top | item 46938293

(no title)

It really doesn't. UEFI are still not by default locked behind a password (can't be locked since you couldn't change settings in the UEFI if that were the case), so anyone that has access to change a drive can also disable secure boot or enroll their own keys if they want to do an actual supply chain attack.

If your threat model is "has access to the system before first boot" you are fucked on anything that isn't locked down to only the manufacturer.

discuss

bri3d|21 days ago

What if my threat model is "compromised the disk imaging / disk supply chain?" This is a plausible and real threat model, and represents a moderate erosion, like I said.

UEFI Secure Boot is also just not a meaningful countermeasure to anyone with even a moderate paranoia level anyway, so it's all just goofing around at this point from a security standpoint. All of these "add more nag screens for freedom" measures like the grandparent post and yours don't really seem useful to me, though.

fc417fc802|21 days ago

> UEFI Secure Boot is also just not a meaningful countermeasure to anyone with even a moderate paranoia level

Baseless FUD. If you have an actual point to make then do so.

> All of these "add more nag screens for freedom"

No one said anything about a nag screen. You literally just made that up.

For the record google pixels work largely this way. Flash image, test boot, re-lock bootloader.