this post was submitted on 01 Oct 2024
34 points (100.0% liked)

Linux

48157 readers
859 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 5 years ago
MODERATORS
 

To sum it all up, I was looking to completely migrate from Windows 10 to Linux Mint (version 22, Cinnamon Edition). I followed an installation tutorial on YouTube, flashed the ISO to a bootable flash drive using balenaEtcher and booted Mint in my notebook. Something went wrong during the installation though: I tried to go a few steps back to review my options, and when I tried to proceed again I was met with this error:

ubi-partman failed with exit code 10

It seems it means there was a problem with partitions (I selected the option to wipe Windows and replace it with Mint in the installer), so I quit Mint and tried to boot it again so I could redo the installation. However, when i tried to boot it again I was met with this error:

Failed to open \EFI\BOOT\mmx64.efi - Not Found Failed to load image ??: Not Found Failed to start MokManager: Not Found Something has gone seriously wrong: import_mok_state() failed: Not Found

So essentially, since my Windows 10 system was wiped, I was left without an OS. So I looked up the error and it seems it's because version 22 of Mint doesn't have MokManager (don't know how it booted the first time then, but okay), so downloaded the ISO for a different one (version 21.2, Cinnamon Edition) that does have it and flashed my flash drive with it (on a different laptop, since mine was wiped.) When I tried to boot it to my laptop, I was met with yet another error:

Verifying shim SBAT data failed: Security Policy Violation Something has gone seriously wrong: SBAT self-check failed: Security Policy Violation

Now, it seems this will be solved by disabling Secure Boot in the BIOS. However, I'm a bit aprehensive on disabling Secure Boot, since the laptop I used to flash the OS into my bootable drive is a very, very old and unupdated machine. What are the odds of my flash drive being infected with malware that can compromise the installation if i disable Secure Boot? What should I do in this situation? Can anyone shine me some light? Any help would be appreciated, thanks!

top 6 comments
sorted by: hot top controversial new old
[–] henfredemars@infosec.pub 14 points 1 month ago* (last edited 1 month ago) (1 children)

It is highly unlikely that you have malware sophisticated enough to do something like compromise installation media (already exceedingly rare) yet not sophisticated enough to bypass secure boot.

The purpose of secure boot is to verify that the boot loader and kernel are approved by the manufacturer (or friends of such). There are certainly ways to inject software into a system that doesn’t reside in those locations. It just makes boot sector viruses and kernel mode rootkits slightly more technically challenging to write when you can’t simply modify those parts of the operating system directly. If malware gets root on your installation it’s game over whether or not you have secure boot enabled. Much of the software on a computer is none of those things protected by secure boot.

Plus, take another wager: most systems today ship with secure boot enabled. If you were a malware author, would you still be writing malware that needs secure boot turned off to run? Of course not! You would focus on the most common system you can to maximize impact. Thus, boot sector viruses are mostly lost to time. Malware authors moved on.

Overall, it’s a pretty inconsequential feature born of good intentions but practically speaking malware still exists in spite of it. It’s unlikely to matter to any malware you would find in the wild today. Secure boot keys get leaked. You can still get malware in your applications. Some malware even brings its own vulnerable drivers to punch into the kernel anyway and laugh in the face of your secure boot mitigation. The only thing secure boot can actually do when it works is to ensure that on the disk the boot loader and kernel look legit. I guess it kind of helps in theory.

[–] vampira@lemmy.eco.br 3 points 1 month ago

Very informative, thanks!

[–] Guenther_Amanita@slrpnk.net 8 points 1 month ago* (last edited 1 month ago) (1 children)

Afaik, secure boot won't increase the security as much as you think.

Did you try to reinstall it? From what you've written, you have some trouble with booting it. Maybe you selected some wrong partition schemes? The best one would be to select "Wipe whole drive and install".

Did you disable secure boot, install it, and the enable it again? If yes, don't. Boot your ISO from the USB with secure boot enabled and install it from there.

Btw, if you worry about security, then also consider also enabling full disk encryption, or at least the encryption of /home/

[–] vampira@lemmy.eco.br 2 points 1 month ago (1 children)

I did select to wipe the whole drive and install. And I wish I could install it with Secure Boot enabled but it seems thr only solution is to disable it.

[–] Guenther_Amanita@slrpnk.net 2 points 1 month ago* (last edited 1 month ago) (1 children)

I totally understand your wish, absolutely valid. From what I know Mint supports secure boot.

There aren't many things that prevent that, but one might be the Nvidia driver. Were you able to boot into Mint and install it or similar things? Or did you just get greeted by the error message?

Maybe try downloading the image again and reflash it with another tool (e.g. Fedora Media Writer instead of Etcher) on another USB if you have one. It might be totally possible that your .iso did get corrupted in the process. And then do the whole process again.

I believe I had something similar a long time ago when I aborted the download and then resumed it, or when I pulled the USB too quickly without safely ejecting it beforehand.

I don't use Mint, but secure boot is something that usually works by default on most distros.

[–] vampira@lemmy.eco.br 1 points 1 month ago

Thanks for the answer! From the other answers I got in this thread it seems it'll be safe to turn off Secure Boot, so I guess I'll do that and try to boot again.