Disable Safe Boot

0 views
Skip to first unread message

Serafin Sonnier

unread,
Aug 4, 2024, 5:04:43 PM8/4/24
to pielibacar
Secureboot forces both Windows and Ubuntu to require that all system level drivers are "signed", proving that they approved as authentic software. The idea is fairly good, and on Windows, Microsoft signs most of the drivers.

However, on Ubuntu, the user may require special drivers for their wireless card, video card, or specialty hardware. These drivers are normally unsigned, as they can come from a number of different sources. If secure boot is enabled, and the drivers are not signed, these drivers will not load. In order for them to load, each driver must be "signed". This process of signing the drivers is not extremely difficult, but it can be a hassle... especially if you change/update the driver, or change/update the kernel software that is a part of Ubuntu. Each change will require that you resign the driver.


So, imagine this... your system is running fine... you have secure boot enabled... your drivers are all properly signed... and you use Ubuntu's Software Updater and it installs a new kernel... or you install a new driver... and you reboot the system only to find that your wireless card may no longer work, your video card doesn't display properly, or your specialty hardware no longer works. Now you must recompile and resign all of the modules again. Not fun.


Yes, no, maybe so. This is really quite an opinionated question and not really about Ubuntu. Nevertheless, I will do my best to answer in an impartial way, so I don't start arguments and can allow you to make your own decision.


Secure Boot is a feature in Windows 8+ laptops that only allows an operating system to boot if it is signed by Microsoft. It's kind of like how Apple only allows apps and firmware that are officially signed to be installed to an iDevice. This feature can usually be turned off, but not always, which can cause issues with Linux.


The point of Secure Boot is to prevent things like rootkits and other malware from hijacking your boot process for nefarious purposes. This is where you might want to consider whether or not you should keep Secure Boot on. If you visit a lot of shady websites, without using anything like AdBlocker or Privacy Badger, then you may want to consider keeping it on, or, as zwets suggested, signing the NVIDIA module yourself. Of course, if your browsing is normal and safe, then Secure Boot is usually alright turned off.


It can also depend on your paranoia level. If you're someone who would rather not have internet, because of how insecure that has the potential to be, then you should probably keep Secure Boot enabled. If you're someone like me, who uses the same password for multiple sites, then turn it off.


Yesterday, a little water spilt on my 13" MBP keyboard. I turned it around immediately, drained out the water and used tissue to suck it all up but the keyboard was still acting funny. I turned it off and left it out in the sun for a couple of hours and turned it on again but problems remained. My warranty had run out just a month ago and I knew Apple would not cover this under warranty. I tried to clean the shift keys and left it overnight with some rice on them with hopes that the moisture might get sucked out. Nothing worked. (The rice bit is an urban legend that seems to work with some electronics). Went to the Apple Store this morning and was told that they wouldn't even take out the key and clean it, and that the entire top case would have to be replaced. A total bill of 156 Euros which I cannot afford. I had a USB keyboard that would let me use the Mac for the moment so I decided to try to work out a fix.


If only one shift key was the problem, then you are done. If both shift keys were shorted, then its likely other keys are too. In which case you should probably just replace the entire thing. If you think other keys are not affected, then you can use KeyRemap4MacBook itself to remap the shift functionality to a lesser used key like the Left Option key.


Under System Preferences > Users & Groups > Login Items , add KeyRemap4MacBook as an application that should start on login. This will ensure that your disable/remap of the shift key is active every time you login.


I have the same problem, from the same cause: a spill into my MBP's keyboard rendered it completely nonfunctional, so now I have to use an external USB keyboard. If I don't press any keys at all while booting, it always boots into safe mode. So now instead I always hold down the space bar just after the chime and then it boots normally.


You could enable a firmware password. When a firmware (EFI) password is active it prevents modifier keys during the boot process unless you first disable the firmware password. Apple's KB article detailing this behavior - HT1352


I'm going to assume that you can't boot to your recovery partition, or an installer disc, thanks to the stuck shift key. Typically you would enable the firmware password from either of these options, however it's still possible to do from the OS.


You need to find the root cause why the Shift key gets stuck and fix it. Look carefully for small object sneaked inside crevice between key and keyboard. It happened to me because a small piece of pencile lead got in which was barely noticable. After reading through this thread made me search through a subtle stuck Shift key and finally got the issue resolved.


hello, I recently received my framework laptop and am looking to install Linux, however the option for secure boot is not available in my bios menu. I boot up the system, press f2, go to setup utility, but under security there is no option to disable secure boot. the only options are:


For Intel 13th Gen, secure boot is enabled by default. (Thanks Microsoft.) To disable it, access the Administer Secure Boot panel from the BIOS root screen before attempting to boot an unsigned image. Otherwise, the content of the Administer Secure Boot panel is blocked when a secure boot fails.


If you get the message blocking Administer Secure Boot, then power off and try again. When powering on, either press F2 before the BIOS attempts to load an image, or power on with no OS image attached.


Open a terminal (Ctrl + Alt + T), and execute sudo mokutil --disable-validation.

Enter a temporary password between 8 to 16 digits (not characters: * &% $ "/^etc ...).

Enter the same password again to confirm.

Reboot the system and press any key when you see the blue screen (MOK management).


I searched for a long time on Zorin forum but I did not find it ... I saw that with the last update the action was available, but I chose a password with "*" and it did not recognize it ... Now I have enabled secure bot but I wanted to understand how to access from the terminal.

To check if it is enabled from the terminal do you know the command?

Thanks for your help.


I have recently purchased the ASUS UX303UA-R4005T and intend to dual boot Arch Linux and the preinstalled Windows 10. I have already installed and maintained a number of Arch installs but this is my first UEFI device. I have read:


Following the advice in the last link from the list above, I began by disabling "Fast Start-Up" and Resizing the Windows "C" partition, leaving space for Arch to be installed. Given the guidance in the first entry, I wanted to proceed by disabling "Secure Boot".


The issue is as follows: I am unable to toggle the option "Secure Boot Enabled". Furthermore, I was unable to find any resources on enabling secure boot for my device. Regarding Asus, several sources suggest to delete the secure boot variables, claiming that upon doing so "Secure Boot" will be set to "Disabled". In any case, I have carried out "Save all Secure Boot Variables".


Thank you for the reply. Unfortunately I have no access to the option "CSM" either. Furthermore, according to this, I'm not sure if changing UEFI to Legacy Boot mode is safe (i.e. ...Windows forces type of partitioning depending on the firmware mode used...)


Secure Boot is a security feature found in the UEFI standard, designed to add a layer of protection to the pre-boot process: by maintaining a cryptographically signed list of binaries authorized or forbidden to run at boot, it helps in improving the confidence that the machine core boot components (boot manager, kernel, initramfs) have not been tampered with.


As such it can be seen as a continuation or complement to the efforts in securing one's computing environment, reducing the attack surface that other software security solutions such as system encryption cannot easily cover, while being totally distinct and not dependent on them. Secure Boot just stands on its own as a component of current security practices, with its own set of pros and cons.


You may access the firmware configuration by pressing a special key during the boot process. The key to use depends on the firmware. It is usually one of Esc, F2, Del or possibly another Fn key. Sometimes the right key is displayed for a short while at the beginning of the boot process. The motherboard manual usually records it. You might want to press the key, and keep pressing it, immediately following powering on the machine, even before the screen actually displays anything.


After entering the firmware setup, be careful not to change any settings without prior intention. Usually there are navigation instructions, and short help for the settings, at the bottom of each setup screen. The setup itself might be composed of several pages. You will have to navigate to the correct place. The interesting setting might be simply denoted by secure boot, which can be set on or off.


Here we see that Secure Boot is enabled and enforced (in user mode); other values are disabled (setup) for Setup Mode, disabled (disabled) if Secure Boot is disabled and disabled (unsupported) if the firmware does not feature Secure Boot.

3a8082e126
Reply all
Reply to author
Forward
0 new messages