why does my bios menu have a checkmark saying disable uefi / enable legacy bios

The "legacy bios" [sic] is an emulation performed by the UEFI firmware.

See https://www.blackhat.com/docs/asia-17/m … eality.pdf & https://www.welivesecurity.com/wp-conte … -LoJax.pdf (although Secure Boot doesn't actually offer any protection against LoJax).

Ive not used antix or mx, i dont see the need for uefi boot or secure boot as mentioned by the limitations Head on a sticker mentions.

It makes no sense that Microsoft would break what little security Secure Boot offers by allowing it to boot absolutely anything plugged into a usb port as long as it bothers to look live and EFI. Do you have any references for this unbelievable limitation?

Hmm i dont understand your line of questioning. This is microsoft remember, the operating system that is prone to viruses, malware , constant bsod's and an update schedule that will from time to time brick your machine.

dice wrote:

Ive just disabled uefi altogether

No, you haven't. You've enabled CSM ("Legacy" mode), which emulates non-UEFI booting via your machine's UEFI firmware. This means the machine is still open to the many UEFI firmware vulnerabilities.

dice wrote:

my drives are encrypted so good luck to anyone who can get info off them

If you have a rootkit then it can read the contents of the drive once the system is running. Secure Boot would help prevent rootkits from running. It's far from perfect but it is an extra layer of protection.

And before anybody starts bleating about not trusting Microsoft's keys note that it is possible to create your own keys, enrol them in the UEFI firmware and sign the kernel images with them. That's how I have enabled Secure Boot in my Alpine Linux system.

Okay  but why does my bios menu have a checkmark saying disable uefi / enable legacy bios, i suppose they are one in the same thing as you mention in regards to CSM? Ive not really delved into bios management before, im pretty sure i would brick the computer.I remember flashing a bios about 20 years ago on a windows 2000 machine, is that how it is still done and you just need the correct coreboot image for the machine?

Do you have you any historical examples of said rootkits?

dice wrote:

Ive just disabled uefi altogether

No, you haven't. You've enabled CSM ("Legacy" mode), which emulates non-UEFI booting via your machine's UEFI firmware. This means the machine is still open to the many UEFI firmware vulnerabilities.

dice wrote:

my drives are encrypted so good luck to anyone who can get info off them

If you have a rootkit then it can read the contents of the drive once the system is running. Secure Boot would help prevent rootkits from running. It's far from perfect but it is an extra layer of protection.

And before anybody starts bleating about not trusting Microsoft's keys note that it is possible to create your own keys, enrol them in the UEFI firmware and sign the kernel images with them. That's how I have enabled Secure Boot in my Alpine Linux system.

I myself prefer coreboot + intel me cleaner, or something equivalent of security, but good if you found a way around the issues of the stock bios. I just don't trust it myself man...

For that reason you mentioned and others, for example the intel me issue...

seems foxnews like or far right or  even extremist fringe of the far right ideology.

I wonder how coked up the op is.

he doesn't know what he's talking about.

These are political remarks and insults to a member who is not allowed by golinux to reply to political remarks and defend their reputation. You are punching an opponent with his hands tied. You have been reported.

I didn't know this, I am sorry, no one told me any of this. If I had known, I would have just told you to calm down in a peaceful manner. my apologies.

Please chill man, although I do still think you might be lost, I don't mean this in a harsh way,  but rather that you have been misled. 

You would do wise to examine your own reality, I have to do that a lot myself. I am sure anyone who has an open mind has had to do the same.

That being said, I hold no ill will to  you. I was only having fun before. I don't think you really do coke.  Especially in the physical sense.

Peace...

Who are the developers of devuan in this forum?

I'm one. I make the live isos and maintain a few packages. Why do you ask?

Alright. How do you feel about this?

Instead of answering the question that you know the answer to better than anyone

Can't really answer your question without context which starts with a citation for who posted it.  Please include that when you quote in the future.

we don't fork any of the packages necessary for secure boot. Make sure grub-efi-amd64-signed is installed. The bootloader directory in /boot/efi/EFI/ will be named 'debian'.

Does anyone know any virtualization option that supports Secure Boot in the guest, so one can try and understand what is going on in a successful Secure Boot?

Ive not used antix or mx, i dont see the need for uefi boot or secure boot as mentioned by the limitations Head on a sticker mentions.

It makes no sense that Microsoft would break what little security Secure Boot offers by allowing it to boot absolutely anything plugged into a usb port as long as it bothers to look live and EFI. Do you have any references for this unbelievable limitation?

seems foxnews like or far right or  even extremist fringe of the far right ideology.

These are political remarks and insults to a member who is not allowed by golinux to reply to political remarks and defend their reputation. You are punching an opponent with his hands tied. You have been reported.

Ive just disabled uefi altogether

No, you haven't. You've enabled CSM ("Legacy" mode), which emulates non-UEFI booting via your machine's UEFI firmware. This means the machine is still open to the many UEFI firmware vulnerabilities.

If you have a rootkit then it can read the contents of the drive once the system is running. Secure Boot would help prevent rootkits from running. It's far from perfect but it is an extra layer of protection.

And before anybody starts bleating about not trusting Microsoft's keys note that it is possible to create your own keys, enrol them in the UEFI firmware and sign the kernel images with them. That's how I have enabled Secure Boot in my Alpine Linux system.

Ive just disabled uefi altogether, my drives are encrypted so good luck to anyone who can get info off them as i use serpent plus blowfish cipher keys. Ive also got a machine that is fully encrypted with openbsd using a separate bootloader on a usb. Much more secure than "secure boot" will ever be. Lock down the bios with a password and you have double the protection.

Ulysses_ wrote:

Can't we mix some of MX into devuan?

Why would you want to do that after this post of yours?

MX/AntiX is the work of a state-sponsored political extremist who is openly in the payroll of a state and at the same time pretends to be against the system. Can't be trusted for anything to do with security, privacy, cryptocurrencies, anti-surveillance. Might as well install ubuntu.

https://www.linuxquestions.org/question … ost6188829

Read on for more laughs later in the same thread

Wow, I read that and yeah, he doesn't know what he's talking about.

I wonder how coked up the op is. Sheesh...

That thread has a lot of red meat in it.  Some of which seems foxnews like or far right or  even extremist fringe of the far right ideology.  If the op see's this message, just calm down. this is not helping anyone... people will only laugh at you for this lack of logic and paranoia...

@Ulysses_ . . . no one here is interested in your political rants.  If you want to continue posting here, please leave them at the door.

I wouldn't say that, I find it amusing, but I do think it is a waste of oxygen that could otherwise be used to fuel our brains.