WingNews logo WingNews
top | item 35844983

(no title)

CircleSpokes | 2 years ago

Anyone saying secureboot "brings absolutely nothing" clearly doesn't understand how secure boot works (or is just arguing in bad faith). Secure boot has issues (see key revocation issue & vulnerable UEFI program used by malware to install bootkit) but it does address a real security issue.

People might not like who holds the commonly preinstalled keys (Microsoft and motherboard OEMs) but even then you can add your own keys and sign your own images if you want (there was just a post yesterday about doing this for raspberry pis),

discuss

order

csdvrx|2 years ago

> People might not like who holds the commonly preinstalled keys (Microsoft and motherboard OEMs) but even then you can add your own keys and sign your own images if you want (there was just a post yesterday about doing this for raspberry pis),

I like SecureBoot, and I like that I can select my keys to sign things the UEFI will run, but I don't like that I can't replace the UEFI itself since it's protected by bootguard.

Now if I can edit the UEFI, that's a gamechanger: I could have my signed UEFI payloads check the UEFI firmware has the parts I want (or don't want) and refuse to keep booting if it doesn't

realusername|2 years ago

The raspberry pi example is an even worse implementation of secure boot using an absurd write only once scheme for the keys.

That's just creating more ewaste, nobody can ever use that device normally again and it cannot be resold.

CircleSpokes|2 years ago

I don't think its absurd at all. It isn't required in anyway (opt in), lets you use your own keys (no preinstalled microsoft or other bigcorp keys), and isn't possible for someone to modify what keys you installed.

Of course if you lose your keys you can't sign anything else and that would make it basically ewaste, but most things end up as waste when you take actions that are reckless and can't be reversed (which is what losing the keys would be). Plus tech tends to ends up as ewaste after less than a decade anyways. Like sure you could still be using an AMD steamroller CPU but realistically after 10 years you'd be better off using a cheaper more power efficient chip anyways.