Does “Secure Boot” actually benefit the end user in any way what so ever? Genuine question
Well yes, assuming that:
- you trust the hardware manufacturer
- you can install your own keys (i.e. not locked by vendor)
- you secure your bios with a secure password
- you disable usb / network boot
With this you can make your laptop very tamper resistant. It will be basically impossible to tamper with the bootloader while the laptop is off. (e.g install keylogger to get disk-encryption password).
What they can do, is wipe the bios, which will remove your custom keys and will not boot your computer with secure boot enabled.
Something like a supply-side attack is still possible however. (e.g. tricking you into installing a malicious bootloader while the PC is booted)
Always use security in multiple layers, and to think about what you are securing yourself from.
For you? No. For most people? Nope, not even close.
However, it mitigates certain threat vectors both on Windows and Linux, especially when paired with a TPM and disk encryption. Basically, you can no longer (terms and conditions apply) physically unscrew the storage and inject malware and then pop it back in. Nor can you just read data off the drive.
The threat vector is basically ”our employees keep leaving their laptops unattended in public”.
(Does LUKS with a password mitigate most of this? Yes. But normal people can’t be trusted with passwords and need the TPM to do it for them. And that basically requires SecureBoot to do properly.)
That’s only one use of secure boot. It’s also supposed to prevent UEFI level rootkits, which is a much more important feature for most people.
True. Personally, I’m hoping for easier use of SecureBoot, TPM and encryption on Linux overall. People are complaining about BitLocker, but try doing the same on Linux. All the bits and pieces are there, but integrating everything and having it keep working through kernel upgrades isn’t fun at all.
With LUKS, your boot/efi partition is still unencrypted. So someone could install a malicious bootloader, and you probably wouldn’t know and would enter your password. With secure boot, the malicious bootloader won’t boot because it has no valid signature.
It’s so secure that the first thing under Wikipedia’s entry for Secure boot is Secure boot criticism
Yes this is a real, I’m not joking.
It’s not the first thing, it’s in the middle.
under Wikipedia’s entry for Secure boot
What’s the first thing under the “Secure boot” section? The section that it automatically scrolls to when clicking my link?
Secure Boot
The UEFI specification defines a protocol known as Secure Boot, which…
…
UEFI shell
…
Classes
…
Boot stages
…
Usage
…
Application development
And finally
Criticism
Secure Boot
See also: Secure Boot criticism
It’s right there under the header
You can set it to run only specifically signed binaries on boot.
Specifically signed by anyone with a key - which, considering multiple where leaked over time - is everyone.
Using the capital punishment symbol instead of the killed in action symbol suggests windows was executed after the war (likely by installing linux lol)
There are variations of the Skull and Crossbones here that have specific meaning?
On wikipedia, capital punishment is a skull and amd bones, killed in action is a christian cross
Because KIA takes way too much room on the page.
Thats kinda shitty its a cross. Like holding one religion above the others on a fucking encyclopedia.
It is not a Christian cross, the symbol is the dagger † which is also often used for adding post-scriptum information or challenging parts of a text.
People often mistake it for a cross, given the look, but there’s no actual preference towards any religion here.
The cross is an entirely different unicode character: ✝
Huh TIL. I searched just to confirm and its listed even on wikipedia itself. Thanks for claifying.
Interesting that the dagger shares it origin with the division symbol (÷).
Is there a symbol for a zombie, something that supposedly died many times over but keeps coming back?
That’s the definition of a phoenix: 🐦🔥
most competent Microsoft developer
I had this problem at work a week ago or so, at least with Fujitsu PCs. For them, the main cause isn’t an empty CMOS battery, but rather that Fujitsu generally had too little BIOS cache, since there is nothing about it in the UEFI standard. The update basically overfilled that cache, rendering the BIOS completely unusable. The POST doesn’t even go through fully.
The PC are sort of bricked, you gotta put the mainboard into recovery mode, put the ROM file on a freeBSD formatted stick and wait until you see instructions on the screen. Follow them, restart the PC. I recommend setting the BIOS to the optimized default settings, as not doing that might make the boot of Windows pretty slow in some cases. I did hear that it can delete the keys from the TPM, but I haven’t seen that with my PCs at work.
