I dual boot with win 11, I do so for programming purposes, not gaming. I read online that the game straight up blocks Linux on all fronts (typical EA). So, I booted into win 11 and launched the beta. It still refused to start and complained that secure boot was “disabled”. Booted into BIOS and it was enabled, but not active. I had to reset the keys to the windows default keys to be able to play this game. This is a no go for me. Not giving them my money until they stop this bullshit. Just wanted to let everyone know the situation so far.
This weird hatred around secure boot is baffling to me.
Secure boot isnt even new, it’s been around for over a decade. Most Linux distros work well with it. It’s like the weird hatred with UEFI when it first became a thing.
Personally it’s not a hatred for Secure Boot itself. It’s a hatred for these companies requiring something that 1) is not necessary for their software to function and 2) offers little to no benefit for their software
I refuse to let these corporations tell me how to use my hardware. Right now, I dual boot and I want to continue to dual boot, at least for the foreseeable future.
I get irritated when people say “it’s no big deal, it’s easy to enable”, etc.
You all are just enablers.
Didn’t all these companies use the same demo keys for production anyway, negating the entire exercise? I swear I read a article saying that.
Are you saying this as someone who has gotten a self-signed key to work with their BIOS + kernel + bootloader + dual boot with windows, someone who runs a mainstream enough distro that they convinced manufacturers to ship with support for their key, or someone who doesn’t run linux with secure boot at all?
I’m literally dual booting windows 11 and Linux right now. It actually just worked. After install it just asks you to approve the key, you confirm it, and boom it’s done.
So the second option? What distro?
Ubuntu
Yeah, so that’s possible because Canonical has enough sway to get their key to play nice with manufacturers’ firmware. If you are on almost any other distro (arch included) or if you build your own kernel, it’s a headache just to get it to work at all even without dual boot. It also just might not even be possible due to a bad implementation on your motherboard (results ranging from dual boot windows refusing to boot, to a bricked motherboard).
Here’s the process for enabling secure boot for arch users. Make sure to peruse the section on dual booting.
If you’re wondering why it’s so complicated, it’s because of what secure boot is: you want to be sure you’re booting into binary that’s signed by a set of special keys. But Linux is not one binary that can be signed by Linus Torvalds, it’s a bundle of source code that is built by end-users. So if you decide to make any changes to the kernel you have on ububtu, you won’t be able to convince Canonical to sign your build, and you will need to jump through all the hoops on that arch wiki.
There are many reasons for the headache, but primarily I’d say it’s because UEFI is closed source, and msft designed Secure Boot for it, and then manufacturers didn’t care about supporting it any more than the bare minimum. And all of that together results in an ecosystem of devices that favor MSFT. That’s why Linux users don’t like secure boot.
I’m saying this as someone who has a self-signed key + kernel + bootloader + dual boot with windows. I have Arch and I dual boot windows, and the setup was literally three commands.
Enable secure boot setup mode and then do the following:
sbctl create-keysto create the keyssbctl enroll-keys -mto enroll the keys to BIOS, including microsoft keyssbctl verify | sed -E 's|^.* (/.+) is not signed$|sbctl sign -s "\1"|e'to sign everything that needs to be signed.And everything is signed automatically on an update with a pacman hook that comes by default when installing sbctl.
That wiki entry lists all the possible ways to do it, for all combinations of bootloaders and secure boot tools. You only need one of them, for example 3.1.4. which is what I just described.
Cool, good to hear!
A few questions:
I think the part that has me most spooked is the “Replacing the platform keys with your own can end up bricking hardware on some machines” warning.
As for bricking your motherboard, this only happens if your motherboard or any other component uses the microsoft vendor keys as part of the boot sequence, and it’s only really a hard brick if it’s your motherboard that uses it. If it’s any other component, you can remove it and readd the microsoft keys and it’ll work again when you add the component back.
And the key part here is replacing the platform keys. If you just always use the -m flag on sbctl enroll-keys, you’ll enroll both your own keys and microsoft’s, meaning no replacing necessary. If you always use -m, there’s no real risk really, because you’ll always add the microsoft keys that your hardware might need. Plus, if you’re dual booting with windows, you need the -m to have windows secure boot work, anyway.
If you’re extra paranoid, you can also add the -f option which should also include all the keys that your motherboard comes with by default, if it contains more than just microsoft’s keys, but this shouldn’t really be necessary.
The equivalent on phones locks you in the stock OS on most models. They didn’t pull that yet on laptops.
Some of it the hate probably amplified by cheaters and cheat makers. Though to be fair anyone can be annoyed at having to go into their BIOS and change settings…
BF6 is literally already hacked though
Sure. But that doesn’t mean Secure Boot didn’t make it harder to create a cheat or limit what kind of cheat they could create this quickly. The cheat was a wall hack one and that is one of the hardest to stop AFAIK.
Yup, seems mostly like a fear of the unknown.
I dont trust myself not to get locked out somehow.