Hi
Since I had read all of this https://wiki.archlinux.org/title/Unifie … ecure_Boot I'm concerned if it is a good idea to make a secure boot installation because of the possibility of bricking the mobo. So my first question is to know which method has less possibility to break the mobo. It seems that sbctl is the favorite one, but I'm not sure if sbctl could damage the mobo.
Since this feature is not supported by the default Arch Linux ISOs, I really want to know the experiences of other people in getting a system with secure boot. Is it hard to maintain, and could it in many scenarios just need manual intervention to make the boot possible again?
As far as I know you can make your system able to have the secure boot feature after a complete installation, but nevertheless I really want to know if I'm correct. I don't know if I will just stay with the full disk encryption with TPM for the hardware, or also go with the secure boot.
Thanks in advance and cheers
Last edited by Succulent of your garden (2024-12-29 00:19:42)
The "bricking" risk comes from adding your own custom keys and then removing the factory supplied Microsoft keys because some hardware components might need the Microsoft keys to boot.
All the laptops I have owned display a firmware option to restore the Microsoft keys so I don't really see how that could "brick" a machine but that's what the warnings are talking about. EDIT: see post #4
So to implement SecureBoot without incurring the stated risk either use the shim or add your own keys and keep the Microsoft keys in the firmware.
FWIW I think sbctl will check for OpROMs and give a warning along with mitigating steps.
Last edited by Head_on_a_Stick (2024-12-29 12:32:06)
Para todos todo, para nosotros nada
Thanks for the info. Is this possible to implement if, for example, I made an Arch installation with full disk encryption and after that I want to implement secure boot? Probably I'm going to do it, but first I want to make the installation and configure the TPM.
All the laptops I have owned display a firmware option to restore the Microsoft keys so I don't really see how that could "brick" a machine but that's what the warnings are talking about.
The machines are "bricked" because you don't get any graphical output at all without the OpROM (even integrated graphics can require it) and hence cannot re-enroll Microsoft's 3rd Party UEFI CA in the Secure Boot db.
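One concrete pre-flight check for the point made in the two posts above (keep Microsoft's 3rd Party UEFI CA in db so OpROM-dependent hardware, graphics included, can still boot): an added Python example, not from this thread and not sbctl's own code, that parses the db variable's EFI_SIGNATURE_LIST chain and confirms a certificate with a given SHA-256 fingerprint is still enrolled. It assumes you supply the DER fingerprint of Microsoft's 3rd Party UEFI CA yourself (that value is not on this page); the sample db bytes and the owner GUID below are constructed.

```python
import hashlib
import struct
import uuid

# SignatureType GUID for DER X.509 certificates in db/KEK (EFI_CERT_X509_GUID).
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# efivars exposes db as 4 attribute bytes followed by a chain of EFI_SIGNATURE_LISTs.
DB_EFIVAR_PATH = "/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f"

def parse_esl(blob):
    """Walk EFI_SIGNATURE_LISTs: SignatureType GUID (16), SignatureListSize (4),
    SignatureHeaderSize (4), SignatureSize (4), header, then entries of
    SignatureOwner GUID (16) + SignatureData. Returns [(type, owner, data), ...]."""
    entries, off = [], 0
    while off + 28 <= len(blob):
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        end = off + list_size
        if list_size < 28 or end > len(blob) or sig_size <= 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST at offset %d" % off)
        pos = off + 28 + hdr_size
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            entries.append((sig_type, owner, blob[pos + 16:pos + sig_size]))
            pos += sig_size
        off = end
    return entries

def fingerprint(der):
    """SHA-256 of a DER certificate as hex, the form openssl/sbctl print."""
    return hashlib.sha256(der).hexdigest()

def db_has_cert(efivar_bytes, der_sha256_hex):
    """True if the raw db efivars contents hold an X.509 entry with this fingerprint."""
    for sig_type, _owner, data in parse_esl(efivar_bytes[4:]):
        if sig_type == EFI_CERT_X509_GUID and fingerprint(data) == der_sha256_hex:
            return True
    return False

def build_esl(sig_type, owner, cert_der):
    """Pack one certificate into a single-entry EFI_SIGNATURE_LIST (for the sample)."""
    sig_size = 16 + len(cert_der)
    return (sig_type.bytes_le + struct.pack("<III", 28 + sig_size, 0, sig_size)
            + owner.bytes_le + cert_der)

# Constructed sample db: two fake cert blobs (not real DER), made-up owner GUID, 0x27 attrs.
SAMPLE_OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")
CERT_A, CERT_B = b"constructed-cert-A", b"constructed-cert-B"
SAMPLE_DB = (b"\x27\x00\x00\x00" + build_esl(EFI_CERT_X509_GUID, SAMPLE_OWNER, CERT_A)
             + build_esl(EFI_CERT_X509_GUID, SAMPLE_OWNER, CERT_B))
```

On a real machine call `db_has_cert(open(DB_EFIVAR_PATH, "rb").read(), fingerprint(open("MicCorUEFCA.der", "rb").read()))` with the CA file you obtained yourself; a `False` before you reboot is the moment to stop and re-enroll rather than after the screen goes dark.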