Why doesn't EndeavourOS support Secure Boot out of the box?

As far as I know this isn’t a Linux limitation. There are distros (e.g. Ubuntu) that work with Secure Boot out of the box. Shouldn’t this be something EndeavourOS strives to support as well?

Not looking to start a flame war, just honestly trying to understand why this hasn’t/isn’t being worked on. Thanks in advance for educating me :slight_smile:

1 Like

Good Lord, I hope not!

12 Likes

It doesn’t? Anyway, secure boot is cancer.

2 Likes

Straight from the front page…

“No matter which method, DE or WM you choose, they all have one thing in common, a basic and almost bare-boned installation with a modest but…”

EOS comes with very few things out of the box to encourage you to customize your install to your heart’s content. If you want secure boot, you’re more than welcome to set it up. That’s the beauty of a “bare-bones” distro.

5 Likes

For Secure Boot (SB) to work without user intervention, you need to get the binaries signed by Microsoft, which incurs a fee each time you do it. We use binaries from Arch and since those aren’t signed, we can’t easily support secure boot.

8 Likes

Thanks Dalto, makes sense. I guess the question is then why doesn’t Arch get their binaries signed. Wondering if it’s the cost or ideology. But either way - got it. Thanks for your reply.

1 Like

I read the guide for setting it up manually on EndeavourOS. Sounds quite lengthy, complicated, and far from bulletproof - whereas it works out of the box for Ubuntu, Fedora, and their derivatives.

Not faulting EndeavourOS here (I understand it’s simply a downstream impact of Arch not getting a Secure Boot certification). Just another thing to consider when choosing a distro, I guess.

1 Like

I think you should also consider if the secure boot implementation in those distros actually increases security for your personal use case. The shim implementation used by Linux distros is something you should investigate for yourself.

5 Likes

Because they don’t want to give a whole bunch of money to Micro$oft for nothing of actual value.

2 Likes

I got into it with someone at Fedora and I compared views on secure boot to politics and said that no matter what either of us say - we’re both right, and we’re both wrong.

I was subsequently banned for talking “politics” in that group. . . for literally comparing secure boot to discussing politics.

Whatever.

Anyways - secure boot is up to you - Microsoft obviously thinks it’s a big deal. Fedora kinda thinks it’s a big deal, even though most of the copr stuff requires it off. Arch/EOS basically doesn’t use it. . .

It doesn’t have any effect on me, so I keep it off. Even on Fedora, which I “don’t use correctly.” Or so I’m told.

4 Likes

From my understanding, and again this was several years back so I could be completely wrong now, the proposal of secure boot was to ensure that malware did not have the ability to boot into the system and overwrite the Microsoft boot loader. A way for Microsoft to produce an illusion of security. Emphasis on the Microsoft Boot Loader and not a Linux boot loader. Microsoft does not care about Linux nor does it care if Linux can boot. Ubuntu and Fedora are their own systems and they can go to bed with Microsoft if they want. Paying another company so your OS can boot is utterly ridiculous.

Again, it’s been a while since I read about all this and back then it was still in the proposal stage.

1 Like

In a nutshell HELL no!!!

There are probably arguments for advantages and disadvantages but there will come a time when turning off secure boot won’t be an option anymore. I have looked at the ArchWiki Secure Boot page but it seems to be one of the most confusing ArchWiki pages I have come across. So I won’t be trying it anytime soon until I try it on a VM that uses UEFI boot.

My understanding is that the fee is fairly minimal. But the real question is how one defines “actual value”.

Some users are deterred from (don’t have the tech know-how and/or confidence for) tweaking BIOS settings, turning off “security features”, or performing the complex manual process to add Secure Boot support to their Arch install.

The value for adding Secure Boot support out of the box - even if you think that Secure Boot has no actual security value - is making Arch accessible to said users. That’s why Ubuntu and Fedora added it out of the box.

Whether or not you think it is worth it for Arch to do so as well is up to you, of course. But yes, there is value in the sense of “it makes Arch relevant for more users” :slight_smile:

1 Like

I would have to disagree with this as Arch isn’t a traditional system such as Ubuntu and Fedora. Those come preinstalled with packages of their choosing they decided the users want. Arch allows you to build your own operating system. You control your computer and every app on it.

They probably should not be using Arch then.

7 Likes

I’m not sure where you disagree, though. I said it would make Arch more accessible to some users, and you actually agree as far as I can tell, but answer with “they probably should not be using Arch then”, which is fair enough - definitely not here to argue about opinions on the balance between “more users” and “bare bones/not working with Microsoft”. Not getting into those hot waters!

I recently read a write-up from alt-linux about getting secure boot certified. Seems like while the dollar cost wasn’t large, the time required and the hoops you had to jump through were a large cost.

As also said, is it really secure, especially given the recent root/boot kit discovered, which will be poking its head up many times over the next 10 years I’m sure. So at least one documented case of failure, how many undocumented?

Seems like if you are really keen, you could go and get a bootloader signed by Microsoft yourself, and jump through all the hoops, and spend all the time, and but a little money? Is it worth it to you?

1 Like

This is probably true.

This is a fair point. It would make installation cleaner and more accessible.

I am sure you have already noticed this but Secure Boot tends to be a touchy subject on Linux forums. Some people are very passionate about it. In part because it comes from Microsoft.

6 Likes

It would be like going into a restaurant at a shopping mall. You go in, eat, and then pay. Then you get to the door and they charge you to leave and go back into the shopping area.

It’s literally a paywall to access your hardware you already bought.

1 Like

Every security tool can be used for security for the user or it can be used against the user. See the following video but it has mostly disadvantages when it comes to running Linux on your system.