Why was I asked to create a password in order to disable secure boot on initial installation of Ubuntu 16.04?

Question

On initial installation of Ubuntu 16.04, I checked off "Install third-party software" and, underneath it, I was prompted to check off another option which would allow the OS package to automatically disable secure boot on its own, a prerequisite of which was creating a password that would somehow allow this whole process to occur.

After continuing with the installation, I was never given any indication that this disabling of secure boot had occurred, nor was I ever prompted to enter the password that I had created.

Upon successful installation of the OS, I restarted my computer and checked out the BIOS. In BIOS, secure boot was still enabled. However, back in Ubuntu, I am able to seamlessly play MP3 and Flash files, which I assume indicates that the installation of third-party software was successful.

I haven't run into any problems as of yet (other than the fact that the UI has been a bit finicky and buggy at times), but I would like to know what on Earth I actually accomplished by creating that password.

What happened to the password I created? Will I need to remember it for any reason? It's not the same as my login/sudo password.

Has Ubuntu permanently edited my BIOS in order to make an exception for itself? If so, how can I view these changes and potentially undo them? Is that where the password would come in?

Why does Ubuntu need to disable/bypass secure boot to install the ubuntu-restricted-extras package anyway? Is my installation okay? Have I set myself up for future problems? Should I try reinstalling with secure boot manually disabled as not to receive that prompt in the first place?

Additional information: I am running a UEFI system, and I am dual-booting Ubuntu 16.04 alongside Windows 10.

Another user has asked a question about a similar problem here. Unlike this user, I do not receive a warning about "booting in insecure mode," but I would also like to know whether Ubuntu has created an exception for itself and how I could manage such exceptions. Unlike myself, this user has not mentioned anything about having to create a password.

Answer 1

UEFI Secure Boot protects your boot loader from being tampered with by using a combination of CA keys and signatures in boot files. Microsoft for example has signed boot loaders for which CA keys are already present in UEFI firmware of most PC's already.

This only protects the very early core of the loader and nothing afterwards. For example initrd(initramfs) is not protected, or anything after (GRUB, kernel, Modules, Drivers, anything in userspace, etc).

3rd party software that you installed MAY have included certain low-level PCI or RAID code required for the boot loader, which is why you need to create a password, which will create a key in the UEFI firmware's space. After modifications, if the system notices something different at boot time, the BIOS will stop at POST and ask for the same password you entered during installation to prove that you are the one who installed the software. This method insures that a user physically sitting at the computer is entering this password as confirmation since no software can be loaded at BIOS POST time to fake this.

For most user systems, secure boot does little to protect you. It does not prevent viruses or malware, or installation of those. All it does it prevent low-level bootloader tampering, which is usually prevented by basic antivirus or OS security anyways. In my opinion, and according to most documentation out there, it can be safely disabled.