• ReCursing@feddit.uk
    link
    fedilink
    English
    arrow-up
    71
    ·
    22 hours ago

    Does “Secure Boot” actually benefit the end user in any way what so ever? Genuine question

    • enumerator4829@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      26
      ·
      11 hours ago

      For you? No. For most people? Nope, not even close.

      However, it mitigates certain threat vectors both on Windows and Linux, especially when paired with a TPM and disk encryption. Basically, you can no longer (terms and conditions apply) physically unscrew the storage and inject malware and then pop it back in. Nor can you just read data off the drive.

      The threat vector is basically ”our employees keep leaving their laptops unattended in public”.

      (Does LUKS with a password mitigate most of this? Yes. But normal people can’t be trusted with passwords and need the TPM to do it for them. And that basically requires SecureBoot to do properly.)

      • unixcat@lemmy.world
        link
        fedilink
        arrow-up
        5
        ·
        4 hours ago

        That’s only one use of secure boot. It’s also supposed to prevent UEFI level rootkits, which is a much more important feature for most people.

    • Cornelius_Wangenheim@lemmy.world
      link
      fedilink
      arrow-up
      15
      ·
      edit-2
      12 hours ago

      It prevents rootkit malware that loads before the OS and therefore is very difficult to detect. If enabled, it tells your machine to only load the OS if it’s signed by a trusted key and hasn’t been tampered with.

    • unlawfulbooger@lemmy.blahaj.zone
      link
      fedilink
      arrow-up
      55
      ·
      19 hours ago

      Well yes, assuming that:

      1. you trust the hardware manufacturer
      2. you can install your own keys (i.e. not locked by vendor)
      3. you secure your bios with a secure password
      4. you disable usb / network boot

      With this you can make your laptop very tamper resistant. It will be basically impossible to tamper with the bootloader while the laptop is off. (e.g install keylogger to get disk-encryption password).

      What they can do, is wipe the bios, which will remove your custom keys and will not boot your computer with secure boot enabled.

      Something like a supply-side attack is still possible however. (e.g. tricking you into installing a malicious bootloader while the PC is booted)

      Always use security in multiple layers, and to think about what you are securing yourself from.

    • bdonvr@thelemmy.club
      link
      fedilink
      arrow-up
      33
      arrow-down
      1
      ·
      20 hours ago

      Yes, as long as you get the option to disable it. And use custom keys.

      It’s uh, more secure.

          • Nat (she/they)@lemmy.blahaj.zone
            link
            fedilink
            English
            arrow-up
            6
            ·
            12 hours ago

            My keys were fine, I’d used them on a previous system. My best guess is boot failed because GPU firmware wasn’t signed with my keys, only Microsoft’s keys. And of course, I can’t just CMOS clear, and I don’t have an iGPU. It’s crazy that an OS can brick my motherboard; I’d be a lot more forgiving if a BIOS option bricked it, but exposing a “brick me” option in efivars for any ring 0 software to press??

        • carrylex@lemmy.worldOP
          link
          fedilink
          arrow-up
          3
          arrow-down
          2
          ·
          19 hours ago

          under Wikipedia’s entry for Secure boot

          What’s the first thing under the “Secure boot” section? The section that it automatically scrolls to when clicking my link?

          • InnerScientist@lemmy.world
            link
            fedilink
            arrow-up
            12
            arrow-down
            3
            ·
            19 hours ago

            Secure Boot

            The UEFI specification defines a protocol known as Secure Boot, which…

            UEFI shell

            Classes

            Boot stages

            Usage

            Application development

            And finally

            Criticism

      • Lucy :3@feddit.org
        link
        fedilink
        arrow-up
        8
        ·
        18 hours ago

        Specifically signed by anyone with a key - which, considering multiple where leaked over time - is everyone.