This has been my stance for years, but I am open to being persuaded why this is a terrible practice that will lead to kitten murder.
I saw someone else give a similar reasoning that if there were a booting error, they would never assume it was a rootkit, but some breakage between all of the booting cruft. I certainly lack any expertise to understand what happens during boot to be able to diagnose problems.
My stance is similar: I insist that any computer I use to run my main OS uses the CSM (Compatibility Support Module) method of booting. This effectively eliminates UEFI's role completely after control is handed to the bootloader, using the pre-UEFI boot method of locating the first sector of the boot device and executing that.
As a user, I see very little benefit to using UEFI.
I have a concern that if I find malware or suspicious activity on a system, when I report it through VirusTotal or another channel I won't be believed if secure boot is disabled and that appears in the logs. Or if another threat actor got in during the brief period it was disabled and invalidated the audit trail.
"We won't accept any reports because your secure boot chain is too short." To put it bluntly and crudely. Not to dismiss a very real and important real-life issue.
I've lost people I love in my life over similar things. I don't want to be in a similar situation in other Walks or Paths of life.
It's a powerful incentive mechanism. Even if you're believed in the end how long did it take? How old? And now that difficult thing becomes a talking point when you just wanted to build.
You could if you want to, but if your distribution provides a UEFI bootloader (shim / grub / systemd-boot / whatever) signed by the default MS-trusted cert, or you're willing to set up everything yourself with your own certs, it doesn't hurt to enable it either (except when an incident like this happens).
The Mint forums pretty much tell everyone to blanket disable secure boot because nobody seems to know how to make it work, certainly not well enough to explain it to a beginner.
I accidentally checked "install media codecs" on the Mint installation which requires secure boot. Didn't think much of it but something went wrong later on in the setup causing a restart. Well, it left the secure boot stuff in a weird state and forced me to reset the CMOS because nothing was working or booting.
Yeah, I thought Red Hat fought to get their keys installed in there, too. Which is why Fedora and RHEL (and derivatives like CentOS or Rocky) work alright OOTB.
I installed Linux on a new laptop yesterday, and couldn't get either NixOS or Debian to install until I turned off secure boot. So I guess these distros don't bother getting every release signed by Microsoft.
At least it was easy to turn off. I just wish the error message mentioned Secure Boot -- it took me a few minutes to figure out what was wrong. At first I thought I had a corrupt USB stick or something.
There are two separate Secure Boot keys Microsoft uses: one which they use to sign Windows, and another which they use to sign everything else (the "Microsoft 3rd Party UEFI CA"). AFAIK, some recent laptops with Windows preinstalled come by default with the second one disabled in the BIOS (it's a new Microsoft requirement). To install Linux on these laptops without disabling Secure Boot, you have to go into the BIOS and enable that key.
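A quick way to check which of those two Microsoft CAs a machine actually trusts, rather than guessing from the firmware setup screen, is to read the Secure Boot `db` variable and list the enrolled X.509 certificates. The script below is an added example, not code from this thread or from any distribution or firmware vendor. It parses the chain of EFI_SIGNATURE_LIST structures in `db` (each list: a signature-type GUID, three 32-bit sizes, then entries of owner GUID plus payload) and walks the DER of each X.509 entry just far enough to pull out the subject CN. The sample database at the bottom is constructed for the demonstration: the "certificates" in it are minimal DER shells shaped like a Certificate with the CNs of the two Microsoft CAs, not real certificates, and the owner GUID is made up. The `third_party_ca_enrolled` name check is an assumption based on the CA names ("Microsoft Corporation UEFI CA 2011" / "Microsoft UEFI CA 2023" versus the Windows CAs), not a cryptographic identity check.

```python
"""List what is enrolled in the UEFI Secure Boot db (added example; sample data is constructed)."""
import hashlib
import os
import struct
import uuid

EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_IMAGE_SECURITY_DATABASE_GUID = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"
EFIVARS = "/sys/firmware/efi/efivars"


def _der_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length


def _der_children(buf, start, end):
    pos = start
    while pos < end:
        tag, vstart, vend = _der_tlv(buf, pos)
        yield tag, vstart, vend
        pos = vend


def x509_subject_cn(der):
    """Walk Certificate -> tbsCertificate -> subject and return its commonName (or None)."""
    _, cert_start, _ = _der_tlv(der, 0)                    # Certificate SEQUENCE
    _, tbs_start, tbs_end = _der_tlv(der, cert_start)      # tbsCertificate SEQUENCE
    fields = list(_der_children(der, tbs_start, tbs_end))
    if fields[0][0] == 0xA0:                               # optional [0] EXPLICIT version
        fields = fields[1:]
    _, subj_start, subj_end = fields[4]                    # serial, sigalg, issuer, validity, subject
    for _, rdn_s, rdn_e in _der_children(der, subj_start, subj_end):          # each RDN (SET)
        for _, atv_s, atv_e in _der_children(der, rdn_s, rdn_e):              # AttributeTypeAndValue
            (_, oid_s, oid_e), (_, val_s, val_e) = list(_der_children(der, atv_s, atv_e))
            if der[oid_s:oid_e] == b"\x55\x04\x03":                           # OID 2.5.4.3 = CN
                return der[val_s:val_e].decode("utf-8", "replace")
    return None


def parse_signature_lists(data):
    """Return [(signature_type_guid, owner_guid, payload)] from concatenated EFI_SIGNATURE_LISTs."""
    entries, pos = [], 0
    while pos + 28 <= len(data):
        sig_type = uuid.UUID(bytes_le=data[pos:pos + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, pos + 16)
        if list_size < 28 or pos + list_size > len(data) or sig_size < 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST at offset %d" % pos)
        body, end = pos + 28 + hdr_size, pos + list_size
        while body + sig_size <= end:                      # EFI_SIGNATURE_DATA: owner GUID + data
            owner = uuid.UUID(bytes_le=data[body:body + 16])
            entries.append((sig_type, owner, data[body + 16:body + sig_size]))
            body += sig_size
        pos = end
    return entries


def describe(entries):
    """Map each entry to (kind, subject CN or None, fingerprint/hash hex)."""
    out = []
    for sig_type, _owner, payload in entries:
        if sig_type == EFI_CERT_X509_GUID:
            out.append(("x509", x509_subject_cn(payload), hashlib.sha256(payload).hexdigest()))
        elif sig_type == EFI_CERT_SHA256_GUID:
            out.append(("sha256", None, payload.hex()))
        else:
            out.append((str(sig_type), None, hashlib.sha256(payload).hexdigest()))
    return out


def third_party_ca_enrolled(entries):
    """Heuristic (assumption): the Microsoft third-party CA CNs contain 'UEFI CA' but not 'Windows'."""
    return any(k == "x509" and cn and "UEFI CA" in cn and "Windows" not in cn
               for k, cn, _ in describe(entries))


def read_efivar(name):
    """Read a Secure Boot variable from efivarfs; the first 4 bytes are attributes, not data."""
    with open(os.path.join(EFIVARS, f"{name}-{EFI_IMAGE_SECURITY_DATABASE_GUID}"), "rb") as f:
        return f.read()[4:]


# ---- constructed sample data (NOT real certificates) ----
def _der(tag, content):
    n = len(content)
    lb = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | len(lb)]) + lb) + content


def _name(cn):  # Name ::= SEQUENCE OF SET OF { OID 2.5.4.3, UTF8String }
    return _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))))


def fake_cert(cn):
    """Minimal DER shell shaped like an X.509 Certificate, just enough to reach the subject."""
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
           + _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))
           + _name("Constructed Test Root")
           + _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, b"340101000000Z"))
           + _name(cn) + _der(0x30, b""))
    return _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))


def build_signature_list(sig_type, owner, payload):
    sig_size = 16 + len(payload)
    return sig_type.bytes_le + struct.pack("<III", 28 + sig_size, 0, sig_size) + owner.bytes_le + payload


SAMPLE_OWNER = uuid.UUID("12345678-1234-5678-1234-567812345678")   # made-up owner GUID
SAMPLE_DB = (build_signature_list(EFI_CERT_X509_GUID, SAMPLE_OWNER, fake_cert("Microsoft Windows Production PCA 2011"))
             + build_signature_list(EFI_CERT_X509_GUID, SAMPLE_OWNER, fake_cert("Microsoft Corporation UEFI CA 2011"))
             + build_signature_list(EFI_CERT_SHA256_GUID, SAMPLE_OWNER, bytes(range(32))))

if __name__ == "__main__":
    db_path = os.path.join(EFIVARS, f"db-{EFI_IMAGE_SECURITY_DATABASE_GUID}")
    entries = parse_signature_lists(read_efivar("db") if os.path.exists(db_path) else SAMPLE_DB)
    for kind, cn, fp in describe(entries):
        print(f"{kind:8} {cn or '-':45} {fp}")
    print("third-party UEFI CA enrolled:", third_party_ca_enrolled(entries))
```

On a real Linux system the script reads `db` from efivarfs (root is not needed for reading); if `db` is absent it falls back to the constructed sample so the parser can still be exercised. The same information is available from `efi-readvar -v db` (efitools) and the current enforcement state from `mokutil --sb-state`; the point of doing it by hand is to see exactly which CA entries are present, since a shim signed by the third-party CA will fail to load when only the Windows CA is in `db`.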
Most mainstream distros work fine with secure boot still enabled. You can disable it if you want, but if you use BitLocker, disabling secure boot will require you to enter the recovery key, which is a massive pain.
You can always disable secure boot if you want to, but in this case installing the patches released two years ago would probably be a better fix.