# Secure Boot.. yay or nay?



## StrayKAT (Sep 7, 2018)

Couldn't figure out if this should go in Hardware or Software.

Do you guys enable it in your custom PCs? What's the general practice if you're not an OEM or enterprise?

I'm tempted by the extra security, but it seems way too complicated. At least on this board. I talked to a Supermicro engineer, and he just directed me to MS's whitepapers.. which were geared toward OEMs.


----------



## Solaris17 (Sep 7, 2018)

yass

EFI: Enabled

Secure Boot: Enabled

CSM/Legacy Boot: Disabled

Legacy OProms: Disabled

Fast Boot: Enabled

Don't need to do anything other than that. The security measures are all handled automagically.

I also run two Supermicro servers in my homelab, lmk what you need help configuring if something is confusing and I can even take screenshots of my BIOS screens for you (IPMI)


----------



## StrayKAT (Sep 7, 2018)

Solaris17 said:


> yass
> 
> EFI: Enabled
> 
> ...



He told me the default keys are just for "tests" and shouldn't be used.

And when I installed Windows with the defaults enabled, it somehow broke the SM "Booster" app (for overclocking). It wouldn't even launch. This is crazy stupid. I like the hardware, but not the rest.

edit: Not to mention that this Booster app didn't even work at all at first. The version on their site is broken and not even meant for this board. So he linked me to a private SFTP server to get a different build (even gave me a private password where I could snoop around SM team members' directories. I'm glad it works, but another example of craziness).


----------



## GoldenX (Sep 7, 2018)

Keep EFI and fast boot enabled, kill secure boot.
As someone who tries different Linux distros, I hate secure boot.


----------



## StrayKAT (Sep 7, 2018)

GoldenX said:


> Keep EFI and fast boot enabled, kill secure boot.
> As someone who tries different Linux distros, I hate secure boot.



Maybe a good idea, just in case I want to use that down the road. Seems like BSD doesn't play well with it either.


----------



## Solaris17 (Sep 7, 2018)

You can use the default keys, the reality and logic behind using the default keys needs to be understood before accepting the risk and they are generally as follows.

Manufacturers do not usually disclose secure boot key configs but they are usually the following or a combination of:

-Keys are generated per machine
-Keys are generated per model
-Keys are generated per series

In any case if the private key is stolen while it puts the boot chain at risk it is no more at risk than if you had your own personal key stolen. I am basing this off of the companies trying harder than you to safeguard data.

That said I do not have experience with SM Booster since I run server platforms but I would be curious to know what settings are set/modified on your board since secure boot does not or should not touch software interfaces with the platform. For example, Gigabyte Aorus overclock or w/e it's called works fine on my wife's system with Secure Boot + UEFI. The same goes for XTU on my system.



GoldenX said:


> Keep EFI and fast boot enabled, kill secure boot.
> As someone who tries different Linux distros, I hate secure boot.



Odd, I run fleets of Linux servers and while I can attest that BSD has a hard time, as long as I'm not using super unknown distros I have had no problems.


----------



## StrayKAT (Sep 7, 2018)

Solaris17 said:


> You can use the default keys, the reality and logic behind using the default keys needs to be understood before accepting the risk and they are generally as follows.
> 
> Manufacturers do not usually disclose secure boot key configs but they are usually the following or a combination of:
> 
> ...



I had nothing but default settings/on a fresh install (which is just turbo boost).

I was thinking however that maybe it needed to be installed in Administrator mode? I didn't test that out.. and got pissed and reinstalled Windows eventually. lol. It works fine just installing normally without Secure Boot on.


----------



## Solaris17 (Sep 7, 2018)

StrayKAT said:


> I had nothing but default settings/on a fresh install.
> 
> I was thinking however that maybe it needed to be installed in Administrator mode? I didn't test that out.. and got pissed and reinstalled Windows eventually. lol. It works fine just installing normally without Secure Boot on.



oh, did you try to turn on secure boot after the OS install or something?


----------



## StrayKAT (Sep 7, 2018)

Solaris17 said:


> oh, did you try to turn on secure boot after the OS install or something?



No, installed it while it was on.


----------



## MrGenius (Sep 7, 2018)

I use it. For the same reason I use AV software. It's not very likely that either is doing me any good. But they could...in theory. So I feel like it's kinda stupid not to...if you can. Shit happens.


----------



## FordGT90Concept (Sep 7, 2018)

Read what it is:
https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-secure-boot


> Secure boot is a security standard developed by members of the PC industry to help make sure that a device boots using only software that is trusted by the Original Equipment Manufacturer (OEM). When the PC starts, the firmware checks the signature of each piece of boot software, including UEFI firmware drivers (also known as Option ROMs), EFI applications, and the operating system. If the signatures are valid, the PC boots, and the firmware gives control to the operating system.


I don't need MSI/Asus/Dell/HP/Lenovo/Gigabyte/etc. telling me what I can and cannot run on my hardware.  I don't usually turn it off immediately but the moment I run into an issue with it (which is often), I turn it off.

It's not "secure boot" so much "daddy-has-my-keys boot"


----------



## StrayKAT (Sep 7, 2018)

FordGT90Concept said:


> Read what it is:
> https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-secure-boot
> 
> I don't need MSI/Asus/Dell/HP/Lenovo/Gigabyte/etc. telling me what I can and cannot run on my hardware.  I don't usually turn it off immediately but the moment I run into an issue with it (which is often), I turn it off.
> ...



What issues have you run into?

Yeah, I know what you mean. It feels restrictive.. although I'm not sure to what end (some would say it's another grab at monopoly by MS. I really don't know). Mind you, I wasn't using PC desktops for a long while, so I've been pretty ignorant about developments or modern know how. I used Macs a lot during the 2000s then PC laptops (which were built for me, of course). So I'm completely at a loss with this. This is not like PC building of the old days :\


----------



## Solaris17 (Sep 7, 2018)

FordGT90Concept said:


> Read what it is:
> https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-secure-boot
> 
> I don't need MSI/Asus/Dell/HP/Lenovo/Gigabyte/etc. telling me what I can and cannot run on my hardware.  I don't usually turn it off immediately but the moment I run into an issue with it (which is often), I turn it off.
> ...



Please, it's not that bad at all. This isn't some kind of spy regime. This just makes sure non-modified UEFI drivers and firmware are being used. IF you choose to modify your firmware you need to disable secure boot, but don't pretend this is some kind of evil scheme. This is important for high security environments and systems. Not to mention you seriously overplay it by only mentioning a few AAA companies.

Interestingly far more have a say in the design of the standard. Including Linux companies.

https://www.uefi.org/members


----------



## StrayKAT (Sep 7, 2018)

Solaris17 said:


> Please, it's not that bad at all. This isn't some kind of spy regime. This just makes sure non-modified UEFI drivers and firmware are being used. IF you choose to modify your firmware you need to disable secure boot, but don't pretend this is some kind of evil scheme. This is important for high security environments and systems. Not to mention you seriously overplay it by only mentioning a few AAA companies.
> 
> Interestingly far more have a say in the design of the standard. Including Linux companies.
> 
> https://www.uefi.org/members



Linus doesn't seem to be a fan. 

https://lkml.org/lkml/2018/4/3/674

> ".. maybe you don't *want* secure boot, but it's been pushed in your face by people with an agenda?
>
> Seriously.
>
> Linus"


----------



## GoldenX (Sep 8, 2018)

Two things.
First, it was heavily pushed by Microsoft.
Second, by mistake Microsoft published the master key, and is now public.

Secure Boot is useless, and was pushed to avoid people changing the preinstalled OS.


----------



## FordGT90Concept (Sep 8, 2018)

StrayKAT said:


> What issues have you run into?


Trying to run anything pre-OS including Active KillDisk (not a problem since they updated to TinyCore Linux which is signed) or even BIOS updates that aren't started through the UEFI BIOS.



StrayKAT said:


> It feels restrictive.. although I'm not sure to what end (some would say it's another grab at monopoly by MS. I really don't know).


It's made by OEMs for OEMs.  The less the user modifies with the system, the easier service and support is for them.  It's not really a problem as long as they provide an option to turn it off.  The moment that is gone...


----------



## Solaris17 (Sep 8, 2018)

StrayKAT said:


> Linus doesn't seem to be a fan.
> 
> https://lkml.org/lkml/2018/4/3/674
> 
> ...



You mean his opinion? Sure you can take it at face value I guess, but Linus is a programmer that doesn't like changes that make him work super hard. Or the business that is the PC industry, however that doesn't mean UEFI is forced on you. Let's take a look.



			
https://www.uefi.org/faq said:

> *CAN ALL SYSTEMS DISABLE UEFI SECURE BOOT?*
> While it is designed to protect the system by only allowing authenticated binaries in the boot process, UEFI Secure Boot is an optional feature for most general-purpose systems. By default, UEFI Secure Boot can be disabled on the majority of general-purpose machines. It is up to the system vendors to decide which system policies are implemented on a given machine. However, there are a few cases—such as with kiosks, ATM or subsidized device deployments—in which, for security reasons, the owner of that system doesn’t want the system changed.



Incidentally it appears you and I and Ford can disable it on our systems. Still not feeling the chains.


----------



## StrayKAT (Sep 8, 2018)

Solaris17 said:


> You mean his opinion? Sure you can take it at face value I guess, but Linus is a programmer that doesn't like changes that make him work super hard. Or the business that is the PC industry, however that doesn't mean UEFI is forced on you. Let's take a look.
> 
> 
> 
> Incidentally it appears you and I and Ford can disable it on our systems. Still not feeling the chains.



He doesn't just say that though. He goes on about already trusting "his" kernels. Which is to say, I think he puts the impetus of security on himself. 

We're not all developers, but that's probably a good rule of thumb for anyone.


----------



## Solaris17 (Sep 8, 2018)

StrayKAT said:


> He doesn't just say that though. He goes on about already trusting "his" kernels. Which is to say, I think he puts the impetus of security on himself.
> 
> We're not all developers, but that's probably a good rule of thumb for anyone.



If that's how you interpret it. Back to the issue at hand: if secure boot doesn't work with the software you would like to run and you have the option to shut it off, yay free market. Glad you got it sorted.

As for the deeper train wreck that is to enable or disable, that's not what was asked, and like an argument about using AV software that blocks legit software and whether or not that means one /should/ use AV software, that circle jerk can go on forever. Glad you're firing on all cylinders.


----------



## StrayKAT (Sep 8, 2018)

Solaris17 said:


> If that's how you interpret it. Back to the issue at hand: if secure boot doesn't work with the software you would like to run and you have the option to shut it off, yay free market. Glad you got it sorted.
> 
> As for the deeper train wreck that is to enable or disable, that's not what was asked, and like an argument about using AV software that blocks legit software and whether or not that means one /should/ use AV software, that circle jerk can go on forever. Glad you're firing on all cylinders.



Yeah, between having this feature and SM's OC utility, I'll take the latter. I just wondered what I'm really sacrificing. It's hard to tell. 

I'm sure Linus has more concerns going on than that.. and more than just Windows or even PCs (Arm uses it too, right?). Just thought it funny you mentioned Linux, since I ran across that opinion earlier.


----------



## FordGT90Concept (Sep 8, 2018)

You'll know when you need to turn it off because trying to use boot software that should work, doesn't work.

You wouldn't believe how often I boot into FreeDOS or MS-DOS to do stuff and Secure Boot doesn't allow that.  Thing is, not many people do and those people can leave it on and never even notice.


----------



## StrayKAT (Sep 8, 2018)

Seems like Debian doesn't have secureboot support either. Huh. That's not an unknown name.


----------



## windwhirl (Sep 8, 2018)

Honestly, I never really turned it on. There wasn't much of a point, ever, and quite often I'm installing this or that Linux distro...


----------



## GoldenX (Sep 8, 2018)

StrayKAT said:


> Seems like Debian doesn't have secureboot support either. Huh. That's not an unknown name.


I think that was their way of saying "F*** you!" to Secure Boot. Ubuntu has support.


----------



## StrayKAT (Sep 8, 2018)

I just discovered a new thing. Windows "Core Isolation" feature (seemingly can't even turn it off without reg editing) actually prevents VirtualBox and others from running. lol.

Just seems like it's all part of the same MS shenanigans. They just want you to use Hyper-V, I think (that or not dual booting). Which I have, but it's kind of B.S. to do this.

I can almost appreciate them wanting their own platform.. like Apple.. but not a damn PC. Go do it to ARM.


----------



## windwhirl (Sep 8, 2018)

StrayKAT said:


> I just discovered a new thing. Windows "Core Isolation" feature (seemingly can't even turn it off without reg editing) actually prevents VirtualBox and others from running. lol.
> 
> Just seems like it's all part of the same MS shenanigans. They just want you to use Hyper-V, I think (that or not dual booting). Which I have, but it's kind of B.S. to do this.



Isn't there a slider in the Windows Security panel to disable it? I don't know if there are more options available, but I have Memory integrity available and disabled...

Memory integrity is the feature that interferes with VMs.


----------



## StrayKAT (Sep 8, 2018)

windwhirl said:


> Isn't there a slider in the Windows Security panel to disable it? I don't know if there are more options available, but I have Memory integrity available and disabled...
> 
> Memory integrity is the feature that interferes with VMs.



It doesn't work. It's greyed out and says only an Administrator can do it...even on my own exclusive machine where I am admin. Even when I specifically unlock a hidden Admin profile and log in manually that way.. it's still greyed out.

That said, it's just one switch (1 to 0) in the registry. If it's so simple this way, the interface must be bugged, I guess.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity


----------



## lexluthermiester (Sep 8, 2018)

GoldenX said:


> Secure Boot is useless, and was pushed to avoid people changing the preinstalled OS.


Exactly this. In some cases it can provide a more secure operating environment. However that kind of situation is rarely, if ever, needed in the consumer sector. It is just another way Microsoft(the largest supporter by far) is trying to control everything.


----------



## silentbogo (Sep 8, 2018)

StrayKAT said:


> What issues have you run into?


Had an interesting issue when 1803 came out, which cost me many hours of headache at work. 
If I had EFI+Secure boot  enabled, then Windows would get stuck in "S" mode right after online activation (can't install third-party software).
Tried EFI and no SB: all relatively good, but activation may break on rare occasions (a legit key is accepted during installation, but at the end the machine is not activated), and you end up with Windows 10S once again. 
CSM: no problems whatsoever.

I guess MS had fixed this issue, cause I haven't encountered it for a few months while using the same 1803 installation media.


----------



## StrayKAT (Sep 8, 2018)

I'm dabbling around right now with it on. I don't plan on using this machine full time anyway, until Oct update rolls out, I think. We'll see how it goes. I kind of just want to learn more about the innards of Windows, even if I end up avoiding many features (one new cool thing I did find is Windows Application Guard.. which can run Edge in its own virtualized container.. for safer browsing than usual).

The main ability I lose from that SuperO app is the ability to turn off the damn RGB. I can tweak the BIOS in the usual places. And luckily, I don't see the inside of my computer much anyway.


----------



## FordGT90Concept (Sep 8, 2018)

StrayKAT said:


> I can almost appreciate them wanting their own platform.. like Apple.. but not a damn PC. Go do it to ARM.


They did on their Surface with Windows RT.  Damn thing is practically padlocked.  Couldn't even compile your own programs in Visual Studio and run it on there.  Well you could by doing a lot of hacking but if the machine ever restarts, it reverts to not allow it (application signing).  If Microsoft didn't give your program its stamp of approval, it's a PITA to make it work.


----------



## StrayKAT (Sep 8, 2018)

FordGT90Concept said:


> They did on their Surface with Windows RT.  Damn thing is practically padlocked.



Hah.. yes, I have one. In a box.. sitting under my bed. Not much I can do with it... even its version of Windows doesn't offer much.

edit: Wait, I at least can turn off Secure Boot temporarily, launch the Supermicro app.. turn off the RGB.. then turn on Secure Boot again. Duh. I should have known that.

Still, when I turn off Secure Boot at first, it booted straight into the EFI shell. I had to redirect to the Windows boot loader again. Any reason why that happens?


----------



## Bill_Bright (Sep 8, 2018)

GoldenX said:


> Secure Boot is useless, and was pushed to avoid people changing the preinstalled OS.





lexluthermiester said:


> Exactly this. In some cases it can provide a more secure operating environment.


Then it is NOT "exactly this", is it?

Secure boot is not useless and it was pushed to prevent badguys from hijacking systems by, for example, inserting a bootable USB drive. It also is useful in preventing rootkits from replacing the boot loader.

It is only useless if you don't know how to use it. 

For most users with modern UEFI hardware who will not be dual-booting, it is an additional and worthwhile extra layer of security. But with a little effort, dual-booters can effectively use it too. 

https://www.howtogeek.com/116569/ht...e-boot-feature-works-what-it-means-for-linux/


----------



## StrayKAT (Sep 8, 2018)

I've never had a rootkit issue, and haven't known anyone who did since like... the early 2000s. 

But I suppose it's better to be safe than sorry. I'm not going to knock having more security. I'm just curious of all the ways it might be an inconvenience.


----------



## Bill_Bright (Sep 8, 2018)

StrayKAT said:


> I'm just curious of all the ways it might be an inconvenience.


I guess that's my point. When it was first introduced with W8, it caused me minor problems with a new dual-boot build. But those were easy to overcome. I have not encountered any problems with secure boot and current motherboards and W10.


----------



## MrGenius (Sep 8, 2018)

StrayKAT said:


> It doesn't work. It's greyed out and says only an Administrator can do it...even on my own exclusive machine where I am admin. Even when I specifically unlock a hidden Admin profile and log in manually that way.. it's still greyed out.
> 
> That said, it's just one switch (1 to 0) in the registry. If it's so simple this way, the interface must be bugged, I guess.
> 
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity


@RejZoR made a tool to do it quick and easy. https://www.techpowerup.com/forums/threads/download-windows-10-th-rs.216164/page-16#post-3835025


----------



## GoldenX (Sep 8, 2018)

Bill_Bright said:


> Then it is NOT "exactly this", is it?
> 
> Secure boot is not useless and it was pushed to prevent badguys from hijacking systems by, for example, inserting a bootable USB drive. It also is useful in preventing rootkits from replacing the boot loader.
> 
> ...


If someone has access to the USB ports, he can just take the whole computer as well, you have bigger problems.
Secure boot is using a password at post, there was no need for it.


----------



## R-T-B (Sep 8, 2018)

FordGT90Concept said:


> It's not "secure boot" so much "daddy-has-my-keys boot"



I mean, you can supply your own keys, if you care to do so.

It's designed to protect against "evil maid" attacks primarily, or any kind of bootvector virus/malware.



GoldenX said:


> Secure boot is using a password at post, there was no need for it.



Bill is right here.  It's a little more than that.


----------



## Bill_Bright (Sep 9, 2018)

GoldenX said:


> If someone has access to the USB ports, he can just take the whole computer as well, you have bigger problems.


Can and will are two completely different things. You are using a single narrowly focused example to prove an entire point. But there are many other scenarios to make your example invalid. 

For example, many bad guys have no interest in the hardware. They want the data! For many people and especially companies, the data is way more valuable than the computer.  

Why plant a keylogging device if the bad guy can just steal the computer? Because it is the data he wants, not the computer!

It is often much easier, faster and safer (for the bad guy) to boot to an inserted USB flash drive, do the dirty work, then walk away than it is to disconnect, pick up and attempt to walk out the door carrying a computer without being noticed.


GoldenX said:


> Secure boot is using a password at post, there was no need for it.


Not even! To avoid looking uninformed, please learn about the subject you are talking about before making totally inaccurate comments. Secure boot comes into play long before the OS is touched at boot and long before a user is prompted to enter any password during boot. In fact, *booting with Secure Boot does NOT even require a password!*


----------



## StrayKAT (Sep 9, 2018)

I wouldn't be worried about any hardware theft except with a laptop or phone. If someone broke into my house and actually took the time to get the desktop, I have bigger things to worry about.


----------



## Ja.KooLit (Sep 9, 2018)

Isn't it when first introduced at win8 you can't even install win8 os if secure boot is disabled? I don't know now on win 10. I just leave it enabled. Don't know if it will cause problems if I disabled it.


----------



## StrayKAT (Sep 9, 2018)

night.fox said:


> Isn't it when first introduced at win8 you can't even install win8 os if secure boot is disabled? I don't know now on win 10. I just leave it enabled. Don't know if it will cause problems if I disabled it.



It appears they've fixed this.. and/or half of the Linux distros out there work with secureboot and provide their own keys.

Although, as I linked to in an earlier post here, it seems that Linus himself is not a fan.


----------



## Bill_Bright (Sep 9, 2018)

night.fox said:


> Isn't it when first introduced at win8 you can't even install win8 os if secure boot is disabled?


First, it is important to note Secure Boot was required ONLY with factory assembled computers and ONLY if those makers wanted to put a "Windows certified" (or some similar verbiage) sticker on the computer (and box). And of course, the motherboard had to have a UEFI BIOS, not a traditional BIOS. Home builders did not have to enable it.

But StrayKAT is right again and MS has fixed and changed a lot about how SB is implemented in W10. 

It should also be noted that MS endured years and years of relentless bashing over security (or lack of it). Even 10 years after XP came out, they were still getting bashed when it was the bad guys perpetrating the crimes, not MS. And why didn't Norton, McAfee, TrendMicro and the others stop it? Because they had no financial incentive to rid the world of malware - but that's for another discussion.

MS is stuck between a rock and hard place. If they make Windows too flexible, it exposes security vulnerabilities and gives the bad guys lots of opportunities and ways to get in - and then MS gets bashed for not caring about user security. 

If Microsoft locks down Windows and takes away flexibility, even though security is greatly improved, MS gets bashed for not caring about user flexibility.

With XP, a great amount of flexibility (which included legacy hardware and software support) was built in, but security was compromised and Microsoft was relentlessly bashed. So then the pendulum swung the other way and Windows 8, while much more secure, was very inflexible. YOU WILL LIKE the new UI for example. You WILL USE secure boot. And more. And then of course, MS was relentlessly bashed for being too rigid and Windows sales plummeted. 

Microsoft, and rightfully so IMO, would much rather be bashed for being inflexible than for allowing the bad guys to run roughshod over their users.

So now with W10, the pendulum has swung back closer to the middle. Microsoft is putting security well ahead of flexibility, but at the same time, allowing users to once again customize and personalize Windows to our own liking. And IMO, they are doing a great job of that. 

We (consumers) have to realize one of Windows' greatest assets is it is highly customizable. Users can configure it to look and feel just about any way we want. We can install all sorts of hardware from 1000s of different makers and be confident Windows will support it. Same with software. If we wanted a computer that was so locked down, so controlled with "proprietary" configurations and parts, we all would have bought Macs! Right?

But we must also understand and accept that one of Windows' greatest liabilities is it is highly customizable. And that leaves opportunities for mistakes and vulnerabilities to be accidentally (intentionally?) written into or opened up in the software or driver code - especially if we dink with W10 defaults.


----------



## GoldenX (Sep 9, 2018)

Password during post, not boot, that means before the boot device selection. I'm not talking about an account's password.


----------



## Bill_Bright (Sep 9, 2018)

Still not needed unless you set one.


----------



## StrayKAT (Sep 9, 2018)

There are vendor keys, but it's transparent.

At least for me, since I'm using a noob Standard mode. I don't know a thing about custom keys. Hopefully this is good enough. Isn't it normal to use "Standard mode"? I have to wonder what the Supermicro guy really meant when he said factory defaults shouldn't be used. What the hell is that? Do they really expect random users to generate complex encryption keys? These guys live in their own little world.


----------
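The questions raised in the thread about "Standard mode", default vendor keys and custom keys can be answered by reading the firmware's own Secure Boot variables. The following is an added example, not code from any poster or vendor in the thread: it assumes a Linux system with efivarfs mounted at `/sys/firmware/efi/efivars`, and the sample owner GUID and certificate bytes are constructed so the parser can be exercised offline.

```python
import hashlib
import struct
import uuid
from pathlib import Path

EFIVARS = Path("/sys/firmware/efi/efivars")            # assumed efivarfs mount point
GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"   # EFI_GLOBAL_VARIABLE namespace
X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")    # EFI_CERT_X509_GUID
SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")  # EFI_CERT_SHA256_GUID
SIG_TYPES = {X509_GUID: "x509", SHA256_GUID: "sha256"}
HEADER = struct.Struct("<16sIII")  # type GUID, list size, header size, size of each entry

# Constructed sample values, not taken from any real board or vendor.
SAMPLE_OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")
SAMPLE_CERT = b"\x30\x82" + b"constructed-bytes-not-a-real-certificate"


def read_var(name, root=EFIVARS):
    """Return a global EFI variable's data, or None if it cannot be read.

    efivarfs prefixes every file with a 4-byte attribute word, dropped here.
    """
    try:
        return (Path(root) / f"{name}-{GLOBAL_GUID}").read_bytes()[4:]
    except OSError:
        return None


def parse_signature_lists(data):
    """Walk concatenated EFI_SIGNATURE_LIST structures (the format of PK, KEK, db)."""
    entries, off = [], 0
    while off < len(data):
        if len(data) - off < HEADER.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        type_raw, list_size, hdr_size, sig_size = HEADER.unpack_from(data, off)
        body, end = off + HEADER.size + hdr_size, off + list_size
        # Each entry is a 16-byte owner GUID followed by the key or hash itself.
        if sig_size <= 16 or body > end or end > len(data) or (end - body) % sig_size:
            raise ValueError("inconsistent EFI_SIGNATURE_LIST sizes")
        sig_type = uuid.UUID(bytes_le=type_raw)
        for pos in range(body, end, sig_size):
            payload = data[pos + 16:pos + sig_size]
            entries.append({
                "type": SIG_TYPES.get(sig_type, str(sig_type)),
                "owner": str(uuid.UUID(bytes_le=data[pos:pos + 16])),
                "size": len(payload),
                "sha256": hashlib.sha256(payload).hexdigest(),
            })
        off = end
    return entries


def secure_boot_report(secure_boot, setup_mode, pk):
    """Classify the platform state from the SecureBoot, SetupMode and PK variables."""
    if secure_boot is None or setup_mode is None:
        state = "unavailable"   # legacy/CSM boot, or efivarfs not mounted
    elif setup_mode[:1] == b"\x01":
        state = "setup-mode"    # no Platform Key enrolled, so nothing is enforced
    elif secure_boot[:1] == b"\x01":
        state = "enforcing"     # firmware verifies boot images against the key databases
    else:
        state = "disabled"      # keys are enrolled but verification is switched off
    return {"state": state, "platform_keys": parse_signature_lists(pk or b"")}


def build_sample_pk():
    """Build a PK variable holding one constructed X.509-type entry."""
    entry = SAMPLE_OWNER.bytes_le + SAMPLE_CERT
    return HEADER.pack(X509_GUID.bytes_le, HEADER.size + len(entry), 0, len(entry)) + entry


if __name__ == "__main__":
    report = secure_boot_report(read_var("SecureBoot"), read_var("SetupMode"), read_var("PK"))
    source = "live system"
    if report["state"] == "unavailable":
        report = secure_boot_report(b"\x01", b"\x00", build_sample_pk())
        source = "constructed sample"
    print(f"[{source}] Secure Boot state: {report['state']}")
    for key in report["platform_keys"]:
        print(f"  PK {key['type']} owner={key['owner']} sha256={key['sha256']}")
```

The printed SHA-256 of the Platform Key entry is the value to compare against whatever the board vendor documents for its shipped key.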

