For you? No. For most people? Nope, not even close.
However, it mitigates certain threat vectors both on Windows and Linux, especially when paired with a TPM and disk encryption. Basically, you can no longer (terms and conditions apply) physically unscrew the storage and inject malware and then pop it back in. Nor can you just read data off the drive.
The threat vector is basically ”our employees keep leaving their laptops unattended in public”.
(Does LUKS with a password mitigate most of this? Yes. But normal people can’t be trusted with passwords and need the TPM to do it for them. And that basically requires SecureBoot to do properly.)
It prevents rootkit malware that loads before the OS and therefore is very difficult to detect. If enabled, it tells your machine to only load the OS if it’s signed by a trusted key and hasn’t been tampered with.
you can install your own keys (i.e. not locked by vendor)
you secure your bios with a secure password
you disable usb / network boot
With this you can make your laptop very tamper resistant. It will be basically impossible to tamper with the bootloader while the laptop is off. (e.g install keylogger to get disk-encryption password).
What they can do, is wipe the bios, which will remove your custom keys and will not boot your computer with secure boot enabled.
Something like a supply-side attack is still possible however. (e.g. tricking you into installing a malicious bootloader while the PC is booted)
Always use security in multiple layers, and to think about what you are securing yourself from.
My keys were fine, I’d used them on a previous system. My best guess is boot failed because GPU firmware wasn’t signed with my keys, only Microsoft’s keys. And of course, I can’t just CMOS clear, and I don’t have an iGPU. It’s crazy that an OS can brick my motherboard; I’d be a lot more forgiving if a BIOS option bricked it, but exposing a “brick me” option in efivars for any ring 0 software to press??
Does “Secure Boot” actually benefit the end user in any way what so ever? Genuine question
For you? No. For most people? Nope, not even close.
However, it mitigates certain threat vectors both on Windows and Linux, especially when paired with a TPM and disk encryption. Basically, you can no longer (terms and conditions apply) physically unscrew the storage and inject malware and then pop it back in. Nor can you just read data off the drive.
The threat vector is basically ”our employees keep leaving their laptops unattended in public”.
(Does LUKS with a password mitigate most of this? Yes. But normal people can’t be trusted with passwords and need the TPM to do it for them. And that basically requires SecureBoot to do properly.)
That’s only one use of secure boot. It’s also supposed to prevent UEFI level rootkits, which is a much more important feature for most people.
It prevents rootkit malware that loads before the OS and therefore is very difficult to detect. If enabled, it tells your machine to only load the OS if it’s signed by a trusted key and hasn’t been tampered with.
Well yes, assuming that:
With this you can make your laptop very tamper resistant. It will be basically impossible to tamper with the bootloader while the laptop is off. (e.g install keylogger to get disk-encryption password).
What they can do, is wipe the bios, which will remove your custom keys and will not boot your computer with secure boot enabled.
Something like a supply-side attack is still possible however. (e.g. tricking you into installing a malicious bootloader while the PC is booted)
Always use security in multiple layers, and to think about what you are securing yourself from.
Yes, as long as you get the option to disable it. And use custom keys.
It’s uh, more secure.
I enrolled custom keys and bricked my motherboard 🙃
Same. Should’ve listened to securebootctl telling me the key was malformed.
My keys were fine, I’d used them on a previous system. My best guess is boot failed because GPU firmware wasn’t signed with my keys, only Microsoft’s keys. And of course, I can’t just CMOS clear, and I don’t have an iGPU. It’s crazy that an OS can brick my motherboard; I’d be a lot more forgiving if a BIOS option bricked it, but exposing a “brick me” option in efivars for any ring 0 software to press??
OpROMs?
It’s so secure that the first thing under Wikipedia’s entry for Secure boot is Secure boot criticism
Yes this is a real, I’m not joking.
It’s not the first thing, it’s in the middle.
Click the link, you’ll see it is indeed the first heading under Criticism
What’s the first thing under the “Secure boot” section? The section that it automatically scrolls to when clicking my link?
…
…
…
…
…
And finally
It’s right there under the header
You can set it to run only specifically signed binaries on boot.
Specifically signed by anyone with a key - which, considering multiple where leaked over time - is everyone.