Windows 11 secure boot Linux

MAYBL8
MX Packager
Posts: 599
Joined: Thu Dec 31, 2009 2:48 pm

Windows 11 secure boot Linux

#1 Post by MAYBL8 »

Some people are saying you can't dual boot Linux with Windows 11. They are wrong.
Here is some info to start out with.
Please feel free to add more.

Does Secure Boot interfere with Linux dual boot?

The Secure Boot capability is one of Windows 11’s requirements along with the TPM, so let us tell you how this could affect Linux computers and dual booting.

Secure Boot technology allows only the approved boot loaders to boot your PC in order to protect it from malware.

The issue arises because many versions of Linux aren’t compatible with Secure Boot, and since Secure Boot is a requirement for Windows 11, many were worried that Linux might not run in dual boot mode with Windows 11.

The answer is yes, Linux will be able to run alongside Windows 11, but you’ll have to use Linux that is compatible with Secure Boot, such as Ubuntu or Fedora, or disable the Secure Boot from the BIOS.

As you can see, to use Windows 11, you need to have Secure Boot capability, but you don’t have to keep this option enabled at all, which means that you can dual boot Linux without any issues.
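Added example, not part of the original post: a way to check from the running Linux system which of the situations described above a machine is in (Secure Boot enforced, present but switched off, or absent), by reading the firmware's `SecureBoot` and `SetupMode` variables through efivarfs. The state labels returned are this example's own names, and the test data is constructed.

```python
import sys
from pathlib import Path

EFIVARS = Path("/sys/firmware/efi/efivars")
# GUID of the UEFI global variable namespace (SecureBoot, SetupMode, PK, ...).
EFI_GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"


def read_u8_var(efivars: Path, name: str):
    """Return the one-byte value of a global EFI variable, or None if absent."""
    path = efivars / f"{name}-{EFI_GLOBAL_GUID}"
    try:
        raw = path.read_bytes()
    except FileNotFoundError:
        return None
    # efivarfs layout: 4-byte little-endian attribute word, then the data.
    if len(raw) < 5:
        raise ValueError(f"{path.name}: truncated ({len(raw)} bytes)")
    return raw[4]


def secure_boot_state(efivars: Path = EFIVARS) -> str:
    """Classify the machine; the labels are this example's own names."""
    if not efivars.is_dir():
        return "no-uefi"  # legacy BIOS boot, or efivarfs not mounted
    secure_boot = read_u8_var(efivars, "SecureBoot")
    setup_mode = read_u8_var(efivars, "SetupMode")
    if secure_boot is None:
        return "not-capable"  # UEFI firmware without Secure Boot support
    if secure_boot == 1:
        return "enabled"  # only signed boot loaders (e.g. via shim) will start
    if setup_mode == 1:
        return "disabled-setup-mode"  # no Platform Key enrolled
    # Keys are enrolled but enforcement is switched off in firmware setup:
    # the "capable, but not enabled" case the post describes.
    return "capable-but-disabled"


if __name__ == "__main__":
    state = secure_boot_state()
    print(f"Secure Boot state: {state}")
    sys.exit(0 if state == "enabled" else 1)
```
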

j2mcgreg
Global Moderator
Posts: 4232
Joined: Tue Oct 23, 2007 12:04 pm

Re: Windows 11 secure boot Linux

#2 Post by j2mcgreg »

@MAYBL8

I think that this last line:
As you can see, to use Windows 11, you need to have Secure Boot capability, but you don’t have to keep this option enabled at all, which means that you can dual boot Linux without any issues.
is ambiguous and contradictory to what you stated in your main discussion. I think it would be enough for you to just edit out this section:
, but you don’t have to keep this option enabled at all,
.
HP 15; ryzen 3 5300U APU; 500 Gb SSD; 8GB ram
Aspire V5-571; CPU Intel I3; 500 GB SSD; Intel 2nd Gen Graphics; 8 GB Ram
Aspire XC-866; i3-9100; UHD 630; 8 GB ram; 1TB HDD

In Linux, newer isn't always better. The best solution is the one that works.

needmorebrains
Posts: 53
Joined: Tue Aug 10, 2021 1:33 am

Re: Windows 11 secure boot Linux

#3 Post by needmorebrains »

Wanted to add this as a side note:

Lots of security in new Windows 11. Lots. If you have Intel, they have proprietary security extensions in UEFI/BIOS (Newer 2022 hardware). They are separate from TPM 2.0, and Secure Boot. And if your hardware was built for Windows, it normally has no coordinate keys (TPM) for third party installs (unless you order or install it from OEM).

I think for a quick foundation of the current rings of trust (I call it ROT) a good read of the ArchLinux wiki on TPM and Secure Boot and some of the links to setups from TSG, all lead to the conclusion that you can set up Linux to use all (except Intel Security) the UEFI TPM/Secure Boot settings, and boot with Windows as a dual boot, but the Linux updates (especially for the kernel) may cause the boot to fail for Linux. And if Windows updates the boot partition, all is lost!

In closing, remember that Linux had to get a MOK or Shim key from Windows to allow Linux to boot in TPM/Secure Boot. So if you think that is unfair, and turn off all the Windows Security, a lot of the Windows (11) features will not work even though Windows will boot, and appear normal. And the app list of Windows apps that will not run will only show when you try to run them (or they won't start at all). And you know what Windows will tell you when you ask why. Our friends at Oracle VirtualBox have been working hard to get a handshake in various setups, and it seems that every time they get close to a solution, someone moves a marker for OS boot security, and the systems fail to run, or even boot. These issues are not for the faint of heart, and I do not want to see MXLinux trying to play second fiddle for this Windows Security and their pursuit of total hardware and software ownership. Wait until we get the AI interface software!

jeffreyC
Posts: 489
Joined: Mon May 27, 2019 10:39 am

Re: Windows 11 secure boot Linux

#4 Post by jeffreyC »

Microsoft's Lennart Poettering proposes tightening up Linux boot process
Building your own initial RAMdisk? That's insecure!

https://www.theregister.com/2022/10/26/ ... eepreading

needmorebrains
Posts: 53
Joined: Tue Aug 10, 2021 1:33 am

Re: Windows 11 secure boot Linux

#5 Post by needmorebrains »

Hi fellow members,

@jeffreyC I read that article you linked. WOW. I am not sure what to make of that. You can be sure it is for the benefit of one company, not for everyone.

I think there is a definite "push" to make the hardware and software "owned" by the OS that is on the unit. We all know you can set up your machine how you want, then deal with the fallout (if any), but for most of us, messing with a bootloader of any sort (GRUB, Windows, iOS, etc.) is a real difficult task. There are scores of comments about bricked devices, non-bootable OS's etc., where the answers to the dilemma always come too late for the users (normal users, not experts).

Obviously, they lose interest quickly if nothing they try fixes the boot issues, so they format, re-install the OS they bought with the hardware, and they never come back for advice.

When I read how hackers gain access to an unsecure device, nearly all of the successful hacks require the actual device, and opening the unit. That requires an act of theft to obtain the unit, so that should be the first concern.

I have always been fascinated by cell phones, that require a 4-digit pin to gain access (or Windows Hello) to all the fancy and long secure passwords to secure banking and highly personal information on the device, and that device stays with the person in most cases.

There may need to be a way (for the ultra-secure person) to remove a security device that boots the specific hardware. No device, no boot. You lose the device, automatic bricked unit.

Arnox
Posts: 417
Joined: Sat Sep 18, 2021 10:50 pm

Re: Windows 11 secure boot Linux

#6 Post by Arnox »

As bad as Windows has made and is trying to make Secure Boot, I don't actually think that's the worst part, funnily enough. The worst part is when Windows 10/11 just flat out screws up your Linux partition after a Windows update. And it's happened much more often than you'd think.

Windows 8.1 works just fine with Linux dual boot. Windows 7 works just fine with Linux dual-boot. Every Windows except 10 and 11... >_>

pbear
Posts: 311
Joined: Tue Aug 09, 2022 9:24 pm

Re: Windows 11 secure boot Linux

#7 Post by pbear »

Arnox wrote: Tue Nov 15, 2022 1:26 pm And it's happened much more often than you'd think.
Cites, please. We almost had this discussion in another thread, but a mod ruled it off-topic. To be clear, I know it happens. I have my own little collection of examples I use to get people's attention as regards the need for system backup. What I've not seen is anything of a statistical nature, i.e., how often it happens. Meanwhile, anecdotally, participating on several Linux forums, seems to me pretty darn rare.

jeffreyC
Posts: 489
Joined: Mon May 27, 2019 10:39 am

Re: Windows 11 secure boot Linux

#8 Post by jeffreyC »

needmorebrains wrote: Tue Nov 08, 2022 8:58 am
When I read how hackers gain access to an unsecure device, nearly all of the successful hacks require the actual device, and opening the unit. That requires an act of theft to obtain the unit, so that should be the first concern.
Much of the computer security news seems to be little more than fear-mongering, whether just to get headlines or to sell services.

What caused me to arrive at this conclusion was the so-called Plundervolt exploit, which if you read the research paper you will find that the attacker needs to have root access to that computer to put into place. But of course the fix that the manufacturers came out with was to remove the ability to undervolt the computers from everyone.

The way I see it if you leave your computer out unprotected and unsupervised for any lengthy time around people whom you should not trust then the real security hole is you.

FullScale4Me
Posts: 675
Joined: Sat Jan 09, 2021 12:30 am

Re: Windows 11 secure boot Linux

#9 Post by FullScale4Me »

pbear wrote: Tue Nov 15, 2022 11:38 pm
Arnox wrote: Tue Nov 15, 2022 1:26 pm And it's happened much more often than you'd think.
Cites, please. We almost had this discussion in another thread, but a mod ruled it off-topic. To be clear, I know it happens. I have my own little collection of examples I use to get people's attention as regards the need for system backup. What I've not seen is anything of a statistical nature, i.e., how often it happens. Meanwhile, anecdotally, participating on several Linux forums, seems to me pretty darn rare.
I have seen reputable Windows techs say they feel it's the semi-annual Feature Upgrades that were the source of this. No source was cited by them other than observation.

These Feature Updates are now confined to Windows 11 as Win 10 is no longer getting them. (I'm a Microsoft Windows Insider member). Again no MS source that I am able to cite. Having supported MS products for ~40 years you are NOT likely to get official reports from employees recently on this.

Yet we have people reporting it happening on occasion. Do I believe that the boot order got hosed up? Yes. Do I believe it was MS's (or the Linux distro) fault 100% of the time? Absolutely NOT! Also, a good portion of users will lie rather than admit self-inflicted carnage. Some of it may also be unknowingly inflicted by random keystroke errors and PC setting screen ambiguity (imperfect language).

A magnifying influence I have personally seen is Linux fanbois appearing from the bleachers to 'help' the new user. Rarely is this help viewed by all as the highest quality help.

Yes, a boot media of BOTH operating systems (tested) should be on hand BEFORE beginning installation.

I've seen too often an oldish USB burning program mentioned that does weird things that trip up the user too. Windows 10 boot media was trivial to make on Linux PCs from Spring 2018 and earlier. The only Linux working program (WOEUSB-ng) requires binaries from 3 locations and source code from a 4th location to install a working Windows 10/11 USB burner! Far easier to get a friend to burn the Linux USB on Rufus running on a Windows machine.
Michael O'Toole
MX Linux facebook group moderator
Dell OptiPlex 7050 i7-7700 32 Gb, MX Linux 23 Xfce & Win 11 Pro
HP Pavilion P2-1394 i3-2120T 8 Gb, MX Linux 23 Xfce & Win 10 Home

Eadwine Rose
Administrator
Posts: 11976
Joined: Wed Jul 12, 2006 2:10 am

Re: Windows 11 secure boot Linux

#10 Post by Eadwine Rose »

As this is moving into a chatty topic, I am moving it to that area.
MX-23.2_x64 July 31 2023 * 6.1.0-20-amd64 ext4 Xfce 4.18.1 * 8core AMD Ryzen 7 2700
Asus TUF B450-Plus Gaming UEFI * Asus GTX 1050 Ti Nvidia 525.147.05 * 2x16Gb DDR4 2666 Kingston HyperX Predator
Samsung 860EVO * Samsung S24D330 & P2250 * HP Envy 5030
