
I installed Ubuntu 16.04 LTS on my new ThinkPad E460 and for the first time in a decade I was shocked about a question Ubuntu was asking me. None of my previous computers had this Secure Boot thing, and all worked on BIOS, so I am clearly unaware of some things...

During the install it popped me this question about third-party packages and disabling Secure Boot. Not knowing what Secure Boot is, I decided to NOT disable it and NOT install third party packages. The install went smooth.

Then I reboot and all seems fine. Of course, I can't play mp3. So I download an mp3, open it, and the player asks me to install GStreamer bad/ugly etc: third-party software. So I was expecting it would say "hey, we need to disable the secure boot". But instead it installed the packages and I can now play mp3.

So what is the deal with this thing? Is it only for drivers (like NVidia etc) that you need to disable the secure boot? Because if that is the case, I think Ubuntu could check if any of those is necessary and then prompt the questions about Secure Boot instead of scaring people that only want to play mp3 files...

  • 2
    Secure boot only affects kernel modules, typically 3rd party, as they are often unsigned. If you sign them secure boot works fine. IMO secure boot is blamed for more problems than it causes. – Panther Feb 15 '17 at 22:53
  • 1
    As above but adding that you'll have to disable secure boot since you won't be the one signing those drivers you need. It has nothing to do with MP3 though. Opting in for the third party codecs and others is independent and unrelated and you can at any time install ubuntu-restricted-extras to obtain almost all media codecs you'll ever need. –  Feb 15 '17 at 22:56
  • @bodhi.zazen Hi, thanks for your quick comment. What would those 3rd party kernel modules be? (I have never owned a machine with "strange/proprietary" hardware). What do you mean Secure Boot is blamed for problems? I personally prefer leaving it on. I'm not too sure what it does, but the thing is called "Secure Boot" not "Please-disable-me-I-am-useless-boot". I think it's a sign that it might actually be worth keeping. Thanks! – excalibur1491 Feb 15 '17 at 22:56
  • @CelticWarrior: Thanks for the info. So I guess it's about drivers. Last time I installed Ubuntu I think the only thing that option did was install codecs so I thought it was about that. – excalibur1491 Feb 15 '17 at 22:59
  • 1
    Secure boot is a new feature only present in UEFI machines (old BIOS didn't need it / wouldn't know how to deal with it). It can be disabled and it's not nearly as secure as its name implies. You lived without it until now. –  Feb 15 '17 at 22:59
  • 1
    See https://wiki.ubuntu.com/SecurityTeam/SecureBoot for details. So it affects third party kernel modules (ubuntu signs its kernel modules, see link for details). The two most common kernel modules would be the proprietary nvidia and ati (graphic) drivers as neither Nvidia nor Ati signs their drivers. – Panther Feb 15 '17 at 23:22
  • @CelticWarrior - That is not true, an end user can sign kernel modules. See https://wiki.ubuntu.com/SecurityTeam/SecureBoot and https://wiki.archlinux.org/index.php/Secure_Boot#Using_your_own_keys . – Panther Feb 15 '17 at 23:24
  • @bodhi.zazen An end user that up until now had no idea secure boot even existed? Hardly... But I agree with you and God (God = Linus Torvalds) about Secure Boot but at the same time I see no problem in suggesting users to just disable it, as we've been doing for years now. –  Feb 15 '17 at 23:33
  • 1
    @CelticWarrior - Here is an example of how to sign kernel modules with Ubuntu - http://askubuntu.com/questions/760671/could-not-load-vboxdrv-after-upgrade-to-ubuntu-16-04-and-i-want-to-keep-secur/768310#768310 and https://stegard.net/2016/10/virtualbox-secure-boot-ubuntu-fail/ and https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/sect-signing-kernel-modules-for-secure-boot.html and https://docs.fedoraproject.org/en-US/Fedora/23/html/System_Administrators_Guide/sect-signing-kernel-modules-for-secure-boot.html – Panther Feb 15 '17 at 23:33
  • @CelticWarrior - security is always a balance between security and convenience. The OP quite clearly stated s/he does not want to disable secure boot and I do not either. IMO you should explain how to manage security features and disable them only if there is no other option. Self signing kernel modules is not that difficult and those who need to do so are already building such modules from source so adding a step to sign the modules is not really adding much. – Panther Feb 15 '17 at 23:37
  • @bodhi.zazen I wasn't arguing as we're not supposed to. Yes, at the end of the day, it's up to personal choice and mine is not to have that extra work for the little gain, if any. What does it prevent? Booting unauthorized software and that is only effective if UEFI is password secured as well. Otherwise anyone with physical access to the machine will be able to disable secure boot. I suggest you write your comments above as an answer. Give me a nudge so I can upvote. –  Feb 15 '17 at 23:43
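
The comments above turn on whether a third-party kernel module is signed. As an added example that is not part of the thread, this Python code reads the signature trailer that the kernel's module signing tool appends to a module file and reports whether one is present; the sample bytes and the helper `build_sample` are constructed for illustration.

```python
import struct

# Marker the kernel's module signing tool appends after a signed .ko file.
MAGIC = b"~Module signature appended~\n"
# struct module_signature: algo, hash, id_type, signer_len, key_id_len,
# 3 pad bytes, then sig_len as a big-endian u32 (12 bytes total).
TRAILER = struct.Struct(">5B3xI")
ID_TYPES = {0: "PGP", 1: "X.509", 2: "PKCS#7"}


def parse_module_signature(blob):
    """Return trailer details for a signed module image, None if unsigned.

    Raises ValueError when the marker is present but the trailer is malformed.
    """
    if not blob.endswith(MAGIC):
        return None
    end = len(blob) - len(MAGIC)
    if end < TRAILER.size:
        raise ValueError("marker present but trailer is truncated")
    algo, hash_id, id_type, signer_len, key_id_len, sig_len = TRAILER.unpack(
        blob[end - TRAILER.size:end])
    payload_len = end - TRAILER.size - signer_len - key_id_len - sig_len
    if sig_len == 0 or payload_len < 0:
        raise ValueError("signature length does not fit inside the file")
    return {
        "id_type": ID_TYPES.get(id_type, "unknown(%d)" % id_type),
        "sig_len": sig_len,
        "payload_len": payload_len,  # bytes of module code the signature covers
    }


def build_sample(signed):
    """Constructed stand-in for a .ko file; the 'signature' is filler bytes."""
    payload = b"\x7fELF" + b"\x00" * 60
    if not signed:
        return payload
    fake_sig = b"\xAA" * 256
    return payload + fake_sig + TRAILER.pack(0, 0, 2, 0, 0, 256) + MAGIC


if __name__ == "__main__":
    for label, blob in (("unsigned", build_sample(False)),
                        ("signed", build_sample(True))):
        print(label, parse_module_signature(blob))
```

A trailer only shows that the file was signed with some key. With Secure Boot enforcing module signatures, the kernel still has to verify that signature against a key it trusts before it loads the module.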
