0

After completing a dual boot, can I turn secure boot back on? Or do I have to keep it off for the entirety of the time I have the dual boot on my system?

itsqu
  • 1
  • ubuntu uses a signed grub, you should be able to turn secure boot back on – ravery Sep 16 '17 at 17:32
  • 1
    You don't need to disable Secure Boot to install Ubuntu. You need to disable it if you are using 3rd party kernel modules. – Pilot6 Sep 16 '17 at 17:32
  • 1
    The exception is if you have a proprietary driver for video or WiFi. Those cannot be signed by Ubuntu, so break the signed chain required to boot with Secure boot on. – oldfred Sep 16 '17 at 17:33

1 Answers1

-2

Without discussing the merits of secure boot, IMO the advice to disable secure boot is poor. More likely than not you can keep secure boot enabled.

If you use 3rd party unsigned kernel modules you would either need to sign them yourself or disable secure boot. Examples would be ndivia or ATI graphics drivers, wireless drivers, and perhpas virtualbox.

To self sign modules see

https://computerlinguist.org/make-dkms-sign-kernel-modules-for-secure-boot-on-ubuntu-1604.html

How to sign kernel modules with sign-file?

https://insights.ubuntu.com/2017/08/11/how-to-sign-things-for-secure-boot/

https://wiki.ubuntu.com/SecurityTeam/SecureBoot

https://www.kernel.org/doc/html/v4.10/admin-guide/module-signing.html

Although IMO it is easy to sign modules, most people (erroneously) advise you disable secure boot. See first link to automate - https://computerlinguist.org/make-dkms-sign-kernel-modules-for-secure-boot-on-ubuntu-1604.html

Panther
  • 102,067
  • See already collected a downvote by people who advocate disabling secure boot !!! – Panther Sep 16 '17 at 17:53
  • 1
    It is too much effort especially for a newbie to sign modules. The Secure Boot feature is not worth this effort. Canonical officially recommends to disable Secure Boot for using 3rt party modules. – Pilot6 Sep 16 '17 at 17:53
  • 1
    The Secure Boot is 99% useless feature. Only very advanced fans of it will do the manual signing. Can you really imagine that every user of Nvidia or Broadcom will fiddle with it? – Pilot6 Sep 16 '17 at 17:55
  • @Pilot6 - you are welcome to your opinion, we will have to agree to disagree. Should apparmor be disabled also as only very advanced fans will configure it if there are problems ? How about downvoting tutorials on apparmor too =) – Panther Sep 16 '17 at 17:56
  • 1
    It could be a good answer if not saying that the advice to disable SB is poor. It is an opinion, not a helpful answer. And everything else are links. – Pilot6 Sep 16 '17 at 17:58
  • 1
    So expressing an opinion is a reason to downvote questions/answers now? lol – Panther Sep 16 '17 at 18:01
  • 1
    Yes, it is an opinion and a link-only answer. Hence downvote. – Pilot6 Sep 16 '17 at 18:01
  • 1
    There's nothing wrong with expressing an opinion as long as you're always right. bodhi.zazen has expressed some opinions to me that seemed difficult for me to believe but in the end he was always right. I wouldn't ever downvote an answer that was posted by someone like that. – karel Sep 17 '17 at 01:03