this post was submitted on 14 May 2024
21 points (95.7% liked)
linux4noobs
The info on the bootloader is wrong. Secure Boot in UEFI is important to understand. The actual bootloader is the largest vulnerable surface area in a modern computer with a fully encrypted drive.
Linux itself does not support SB in the kernel. SB is a mechanism to steal ownership from the end user. You can find a document that says the exact opposite; typical of corporate gaslighting from the members of the UEFI consortium. The specification for Secure Boot includes a provision to allow the end user to create and sign their own SB key set. However, the design specification is not a required implementation and in many cases you will find this is not implemented in consumer grade hardware. There is a tool called Keytool that can boot directly into UEFI (wrap your head around that and you'll understand why this might be important). Good luck finding solid documentation for Keytool though. Gentoo has a guide, but all Gentoo documentation assumes a very high level of competence.
The reason people have issues with Linux and W11 coexisting is because they are not addressing the issue of UEFI Secure Boot. W11 only works with SB. If you boot into a SB distro, it will do exactly what it is supposed to do and remove any unsigned bootable code.
If you can't change SB keys for self-signed, both Fedora and Ubuntu include a shim key outside of Linux. The final package manager signs this shim key with a Microsoft third-party key signing system m$ created. If you use one of these distros with a shim, you will not be able to mess with kernel space at all (read: potential Nvidia issues), but Linux and Windows can coexist in any configuration.
I never use W11, and I have a copy on a separate drive, but I have a W11 partition on the same NVMe as Linux with no issues whatsoever using Fedora with the shim key.
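A way to check, from a running Linux system, the state the comment is talking about: whether the firmware is actually enforcing Secure Boot, whether it is in Setup Mode (no Platform Key enrolled, which is the state in which the owner can install their own PK/KEK/db set), and how much data sits in each key database. This is an added example, not code from the commenter or from any distro; it reads the kernel's efivarfs interface and assumes it is mounted at /sys/firmware/efi/efivars (the `EFIVARS` override and all function names are my own; the two GUIDs are the standard UEFI ones for these variables).

```shell
#!/bin/sh
# Added example (not the commenter's code): read UEFI Secure Boot state straight
# from efivarfs, the interface the kernel exposes for UEFI variables.
# Assumption: efivarfs is mounted at /sys/firmware/efi/efivars (override with EFIVARS).

EFIVARS=${EFIVARS:-/sys/firmware/efi/efivars}

# Vendor GUIDs that name the standard variables (from the UEFI specification).
GLOBAL_GUID=8be4df61-93ca-11d2-aa0d-00e098032b8c   # SecureBoot, SetupMode, PK, KEK
SIGDB_GUID=d719b2cb-3d3a-4596-a3bc-dad00e67656f    # db, dbx

# Each efivarfs file is 4 bytes of attribute flags followed by the variable data.
# Print the first data byte (byte 5) as a decimal number; fail if the file is unreadable.
efivar_first_data_byte() {
    [ -r "$1" ] || return 1
    od -An -tu1 -j4 -N1 "$1" | tr -d ' \n'
}

# Classify a one-byte boolean variable under GLOBAL_GUID: "on", "off" or "absent".
efivar_flag() {
    v=$(efivar_first_data_byte "$1/$2-$GLOBAL_GUID") || { echo absent; return 0; }
    case "$v" in
        1) echo on ;;
        *) echo off ;;
    esac
}

# "enabled" means the firmware verifies boot binaries against db/dbx before running
# them; "unsupported" means there is no efivarfs (BIOS/CSM boot or non-UEFI system).
sb_state() {
    case "$(efivar_flag "$1" SecureBoot)" in
        on)     echo enabled ;;
        off)    echo disabled ;;
        absent) echo unsupported ;;
    esac
}

# Setup Mode "on" = no Platform Key enrolled, so the machine owner can install their
# own PK/KEK/db (the "create and sign your own key set" path).
setup_mode() {
    efivar_flag "$1" SetupMode
}

# Payload size in bytes of a key database variable (0 when absent).
key_db_size() {
    f="$1/$2-$3"
    [ -r "$f" ] || { echo 0; return 0; }
    s=$(wc -c < "$f" | tr -d ' ')
    echo $(( s > 4 ? s - 4 : 0 ))
}

report() {
    echo "Secure Boot:  $(sb_state "$1")"
    echo "Setup Mode:   $(setup_mode "$1")"
    echo "PK  bytes:    $(key_db_size "$1" PK  "$GLOBAL_GUID")"
    echo "KEK bytes:    $(key_db_size "$1" KEK "$GLOBAL_GUID")"
    echo "db  bytes:    $(key_db_size "$1" db  "$SIGDB_GUID")"
    echo "dbx bytes:    $(key_db_size "$1" dbx "$SIGDB_GUID")"
}

report "$EFIVARS"
```

If it prints Secure Boot enabled and Setup Mode off, the firmware already holds an owner PK (normally the OEM's) and is enforcing signatures; whether the firmware menu lets you clear that PK and enroll your own is exactly the vendor-by-vendor question the comment raises. A non-zero PK with Secure Boot disabled means enforcement is simply switched off, not that the keys are gone.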