Secure Boot in Linux: Risks and Benefits of Adopting this Anti-Malware Feature

Secure Boot is a security feature that helps protect systems from malware by allowing only signed software to run. However, most Linux distros do not support Secure Boot and need extra work by the user or developers before it works. This is because the Linux bootloader is not digitally signed with one of the certificates stored in the BIOS. A few Linux distros ship a signed bootloader, but this is not common.

An alternative approach to UEFI Secure Boot is Trusted Boot (tboot), which uses a Trusted Platform Module (TPM) instead of signatures. The TPM is a cryptographic coprocessor that can be used for secure storage, random number generation, system state reporting, and more. Unlike Secure Boot, tboot does not use signatures and does not directly stop the boot sequence. Instead, it puts the machine into a privileged and trusted state, from which it takes measurements of the OS and related components and pushes them to the TPM to be stored securely.
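The measure-and-extend model described above can be sketched in a few lines. This is an added example, not code from tboot or from the original page; the component names and contents are constructed, and a single SHA-256 PCR starting at all zeros is assumed.

```python
import hashlib

PCR_INIT = bytes(32)  # assumption: SHA-256 PCR bank, register reset to all zeros

def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM extend: new PCR = SHA-256(old PCR || measurement digest)."""
    return hashlib.sha256(pcr + digest).digest()

def measure_boot(components):
    """Measure every stage in order. Nothing is blocked: each stage is
    hashed, logged and extended into the PCR, then allowed to run."""
    pcr, log = PCR_INIT, []
    for name, blob in components:
        digest = hashlib.sha256(blob).digest()
        pcr = extend(pcr, digest)
        log.append((name, digest.hex()))
    return pcr, log

def replay(log):
    """Verifier side: recompute the PCR from the logged digests alone."""
    pcr = PCR_INIT
    for _name, digest_hex in log:
        pcr = extend(pcr, bytes.fromhex(digest_hex))
    return pcr

def first_divergence(log, golden):
    """Name of the first stage whose digest differs from the golden log."""
    for (name, digest), (_gname, gdigest) in zip(log, golden):
        if digest != gdigest:
            return name
    return None

# Constructed sample boot chains (placeholder contents, not real images).
GOOD = [("kernel", b"vmlinuz-constructed"),
        ("initrd", b"initrd-constructed"),
        ("cmdline", b"root=/dev/sda1 ro")]
TAMPERED = [GOOD[0], ("initrd", b"initrd-constructed+modified"), GOOD[2]]

if __name__ == "__main__":
    good_pcr, golden = measure_boot(GOOD)
    bad_pcr, bad_log = measure_boot(TAMPERED)
    # Both chains "boot"; the difference only shows up in the PCR value.
    print("known-good PCR:", good_pcr.hex())
    print("tampered PCR:  ", bad_pcr.hex())
    print("log replays to PCR:", replay(bad_log) == bad_pcr)
    print("first changed stage:", first_divergence(bad_log, golden))
```

Because each extend hashes the previous register value, a change to any stage, or to the order of stages, yields a different final value that a verifier can compare against a known-good one.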

Secure Boot is useful for Linux, as it can help protect the system from rootkits and other attacks that may not be detected by antivirus software. However, there are some disadvantages to using Secure Boot. For example, signing authorities may make mistakes in granting signatures or loading hashes: both bootloaders that ignore Secure Boot and boot-time malware have been mistakenly signed and released to the public in the past. Additionally, there is an element of implicit trust when using tboot/TPM, as it delves into a stratum of hardware and processor microcode that is not completely explained.

Overall, nobody uses Secure Boot on their installed Linux systems because it requires extra work to get it working, and there are some potential risks associated with it.

Some editorial notes:

There are in fact some Linux distributions that provide accessible support for Secure Boot. Nonetheless, it is not a silver bullet or a magic wand and can still be subverted. Its DRM-like nature, which hinders creative work and experimentation, is still a big flaw. The additional steps and maintenance work needed to keep a system working are also a big downside. There are a handful of people and organizations, primarily government or big-tech aligned, that do use this technology extensively.
