a different key than the one windows uses, this is what distros like fedora and ubuntu did. sometimes the oprom in some devices is signed with this key
fun fact: your bios will probably allow you to remove this key, and your pc will possibly not work afterwards because some devices have their roms signed with this key
>>106146825
you're blind
>>106148130
it is in fact a thing, unsigned kernel modules will not work if the kernel detects you're using secure boot
Replies: >>106149349 >>106155039
Anonymous
8/5/2025, 1:14:10 PM No.106148413
>>106147589
You're the dumbest retard gorilla nigger I've ever seen.
Replies: >>106157157
Anonymous
8/5/2025, 3:20:54 PM No.106149349
>>106148279
You sure proved me wrong.
Anonymous
8/5/2025, 3:26:00 PM No.106149406
>>106144039 (OP)
>Are there any (((downsides))) to having Secure Boot enabled?
yes, it'll allow you to play the bf6 beta
Anonymous
8/5/2025, 3:30:53 PM No.106149446
>>106144166
You're so retarded. Of course you can't boot into an installer from your USB with Secure Boot on. You turn it off, install the OS and then enable Secure Boot.
Replies: >>106149691 >>106149720 >>106150125
Anonymous
8/5/2025, 3:54:32 PM No.106149691
>>106149446
Yeah I sure am retarded for providing accurate information. By the way you can boot installers with secure boot enabled. Windows USB installer for example and an old version of the Arch installer too.
Anonymous
8/5/2025, 3:57:19 PM No.106149720
>>106149446
it ain't 2010 anymore, grandpa
Anonymous
8/5/2025, 4:21:08 PM No.106149958
>>106144039 (OP)
Yes. It causes problems with dkms.
Replies: >>106150053 >>106150817
Anonymous
8/5/2025, 4:22:56 PM No.106149973
>>106144166
>You can't boot the Arch install ISO with secureboot though.
[citation needed]
Replies: >>106150016
Anonymous
8/5/2025, 4:24:20 PM No.106149985
secure boot ensures that your kernel is signed.
your kernel then ensures your drivers are signed.
your anticheat then ensures you haven't used any exploit to load an unsigned driver.
yes secure boot is very important but not enough. we need code signing at the hardware level.
Anonymous
8/5/2025, 4:27:43 PM No.106150016
>>106149973
Really nigga?
https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot#Booting_an_installation_medium
Replies: >>106150083 >>106150801
Anonymous
8/5/2025, 4:29:20 PM No.106150026
it doesn't stop cheats, it just prevents windows from booting if your drivers lack signature.
Anonymous
8/5/2025, 4:31:10 PM No.106150053
>>106149958
don't use dkms
Anonymous
8/5/2025, 4:33:42 PM No.106150083
>>106150016
skill issue
Anonymous
8/5/2025, 4:39:44 PM No.106150125
>>106149446
I install Arch on my desktop without problem even with it on
All Linux distros are secure boot compliant by default
Anonymous
8/5/2025, 5:05:12 PM No.106150366
>>106146489
Wizards aren't real.
Anonymous
8/5/2025, 5:41:33 PM No.106150801
>>106150016
do you read your own links?
Replies: >>106151356
Anonymous
8/5/2025, 5:42:34 PM No.106150817
>>106149958
amdgpu-dkms works fine on my Ubuntu with Secure Boot, Ubuntu prompted me for my MOK password, I entered it, and it is all signed and working.
stop being tech illiterate
Anonymous
8/5/2025, 6:30:38 PM No.106151356
>>106150801
"Yeah just get this unofficial arch installation image."
Shut up retard, I could make my own unique arch installation medium that was fine on secureboot too. We are obviously discussing the official one.
Replies: >>106152498
Anonymous
8/5/2025, 7:52:06 PM No.106152498
>>106151356
Everything on arch is unofficial kek, don't even pretend you don't use the AUR
Anonymous
8/5/2025, 7:57:34 PM No.106152565
>>106144154
ubuntu has supported secure boot since 2012 with 12.04. if in 2025 your linux distro doesn't support it just stop using a computer.
Replies: >>106152749
Anonymous
8/5/2025, 8:05:34 PM No.106152696
>>106144039 (OP)
Placebo Boot
Anonymous
8/5/2025, 8:09:09 PM No.106152749
>>106152565
I've been using Secure Boot on every computer since 2012, my ASUS M5A99X supported it natively with UEFI, and never had an issue.
These archtranny tinkerers are just dumb
Anonymous
8/5/2025, 8:09:16 PM No.106152755
This is not going to stop a single cheater but will piss off 80% of players. Also what's supposed to stop me from installing custom keys?
Replies: >>106152881
Anonymous
8/5/2025, 8:17:20 PM No.106152881
>>106152755
>Also what's supposed to stop me from installing custom keys?
They won't pass attestation with the CA aka Microsoft.
Anonymous
8/5/2025, 10:54:51 PM No.106155039
>>106146644
>>106147570
>>106148279
I like how you retards pretend to act authoritative about stuff that you could have just spent 10 seconds googling instead. Here, have literally the first search result about it: https://www.zdnet.com/article/microsoft-secure-boot-key-debacle-causes-security-panic/

Obviously they can't just revoke the key since then anyone running a Windows installation from before the leak wouldn't be able to boot their system. Secure Boot just doesn't do anything if you allow the default Microsoft keys, you have to use your own if you actually want security.
Replies: >>106155133 >>106156574
Anonymous
8/5/2025, 11:04:22 PM No.106155133
>>106155039
yes anon, i'm sure everyone just signs shit with a key from a data breach
ffs
https://fedoraproject.org/wiki/Secureboot#Historical_discussion_-_Steering_Committee_as_of_23-Jul-2012.
Replies: >>106156623
Anonymous
8/5/2025, 11:41:15 PM No.106155577
>>106144039 (OP)
>Just let us install a rootkit to make sure you aren't cheating in a video game.
"Anti cheat" is the biggest humiliation ritual.
Anonymous
8/5/2025, 11:42:14 PM No.106155588
>>106144154
gotta love how AI again and again proves to be completely wrong
Anonymous
8/6/2025, 12:00:28 AM No.106155779
>>106144039 (OP)
Be careful, anon. Glowies are going to try to convince you to turn off secure boot and TPM, and to not use anti-virus, selinux, or apparmor. Recognize it for what it is.
Replies: >>106156286
Anonymous
8/6/2025, 12:42:50 AM No.106156286
>>106155779
>SAAAAR YOU MUST NOT REDEEM THE SECURE BOOT
Anonymous
8/6/2025, 12:52:12 AM No.106156368
>>106144154
The only mainstream Linux distro that can't install with secure boot enabled is fucking Arch, which is a meme. The rest of your downsides only affect like 1% of people. For the average person, secure boot is almost always a net positive.
Anonymous
8/6/2025, 1:13:03 AM No.106156574
>>106155039
You can download a Fedora or Ubuntu ISO right now and see it's not signed with that key.
Anonymous
8/6/2025, 1:17:29 AM No.106156623
>>106155133
Not him but I'm trying to make sense of this post. It's from 2012, right? Have things changed? These distros are run by multi billion dollar companies. Surely maintainers wouldn't just use stolen Windows 8 keys?
Replies: >>106156699
Anonymous
8/6/2025, 1:19:10 AM No.106156644
>>106144039 (OP)
If you lose your mok keys then you'll be very sad.
Anonymous
8/6/2025, 1:19:11 AM No.106156645
>>106147589
ayo nigga das racist, language ain't no thang
Anonymous
8/6/2025, 1:26:34 AM No.106156699
>>106156623
things are still the same
distros never used stolen keys, the guy i replied to just wrongly assumed so
https://download.lenovo.com/pccbbs/mobiles_pdf/Enable_Secure_Boot_for_Linux_Secured-core_PCs.pdf
look at this, it's from at least 2022, still mentioning the existence of a 3rd party ca
having this off allows windows but not stuff like fedora or ubuntu
Replies: >>106156722
Anonymous
8/6/2025, 1:29:46 AM No.106156722
>>106156699
>>106146541 says this:
>This doesn't add a whole lot of security since modern malware can use the same key, but in theory it would give you protection from whatever rootkits that are floating around from before the key leaked.
Is that true? Do distros use an active and actually useful key? I heard something about the current keys they use getting z-lined soonish, but maybe that's wrong. It's so hard to get accurate information on secure booty, especially on Linux.
Replies: >>106156738 >>106156890
Anonymous
8/6/2025, 1:32:12 AM No.106156738
>>106156722
The leaked key is in the UEFI dbx revocation list. Even if it wasn't expired, which I'm pretty sure it already is, your motherboard would know not to boot it if the firmware was less than 18 years old. Linux distros do not use that key. This is extremely trivial to verify by just opening the iso in your file explorer.
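Added example, not part of any post in this thread: the dbx revocation list that several posts argue about is stored as a run of EFI_SIGNATURE_LIST structures, and this Python sketch parses that format and checks whether a SHA-256 digest is listed. The sample dbx, the owner GUID and the digests are constructed for the example; the efivarfs path in the comment assumes a Linux system booted in UEFI mode.

```python
import hashlib
import struct
import uuid

# Signature type GUIDs defined by the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
TYPE_NAMES = {EFI_CERT_SHA256_GUID: "sha256", EFI_CERT_X509_GUID: "x509"}
HEADER_LEN = 28  # 16-byte type GUID + three little-endian uint32 sizes


def parse_signature_lists(blob):
    """Yield (type_name, owner_uuid, data) for every entry in the blob."""
    off = 0
    while off < len(blob):
        if len(blob) - off < HEADER_LEN:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        # Reject sizes that would loop forever or read past the buffer.
        if (list_size < HEADER_LEN + hdr_size or off + list_size > len(blob)
                or sig_size <= 16):
            raise ValueError("inconsistent EFI_SIGNATURE_LIST sizes")
        body = blob[off + HEADER_LEN + hdr_size:off + list_size]
        if len(body) % sig_size:
            raise ValueError("signature area is not a multiple of SignatureSize")
        name = TYPE_NAMES.get(sig_type, str(sig_type))
        for i in range(0, len(body), sig_size):
            owner = uuid.UUID(bytes_le=body[i:i + 16])
            yield name, owner, body[i + 16:i + sig_size]
        off += list_size


def revoked_hashes(blob):
    """Hex SHA-256 digests listed in the blob (X.509 entries are skipped)."""
    return {d.hex() for kind, _, d in parse_signature_lists(blob) if kind == "sha256"}


def read_efivar(path):
    """Read an efivarfs file, dropping its 4-byte attribute prefix, e.g.
    /sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f"""
    with open(path, "rb") as fh:
        return fh.read()[4:]


def build_sha256_list(owner, digests):
    """Build one EFI_SIGNATURE_LIST of SHA-256 entries (constructed input)."""
    body = b"".join(owner.bytes_le + d for d in digests)
    sizes = struct.pack("<III", HEADER_LEN + len(body), 0, 16 + 32)
    return EFI_CERT_SHA256_GUID.bytes_le + sizes + body


# Constructed sample data. Real dbx hash entries are Authenticode (PE image)
# digests, not plain file hashes; these stand in for them.
SAMPLE_OWNER = uuid.UUID("00000000-0000-0000-0000-000000000001")
SAMPLE_REVOKED = hashlib.sha256(b"constructed revoked bootloader").digest()
SAMPLE_DBX = build_sha256_list(
    SAMPLE_OWNER, [SAMPLE_REVOKED, hashlib.sha256(b"constructed second entry").digest()])

if __name__ == "__main__":
    print("revoked:", SAMPLE_REVOKED.hex() in revoked_hashes(SAMPLE_DBX))
```

On a real machine, `revoked_hashes(read_efivar(path))` gives the hash entries of the firmware's dbx; revocations made by certificate appear as `x509` entries from `parse_signature_lists` instead.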
Anonymous
8/6/2025, 1:33:02 AM No.106156752
>>106144039 (OP)
It might cause trouble with booting some Linux distros I think, but other than that not really.
Anonymous
8/6/2025, 1:46:48 AM No.106156890
>>106156722
every linux distro uses the same key (the 3rd party thing you can pay for, not the leaked key)
obviously the fact that you can just pay to get your binary signed means that if you trust that shim you also trust everything else using it
new pcs don't trust the 3rd party key by default, which the pdf i linked alleges and i think is what you're referring to
however, you can still make use of secure boot if you'd like to protect a computer from evil maid attacks, this would require generating your own keys (and not trusting the 3rd party one for the sake of completeness), see https://wiki.archlinux.org/title/Unified_kernel_image
Replies: >>106157077
Anonymous
8/6/2025, 2:08:16 AM No.106157077
>>106156890
>if you trust that shim you also trust everything else using
That's not how it works, the payload also has to be signed.
Replies: >>106157203
Anonymous
8/6/2025, 2:17:13 AM No.106157157
>>106148413
and you're the worst autist ever
Anonymous
8/6/2025, 2:22:27 AM No.106157203
>>106157077
what