Disabling Secure Boot on a Home Computer running Linux

Question

How likely is it that disabling Secure Boot on a home computer running Linux would suffer from the advertised threat of

unauthorized code—such as bootkits and rootkits—from being executed during the boot process?

How would such animals get onto a home computer of which I am the only user? It seems unlikely to me that that would be a problem in my instance. But maybe I am missing something?

I am interested in doing this because I would like to enable hibernation on this computer, which, because it has an nVidia GPU, cannot be reliably suspended. The computer has a swap partition and nvram rather than a hard disk, and I think the delays would be tolerable and less annoying than the frequent need to reboot.

Answer 1

Not likely

You will get wildly different answers depending on who you ask. For some people, who just want to use their computer, secure boot looks like an annoyance. For some companies who think they want to remain in control over the device given to a customer, secure boot may be a component of creating a trusted system even if someone else has physical access to it. In my opinion, secure boot is more relevant in context of encryption and digital rights management more than the advertised security. The folks over at security.SE will probably have a different opinion.

There are various attacks which are easier to execute when secure boot is disabled. All those attacks either need physical access to your machine or gain administrative access. While the latter is more reasonable (flaw in your browser's sandbox, then root privilege escalation,…), it is still not likely to actually happen to you. Unless you are a military institution targeted by state-level agents, I would not fuss about it.