Id like to hear thoughts. Of course us gamers hate kernel level anti cheat, but is that actually tied to secureboot?
I know some/most distros can boot in secure mode, so it doesn’t seem like an issue there.
With all the new games moving to it, looks like we will all have to sit them out or install Spyware (microshit) to play. I will opt not to.
Others have already explained the secure boot process. But one thing that might impact gaming is that TPMs also implement cryptographic acceleration in hardware. Not only does it speed up operations, it guarantees that the binary code for the library running on the chip hasn’t been modified.
Some anti-cheat libraries might require the TPM and having secure boot on guarantees that feature exists.
It depends. If it’s under your control with your own keys then it can be beneficial. If it’s under someone else’s control (as it is for most people) then it’s a step towards the walled garden.
Kernal level anticheat is invasive and the vast majority of anticheats are probably installing spyware with root access.
I’ve avoided kernal anti-cheat basically forever on principle. On the plus side, there is talk about Microsoft kicking 3rd parties out of the kernal on windows, stemming from the cloudstrike debacle. If they kick out anti-virus, I can’t imagine that they let game publishers stay. We might actually see the death of kernal anti-cheat soon.
On a side-note, it’s a really sad state that so much of the world runs on computers but the majority of people don’t know the first thing about using them. It has led us to so many bad places today that I really didn’t expect when I was a teen…
Crowdstrike*
Aw dang it, you’re right. lol
Neither Secure Boot nor TPM were ever actually about security and neither meaningfully improves security. They are DRM features that exist solely to ensure you can never truly own the things you buy.
Um, TPMs for sure provide meaningful security. Maybe their use is implemented poorly a lot of the time, AND they can be abused to hold control over hardware you’ve purchased, but low level exploits are for sure a thing and TPMs and other dedicated hardware security modules (for enterprise) most definitely serve a purpose.
They’re a response to the ever evolving advancement of cyber exploits. Don’t knock them on principle, take affront to when they’re used poorly.
How is TPM involved in making sure you don’t own things? It certainly improves security (other than the poorly made ones at least)
There’s the truth. Thank you.
Sticking to linux and indie games forever then !
It’s pretty pointless if you allow it to use Microsoft’s keys. It’s a lot of work to set it up to only use your keys and that bricks certain poorly designed laptops.
I kind of assume Microsoft’s real motivation was to make Linux harder to install, and the “oh it’s more secure” stuff is a happy coincidence for them.
¯\_(ツ)_/¯ it’s not necessarily bad afaik, but it is a hassle if you don’t use windows, so it’s not something I plan on putting up with really
Thankfully none of the games I play seem to be going that route (yet)
The games that use it seem to be made by companies we shouldn’t be supporting anyway, so win win.
All secure boot does is ensue the binary (say, Linux or Windows kernel) run in early boot is “trusted,” meaning it’s cryptographically signed by a key the motherboard has. You can usually load your own keys and sign your own binaries, but I imagine only large orgs do that if they have a lot of Linux systems or something.
The way Linux works with this is they use a shim binary that is signed by Microsoft’s key, and that binary loads the actual Linux kernel. The kernel itself is not signed with that key.
The only way this impacts gaming is if games check if Secure Boot is enabled. If it is enabled, the game knows the system booted with something signed by a key the motherboard trusts. For most systems, that means Microsoft’s keys, but AFAIK, they can’t check what key was used in early boot unless the kernel provides some indication of that.
Basically, it’s an anti-tampering check, so they have some assurance the kernel is untampered from what the maintainer released.
Some newer distros like Bazzite are pretty awesome in that they install their own Secure Boot keys during the first time setup.
That’s pretty dope! I imagine we’ll see more distros follow suit as the September expiration of Microsoft’s keys approaches.
My distro, openSUSE Tumbleweed, does that as well, but I imagine plenty don’t.
Edit: I’m wrong, looks like they do that for “Trusted Boot,” but not “secure boot,” if this documentation is to be believed. It’s an option, not forced. I’m going to check later if it’s configured properly on my machine that I set up several years ago.
Did Novel git gud?
Apparently. OpenSUSE is going hard on the “we build quality” angle, and I’m here for it.
No, it’s not actually bad, it can just be a hassle to deal with. Much like when TLS was becoming the norm for websites there was a bit of an adjustment period when things weren’t always configured just right or folks didn’t have good auto renewal yet. It doesn’t mean the tech is bad.
In my understanding, Secure Boot has absolutely nothing to do with games or kernel-level anticheats some games use. Those latter are completely different beasts, more similar to drivers. There are many concerns about Secure Boot, like how it can harm Linux adoption or eventually give MS hardware control overreach.
Why do games require secureboot to be on then? Its gotta be related to their kernel level anti cheat.
Idk, this is the first time I hear about it. Do you know which particular games do this? I played few with kernel-level anticheats (Genshin Impact, League of Legends) without having Secure Boot on, even though my hardware fully supports it and I have it enabled now on Linux.
Fortnight and bf6, valorant, likely gta6. All games I wont play anyway
I think both windows and Linux turn on a number of kernel hardening options when secure boot is on.
Worst part is everything has to use Microsoft’s signing keys, so it’s ironically a gigantic security hole if your threat model includes being on Microsoft’s shit list.
Only by default. You can load your own keys instead of Microsoft’s, and some Linux distros do just that.
Which makes this requirement even more meaningless because someone who wants to cheat by running a modified kernel will obviously know how to follow a tutorial to add his MOK and sign his version of the kernel.
Yup. All it does is restrict less sophisticated users, but surely they’d also be willing to follow a guide to configure it.
Linux does support TPM and secure boot: https://wiki/ .debian.org/SecureBoot#What_is_UEFI_Secure_Boot.3F
So the problem is really only about kernel level anticheat, not the secure boot itself ?
It’s not all bad necessarily, but that “anticheat” vendors are demanding it sure does suggest it’s being used for nefarious purposes.
Except it was never about cheaters. It’s about DRM. You don’t own the things you buy and they want to make sure it stays that way.
🤭 nobody 🧵 talk𐑙 b𐑬t CVE-2025-7027.
𐑓 commoners.
