The last time I had secure boot enabled on any of my systems was several years ago, but yes. At that time you had to enroll the keys both on the initial install and every update. It was such a headache for limited benefits (for me) that I just started disabling secure boot whenever I was setting up a system.
Things might have gotten easier, but I doubt it as he secure boot system is not really under the control of open source developers (for good reason) and the end user can really only choose whether it is enabled or disabled.
I am asking because I am looking to dual-boot with windows 11 which requires secure-boot afaik. I could disable it whilst switching (each os will be in it’s own drive with the corresponding bootloader) so any os will be on a different drive.
Should be doable either way, but swapping secure boot on and off may cause problems with Windows in your proposed setup. I would pick one and stick with it. I know Linux is compatible with secure boot, I just never bothered to learn how to work with it. If I remember correctly, every time a change was made to the kernel, the keys would need to be reenrolled. This includes whenever the Nvidia driver’s updated.
To be more clear, the swap of the oses (not swap as in the swap partition) will be done from bios by changing the boot drive/efi executable and toggling secure boot accordingly. Do you think this will work?
That’s what I thought you might try. Answer is, I don’t know. I think it would depend on what the UEFI does with the secure boot keys when you disable secure boot. From a security standpoint it would make most sense for it to wipe those keys, but I could be wrong. The easiest way to find out if it would cause a problem would be to try it.
If I understand this article correctly however, Windows only requires that the UEFI be capable of secure boot, not that secure boot be enabled.
I think the first thing I would try is to try installing and booting Windows without secure boot. If that fails, than reinstall, this time with secure boot enabled and leave it enabled. Several other comments here are saying that secure boot in linux is now largely seamless and as it has been several years since I’ve mucked about with it, I’m inclined to listen to their recommendation.
By not necessarily, do you mean that I need to enroll keys?
The last time I had secure boot enabled on any of my systems was several years ago, but yes. At that time you had to enroll the keys both on the initial install and every update. It was such a headache for limited benefits (for me) that I just started disabling secure boot whenever I was setting up a system.
Things might have gotten easier, but I doubt it as he secure boot system is not really under the control of open source developers (for good reason) and the end user can really only choose whether it is enabled or disabled.
I am asking because I am looking to dual-boot with windows 11 which requires secure-boot afaik. I could disable it whilst switching (each os will be in it’s own drive with the corresponding bootloader) so any os will be on a different drive.
Should be doable either way, but swapping secure boot on and off may cause problems with Windows in your proposed setup. I would pick one and stick with it. I know Linux is compatible with secure boot, I just never bothered to learn how to work with it. If I remember correctly, every time a change was made to the kernel, the keys would need to be reenrolled. This includes whenever the Nvidia driver’s updated.
Might want to read up on secure boot.
https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot
https://wiki.gentoo.org/wiki/User:Sakaki/Sakaki's_EFI_Install_Guide/Configuring_Secure_Boot
To be more clear, the swap of the oses (not swap as in the swap partition) will be done from bios by changing the boot drive/efi executable and toggling secure boot accordingly. Do you think this will work?
That’s what I thought you might try. Answer is, I don’t know. I think it would depend on what the UEFI does with the secure boot keys when you disable secure boot. From a security standpoint it would make most sense for it to wipe those keys, but I could be wrong. The easiest way to find out if it would cause a problem would be to try it.
If I understand this article correctly however, Windows only requires that the UEFI be capable of secure boot, not that secure boot be enabled.
I think the first thing I would try is to try installing and booting Windows without secure boot. If that fails, than reinstall, this time with secure boot enabled and leave it enabled. Several other comments here are saying that secure boot in linux is now largely seamless and as it has been several years since I’ve mucked about with it, I’m inclined to listen to their recommendation.
It should go automatically. See the Fedora change proposals