Cybersecurity firm ESET is urging Windows 10 users to upgrade to Windows 11 or Linux to avoid a “security fiasco” as the 10-year-old operating system nears the end of support in October 2025.

“It’s five minutes to twelve to avoid a security fiasco for 2025,” explains ESET security expert Thorsten Urbanski.

  • @9tr6gyp3
    112 days ago

    Even on Linux, it’s probably a good idea to set up SecureBoot with your TPM. Very few distros will automatically set this up for you, but I know for sure that Ubuntu and Fedora do this by default.

    • circuitfarmer
      42 days ago

      Can you explicate why I should want either SecureBoot or a TPM in a Linux environment?

      • @[email protected]
        11 day ago

        As a normal person I don’t think there’s a good reason. It just makes it harder for someone to get into your system/recover your data if there’s a problem with the machine (or if it’s stolen but personally I think it’s less likely for that to happen for the majority of people). If it’s a company PC with sensitive info on it that’s backed up elsewhere then yea you want to prevent people from getting into that thing as much as possible.

      • @9tr6gyp3
        2 days ago

        Per the Arch Wiki for Secure Boot:

        Secure Boot is a security feature found in the UEFI standard, designed to add a layer of protection to the pre-boot process: by maintaining a cryptographically signed list of binaries authorized or forbidden to run at boot, it helps in improving the confidence that the machine core boot components (boot manager, kernel, initramfs) have not been tampered with.

        As such it can be seen as a continuation or complement to the efforts in securing one’s computing environment, reducing the attack surface that other software security solutions such as system encryption cannot easily cover, while being totally distinct and not dependent on them. Secure Boot just stands on its own as a component of current security practices, with its own set of pros and cons.

        Note: For a deeper overview about Secure Boot in Linux, see Rodsbooks’ Secure Boot article and other online resources.


        Per the Arch Wiki for TPM:

        Trusted Platform Module (TPM) is an international standard for a secure cryptoprocessor, which is a dedicated microprocessor designed to secure hardware by integrating cryptographic keys into devices.

        In practice a TPM can be used for various different security applications such as secure boot, key storage and random number generation.

        TPM is naturally supported only on devices that have TPM hardware support. If your hardware has TPM support but it is not showing up, it might need to be enabled in the BIOS settings.

        Note: There are two very different TPM specifications: 2.0 and 1.2, which also use different software stacks.


        All that to say this is still not as secure as it could be (since it lacks some decent remote attestation), but security is best in layers, so a Secure Boot setup can be a great way to protect your pre-boot process.

    • @[email protected]
      32 days ago

      Bazzite and probably other uBlue distros, which are all based on some Fedora atomic variant, also do this by default and have instructions for setting it up later, if you choose not to do it at install.

    • sunzu2
      22 days ago

      's probably a good idea to set up SecureBoot with your TPM.

      How does this work?

      • @9tr6gyp3
        12 days ago

        Depends on your distro's documentation, but essentially it verifies your UEFI, OS kernel, and other boot processes haven’t been tampered with based on cryptographic signatures. It's really a neat setup.
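
To see what a given Linux install actually has, here is an added example (not from any commenter or distro documentation) that reports whether Secure Boot is enforcing and which TPM specification, 2.0 or 1.2, the kernel sees. It assumes the standard efivarfs and sysfs locations and a kernel that exposes `tpm_version_major`; the function names and the `EFIVAR_DIR`/`TPM_DIR` overrides are made up for this example.

```sh
#!/bin/sh
# Added example: report Secure Boot state and TPM version from Linux sysfs.
# EFIVAR_DIR and TPM_DIR are hypothetical overrides so the checks can be pointed at test files.
EFIVAR_DIR=${EFIVAR_DIR:-/sys/firmware/efi/efivars}
TPM_DIR=${TPM_DIR:-/sys/class/tpm/tpm0}
# GUID of the EFI global variable namespace, as defined by the UEFI specification.
EFI_GLOBAL=8be4df61-93ca-11d2-aa0d-00e098032b8c

# efivarfs files hold 4 attribute bytes followed by the variable data;
# SecureBoot and SetupMode each carry one data byte (1 = on, 0 = off).
efi_flag() {
    f="$EFIVAR_DIR/$1-$EFI_GLOBAL"
    [ -r "$f" ] || { echo missing; return 0; }
    v=$(od -An -tu1 -j4 -N1 "$f" | tr -d ' \n')
    case "$v" in
        0|1) echo "$v" ;;
        *)   echo invalid ;;
    esac
}

secure_boot_state() {
    [ -d "$EFIVAR_DIR" ] || { echo no-uefi; return 0; }   # legacy BIOS boot or efivarfs not mounted
    sb=$(efi_flag SecureBoot)
    setup=$(efi_flag SetupMode)
    case "$sb:$setup" in
        1:*) echo enabled ;;
        0:1) echo setup-mode ;;   # no Platform Key enrolled, nothing is being verified
        0:*) echo disabled ;;
        *)   echo unknown ;;
    esac
}

tpm_state() {
    # "absent" also covers a TPM that exists but is switched off in firmware settings.
    [ -d "$TPM_DIR" ] || { echo absent; return 0; }
    [ -r "$TPM_DIR/tpm_version_major" ] || { echo present-unknown-version; return 0; }
    case "$(cat "$TPM_DIR/tpm_version_major")" in
        2) echo tpm-2.0 ;;
        1) echo tpm-1.2 ;;
        *) echo present-unknown-version ;;
    esac
}

echo "Secure Boot: $(secure_boot_state)"
echo "TPM:         $(tpm_state)"
```

A result of `enabled` only says the firmware is enforcing signatures; whether the kernel and initramfs are covered still depends on how the distro signs and measures them.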