I don’t find the global secureboot option in the documentation. Is it not possible to override the default and disable secureboot by default?
Set security.secureboot=false in your default profile.
Ah, in the profile. I was trying incus config, instead. Thank you very much!
Is a VM more secure if secureboot is enabled? What’s the advantage of it, in addition to having the host in secure boot?
Yeah, it’s more secure, as that will prevent an attacker from running firmware-level code and protects against persistent attacks.
I see that some images, like Alpine, ask to disable secureboot, but my current host itself doesn’t have secureboot enabled. Shouldn’t the host be the first requirement? Otherwise it’s moot to only have it in the VM, no?
No, it’s still useful to protect the VM itself from an attack. It will prevent a malicious user or attacker with root access to the VM from running firmware level attacks on that VM which could be used to inject hidden firmware level logic that could then be used to attack the guest OS even if reinstalled.
SecureBoot on the host serves the same role but this time not in protecting the OS running on guest VMs but instead the host OS itself from effectively the same kind of attacks.
The images that request for it to be off are typically Linux distributions that don’t have a chain of trust to the UEFI root CA. Some of those can enroll their own keys like IncusOS does; some others just don’t have any of the necessary tooling needed to have their kernels, kernel modules and bootloaders be signed.
Can we use sbctl to create keys and enroll them, and then enable the secureboot option? Does that work?
Yep, you can.
Typically security.secureboot=false will keep SecureBoot supported but remove the standard keys, so it effectively puts it into Setup Mode.