SB is definitely imperfect, but a useful tool in moving toward a trusted boot. I think we'd all agree having a trusted boot sequence is desirable, the point of contention being who gets to decide the criteria for trust. It's been a few years since I worked in the space but I think SB gets a bit of an undeserved bad rep (I'm sure because people were vocal early on). There is a SB signed uefi application that allows for enrolling other loaders based on the hash of the loader.
trelane|2 years ago
Good point. Both are important: who does the trusting and how they define trust.
The latter is the second set of concerns: remote attestation.
I recall reading someone on Twitter mentioning having remote attestation for online banking. So starts the dystopia.
But yes, having a trusted chain can be a good thing. It depends entirely on the who, the what, and the how.
account42|2 years ago
We don't.