Why doesn't EndeavourOS support Secure Boot out of the box?

I think I’ll pass. Thanks haha

1 Like

Invalid Signature? Never heard of her :laughing:

1 Like

There is no need for Microsoft signature. You can create and use your own signing keys - look for sbctl. Additionally, you would need to disable the current installation method and use dracut-uefi-hook or dracut-ukify as secure boot requires the use of EFI stub kernel (kernel and initrd combined in one EFI file).

2 Likes

No need for Microsoft or secure boot! I use endeavourOS btw! :rofl:

1 Like

Well, secure boot aside. If EOS at least generated (unsigned) unified kernel images, it wouldn’t need to muck with systemd-boot loader entries, as sd-boot auto-detects them and creates appropriate menu entries on its own.

2 Likes
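An added example (not from any post in this thread, and not sbctl's or systemd's code) for the two posts above on unified kernel images: a check that reads the PE headers of an EFI file and reports whether it looks like a UKI and whether it carries a signature table at all. The three-section test is a heuristic, and `build_sample` produces constructed headers so the block runs offline.

```python
import struct

UKI_SECTIONS = {".linux", ".initrd", ".osrel"}  # sections a systemd-stub UKI typically carries

def inspect_efi(data: bytes) -> dict:
    """Report whether a PE/EFI image looks like a UKI and carries a signature table."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE/EFI image")
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew: offset of "PE\0\0"
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsect, opt_size = struct.unpack_from("<H12xH", data, pe + 6)
    opt = pe + 24                                          # optional header start
    magic = struct.unpack_from("<H", data, opt)[0]
    dd_rel = {0x10B: 96, 0x20B: 112}.get(magic)            # PE32 / PE32+ data directories
    if dd_rel is None:
        raise ValueError("unknown optional-header magic")
    ndirs = struct.unpack_from("<I", data, opt + dd_rel - 4)[0]
    # Data directory 4 is the Certificate Table: (file offset, size) of the Authenticode blob
    cert_off, cert_size = struct.unpack_from("<II", data, opt + dd_rel + 32) if ndirs > 4 else (0, 0)
    names = set()
    for i in range(nsect):                                 # 40-byte section headers, name first
        start = opt + opt_size + 40 * i
        names.add(data[start:start + 8].rstrip(b"\0").decode("ascii", "replace"))
    return {
        "sections": names,
        "is_uki": UKI_SECTIONS <= names,
        # Presence only: this does not verify the signature against enrolled keys
        "has_signature": cert_size > 0 and cert_off + cert_size <= len(data),
    }

def build_sample(sections, signed):
    """Constructed minimal PE32+ headers for the demo; not a bootable image."""
    opt_size = 112 + 16 * 8
    total = 0x40 + 24 + opt_size + 40 * len(sections)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 108, 16)
    if signed:
        struct.pack_into("<II", opt, 112 + 32, total, 8)   # placeholder 8-byte cert entry
    table = b"".join(n.encode().ljust(8, b"\0") + bytes(32) for n in sections)
    return bytes(dos) + coff + bytes(opt) + table + (bytes(8) if signed else b"")

if __name__ == "__main__":
    print(inspect_efi(build_sample([".text", ".osrel", ".linux", ".initrd"], signed=True)))
```

On a real system the same function can be fed the bytes of a file under the ESP; an image that reports `is_uki` but not `has_signature` is the unsigned UKI case described above and will be rejected by firmware with Secure Boot enforced.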

I use grub! :wink:

1 Like

I thought you used refind?

Secure Boot has Microsoft’s fingerprints and vested interests written all over it, from day 1. For that matter, so does TPM. Security deficiencies follow MS and manifest with everything that Microsoft touches. I shuddered when Microsoft bought GitHub, now security breaches are common.

Speaking of, rEFInd actually makes using secure boot on Linux pretty easy–at least, easier than the manual way described in the ArchWiki. For those curious, the ArchWiki describes the rEFInd method in their secure boot article: https://wiki.archlinux.org/title/REFInd#Using_your_own_keys

Toss the keys in a directory on the EFI, run the script, and you’re done! :grinning:

Rod Smith has also written an article about what secure boot is, and why it exists: https://www.rodsbooks.com/efi-bootloaders/secureboot.html

Also an article on making your own keys (the how and the why): https://www.rodsbooks.com/efi-bootloaders/controlling-sb.html

rEFInd also ships with ready-to-use keys:

If you decide to use outside keys, you should obtain them from their maintainer. For convenience, my rEFInd boot manager comes with a number of keys; see its git repository for easy access to individual keys.

I used to use refind.

My thoughts exactly!

1 Like

IIRC no non-Microsoft access was Microsoft’s position for ARM secure boot? Been a while since I read anything about it. Thus you wouldn’t be able to install Linux on the ARM platform where Windows was already installed. Hopefully changed, but I don’t know current status.

4 Likes

To be honest here, you sound like a Microsoft operative trying to use reverse psychology to sway the gullible into using an absolutely anti-consumer system that as soon as you deploy it, you cannot reverse it, and it makes you dependent on Microsoft!

Also: You are the one making the strawman argument, and also a bunch of other logical fallacies: false equivalence, Argumentum ad populum (the appeal to popular belief), arguments of incredulity and many more, and have the 2nd LAW of logic (non contradiction) wrong, because you are missing the “Excluded middle”, and using inferential logic based on false premises! So even if your logic is perfectly valid, it does not guarantee the conclusion to be true and right, it being based on false premises: Garbage in = Garbage out! Here’s a syllogism of what you are proposing in its most basic form for brevity, but isn’t even the whole of it:

P1: People can hack into your computer and take it over, lock you out…
P2: Secure Boot is a good technology to secure your computer from intruders.
C: Therefore one should use Secure Boot.

The first premise is not necessarily true because SB prevents people who either have physical access to your computer, or to your network because you have “Boot on LAN” turned on so you can boot into computers on your network remotely, and it’s connected to the internet, but if neither is true; people have physical access to your computers or indirectly via the internet, which there are already many security systems in place and practices to adhere to like Isolating your network from the internet… Add: If people have physical access to your computer they still have to understand how to get around whatever security you have, and intend to do so. It also uses a dichotomy; SB is either good or bad, but in this case violates the rule of excluded middle in inferential logic, because there’s good and bad things it comes with that must not be ignored but recognized and included. IOW, it’s not an either or scenario, but a whole range of possibilities in between based on your wants and needs, and what you are willing to tolerate.

The second premise is also false, because although the concept of SB is great, its implementation of having Microsoft the sole authority over YOUR computer (They control the encryption algorithm, supply and have, and therefore also control the keys, fee based nonetheless…) and you handing the authority to them instead of being the sole arbiter yourself, is like castrating yourself because there are too many rambunctious kids in your neighborhood that are not your offspring!

The general idea of Secure Boot as a technology is great, its implementation is utterly abhorrent! Microsoft may secure your computers, but they are not immune from intrusion, as SB does nothing for already running and always on systems, especially if connected to the internet. Microsoft and other big tech are prime targets and have been hacked more than once and compromised millions of users and their own data! So, even if instead of just Microsoft, other entities could function as authorities they too are not immune to intrusion, and most hacking attempts are not aimed at small business and home computers, and mainly at Windows computers using Microsoft’s built-in back doors, which do not exist on Linux. Of course if you have “123”, “XYZ”, your pets’ or kids’ names that can easily be obtained… as passwords, or no password at all, no firewall… then YOU are opening the doors for entry, even on a Linux system.

I could write a book about the deviant logic Microsoft (Big tech in general) uses to fool gullible people with, and why they cannot be trusted as far as you can throw their headquarters; so not at all. They can literally lock you out of your own computer for whatever reason they choose, like not paying your subscription fees… and it still does nothing to keep Microsoft from (as stated in their EULA: “uploading the contents of all of the storage devices of your Windows computer and all connected devices (no mention of type nor OS) to our (Microsoft’s and from there anyone they choose to share it with) servers”), all shrouded in much more vague, complicated, and unwieldy legalese, it’s no wonder people just click “I agree” and hope for the best. Secure boot as it is, is not about protecting users, but Microsoft and their partners’ ability to control and manipulate them!

So in conclusion (no syllogisms needed), just basic grade school logic 101: Secure Boot could be a great thing, but will never be as long as no one but the owner of the hardware it protects is the sole arbiter of it! Microsoft have refused to release the technology as a FOSS and make it an open industry standard anyone can do with as they please, relinquish control to the users, and take themselves out of the equation, and even strong-armed and paid millions to make hardware makers adopt it in a way that if you do set it up, there’s no turning back, and you have no say from then on, even if you paid for your gear!

It’s completely anti GNU licensing model, anti consumer and has no place in Linux! Ubuntu, Fedora and others are still not in full control (many and the community at large have tried and tried again), and may never have it, and therefore shouldn’t make it mandatory as it is on Windows systems, and I don’t think they do. If I am correct (I don’t use any of them), although the capability is there to use it out of the box, you still need to get keys… and turn it on, (still no turning back, as it locks down the hardware), and Canonical, Red Hat… cannot reverse it either. They do so not because they think SB is a good model, but because they cannot stop misinformed people from wanting to use it and get bombarded by requests to include it and even make it easy, and so to not rock the boat, they oblige.

I think you need to read up on how exactly SB works (against you), and not Microsoft’s explanation or uninformed users on forums and the like (mere opinions), but the disambiguated ones from unbiased security expert sources, because the gain from securing your computer from highly unlikely scenarios at the cost of handing total control of your hardware to a megalomaniac corporation for a false sense of security, is not intelligent at all and where philosophy becomes its own worst enemy if your epistemology is flawed. You also should read (and understand) the GNU public license Linux is under to understand why no distro should ever use it, because Linux is the opposite from Microsoft in regard to users power and trust in Linux, and why we don’t play friendly with Microsoft, nor anyone else that violate it as standard practice, not even for a one time experiment!

If you want Secure Boot so bad, then the best way for Linux distros to handle it in order they not end up getting a bad reputation, is to not endorse it, nor make it easy, and be clear about why you shouldn’t use it, all in the spirit of GNU, Linux, and FOSS in general, yet still leave you that option (not necessarily give it to you, only not disallow it) as to not violate users’ freedom (even if at your own peril), and if none of that persuades you, be clear with a loud disclaimer of “Use it at your own risk, but we want nothing to do with it, so you are on your own”!

If you are willing to use Secure boot, but can’t get it working or have problems setting it up… then you can always use Windows, who have it as a mandatory default you cannot opt out of, and will make it so you don’t have to do anything but install Windows. If you then find out the hard way that it was a bad idea, and want to revert to using Linux, it may come with extreme difficulties, because Windows will not relinquish full control to it, nor you, nor will you be able to free yourself from Microsoft’s control, on any device it’s set up on, and in order to do so will have to get a new and untainted computer.

2 Likes

I understand what you are saying here but I think there is another perspective. Since virtually every PC platform ships with SB enabled this hurts Microsoft not at all but it makes Linux much less accessible.

I would rather see Linux become available to more people than have it be withheld.

I think we have to consider what SB means from a distro perspective. It means that distro boots and functions if you have SB enabled. It doesn’t mean you must use SB or that it is requirement. It means you can choose to use it if you want to. If you don’t want to, that works fine too. It is just about giving people the freedom to choose.

Whether SB is good or bad, adds value or doesn’t, shouldn’t really impact a distro being willing to support it. In point of fact, most of the major distros do now support SB. openSUSE, Fedora, Debian, Ubuntu and almost all of their derivative distros have support for SB out of the box. Even Solus recently added it in a pretty unique way.

I also agree with another poster that it is probably only a matter of time until there is no choice but to support it.

4 Likes

I can’t agree more…I stopped using Win$lows when the EULA gave more rights to them than the end user…I like to OWN my computer—thank you. I build my own hardware & so far (knock on wood) have not had any opt-in “safe” tech (well—you can’t get away from Intel or AMD issues) in my systems. I do dread the time that I will be forced to, but for now, by choosing wisely, I can steer clear of intrusion.

2 Likes

bro really decided to throw the dictionary and library of babel at this man ahaha

Not to offend or disagree ! I just thought the reply was a bit excessive lol

This is one of those topics that people feel VERY strongly about…I really try to wean everyone I can away from Micro$low…it’s like Cancer in the computing world.

3 Likes

I don’t need nor want secure boot. I just want my system to boot quickly without issues. With EndeavourOS using btrfs, btrfs-assistant, snapper-support and btrfsmaintenance and booting with grub on Wayland I get fast, smooth startup without issues. This is both on Ryzen with AMD GPU and also Intel with Nvidia.

1 Like

As I stated: SB has to be set up, which enables it to work, so to say “It’s enabled” would mean actively working which it is not, unless you have Windows installed by the factory, or installed it yourself. The SB hardware is installed (It’s hardware after all) as well as the TPM (Trusted Platform Module) Chip which is the part Microsoft can control lock your computer from working as well as any noncompliant software, so whoever MICROSOFT decides is compliant.

Again, they shouldn’t support it, not as long as Microsoft and motherboard MFG’s, use it to their and not the users’ advantage. Watch the freaking video, as the best comedy is based on factual truth, and that one is!

You are wasting more time here arguing your own want against that of nearly the entire Linux community and its ecosystem! In the time you’ve already spent here doing that you could have read up on and understand how to do it and perhaps have it working by now! Most of us, do not use it, and couldn’t help you anyhow.