Is it safe to disable Secure Boot? [closed]

Solution 1:

Secure boot forces both Windows and Ubuntu to require that all system-level drivers are "signed", proving that they are approved as authentic software. The idea is fairly good, and on Windows, Microsoft signs most of the drivers.

However, on Ubuntu, the user may require special drivers for their wireless card, video card, or specialty hardware. These drivers are normally unsigned, as they can come from a number of different sources. If secure boot is enabled, and the drivers are not signed, these drivers will not load. In order for them to load, each driver must be "signed". This process of signing the drivers is not extremely difficult, but it can be a hassle... especially if you change/update the driver, or change/update the kernel software that is a part of Ubuntu. Each change will require that you re-sign the driver.

So, imagine this... your system is running fine... you have secure boot enabled... your drivers are all properly signed... and you use Ubuntu's Software Updater and it installs a new kernel... or you install a new driver... and you reboot the system only to find that your wireless card may no longer work, your video card doesn't display properly, or your specialty hardware no longer works. Now you must recompile and re-sign all of the modules again. Not fun.

On my own system, I use 5 custom DKMS driver modules that would require re-signing after every Ubuntu kernel update. Oh my.

Short story... disable secure boot and be happy. Windows won't care, and Ubuntu will survive software updates and driver installs with less work on your part.

Solution 2:

Yes, no, maybe so. This is really quite an opinionated question and not really about Ubuntu. Nevertheless, I will do my best to answer in an impartial way, so I don't start arguments and can allow you to make your own decision.

Secure Boot is a feature in Windows 8+ laptops that only allows an operating system to boot if it is signed by Microsoft. It's kind of like how Apple only allows apps and firmware that are officially signed to be installed to an iDevice. This feature can usually be turned off, but not always, which can cause issues with Linux.

The point of Secure Boot is to prevent things like rootkits and other malware from hijacking your boot process for nefarious purposes. This is where you might want to consider whether or not you should keep Secure Boot on. If you visit a lot of shady websites, without using anything like AdBlocker or Privacy Badger, then you may want to consider keeping it on, or, as zwets suggested, signing the NVIDIA module yourself. Of course, if your browsing is normal and safe, then Secure Boot is usually alright turned off.

It can also depend on your paranoia level. If you're someone who would rather not have internet, because of how insecure that has the potential to be, then you should probably keep Secure Boot enabled. If you're someone like me, who uses the same password for multiple sites, then turn it off.

There isn't much that's very special about Secure Boot. (It honestly seems like it wouldn't be all that difficult for a rootkit to bypass it.) But it really depends on how you feel about security.

Solution 3:

Whether it is safe to turn off Secure Boot depends on your security requirements. However, rather than turning off Secure Boot, you could also sign the kernel module.

Here is a concise description of how to do that: https://askubuntu.com/a/768310/134479
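
Solution 1 describes DKMS modules needing to be re-signed after each kernel update, and Solution 3 suggests signing them instead of disabling Secure Boot. The script below is an added example, not code from either answer: it lists modules that carry no appended signature trailer, so you can see what would be refused before rebooting. The function names and the default DKMS directory are assumptions.

```shell
#!/bin/sh
# Added example: list kernel modules that carry no appended signature.
# A signed module ends with this 28-byte marker (27 characters plus newline).
hex() { od -An -tx1 | tr -d ' \n'; }
MAGIC_HEX=$(printf '~Module signature appended~\n' | hex)

# Emit a module's bytes, decompressing when the kernel package compresses them.
read_module() {
    case "$1" in
        *.ko.zst) zstd -dcq -- "$1" ;;
        *.ko.xz)  xz -dc -- "$1" ;;
        *.ko.gz)  gzip -dc -- "$1" ;;
        *)        cat -- "$1" ;;
    esac
}

# True if a signature trailer is present. This does not prove the signing
# key is enrolled (MOK) or that the signature verifies; the kernel decides that.
module_is_signed() {
    [ "$(read_module "$1" 2>/dev/null | tail -c 28 | hex)" = "$MAGIC_HEX" ]
}

# Print every unsigned module under DIR, one path per line.
# Default DIR is an assumption: where DKMS installs modules on Ubuntu.
audit_modules() {
    dir=${1:-/lib/modules/$(uname -r)/updates/dkms}
    find "$dir" -type f -name '*.ko*' 2>/dev/null | sort |
    while IFS= read -r f; do
        module_is_signed "$f" || printf '%s\n' "$f"
    done
}

# Constructed sample data: two fake "modules", one with the trailer appended.
selftest() {
    t=$(mktemp -d) || return 1
    printf 'fake-elf-body' > "$t/wifi.ko"
    printf 'fake-elf-body fake-sig ~Module signature appended~\n' > "$t/gpu.ko"
    audit_modules "$t" | sed "s|^$t/||"
    rm -rf "$t"
}

# Usage: sh audit.sh --audit [DIR]   or   sh audit.sh --selftest
case "${1:-}" in
    --audit)    audit_modules "${2:-}" ;;
    --selftest) selftest ;;
esac
```

An empty result from `--audit` means every module found has a signature trailer; whether the kernel accepts it still depends on the signing key being enrolled.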