Neither Secure Boot nor TPM were ever actually about security and neither meaningfully improves security. They are DRM features that exist solely to ensure you can never truly own the things you buy.
Um, TPMs for sure provide meaningful security. Maybe their use is implemented poorly a lot of the time, AND they can be abused to hold control over hardware you've purchased, but low level exploits are for sure a thing and TPMs and other dedicated hardware security modules (for enterprise) most definitely serve a purpose.
They're a response to the ever evolving advancement of cyber exploits. Don't knock them on principle, take affront to when they're used poorly.
There's the truth. Thank you.
Sticking to linux and indie games forever then !
Kernal level anticheat is invasive and the vast majority of anticheats are probably installing spyware with root access.
In my opinion its only useful against unsigned boot attacks and such,also you have to go through Microsoft for signing which is pretty bad if you wanna reduce reliance on Microsoft.
The biggest issue to me is that if you (the OS maker) wants a shim so you can use your own CA, you have to go through Microsoft. And they can just say no.
I think Tuxedo is still waiting on their shim.
It's pretty pointless if you allow it to use Microsoft's keys. It's a lot of work to set it up to only use your keys and that bricks certain poorly designed laptops.
For Linux, the protection is weak.
But if properly implemented, it’s good. But it would be a hassle to do and would require users to register new keys and blacklist Microsoft’s.
Measured boot is a better solution for Linux. It’s decentralized and does not rely on Microsoft. It uses the TPM to “measure” various parts of the UEFI, bootloader, and OS to ensure they have not been tampered with.
Never heard of that
Does "every" modern BIOS support that?
Need to read up on it...
No, it requires a TPM2 chip. So the requirements for measured boot are to similar to Windows 11.
Poettering has a few blog posts and conference videos on it. And Aeon is a distro that implements measured boot as the default.
I use Aeon on my laptop, and I will say there are usability issues, but hopefully the kinks get worked out. Since installing in March, I've had to enter my recovery key and reenroll three times due to some kind of firmware update. This is on an older laptop (Ryzen 3500U), so I don't know if it's a common issue or unique to me.
Anyway, it's a cool idea, I hope it gets more attention. The benefits for regular users are fairly minimal, but I certainly appreciate security for security's sake.
Thanks!
That's good to know.
As I need my laptop for work, I can't really risk such experiments...
Yeah, mine is just for mucking around at home. I mostly browse the web and play casual games. Nothing important is stored there, so if I need to reinstall, then so be it.
All secure boot does is ensue the binary (say, Linux or Windows kernel) run in early boot is "trusted," meaning it's cryptographically signed by a key the motherboard has. You can usually load your own keys and sign your own binaries, but I imagine only large orgs do that if they have a lot of Linux systems or something.
The way Linux works with this is they use a shim binary that is signed by Microsoft's key, and that binary loads the actual Linux kernel. The kernel itself is not signed with that key.
The only way this impacts gaming is if games check if Secure Boot is enabled. If it is enabled, the game knows the system booted with something signed by a key the motherboard trusts. For most systems, that means Microsoft's keys, but AFAIK, they can't check what key was used in early boot unless the kernel provides some indication of that.
Basically, it's an anti-tampering check, so they have some assurance the kernel is untampered from what the maintainer released.
Some newer distros like Bazzite are pretty awesome in that they install their own Secure Boot keys during the first time setup.
That's pretty dope! I imagine we'll see more distros follow suit as the September expiration of Microsoft's keys approaches.
My distro, openSUSE Tumbleweed, does that as well, but I imagine plenty don't.
Edit: I'm wrong, looks like they do that for "Trusted Boot," but not "secure boot," if this documentation is to be believed. It's an option, not forced. I'm going to check later if it's configured properly on my machine that I set up several years ago.
Others have already explained the secure boot process. But one thing that might impact gaming is that TPMs also implement cryptographic acceleration in hardware. Not only does it speed up operations, it guarantees that the binary code for the library running on the chip hasn't been modified.
Some anti-cheat libraries might require the TPM and having secure boot on guarantees that feature exists.
Secureboot is a security measure to make sure the boot environment have not been tampered with. It would detect malwares that attempt to modify the boot environments. According to ArchWiki, it ensures "core boot components (boot manager, kernel, initramfs) have not been tampered with", which would protect against initramfs-swap attacks like de-LUKS, however there are conflicting reports on the internet, and I have not tried myself.
I personally don't find it makes Linux harder to install, like others suggested. Unless you use a surface device, it will happily accept the key for most common linux distro, including Ubuntu, Debian, Fedora, and many more. For most custom distros, you can easily register its key via MOK (require root privilege and confirmation in the UEFI, for security purpose). In fact, Debian project is quite clear on SecureBoot not being a tool for MS to monopolize the desktop market: https://wiki.debian.org/SecureBoot#What_is_UEFI_Secure_Boot_NOT.3F .
However, if you need to load additional kernel modules, like NVIDIA drivers, secureboot can get quite annoying. I am actually quite interested in why Windows don't have a problem loading additional drivers, yet Linux do.
In the end, I feel if you are using a distro that works with secureboot, there is no reason to leave it off; if you find it annoying, yet okay with a downgrade in security, then you might want to leave it off.
Secure boot is BS
No, it's not actually bad, it can just be a hassle to deal with. Much like when TLS was becoming the norm for websites there was a bit of an adjustment period when things weren't always configured just right or folks didn't have good auto renewal yet. It doesn't mean the tech is bad.
Linux does support TPM and secure boot: https://wiki/ .debian.org/SecureBoot#What_is_UEFI_Secure_Boot.3F
So the problem is really only about kernel level anticheat, not the secure boot itself ?
Worst part is everything has to use Microsoft's signing keys, so it's ironically a gigantic security hole if your threat model includes being on Microsoft's shit list.
Only by default. You can load your own keys instead of Microsoft's, and some Linux distros do just that.
Which makes this requirement even more meaningless because someone who wants to cheat by running a modified kernel will obviously know how to follow a tutorial to add his MOK and sign his version of the kernel.
Yup. All it does is restrict less sophisticated users, but surely they'd also be willing to follow a guide to configure it.
Discussions and news about gaming on the GNU/Linux family of operating systems (including the Steam Deck). Potentially a $HOME away from home for disgruntled /r/linux_gaming denizens of the redditarian demesne.
This page can be subscribed to via RSS.
Original /r/linux_gaming pengwing by uoou.
No memes/shitposts/low-effort posts, please.
WWW:
Discord:
IRC:
Matrix:
Telegram: