Score:-1

Secure boot & 'Device Security'


About 3 days ago I bought a brand new system and did a clean install of 23.04. I did not have secure boot enabled. I then spent the next 3 days installing software to get my system up to a fully running state.

In my GNOME 'settings' configuration I found 'Privacy' and then 'device security'. It seemed I failed a lot of tests, including a tainted kernel ('vboxdrv' was the cause). I removed the tainting program [which is a problem as I need the program (VirtualBox)] and then tried to fix as many of the failed checks as I could... including turning on 'Secure Boot' in BIOS.

I set it to 'Windows' & 'standard'.

My question is this... by turning this on, I imagine I get a certain level of protection. But have I locked in a potentially compromised system by doing this? Should I have had secure boot from the very start, or is it ok to turn it on now?

I now pass all of HS1, and some of the others. Am I making too much of this feature?
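
Added example, not part of the original question or of any project named here: a POSIX shell decoder for the kernel taint value behind the "tainted kernel" check mentioned above. The sample value 12288 is constructed and assumes vboxdrv was loaded as an out-of-tree module whose signature the kernel could not verify; the function names are hypothetical.

```shell
#!/bin/sh
# Decode a kernel taint bitmask into its flag letters and meanings.
# Table format is bit:letter:meaning, following the kernel's taint flag list.
TAINT_TABLE='0:P:proprietary module loaded
1:F:module was force-loaded
2:S:kernel running on an out-of-spec system
3:R:module was force-unloaded
4:M:machine check exception reported
5:B:bad page reference or unexpected page flags
6:U:taint requested by userspace
7:D:kernel died recently (oops or bug)
8:A:ACPI table overridden by user
9:W:kernel issued a warning
10:C:staging driver loaded
11:I:workaround for platform firmware bug applied
12:O:out-of-tree module loaded
13:E:unsigned module loaded
14:L:soft lockup occurred
15:K:kernel has been live patched
16:X:auxiliary taint, defined by the distribution
17:T:kernel built with the struct randomization plugin
18:N:in-kernel test has been run'

# Print one line per set bit; prints nothing for an untainted kernel (0).
decode_taint() {
    value=$1
    printf '%s\n' "$TAINT_TABLE" | while IFS=: read -r bit letter meaning; do
        if [ $(( (value >> bit) & 1 )) -eq 1 ]; then
            printf '%s bit %s: %s\n' "$letter" "$bit" "$meaning"
        fi
    done
}

# Compact form: only the flag letters, e.g. "OE".
taint_letters() {
    decode_taint "$1" | cut -c1 | tr -d '\n'
}

# Constructed sample: bits 12 and 13 set (assumed vboxdrv case, see lead-in).
decode_taint 12288
# On a live system: decode_taint "$(cat /proc/sys/kernel/tainted)"
```

A value containing only O and E points at a locally built or unsigned module rather than a kernel fault; flags such as D or M indicate a different kind of problem.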

Score:1

This question is asking for opinions, which may vary wildly and confuse more than help. Security is a broad topic.

Improving your device security settings is rather like locking one window of your home: It helps (let's say that again: IT HELPS). It's not a complete security solution. There are other windows for an intruder to enter...or simply peer through.

Good security is more a set of good habits and a bit of learning than any particular single tool.

For an excellent primer from a professional on the many facets of good security and good habits, I recommend episodes 152-156 of the Ubuntu Security Podcast.

Worn-out_home-tech
No, my question is more a case of the function of secure boot. I understand it ensures that the pre-OS firmware is still ok and not compromised. By turning it on, am I locking in a potentially compromised pre-OS software or am I ensuring that it actually isn't compromised (like a virus check)? With the window analogy: by locking it, have I locked the burglar inside or ensured there isn't one and locked them out (in terms of that window)?
user535733
Sorry, it was not clear that you intended Question #2 of 3 buried in the fourth paragraph to be your main question. Sure, an attacker that gains root access can defeat a later enablement of Secure Boot several ways. So best practice is to reinstall Ubuntu after enabling Secure Boot, thus wiping those unknown backdoors from that undetected attacker. Keep in mind that Secure Boot addresses (very well) only one attack vector among many. The human in the system must evaluate and manage these risks.
Worn-out_home-tech
Thanks for that. I'll need to determine the likelihood of being compromised over those 3 days and whether a complete reinstall is doable. Would reloading one's BIOS clear out back doors?
user535733
AskUbuntu uses a Question/Answer format. It is not a discussion forum. See that Ubuntu Security Podcast link for their discussions of BIOS vulnerabilities.
Score:0

/etc/dkms/framework.conf
/etc/kernel/header_postinst.d/dkms
/etc/kernel/install.d/dkms
/etc/kernel/postinst.d/dkms
/etc/kernel/prerm.d/dkms
/etc/modprobe.d/dkms.conf
/usr/lib/dkms/common.postinst
/usr/lib/dkms/dkms-autopkgtest
/usr/lib/dkms/dkms_autoinstaller
/usr/sbin/dkms
/usr/share/apport/package-hooks/dkms_packages.py
/usr/share/bash-completion/completions/dkms
/usr/share/doc/dkms/HOWTO.Debian
/usr/share/doc/dkms/changelog.Debian.gz
/usr/share/doc/dkms/copyright
/usr/share/lintian/overrides/dkms
/usr/share/man/man8/dkms.8.gz
