Intel® NUCs

What is "Secure Boot"

jdege
Beginner
958 Views

I recently bought a NUC, with the intention of using it to run an Ubuntu VMWare host.

Ubuntu installed without issue, and the VMWare Workstation install as well, except that on start VMWare tried to build and install a pair of drivers, and that failed.

I found instructions for dealing with that, here: https://develmonk.com/2020/06/06/whats-wrong-with-vmware-workstation-on-ubuntu/.

And it all seemed to work, to include signing the driver modules and importing the signing key into the system's MOK list.

After a reboot I was asked for the password for the signing key, and I thought everything was fine.

It wasn't. VMWare was still unable to load the drivers.

At this point, I was stuck, essentially trying things at random.

I went into the BIOS and tried to change UEFI boot, and was unable to.

I saw the setting for "Secure Boot", and just to see I disabled it. And afterwards, VMWare could load the drivers.

What is this "Secure Boot"?

How does it differ from UEFI Boot?

And why would it prevent signed drivers from loading?

0 Kudos
8 Replies
AlHill
Super User
951 Views

Secure Boot?  From Microsoft:

https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-secure-boot

Doc (not an Intel employee or contractor)

0 Kudos
jdege
Beginner
883 Views

How does UEFI differ from Secure Boot?

If they work together, what does UEFI do, and what does Secure Boot do?

If I turn off Secure Boot, how much security do I have left?

If I turn Secure Boot back on, how do I get it to recognize MOK-signed drivers, in Ubuntu?

0 Kudos
n_scott_pearson
Super User Retired Employee
878 Views

UEFI is simply a common (ok, 'universal') framework for implementing BIOS. It implements or supports most of the standard interfaces and capabilities necessary within a BIOS.

Secure Boot was described above, but I will say it slightly differently: It is a security feature implemented in the BIOS, which tries to establish a root of trust that starts at the H/W and F/W and extends all the way up into the O/S.

If you turn off Secure Boot, you will still have the security features implemented within the O/S environment, you just won't have the security against other, perhaps nefarious, O/S being booted.

For Ubuntu, start here: https://wiki.ubuntu.com/UEFI/SecureBoot.

Hope this helps,

...S

0 Kudos
jdege
Beginner
834 Views

Why are my signed drivers not being loaded?

Is there some kind of logging that will explain why they are not being accepted?

0 Kudos
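An added example, not part of any post in this thread and not Intel, Ubuntu or VMware code: a shell helper that reads kernel log text and names the reason a module signature check failed, plus a parser for `mokutil --sb-state` output. The matched strings are the messages the Linux kernel prints for these cases; the function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example. Live use on the affected host:
#   dmesg | explain_module_rejections
#   secure_boot_state "$(mokutil --sb-state)"

explain_module_rejections() {
    # Reads kernel log lines on stdin; prints "CODE: advice" for each match.
    while IFS= read -r line; do
        case "$line" in
            *"Loading of unsigned module is rejected"*)
                echo "UNSIGNED: the installed .ko has no signature; sign the file that modprobe actually loads" ;;
            *"Loading of module with unavailable key is rejected"*)
                echo "KEY_NOT_TRUSTED: signed, but the signing cert is not trusted by the kernel; check enrollment with mokutil --test-key" ;;
            *"Loading of module with unsupported crypto is rejected"*)
                echo "BAD_ALGO: signature uses an algorithm this kernel does not support" ;;
            *"unsigned module loading is restricted"*)
                echo "LOCKDOWN: kernel lockdown refused the load; see man kernel_lockdown.7" ;;
            *"module verification failed"*)
                echo "TAINT_ONLY: signature check failed but enforcement is off; module loaded, kernel tainted" ;;
        esac
    done
}

secure_boot_state() {
    # $1: text printed by `mokutil --sb-state`
    case "$1" in
        *"SecureBoot enabled"*)  echo enabled ;;
        *"SecureBoot disabled"*) echo disabled ;;
        *)                       echo unknown ;;
    esac
}

sample_log() {
    # Constructed sample lines, not captured from a real system.
    cat <<'EOF'
[   40.118204] usb 1-1: new high-speed USB device number 2 using xhci_hcd
[   41.902113] Loading of unsigned module is rejected
[   43.551870] Loading of module with unavailable key is rejected
[   44.007412] vmmon: module verification failed: signature and/or required key missing - tainting kernel
[   45.230009] Lockdown: modprobe: unsigned module loading is restricted; see man kernel_lockdown.7
EOF
}

sample_log | explain_module_rejections
```

A `KEY_NOT_TRUSTED` result points at MOK enrollment rather than at the signing step; `mokutil --list-enrolled` shows which certificates the firmware shim currently holds.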
AlHill
Super User
830 Views

@jdege You should be contacting the LINUX community regarding your OS and secure boot.

Note that you boot your OS in either legacy or UEFI mode.  If you have concerns about secure boot, turn it off.

Doc (not an Intel employee or contractor)

0 Kudos
David_G_Intel
Moderator
798 Views

Hello jdege

Were you able to check the previous post?

Let us know if you still need assistance.

Best regards,

David G.

Intel Customer Support Technician

0 Kudos
jdege
Beginner
795 Views

I have a better understanding of the difference between UEFI and Secure Boot, thanks.

I don't understand why my signing process isn't working. But I'll chase that on the Ubuntu forums.

0 Kudos
David_G_Intel
Moderator
742 Views

Hello jdege

Thank you for the update.

We are glad to see the community answered your request. We will proceed to close this thread now. If you need any additional information, please submit a new question as this thread will no longer be monitored.

Best regards,

David G

Intel Customer Support Technician

0 Kudos