Secure boot can’t fail due to expired certificates if it’s already disabled…
Secure boot security used as ransomware to ensure Windows purchases.
So, is there any consensus if secure boot is even needed at all? I’ve read so many different opinions about this the past few days and have no idea.
As almost always the answer is “it depends”.
From a security perspective you want to make sure that what your system boots is trusted and not tampered with by a third party. If your threat model includes people with physical access or malicious software (rootkits) manipulating your operating system, then secure boot can help mitigate that if you set it up correctly.
If that’s none of your concern, then you probably shouldn’t bother with it.
It’s such a silly system. Could have just had it in a way that automatically trusts only whatever system(s) is/are installed while the BIOS is unlocked so any user benefits from secure boot as soon as they set a BIOS password.
But this breaks automatic updates without entering the BIOS and is just not feasible except for the PC on your desk at home.
But this breaks automatic updates without entering the BIOS
Maybe I’m misunderstanding a technical aspect here, but wouldn’t only the bootloader need to be signed? To my understanding a tamper-proof system already assumes full disk-encryption anyway, so any kinds of automatic updates would be happening in a black box anyway, wouldn’t it?
and is just not feasible except for the PC on your desk at home
That’s probably a different and more value-based discussion and I’m quite sure you didn’t intend it that way, but it’s hard for me to put into words how much this sentence structure offends me 😅
A benefit to the users in front of their personal computers can never be an exception, it is (… ought to be) always the point of everything, the end goal. Having a solution that benefits end users and puts other entities at a disadvantage is always preferable over a solution that puts end users at a disadvantage for the benefit of other entities.
I think I understand why you are offended by this sentence and I’m with you on the benefits of user freedom.
For the first part, yes, technically only the bootloader has to be signed, after that the bootloader is trusted and should do “the right thing”.
What I meant was that manually entering the BIOS after an upgrade of the thing you want to boot into (e.g. grub) is not an option for computers that you can’t easily access physically, especially in large numbers and located somewhere other than your home. IMHO the system is not “silly”, but works well in these scenarios. I agree that it is not designed to be convenient for end users.
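The first comment in the thread notes that certificate expiry only matters when Secure Boot is actually enforcing, and the reply above points out that the firmware only needs to trust the bootloader's signer, i.e. whatever is in the db variable. The example below is added here and is not code from any poster: it decodes the SecureBoot variable as Linux exposes it under /sys/firmware/efi/efivars and parses the EFI_SIGNATURE_LIST chain that makes up db/dbx, so you can see which certificate and hash entries the firmware will trust. The signature-type GUIDs come from the UEFI specification; the owner GUID, placeholder certificate bytes and hash values are constructed sample data, and the function names are mine.

```python
import struct
import uuid

# Signature-type GUIDs from the UEFI spec; every db/dbx list is tagged with one of these.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
TYPE_NAMES = {EFI_CERT_X509_GUID: "x509", EFI_CERT_SHA256_GUID: "sha256"}
HDR = struct.Struct("<III")  # SignatureListSize, SignatureHeaderSize, SignatureSize

def read_efivar(raw: bytes) -> bytes:
    # Files under /sys/firmware/efi/efivars carry a 4-byte attribute word before the data.
    if len(raw) < 4:
        raise ValueError("efivar file too short")
    return raw[4:]

def secure_boot_enabled(secureboot_var: bytes) -> bool:
    # The SecureBoot variable is a single byte: 1 = enforcing, 0 = disabled.
    return read_efivar(secureboot_var) == b"\x01"

def parse_signature_lists(data: bytes) -> list:
    # Walk the chain of EFI_SIGNATURE_LIST structures that make up db or dbx.
    entries, off = [], 0
    while off < len(data):
        if len(data) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = HDR.unpack_from(data, off + 16)
        if list_size < 28 + hdr_size or off + list_size > len(data):
            raise ValueError("inconsistent SignatureListSize")
        body = data[off + 28 + hdr_size:off + list_size]
        if sig_size <= 16 or len(body) % sig_size:
            raise ValueError("SignatureSize does not divide the list body")
        for i in range(0, len(body), sig_size):  # each EFI_SIGNATURE_DATA: owner GUID + payload
            owner = uuid.UUID(bytes_le=body[i:i + 16])
            entries.append((TYPE_NAMES.get(sig_type, str(sig_type)), owner, body[i + 16:i + sig_size]))
        off += list_size
    return entries

def build_signature_list(sig_type: uuid.UUID, owner: uuid.UUID, payloads: list) -> bytes:
    # Serialise one list with an empty signature header; used only to build the constructed sample.
    body = b"".join(owner.bytes_le + p for p in payloads)
    return sig_type.bytes_le + HDR.pack(28 + len(body), 0, 16 + len(payloads[0])) + body

# Constructed sample, not a firmware dump: one placeholder "certificate" and two hash entries.
OWNER = uuid.UUID("12345678-1234-5678-1234-567812345678")
SAMPLE_DB = build_signature_list(EFI_CERT_X509_GUID, OWNER, [b"PLACEHOLDER-DER-CERT"]) + \
    build_signature_list(EFI_CERT_SHA256_GUID, OWNER, [b"\x11" * 32, b"\x22" * 32])
SAMPLE_SECUREBOOT = bytes.fromhex("07000000") + b"\x01"  # attributes NV|BS|RT, then value 1
```

On a real Linux system, feed the contents of SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c and db-d719b2cb-3d3a-4596-a3bc-dad00e67656f from /sys/firmware/efi/efivars to secure_boot_enabled and read_efivar/parse_signature_lists respectively; the x509 payloads are DER certificates whose validity dates can then be inspected with any X.509 parser.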
Another thing to watch out for is fake third-party utilities that claim they will fix this problem. Unless it is provided directly by an official distro and verified, be careful what you download and install.
This is a golden opportunity for malicious actors to get bad code into systems.
Nah, don’t use it. Secure boot is tainted by Microsoft 🤮