I'm sorry but I'm pretty saddened that this myth is still doing its rounds.
Secure Boot is not a Microsoft feature. It is a general feature; Linux was just late to the game, and there isn't any distro that has implemented it entirely yet. Zorin is very close, but no cigar at this point.
Everyone and their mother should use Secure Boot (as well as Measured Boot, otherwise it is still incomplete and thus insecure), since a Linux desktop without it is much less secure than any Windows installation, even with Full Disk Encryption enabled. This is because without SB&MB, it is trivial to infect the kernel and install a keylogger, which scoops up the FDE passphrase the next time the legitimate user boots the system. Yes, this requires physical access to the machine at least once, staying unnoticed, to manipulate it.
But with the advent of Artificial Intelligence, those kinds of attacks are steadily moving from "knowledgeable hacker" to "script kiddie" and now lowering further to "random university dorm creep".
In my opinion, these attacks have never really been reserved only for nation state attackers. Especially with certain professions, like doctors, psychologists, lawyers or security researchers, just using FDE is in my opinion insufficient, because it could be that a person is an interesting enough target to warrant such an attack. And as I mentioned, I only see the possibility of that increasing, since it's becoming more and more available to the average person to execute such an attack.
Yes, Microsoft has a very strong foothold on Secure Boot, since hardware manufacturers basically only ship TPM-hardware with Microsoft keys by default. That is all. But Secure Boot is not Microsoft-exclusive, as Zorin proves with very reliable MOK enrollment.
This kind of understanding and these opinions on these security measures will keep Linux from achieving its full potential. I simply refuse to use an OS that is less secure than Windows, and I'm a nobody. I can already expect comments like "you're not interesting enough, you don't need that".
Thank you for your opinion, but I set those comments aside. In my opinion, those statements also strongly undermine active Linux development to become an actually safe and mature desktop OS that is as secure as, if not more secure than, Windows. Because you directly or indirectly tell others, users and developers, that there is no need or desire to have Secure Boot/Measured Boot on Linux, which has led to the situation where we are right now:
Linux is still 10 years behind Windows and Mac, while all the tools and methods are available to achieve this. It's just that no distro has fully implemented this, outside of Arch Linux maybe, if someone chooses to set it up that way. (I played around with Arch, and achieved Secure Boot + Measured Boot but I like a Debian-based distro more).
Zorin just needs to implement UKI, then it's basically there. I made a thread in the feedback section: Zorin is really good; it's only missing a Unified Kernel Image
Some closing remarks.
- I'm aiming mainly for personal/professional desktop (laptop)/office use. If Zorin wants to become the Windows alternative for small and medium businesses, or local governments, this should be implemented. If not yet, I expect any CISO worth their salt to require this today or tomorrow.
- Gaming for me is totally out of scope related to this security requirement. I know that makes a lot of stuff more difficult, but you can just game on a separate game PC with Windows or Bazzite or use a game console.
- Same with Dual Boot or other requirements that make it more difficult to achieve.
MOK should be made password-less maybe though, to simplify software updates. Other than that, having to run another MOK enrollment, even once a month, after an update, is not a problem to me.
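
The Measured Boot point made in the post, as an added example that is not part of the original post: a simplified Python model of TPM PCR extension (not a real TPM; the component bytes, the key and all names are constructed for illustration). It shows that a modified initrd changes the final PCR value, so a disk key sealed to the known-good value is not released.

```python
import hashlib
import hmac

def extend(pcr: bytes, component: bytes) -> bytes:
    """TPM-style extend: new PCR = SHA256(old PCR || SHA256(component))."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()

def measure_chain(components) -> bytes:
    """Measure each boot stage in order, starting from an all-zero PCR."""
    pcr = bytes(32)  # the SHA-256 PCR bank starts at zeros after reset
    for blob in components:
        pcr = extend(pcr, blob)
    return pcr

def unseal(sealed_key: bytes, policy_pcr: bytes, current_pcr: bytes):
    """Model of a PCR-bound policy: the key is released only on an exact match."""
    return sealed_key if hmac.compare_digest(policy_pcr, current_pcr) else None

# Constructed stand-ins for the measured boot stages (not real images).
GOOD = [
    b"bootloader",
    b"kernel image",
    b"initrd: prompts for the FDE passphrase",
    b"cmdline: root=/dev/mapper/root",
]
# Same chain with one stage modified while the machine was unattended.
TAMPERED = list(GOOD)
TAMPERED[2] = b"initrd: prompts for the FDE passphrase (modified)"

FDE_KEY = b"constructed-disk-key"   # hypothetical sealed secret
POLICY = measure_chain(GOOD)        # PCR value recorded at enrollment time

def boot(components):
    """Return the disk key if the measured chain matches the policy, else None."""
    return unseal(FDE_KEY, POLICY, measure_chain(components))

if __name__ == "__main__":
    print("known-good boot releases key:", boot(GOOD) is not None)
    print("modified initrd releases key:", boot(TAMPERED) is not None)
    # Extending again after tampering cannot walk the PCR back to the policy value.
    print("extra extend restores match: ", boot(TAMPERED + [b"anything"]) is not None)
```

In this model, as on real hardware, the check depends on every stage before the unseal being measured, which is why bundling kernel, initrd and command line into one signed and measured image closes the gap an unmeasured initrd leaves open.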