For all of my personal machines secure boot is disabled.
The main benefit is enabling signature checks on every piece of code that runs to start your machine. This is a good idea to prevent direct modification of the binaries involved. This will work as far up the chain as software supports, even to userland code, although I don’t know of any Linux distros that do that.
However, if you occasionally rebuild any of that software and can sign it yourself, secure boot just moves the attack surface from the binaries into the build process. Any modifications made to the kernel, bootloader, or firmware before signing are included as trusted code and are vulnerable to malicious modification.
Since I don’t / can’t verify every piece of code on my system, and rebuild Linux occasionally, and people have demonstrated secure boot bypass flaws, I prefer to disable secure boot entirely for convenience. Also, in a roundabout way this increases the security of my system because I won’t get locked out for misconfiguring an update.