Do I need to verify a .ISO before flashing, if my laptop has secure boot?
My Dell XPS 9310 has secure boot enabled and the BIOS is up to date and there are no manual keys added there.
Can I download a ubuntu .ISO from anywhere and flash into any computer without worrying about malwares? Will it boot the USB drive only if the image is correctly signed by Ubuntu?
I want to understand the thread modeling. I've been reading https://wiki.ubuntu.com/UEFI/SecureBoot
it looks like ubuntu is loaded by a windows shim, whatever it may mean:
On Ubuntu, all pre-built binaries intended to be loaded as part of the boot process, with the exception of the initrd image, are signed by Canonical's UEFI certificate, which itself is implicitly trusted by being embedded in the shim loader, itself signed by Microsoft.
this makes me think that I still need to trust the image to verify itself.
If that's the case, can I add Canonical keys directly to the BIOS and then it will never boot anything not from Canonical?
