Secure Boot and Updates

Hi,

I need some help as a Linux and Zorin total beginner. I've installed Zorin about ten days ago on a laptop. It's installed in dual boot with the latest version of Ubuntu. Everything works well.
However, I have a question concerning a problem I had to face two ago. I try to check regul

Sorry for being clumsy... I try to check regularly if there are updates on Zorin. There was a security update. During the installation of the files, there was a message I didn't really understand. It was about Secure Boot and saying that I had to make changes. I had to create a password and to confirm it. It said that I would be guided after restarting the computer and that I would have to type the password again at that moment. The installation went on but there was no message saying it was finished. So I just restarted as indicated. There was a blue screen looking like the booting menu. I just remember that there was a UEFI option. I didn't know what to do and pressed on Enter. And the computer booted on Zorin without asking me the created password. I haven't got screenshots unfortunately and my explanations are probably very vague.

  1. What should I do if this happens again during an update? That's something I'm really not used to on Windows.
  2. Should secure boot absolutely be enabled with Zorin? Is it absolutely necessary with the firewall activated? I suppose that both are necessary to avoid any potential attack. On Ubuntu, I have a message saying that secure boot should be activated when it's disabled.

Thanks for your help and especially for beginners like me.

Did the screen look like the picture ? If so the easiest option is to disable secure boot. Mok is used for enrolment of proprietary drivers on windows dual boot system.

2 Likes

No it didn't look like that. There was nothing about MOK. I am no longer using Windows on that computer. But I used it before the new installation. Now, there is only a dual boot with Zorin and Ubuntu.

There were two options on the screen: UEFI and something else I can't remember.

1 Like

Just checking , You wrote of secure boot so I thought of Windows . There are usually two boot options in the bios, one for UEFI or Legacy some systems other names. Mine is CSM. Without a picture I can't be sure if it was a bios screen you saw or not.

If you are not using Windows, I would disable Secure Boot.

Secure boot was implemented to bolster Windows OS Security. It operates like a bouncer at a nightclub, only allowing items listed as "signed as safe" by Microsoft to initialize.
If it is not signed as safe, it does not init. This is helpful on Windows since Windows lacks the sudo protected ROOT that most of GnuLinux uses.

The trouble with it, for GnuLinux users, is that MS does not or at least has not, been very complete about providing full signature lists for all vetted GnuLinux software.
While the majority of people will report not having any problems with running Secure Boot alongside of GnuLinux, it begs the question: Why bother if it is not necessary and may even block essential software from initializing?

3 Likes

I agree, you absolutely need to disable SECURE BOOT in your computer's BIOS menu. To get there, on many machines, you hold down the DEL key, a couple seconds, after hitting the power button, to turn on the computer.

Some machines do use a different key to get into the BIOS, just look up what your computer uses online, and you will find out. On my computer though, its the DEL key.

If for some reason the installation medium, didn't give you a chance to create a password, you can do so later in the system settings, under USERS.

PS: The problem with computers sold in stores, is that they always sell them with Windows on them already setup, out of the box, and ready to go. This leaves users with 0-experience, on how to install other operating systems, and the do's and don'ts, because they never had to learn them.

I was lucky in school, because I got a head start on this stuff working with MAC and PC computer's. This was before computer tech clubs became popular in schools. Back when most of what you learned, was in a typing class.


Thanks for all your answers.
When looking at the information on the Bios of my machine, it still indicates that Windows 10 is still installed on my computer. In fact, it's not true because I am using Zorin and Ubuntu with a dual boot. If I have understood, with keeping Secure Boot enabled, there is still a kind of Microsoft microprogramme in the computer which is going to check if the softwares installed on Zorin have been certified by Microsoft. Some Linux softwares are, the others not because the list has not been updated by Microsoft. That's why when there is a message concerning Secure Boot during the daily updates of the softwares on Zorin and asking for creating passwords and confirming them, it's much better to disable Secure Boot because I am probably using a software which hasn't been certified.
When I am using Ubuntu, I only install snaps proposed by the store. I must always enter my password for each downloaded software. On Zorin, when I am downloading flathubs, there is no need to enter a password. Is it because all flathubs are checked and working in a kind of compartment?
I have installed all the softwares I need on Zorin now and they all come from the store. The same thing for Ubuntu. I use only use Gmail on Firefox or Chrome. Is it risky to disable secure boot in that case? Is there any serious risk of being infected by a virus or a malware in that case considering the fact that a breach on a software could be exploited?
I would like to thank you all for helping Zorin beginners. I only use Windows on my two last computers but I still have ten years old laptops. And I must say that first tests of Zorin on one of them really show that Zorin is totally adapted for them. Zorin OS is nice, much quicker, really cool to use and completely adapted for the most basic needs of users (surfing on the net, listening to music...).
What's great above all is this incredible community on the forum which is always ready to help new users of the OS who have very limited Linux knowledge like me. Zorin OS has that great advantage of being adapted for everyday users. To conclude, since Zorin is Irish, I would say "Thanks a million" to the community. I am not sure but I think that's something that people say there.

1 Like

Could you explain the problem you're facing in a bit more detail?

Most likely, the Windows OS Bootloader remains in your EFI partition.
You can safely remove it.
You can check with the terminal command

efibootmgr

You may see something that looks like:

BootCurrent: 0001
Timeout: 1 seconds
BootOrder: 0001,0000
Boot0000* Windows Boot Manager
Boot0001* ubuntu

You see that Windows bootloader in boot 0000. You only need that last digit to specify that boot file. Run:

sudo efibootmgr -b 0 -B

Secure Boot does not prevent Virus Infection. What it can do is prevent virus initialization once the infection happened.
If you were actively running Windows OS, I would say that there is some risk in having Secure Boot disabled, though low. As long as you are generally attentive as the User about your internet activities, all your risks remain low.
Something about Computer Security is that the majority of people assign themselves greater importance than they actually have.
The vast majority of users out there simply are not viable targets for hacking. We, mostly, are dull and uninteresting.
Beware of general phishing and scams (mass data) and you will be fine.
But if you do things that make you interesting, then you will need to invest more time in securing yourself from curious sniffs.

2 Likes

In regards to Flatpak packages, you should see a badge indicating whether they are verified by Flathub (the source of the download) or not.
Flatpak packages are indeed "sandboxed", or "compartmentalized", but that is not the reason why you don't need to enter your passwords. These are installed in your user's home directory where no additional permissions are required (i.e., no systems files are modified in the process, and thus no need to ask for elevate permissions). There are other implications to be aware of with format packages like Flatpak and Snap, which work very similarly in this regard, but that's a discussion for another time.

About security, I would advice common sense for the best defense against broad attacks that aren't aimed at any one individual in particular. Just don't download anything weird and refrain from clicking around every flashing banners you see online. This includes emails that you receive — even from trusted contacts — especially if you don't expect to receive them.

What I find amusing about anti-virus is how the definition of what a "virus" has changed over the years. Not too long ago, what we would absolutely consider a security risk is now considered an essential feature. Spyware and Adware used to be a thing. Now they come built right into most software and operating systems, such as Windows. People even pay to have them installed.

1 Like

I have used the command efibootmgr.
Here is the screenshot:

More information:


Just as said, I am using Ubuntu and Zorin in a dual boot.
Partition two: Ubuntu 24.4 248GB, Partition 3: Zorin 17.2 751 GB.
I installed Ubuntu first with a USB key and then Zorin with a second one.
I don't know what partition 1 is corresponding to (Ubuntu bootloader???). I had Windows before. When I installed Ubuntu first, I chose the option which completely erased the hard drive.

Other elements that might help:


I didn't run the command sudo efibootmgr -b 0 -B since Windows Boot manager seems to have been erased.
In Main in the starting Setup utility, Windows 10 is still indicated as the factory installed OS (I suppose this is only for information and not showing that there are still Windows 10 files remaining).

That is your EFI boot partition.

I am not sure why this is. You show no bootloader for it, nor is it on your disk.
It may just be set in print as default in the BIOS coding...

Remnants of Windows is incredible difficult to get rid of. I wrote a post on here back in 2021, when I got my newest computer, that came with Windows 10 pre-installed. I couldn't believe how many partitions were on the drive, I think there were 6 of them.

I had to boot off of my Zorin installation medium, with my USB drive, and then I used the Gparted software, to delete the partitions off the drive, and then to format the drive. After I did that, I then ran the installer to erase disk and install Zorin OS.

Windows acts like a parasite, it doesn't want to leave. When I first tried to delete all the partitions, not all of them got deleted at first, I had to reboot and do it all over again. But like all parasites, they can be killed eventually, and I gave Windows the what for.

I hope that you can get this situation sorted out, but I am starting to think that the best option, is to just start over completely. Besides, Zorin OS should be able to do everything straight Ubuntu can do, so not sure you should need Ubuntu on top of Zorin, but thats your choice.

My thought process is this, you've got a complicated setup, and it got messed up. If it were me, the easiest thing for me to do, would be to start over from scratch. Erase partitions, format drive, and install Zorin OS.

Because if it were me, I'd be spending a whole lot more time, trying to investigate the OS with a Sherlock homes magnifier, trying to find all the bugs in the OS to fix. Just my opinion, my two cents.


That's funny :grin:

1 Like