LinuxQuestions.org
Old 08-08-2019, 12:43 PM   #1
verndog
Member
 
Registered: Oct 2007
Posts: 279

Rep: Reputation: 68
Secure Boot on or off ?


Since buying this new computer I have left Secure Boot on.
Ubuntu, Fedora and a few others have signed shims.

But Arch among others do not, so it's a pain working with Secure Boot. In fact I just don't install them because I don't understand Moky or whatever it is.

My question is: does anyone else have Secure Boot turned off and have Windows installed on a partition? I have no desire to use a VB.

Right now is the first time I turned it off, and Windows 10 boots up okay, just concerned about security.

I've read that hackers have a workaround regarding Secure Boot.

Any thoughts on the subject?
 
Old 08-09-2019, 06:37 AM   #2
business_kid
LQ Guru
 
Registered: Jan 2006
Location: Ireland
Distribution: Slackware, Slarm64 & Android
Posts: 16,455

Rep: Reputation: 2353
Nothing inspired really. I have a 2013 laptop, which came with windoze 8 and was an absolute PITA over secure boot. Windows booted, but Linux at the time was still at the "Sh%&@! What is this?…" stage with UEFI development and there was some alpha stuff out there where you got lost in the instructions. My solution was to buy an SSD, junk the Windows 8 which had committed hara-kiri trying to update to 8.1, partition the SSD with fdisk because my BIOS defaulted to UEFI with a GPT disk and go. I think there's a 2TB limit on MBR, but that doesn't freak me. I kept the Windows disk for a few years but never went back.

UEFI reminds me of Bluetooth. Both are supposed to be ultra-secure, and both provide massive difficulties for users. And as they are stationary sitting ducks for hackers, you can bet they have found ways in.

UEFI is a good preventative for Windows boot viruses, but it's a long time since I did much with Windows except run it in a VM.
 
Old 08-09-2019, 11:57 AM   #3
verndog
Member
 
Registered: Oct 2007
Posts: 279

Original Poster
Rep: Reputation: 68
Secure Boot and UEFI are completely different things.
If you have GPT drives you need an ESP installed.

My question was on Secure Boot only. I have Windows installed on a partition along with several Linuxes.
 
Old 08-09-2019, 12:17 PM   #4
zeebra
Senior Member
 
Registered: Dec 2011
Distribution: Slackware
Posts: 1,834
Blog Entries: 17

Rep: Reputation: 643
Quote:
Originally Posted by verndog View Post
Since buying this new computer I have left Secure Boot on.
Ubuntu, Fedora and a few others have signed shims.

But Arch among others do not, so it's a pain working with Secure Boot. In fact I just don't install them because I don't understand Moky or whatever it is.

My question is: does anyone else have Secure Boot turned off and have Windows installed on a partition? I have no desire to use a VB.

Right now is the first time I turned it off, and Windows 10 boots up okay, just concerned about security.

I've read that hackers have a workaround regarding Secure Boot.

Any thoughts on the subject?
Honestly. Long term it is way better to only run GNU/Linux from your boot and then run Windows 10 or whatever version in a virtual machine.

I ran multi boot for many years, first Windows with second boot Linux, then Linux with second boot Windows. Then I just skipped Windows altogether. Whenever I use Windows I use it in a virtual machine. It works the same as a regular boot, sometimes faster, and sometimes slower. I rarely use Windows.

Anyways, as I said, it's probably well worth skipping the multi boot period and just jump in the water and only run GNU/Linux and have Windows in a virtual machine if needed.
 
Old 08-09-2019, 04:26 PM   #5
verndog
Member
 
Registered: Oct 2007
Posts: 279

Original Poster
Rep: Reputation: 68
Can't run Windows in VB. Need the hardware to run certain programs. VB won't work. I keep hearing the same advice about VB. If I didn't need the hardware, which VB doesn't work with, I wouldn't use Windows.
 
Old 08-09-2019, 04:33 PM   #6
Timothy Miller
Moderator
 
Registered: Feb 2003
Location: Arizona, USA
Distribution: Debian, EndeavourOS, OpenSUSE, KDE Neon
Posts: 4,007
Blog Entries: 26

Rep: Reputation: 1522
I have secure boot turned off on all my machines. It's only useful if an attacker has physical access to your machine, and at that point, IMO, it's already too late even if you DO have secure boot turned on. So since I like to distro-hop and several distros don't (or didn't) supply signed shims by default, secure boot is off and I've never run into issues.

IMO, encrypted /home > secure boot. Though neither is unbeatable.
 
Old 08-09-2019, 08:15 PM   #7
verndog
Member
 
Registered: Oct 2007
Posts: 279

Original Poster
Rep: Reputation: 68
Quote:
Originally Posted by Timothy Miller View Post
I have secure boot turned off on all my machines. It's only useful if an attacker has physical access to your machine, and at that point, IMO, it's already too late even if you DO have secure boot turned on. So since I like to distro-hop and several distros don't (or didn't) supply signed shims by default, secure boot is off and I've never run into issues.

IMO, encrypted /home > secure boot. Though neither is unbeatable.
Do you also have Windows installed? Thanks for the thought though.
 
Old 08-09-2019, 08:27 PM   #8
Timothy Miller
Moderator
 
Registered: Feb 2003
Location: Arizona, USA
Distribution: Debian, EndeavourOS, OpenSUSE, KDE Neon
Posts: 4,007
Blog Entries: 26

Rep: Reputation: 1522
On one system, yes. Most of my systems are Linux only. But I do have Windows 10 dual booting with Debian 10 (was 9 when it was installed).
 
Old 08-09-2019, 09:43 PM   #9
ntubski
Senior Member
 
Registered: Nov 2005
Distribution: Debian, Arch
Posts: 3,786

Rep: Reputation: 2083
Quote:
Originally Posted by verndog View Post
Right now is the first time I turned it off, and Windows 10 boots up okay, just concerned about security.
As far as I know, Secure Boot just protects you from malware modifying the kernel. But malware can already do all sorts of bad things without modifying the kernel, so I don't think there is a huge security advantage to Secure Boot.
 
Old 08-09-2019, 11:28 PM   #10
verndog
Member
 
Registered: Oct 2007
Posts: 279

Original Poster
Rep: Reputation: 68
Quote:
Originally Posted by ntubski View Post
As far as I know, Secure Boot just protects you from malware modifying the kernel. But malware can already do all sorts of bad things without modifying the kernel, so I don't think there is a huge security advantage to Secure Boot.
Thanks. I never even thought about turning it off, until now. I don't use Windows much for browsing, just some hardware-related stuff. Just curious why Ubuntu, Debian, Fedora and the like have spent the time, effort and money to pay to get Windows okay on signed kernel, if not needed.
 
Old 08-10-2019, 02:59 AM   #11
zeebra
Senior Member
 
Registered: Dec 2011
Distribution: Slackware
Posts: 1,834
Blog Entries: 17

Rep: Reputation: 643
Quote:
Originally Posted by Timothy Miller View Post
I have secure boot turned off on all my machines. It's only useful if an attacker has physical access to your machine, and at that point, IMO, it's already too late even if you DO have secure boot turned on. So since I like to distro-hop and several distros don't (or didn't) supply signed shims by default, secure boot is off and I've never run into issues.

IMO, encrypted /home > secure boot. Though neither is unbeatable.
I guess also, the less you use Windows the smaller the attack surface is. My personal experience is that the less you use Windows, the better it holds up in the long run. Less errors, less problems etc. It's one of the main differences with GNU/Linux and Windows in my book, over time GNU/Linux is stable and remains the same (or whatever you change it to) while Windows tends to live its own life and do its own thing which is often very bad over time.

I think if you only use Windows for a very few things and rarely, the risk of using the system is quite low in general. It's the daily use it can't handle well. What I mean to say is that you don't have such a big need for things like secure boot then. You can also partly secure Windows from physical attacks by securing your GRUB and BIOS boot with a password.
 
Old 08-10-2019, 05:22 AM   #12
business_kid
LQ Guru
 
Registered: Jan 2006
Location: Ireland
Distribution: Slackware, Slarm64 & Android
Posts: 16,455

Rep: Reputation: 2353
Apart from physical access, I'm not aware of an attack vector attacking /boot. That's root:root anyhow. To do anything from boot you'd surely need some way of seeing the peripherals, which is hardly achievable without root access. If you have root, I imagine you'd have better things to do with your time.

The big day of this was back in the 90s when every system read and acted on the MBR, and you had viruses like Form, CIH, or Ping-Pong (which was actually pretty harmless). CIH overwrote the system BIOS on April 26th, and that was nasty. I got it through my kids on IRC, and one year I deleted 175 copies between 2 machines on April 23rd! That's what got me into Linux.
 
  

