BIOS says secure boot is enables, HSI does not

When in my BIOS I see that opensuse-securebootis the main boot option, but when i am logged in, KInfoCenter says it is not found

HSI-1
✔ BIOS firmware updates:         Enabled
✔ Platform debugging:            Disabled
✔ SPI write:                     Disabled
✔ Supported CPU:                 Valid
✔ UEFI bootservice variables:    Locked
✘ MEI manufacturing mode:        Not found
✘ MEI override:                  Not found
✘ MEI version:                   Unknown
✘ SPI lock:                      Disabled
✘ SPI BIOS region:               Unlocked
✘ TPM v2.0:                      Not found
✘ UEFI secure boot:              Not found

This might be a more reliable indicator:

mokutil --sb-state

I was only trying to get this enabled since a recently a linux bootkit supposedly capable of being embedded in motherboard firmware has recently cropped up

@40476 https://arstechnica.com/security/2024/11/found-in-the-wild-the-worlds-first-unkillable-uefi-bootkit-for-linux/


lacking the means to infect all Linux distributions other than Ubuntu.

1 Like

The article is ridiculous. If Secure Boot is disabled, all this theater with patching shim simply is not needed. And if attacker added its own certificates to MokList (as implicated by the color of it on this picture), it can invoke arbitrary code and Secure Boot does not protect against anything.

All this article says - if attacker has physical access to your system, attacker can install and do almost anything on your system.

Which is why TPM2 and measured boot exist.

1 Like

I have one machine using TPM2 and measured boot running Aeon, secure boot is disabled, seems to work fine, but it’s a MiniPC and not going anywhere… Other machines have it off…