• unlawfulbooger@lemmy.blahaj.zone
    arrow-up
    55
    ·
    19 hours ago

    Well yes, assuming that:

    1. you trust the hardware manufacturer
    2. you can install your own keys (i.e. not locked by vendor)
    3. you secure your BIOS with a secure password
    4. you disable USB / network boot

    With this you can make your laptop very tamper resistant. It will be basically impossible to tamper with the bootloader while the laptop is off (e.g. install a keylogger to get the disk-encryption password).

    What they can do is wipe the BIOS, which will remove your custom keys and will not boot your computer with secure boot enabled.

    Something like a supply-side attack is still possible, however (e.g. tricking you into installing a malicious bootloader while the PC is booted).

    Always use security in multiple layers, and think about what you are securing yourself from.
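
An added example, not part of the comment above: a Linux-side check that reads the UEFI `SecureBoot` and `SetupMode` variables from efivarfs and reports whether the firmware is still enforcing Secure Boot or has dropped back to setup mode, as it would after the keys are wiped. The function names and the `root` parameter are assumptions made for this sketch.

```python
import os
import struct

# EFI global variable GUID from the UEFI specification; efivarfs exposes
# each variable as a file named <Name>-<GUID>.
EFI_GLOBAL = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS = "/sys/firmware/efi/efivars"


def parse_efivar(raw):
    """Split an efivarfs file into (attributes, data).

    The file starts with a 4-byte little-endian attribute word,
    followed by the variable's data.
    """
    if len(raw) < 4:
        raise ValueError("truncated efivarfs entry")
    (attrs,) = struct.unpack("<I", raw[:4])
    return attrs, raw[4:]


def read_flag(name, root=EFIVARS):
    """Return the one-byte value of a global variable, or None if absent."""
    path = os.path.join(root, f"{name}-{EFI_GLOBAL}")
    try:
        with open(path, "rb") as fh:
            _, data = parse_efivar(fh.read())
    except FileNotFoundError:
        return None
    return data[0] if data else None


def assess(secure_boot, setup_mode):
    """Classify the firmware state from the SecureBoot and SetupMode flags."""
    if secure_boot is None or setup_mode is None:
        return "unknown: not booted via UEFI or variables unreadable"
    if setup_mode == 1:
        return "setup mode: no Platform Key enrolled (keys wiped or never installed)"
    if secure_boot == 1:
        return "enforcing: Platform Key enrolled and Secure Boot on"
    return "disabled: keys enrolled but Secure Boot switched off"


if __name__ == "__main__":
    print(assess(read_flag("SecureBoot"), read_flag("SetupMode")))
```

This reports the firmware's mode only; it does not show whose keys are enrolled, so an "enforcing" result with vendor default keys restored looks the same as one with your own keys.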