If you’re a Linux user, you might have found yourself tangled in boot issues while installing your favorite distro, especially if Secure Boot is in the picture.

Secure Boot is meant to add an extra layer of protection to our systems, preventing unverified software from running at boot. Sounds like a win, right?

Well, not always. For Linux users, Secure Boot can often feel like more of a hassle than a help, leading to issues, failed installations, and troubleshooting headaches.

But what exactly is Secure Boot, how do shim files play a role, and when should you consider disabling it?

In this guide, I’ll break down Secure Boot in simple terms and explain how it affects Linux installations, including what you can do if it gets in the way.

What is Secure Boot?
Secure Boot is a security standard developed to keep your computer safe from malware that could sneak in and start doing harmful things even before the operating system (OS) fully loads.

It is part of what’s called the Unified Extensible Firmware Interface (UEFI), which replaced the older BIOS system. UEFI is a modern way for your computer to boot up and check that everything is working as expected.

When Secure Boot is turned on, your computer will only load software or an operating system with a special signature or “stamp” of approval. If something without this signature tries to load, Secure Boot stops it, protecting your computer from potential harm.

How does Secure Boot work?
Secure Boot uses a chain of trust with different types of cryptographic keys (think of them as digital ID cards) to verify each step of the boot process. Here’s a simple breakdown:
- Key Exchange Key (KEK): This key confirms whether other keys can be trusted, acting as a bridge between the platform key and bootloaders.
- Allowed Database (DB): Contains a list of approved signatures for software that’s allowed to load.
- Forbidden Database (DBX): Stores signatures of known, unsafe programs. If something tries to load from this list, Secure Boot blocks it.

During startup, Secure Boot checks each program that tries to load against these keys and databases. Only programs carrying a valid signature will run, making sure your system stays secure.

What are Shim files?
A Shim is a small program that acts like a translator between Secure Boot and the Linux OS. The Shim file is signed with a key that Secure Boot recognizes (often by Microsoft), so it’s allowed to load. The Shim then verifies the signature of the Linux bootloader (like GRUB) and passes control to it if everything checks out.

This process creates a “chain of trust” from Secure Boot to Linux, so the OS can load securely even on a Secure Boot-enabled system.

Why is Secure Boot important?
- Bootkits and rootkits are blocked from loading by the signature check.
- Tampered or unauthorized programs are prevented from affecting the boot process.
- Users are alerted if something is wrong, so they can address potential issues before they become serious problems.

When you might need to disable Secure Boot
Secure Boot is great for security, but there are times when it can cause issues:
- Installing unsigned operating systems: Some operating systems, especially certain Linux distributions, may not have the required signatures to pass Secure Boot verification. If your OS isn’t recognized, Secure Boot will prevent it from loading.
- Using custom drivers or bootloaders: Certain drivers or bootloaders might not be signed, which can cause compatibility issues.
- Advanced configurations: For power users who want to customize their systems, Secure Boot’s restrictions can feel limiting. Disabling it allows for greater flexibility, especially in homelab or development environments.

However, turning off Secure Boot also removes that extra layer of security, so it’s essential to proceed carefully.

Which distros support Secure Boot?
While Secure Boot has posed compatibility challenges for Linux, many popular distributions have adapted to work smoothly with it.
- Ubuntu
- Fedora
- openSUSE/SUSE
- Zorin
- Linux Mint
- Debian
- Red Hat

These distros include signed bootloaders and shim binaries that allow them to run without issues on systems with Secure Boot enabled.

🚧 This is not an exhaustive list of all distros with Secure Boot support. There are many more distros out there that support Secure Boot. Please check their official websites for information.

Not all distributions offer Secure Boot support, so it’s worth verifying before installation if you plan to keep Secure Boot enabled. For distros that don’t support Secure Boot directly, you can still disable it in the BIOS settings or manually add a trusted bootloader, though it requires some technical knowledge.

If you decide that you need to disable Secure Boot, here’s a simple guide:
- Restart your computer and enter the UEFI/BIOS settings (this usually involves pressing a key like F2, F10, or DEL during startup).
- Find the Secure Boot option: In the settings, look for “Secure Boot” under Security or Boot options.
- Disable Secure Boot: Set it to “Disabled.” Be sure to save changes and exit.

🚧 Disabling Secure Boot makes your system more vulnerable to boot-level attacks. Ensure that you have other security measures in place, like keeping your OS up-to-date and using antivirus software.

Final Thoughts
The discourse around Secure Boot is polarizing, and for good reason. Take, for instance, the Ubuntu 21.04 release fiasco, where the latest shim files (used to enable Secure Boot on Linux) had compatibility issues with early EFI firmware, causing some users’ systems to become unbootable after an upgrade. Ubuntu eventually released a fix, but not before many users found themselves troubleshooting or even downgrading to older shims just to get their systems to boot.

In my experience, especially with a dedicated graphics card on my gaming laptop, keeping Secure Boot off is almost a necessity. With Secure Boot enabled, proprietary drivers tend to fail during installation, as I’ve seen firsthand on Pop!_OS. It’s a compromise I choose for compatibility, though it shouldn’t have to be this way.

This article is for those interested in understanding Secure Boot’s quirks and why your favorite distro might not boot up smoothly.
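
To confirm from Linux whether Secure Boot is actually on, for example before and after changing the firmware setting, the script below reads the firmware's own SecureBoot and SetupMode variables. It is an added example, not part of the original article; it assumes efivarfs is mounted at /sys/firmware/efi/efivars, and the function names efi_byte and secure_boot_state are made up for illustration.

```shell
#!/bin/sh
# GUID of the UEFI global-variable namespace that holds SecureBoot and SetupMode.
EFI_GLOBAL=8be4df61-93ca-11d2-aa0d-00e098032b8c
EFIVARS=/sys/firmware/efi/efivars   # assumed efivarfs mount point

# An efivarfs file is a 4-byte attribute word followed by the variable's data,
# so the one-byte value of SecureBoot or SetupMode sits at offset 4.
efi_byte() {   # usage: efi_byte DIR NAME
    f="$1/$2-$EFI_GLOBAL"
    [ -r "$f" ] || return 1
    v=$(od -An -tu1 -j4 -N1 "$f" 2>/dev/null | tr -d ' \n')
    [ -n "$v" ] || return 1
    printf '%s' "$v"
}

# Prints enabled, disabled, setup-mode (no Platform Key enrolled, so nothing
# is enforced) or unknown (legacy BIOS boot, or the variable is unreadable).
secure_boot_state() {
    dir=${1:-$EFIVARS}
    sb=$(efi_byte "$dir" SecureBoot) || { echo unknown; return 0; }
    setup=$(efi_byte "$dir" SetupMode) || setup=0
    if [ "$setup" = 1 ]; then echo setup-mode
    elif [ "$sb" = 1 ]; then echo enabled
    else echo disabled
    fi
}

# Constructed sample, not taken from a real machine: attributes 0x00000006, value 1.
demo=$(mktemp -d)
printf '\006\000\000\000\001' > "$demo/SecureBoot-$EFI_GLOBAL"
printf '\006\000\000\000\000' > "$demo/SetupMode-$EFI_GLOBAL"
echo "constructed sample: $(secure_boot_state "$demo")"
rm -rf "$demo"

echo "this machine: $(secure_boot_state)"
```

Where mokutil is installed, `mokutil --sb-state` reports the same state.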