
Secure Boot.. yay or nay?

Couldn't figure out if this should go in Hardware or Software.

Do you guys enable it In your custom PCs? What's the general practice if you're not an OEM or enterprise?

I'm tempted by the extra security, but it seems way too complicated. At least on this board. I talked to a Supermicro engineer, and he just directed me to MS's whitepapers.. which was geared toward OEMs.
 
yass

EFI: Enabled

Secure Boot: Enabled

CSM/Legacy Boot: Disabled

Legacy OProms: Disabled

Fast Boot: Enabled

Don't need to do anything other than that. The security measures are all handled automagically.

I also run two Supermicro servers in my homelab; lmk what you need help configuring if something is confusing, and I can even take screenshots of my BIOS screens for you (IPMI).
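The settings list above is what the BIOS screen shows, but the firmware also reports its real state to the OS through two UEFI variables, SecureBoot and SetupMode. The following is an added example (not code from the poster or from Supermicro) that decodes them as Linux exposes them under efivarfs; the GUID is the standard EFI_GLOBAL_VARIABLE GUID, and the byte strings passed in the usage are constructed samples. On Windows the equivalent one-liner is `Confirm-SecureBootUEFI` in an elevated PowerShell.

```python
"""
Decode the UEFI SecureBoot and SetupMode variables so you can confirm that what
the BIOS screen claims is what the firmware actually reports.

On Linux each UEFI variable is a file under
/sys/firmware/efi/efivars/<Name>-<VendorGUID>, laid out as a 4-byte
little-endian attribute bitmask followed by the raw variable data. Both of
these variables hold a single byte (1 = true).
"""
import struct
from pathlib import Path

EFIVARS = Path("/sys/firmware/efi/efivars")
EFI_GLOBAL_VARIABLE_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"

# Attribute bits from the UEFI spec (GetVariable/SetVariable).
ATTRIBUTE_BITS = {
    0x1: "NON_VOLATILE",
    0x2: "BOOTSERVICE_ACCESS",
    0x4: "RUNTIME_ACCESS",
}


def parse_efivar(raw: bytes) -> tuple[int, bytes]:
    """Split an efivarfs blob into (attributes, data)."""
    if len(raw) < 4:
        raise ValueError("efivarfs file too short for the 4-byte attribute header")
    (attrs,) = struct.unpack_from("<I", raw, 0)
    return attrs, raw[4:]


def attribute_names(attrs: int) -> list[str]:
    """Human-readable names for the attribute bits that are set."""
    return [name for bit, name in ATTRIBUTE_BITS.items() if attrs & bit]


def boolean_var(raw: bytes) -> bool:
    """SecureBoot and SetupMode are each defined as one UINT8, 0 or 1."""
    _attrs, data = parse_efivar(raw)
    if len(data) != 1:
        raise ValueError(f"expected 1 data byte, got {len(data)}")
    return data[0] == 1


def secure_boot_status(secureboot_raw: bytes, setupmode_raw: bytes) -> str:
    """Combine both variables. SetupMode=1 means no Platform Key is enrolled,
    so the firmware cannot enforce anything regardless of the SecureBoot byte."""
    if boolean_var(setupmode_raw):
        return "setup mode (no Platform Key enrolled; nothing is enforced)"
    return "enforcing" if boolean_var(secureboot_raw) else "disabled (user mode)"


def read_var(name: str, guid: str = EFI_GLOBAL_VARIABLE_GUID) -> bytes:
    """Read one variable file from efivarfs (needs a UEFI-booted Linux)."""
    return (EFIVARS / f"{name}-{guid}").read_bytes()


if __name__ == "__main__":
    try:
        print(secure_boot_status(read_var("SecureBoot"), read_var("SetupMode")))
    except FileNotFoundError:
        # Missing variables usually mean a CSM/legacy boot or efivarfs not mounted,
        # so fall back to a constructed sample: attrs 0x6, SecureBoot=1, SetupMode=0.
        sample_sb = b"\x06\x00\x00\x00\x01"
        sample_setup = b"\x06\x00\x00\x00\x00"
        print("efivars not available; constructed sample says:",
              secure_boot_status(sample_sb, sample_setup))
```

The point of reading SetupMode as well: a board that shows "Secure Boot: Enabled" but has no PK enrolled (SetupMode=1) is not enforcing anything, which is exactly the situation the "default keys" question in this thread is about.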
 
He told me the default keys are just for "tests" and that I shouldn't use them.

And when I installed Windows with the defaults enabled, it somehow broke the SM "Booster" app (for overclocking). It wouldn't even launch. This is crazy stupid. I like the hardware, but not the rest.

edit: Not to mention that this Booster app didn't even work at all at first. The version on their site is broken and not even meant for this board. So he linked me to a private SFTP server to get a different build (he even gave me a private password where I could snoop around SM team members' directories. I'm glad it works, but another example of craziness).
 
Keep EFI and Fast Boot enabled, kill Secure Boot.
As someone who tries different Linux distros, I hate Secure Boot.
 
Maybe a good idea, just in case I want to use that down the road. Seems like BSD doesn't play well with it either.
 
You can use the default keys, but the reality and logic behind using them need to be understood before accepting the risk; they are generally as follows.

Manufacturers do not usually disclose Secure Boot key configs, but they are usually the following or a combination of:

-Keys are generated per machine
-Keys are generated per model
-Keys are generated per series

In any case, if the private key is stolen, while it puts the boot chain at risk, it is no more at risk than if you had your own personal key stolen. I am basing this on the companies trying harder than you to safeguard data.

That said, I do not have experience with SM Booster since I run server platforms, but I would be curious to know what settings are set/modified on your board, since Secure Boot does not (or should not) touch software interfaces with the platform. For example, Gigabyte Aorus overclock or w/e it's called works fine on my wife's system with Secure Boot + UEFI. The same goes for XTU on my system.

Keep EFI and Fast Boot enabled, kill Secure Boot.
As someone who tries different Linux distros, I hate Secure Boot.

Odd, I run fleets of Linux servers, and while I can attest that BSD has a hard time, as long as I'm not using super unknown distros I have had no problems.
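Whether the enrolled keys are "per machine, per model or per series" is something you can check rather than guess: the PK, KEK, db and dbx variables are all sequences of EFI_SIGNATURE_LIST structures, each entry tagged with a SignatureOwner GUID, so you can see which authorities a board actually trusts and whether they are Microsoft's, the vendor's, or your own. The following is an added example (not the poster's code, and not a Supermicro or Microsoft tool) that parses that format. The structure layout and the signature-type GUIDs come from the UEFI specification; the Microsoft owner GUID is the one Microsoft uses as SignatureOwner on its published db/KEK entries; the vendor owner GUID, the "certificate" bytes and the hashes in the sample are constructed placeholders, not real keys.

```python
"""
List which signing authorities are enrolled in a UEFI Secure Boot database
(db = allowed, dbx = forbidden; PK and KEK use the same encoding).

Layout (UEFI spec, "Image Execution Information Table" / Secure Boot chapters):

  EFI_SIGNATURE_LIST {
      EFI_GUID SignatureType;        # X.509 cert, SHA-256 hash, ...
      UINT32   SignatureListSize;    # whole list including this header
      UINT32   SignatureHeaderSize;  # usually 0
      UINT32   SignatureSize;        # size of each EFI_SIGNATURE_DATA below
      UINT8    SignatureHeader[SignatureHeaderSize];
      EFI_SIGNATURE_DATA Signatures[];
  }
  EFI_SIGNATURE_DATA { EFI_GUID SignatureOwner; UINT8 SignatureData[]; }

EFI_GUIDs are stored in the mixed-endian Windows layout, hence bytes_le below.
"""
import hashlib
import struct
import uuid
from pathlib import Path

EFIVARS = Path("/sys/firmware/efi/efivars")
EFI_IMAGE_SECURITY_DATABASE_GUID = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"

EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
SIG_TYPES = {EFI_CERT_X509_GUID: "x509", EFI_CERT_SHA256_GUID: "sha256"}

# SignatureOwner GUID Microsoft uses on its published db/KEK entries.
MICROSOFT_OWNER = uuid.UUID("77fa9abd-0359-4d32-bd60-28f4e78f784b")

HDR = struct.Struct("<16sIII")  # SignatureType, ListSize, HeaderSize, SignatureSize


def parse_signature_lists(blob: bytes) -> list[dict]:
    """Walk every EFI_SIGNATURE_LIST in blob and return one dict per entry."""
    entries = []
    off = 0
    while off < len(blob):
        if len(blob) - off < HDR.size:
            raise ValueError(f"truncated EFI_SIGNATURE_LIST header at offset {off}")
        type_raw, list_size, hdr_size, sig_size = HDR.unpack_from(blob, off)
        if list_size < HDR.size + hdr_size or off + list_size > len(blob):
            raise ValueError(f"bad SignatureListSize {list_size} at offset {off}")
        sig_type = uuid.UUID(bytes_le=type_raw)
        body = blob[off + HDR.size + hdr_size: off + list_size]
        if sig_size < 16 or len(body) % sig_size:
            raise ValueError(f"{len(body)} signature bytes not a multiple of {sig_size}")
        for i in range(0, len(body), sig_size):
            owner = uuid.UUID(bytes_le=body[i:i + 16])
            data = body[i + 16:i + sig_size]
            entries.append({
                "type": SIG_TYPES.get(sig_type, str(sig_type)),
                "owner": str(owner),
                "owner_is_microsoft": owner == MICROSOFT_OWNER,
                "size": len(data),
                # for x509 this is the certificate fingerprint; for sha256 it is a hash of the hash
                "sha256": hashlib.sha256(data).hexdigest(),
            })
        off += list_size
    return entries


def build_signature_list(sig_type: uuid.UUID, owner: uuid.UUID, payloads: list[bytes]) -> bytes:
    """Encode one EFI_SIGNATURE_LIST (used here to construct sample input)."""
    sig_size = 16 + len(payloads[0])
    if any(16 + len(p) != sig_size for p in payloads):
        raise ValueError("all payloads in one list must have the same size")
    body = b"".join(owner.bytes_le + p for p in payloads)
    return HDR.pack(sig_type.bytes_le, HDR.size + len(body), 0, sig_size) + body


def owners_summary(entries: list[dict]) -> dict[str, int]:
    """Count entries per SignatureOwner so vendor vs Microsoft vs self-enrolled is visible."""
    counts: dict[str, int] = {}
    for e in entries:
        counts[e["owner"]] = counts.get(e["owner"], 0) + 1
    return counts


def read_db(name: str = "db") -> bytes:
    """Read db/dbx from efivarfs, dropping the 4-byte attribute header."""
    return (EFIVARS / f"{name}-{EFI_IMAGE_SECURITY_DATABASE_GUID}").read_bytes()[4:]


# Constructed sample: one Microsoft-owned "certificate" (placeholder bytes, not DER)
# and two vendor-owned SHA-256 hashes under a made-up vendor owner GUID.
VENDOR_OWNER = uuid.UUID("00000000-0000-4000-8000-000000000001")  # placeholder
SAMPLE_DB = (
    build_signature_list(EFI_CERT_X509_GUID, MICROSOFT_OWNER, [b"\x30\x82" + b"A" * 40])
    + build_signature_list(EFI_CERT_SHA256_GUID, VENDOR_OWNER,
                           [hashlib.sha256(b"tool-1").digest(), hashlib.sha256(b"tool-2").digest()])
)

if __name__ == "__main__":
    try:
        blob = read_db("db")
    except FileNotFoundError:
        blob = SAMPLE_DB  # not UEFI-booted Linux: show the constructed sample instead
    for e in parse_signature_lists(blob):
        tag = "microsoft" if e["owner_is_microsoft"] else "other"
        print(f"{e['type']:6} owner={e['owner']} ({tag}) {e['size']} bytes {e['sha256'][:16]}...")
    print(owners_summary(parse_signature_lists(blob)))
```

On Windows the same bytes come back from `(Get-SecureBootUEFI -Name db).Bytes` in an elevated PowerShell and can be fed to `parse_signature_lists` as-is. If the only db entries are Microsoft-owned and the PK owner GUID is shared across every board of that model, that is what the "per model" case in the post above looks like in practice.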
 
I had nothing but default settings on a fresh install (which is just turbo boost).

I was thinking, however, that maybe it needed to be installed in Administrator mode? I didn't test that out.. and got pissed and reinstalled Windows eventually. lol. It works fine just installing normally without Secure Boot on.
 
oh, did you try to turn on secure boot after the OS install or something?
 
I use it. For the same reason I use AV software. It's not very likely that either is doing me any good. But they could...in theory. So I feel like it's kinda stupid not to...if you can. Shit happens.
 
Read what it is:
https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-secure-boot
Secure boot is a security standard developed by members of the PC industry to help make sure that a device boots using only software that is trusted by the Original Equipment Manufacturer (OEM). When the PC starts, the firmware checks the signature of each piece of boot software, including UEFI firmware drivers (also known as Option ROMs), EFI applications, and the operating system. If the signatures are valid, the PC boots, and the firmware gives control to the operating system.
I don't need MSI/Asus/Dell/HP/Lenovo/Gigabyte/etc. telling me what I can and cannot run on my hardware. I don't usually turn it off immediately but the moment I run into an issue with it (which is often), I turn it off.

It's not "secure boot" so much "daddy-has-my-keys boot"
 
What issues have you run into?

Yeah, I know what you mean. It feels restrictive.. although I'm not sure to what end (some would say it's another grab at monopoly by MS. I really don't know). Mind you, I wasn't using PC desktops for a long while, so I've been pretty ignorant about developments or modern know how. I used Macs a lot during the 2000s then PC laptops (which were built for me, of course). So I'm completely at a loss with this. This is not like PC building of the old days :\
 
Please, it's not that bad at all. This isn't some kind of spy regime. This just makes sure non-modified UEFI drivers and firmware are being used. If you choose to modify your firmware you need to disable Secure Boot, but don't pretend this is some kind of evil scheme. This is important for high security environments and systems. Not to mention you seriously overplay it by only mentioning a few AAA companies.

Interestingly far more have a say in the design of the standard. Including Linux companies.

https://www.uefi.org/members
 
Linus doesn't seem to be a fan. :p

https://lkml.org/lkml/2018/4/3/674

".. maybe you don't *want* secure boot, but it's been pushed in your
face by people with an agenda?

Seriously.

Linus"
 
Two things.
First, it was heavily pushed by Microsoft.
Second, by mistake Microsoft published the master key, and is now public.

Secure Boot is useless, and was pushed to avoid people changing the preinstalled OS.
 
What issues have you run into?
Trying to run anything pre-OS, including Active KillDisk (not a problem since they updated to TinyCore Linux, which is signed) or even BIOS updates that aren't started through the UEFI BIOS.

It feels restrictive.. although I'm not sure to what end (some would say it's another grab at monopoly by MS. I really don't know).
It's made by OEMs for OEMs. The less the user modifies with the system, the easier service and support is for them. It's not really a problem as long as they provide an option to turn it off. The moment that is gone...
 
You mean his opinion? Sure, you can take it at face value I guess, but Linus is a programmer that doesn't like changes that make him work super hard. Or the business that is the PC industry; however, that doesn't mean UEFI is forced on you. Let's take a look.

https://www.uefi.org/faq said:
CAN ALL SYSTEMS DISABLE UEFI SECURE BOOT?
While it is designed to protect the system by only allowing authenticated binaries in the boot process, UEFI Secure Boot is an optional feature for most general-purpose systems. By default, UEFI Secure Boot can be disabled on the majority of general-purpose machines. It is up to the system vendors to decide which system policies are implemented on a given machine. However, there are a few cases—such as with kiosks, ATM or subsidized device deployments—in which, for security reasons, the owner of that system doesn’t want the system changed.

incidentally it appears you and I and ford can disable it on our systems. Still not feeling the chains.
 
He doesn't just say that though. He goes on about already trusting "his" kernels. Which is to say, I think he puts the impetus of security on himself.

We're not all developers, but that's probably a good rule of thumb for anyone.
 
If that's how you interpret it. Back to the issue at hand: if Secure Boot doesn't work with the software you would like to run and you have the option to shut it off, yay free market. Glad you got it sorted.

As for the deeper train wreck that is "to enable or disable", that's not what was asked, and like an argument about using AV software that blocks legit software and whether or not that means one /should/ use AV software, that circle jerk can go on forever. Glad you're firing on all cylinders.
 
Yeah, between having this feature and SM's OC utility, I'll take the latter. I just wondered what I'm really sacrificing. It's hard to tell.

I'm sure Linus has more concerns going on than that.. and more than just Windows or even PCs (Arm uses it too, right?). Just thought it funny you mentioned Linux, since I ran across that opinion earlier.
 
You'll know when you need to turn it off because trying to use boot software that should work, doesn't work.

You wouldn't believe how often I boot into FreeDOS or MS-DOS to do stuff and Secure Boot doesn't allow that. Thing is, not many people do and those people can leave it on and never even notice.
 
Seems like Debian doesn't have secureboot support either. Huh. That's not an unknown name.
 
Honestly, I never really turned it on. There wasn't much of a point, ever, and quite often I'm installing this or that Linux distro...
 
I think that was their way of saying "F*** you!" to Secure Boot. Ubuntu has support.
 
I just discovered a new thing. The Windows "Core Isolation" feature (seemingly can't even turn it off without reg editing) actually prevents VirtualBox and others from running. lol.

Just seems like it's all part of the same MS shenanigans. They just want you to use Hyper-V, I think (that or not dual booting). Which I have, but it's kind of B.S. to do this.

I can almost appreciate them wanting their own platform.. like Apple.. but not a damn PC. Go do it to ARM.
 